diff --git a/.github/workflows/test-workflows.yml b/.github/workflows/test-workflows.yml
index 27b8c622ee21a..9c7cec22e086c 100644
--- a/.github/workflows/test-workflows.yml
+++ b/.github/workflows/test-workflows.yml
@@ -25,7 +25,7 @@ jobs:
 
       - uses: pnpm/action-setup@v2.4.0
         with:
-          version: 8.6.12
+          version: 8.7.0
 
       - uses: actions/setup-node@v3.7.0
         with:
diff --git a/.gitignore b/.gitignore
index 3060b870c1692..0c3174e84ee88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,5 +19,6 @@ packages/**/.turbo
 *.tsbuildinfo
 cypress/videos/*
 cypress/screenshots/*
+cypress/downloads/*
 *.swp
 CHANGELOG-*.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76d7700794b38..07b01bdabd039 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,32 @@
+# [1.5.0](https://github.com/n8n-io/n8n/compare/n8n@1.4.0...n8n@1.5.0) (2023-08-31)
+
+
+### Bug Fixes
+
+* **Agile CRM Node:** Fix issue with company address not working ([#6997](https://github.com/n8n-io/n8n/issues/6997)) ([2f81652](https://github.com/n8n-io/n8n/commit/2f81652400b6a793fa610728519fd992c03c3d0d))
+* **Code Node:** Switch over to vm2 fork ([#7018](https://github.com/n8n-io/n8n/issues/7018)) ([dfe0fa6](https://github.com/n8n-io/n8n/commit/dfe0fa65f8111cd534387e26197cb3836d694e27))
+* **core:** Invalid NODES_INCLUDE should not crash the app ([#7038](https://github.com/n8n-io/n8n/issues/7038)) ([04e3178](https://github.com/n8n-io/n8n/commit/04e31789019aad6fe122ed81b06552a61d7f3a6d)), closes [#6683](https://github.com/n8n-io/n8n/issues/6683)
+* **core:** Setup websocket keep-live messages ([#6866](https://github.com/n8n-io/n8n/issues/6866)) ([8bdb07d](https://github.com/n8n-io/n8n/commit/8bdb07d33ded48eab0b8f892a06e18f37bee9372)), closes [#6757](https://github.com/n8n-io/n8n/issues/6757)
+* **core:** Throw `NodeSSLError` only for nodes that allow ignoring SSL issues ([#6928](https://github.com/n8n-io/n8n/issues/6928)) ([a01c3fb](https://github.com/n8n-io/n8n/commit/a01c3fbc19d66cf8b1dac3e34e0999dd36d81e7c))
+* **Date & Time Node:** Dont parse date if it's not set (null or undefined) ([#7050](https://github.com/n8n-io/n8n/issues/7050)) ([d72f79f](https://github.com/n8n-io/n8n/commit/d72f79ffb393a096f510f0c41bb66d987fe8cb0d))
+* **editor:** Fix sending of Ask AI tracking events ([#7002](https://github.com/n8n-io/n8n/issues/7002)) ([fb05afa](https://github.com/n8n-io/n8n/commit/fb05afa16560c3c837abf46824f8dc7fa3bb1c83))
+* **Microsoft Excel 365 Node:** Support for more extensions in workbook rlc ([#7020](https://github.com/n8n-io/n8n/issues/7020)) ([d6e1cf2](https://github.com/n8n-io/n8n/commit/d6e1cf232f86ddc69cceb69c8971c3373dab454c))
+* **MongoDB Node:** Stringify response ObjectIDs ([#6990](https://github.com/n8n-io/n8n/issues/6990)) ([9ca990b](https://github.com/n8n-io/n8n/commit/9ca990b9936ee80972952d0a1ad73c2926809ba2))
+* **MongoDB Node:** Upgrade mongodb package to address  CVE-2021-32050 ([#7054](https://github.com/n8n-io/n8n/issues/7054)) ([d3f6356](https://github.com/n8n-io/n8n/commit/d3f635657c7514296fd0a473ba13672db2717490))
+* **Postgres Node:** Empty return data fix for Postgres and MySQL ([#7016](https://github.com/n8n-io/n8n/issues/7016)) ([176ccd6](https://github.com/n8n-io/n8n/commit/176ccd62bc1d6f28958c0fc894ee647f1e3a5f6e))
+* **Webhook Node:** Fix URL params for webhooks ([#6986](https://github.com/n8n-io/n8n/issues/6986)) ([596b569](https://github.com/n8n-io/n8n/commit/596b5695cdcca33da02bec428d58de8b2a13297e))
+
+
+### Features
+
+* **core:** Add filtering, selection and pagination to users ([#6994](https://github.com/n8n-io/n8n/issues/6994)) ([b716241](https://github.com/n8n-io/n8n/commit/b716241b428ef09cf6bdf32cb3a8680e9ba8f25f))
+* **core:** Add MFA ([#4767](https://github.com/n8n-io/n8n/issues/4767)) ([2b7ba6f](https://github.com/n8n-io/n8n/commit/2b7ba6fdf100ef78b60358648d773e2f200847b8))
+* **editor:** Debug executions in the editor ([#6834](https://github.com/n8n-io/n8n/issues/6834)) ([c833078](https://github.com/n8n-io/n8n/commit/c833078c87adeadb1e701f17d3f380c669eb1460))
+* External Secrets storage for credentials ([#6477](https://github.com/n8n-io/n8n/issues/6477)) ([ed927d3](https://github.com/n8n-io/n8n/commit/ed927d34b25b4ddd7048b622c141e32a8a57b6b7))
+* **RSS Read Node:** Add support for self signed certificates ([#7039](https://github.com/n8n-io/n8n/issues/7039)) ([3b9f0fe](https://github.com/n8n-io/n8n/commit/3b9f0fed7af2d3a234049ab7d50d883ee4608007))
+
+
+
 # [1.4.0](https://github.com/n8n-io/n8n/compare/n8n@1.3.0...n8n@1.4.0) (2023-08-23)
 
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 529bab60aaef1..4adfd050d4acd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -65,7 +65,7 @@ dependencies are installed and the packages get linked correctly. Here's a short
 
 #### pnpm
 
-[pnpm](https://pnpm.io/) version 7.18 or newer is required for development purposes. We recommend installing it with [corepack](#corepack).
+[pnpm](https://pnpm.io/) version 8.7 or newer is required for development purposes. We recommend installing it with [corepack](#corepack).
 
 ##### pnpm workspaces
 
diff --git a/cypress/e2e/27-two-factor-authentication.cy.ts b/cypress/e2e/27-two-factor-authentication.cy.ts
new file mode 100644
index 0000000000000..e2aa0d0f9608a
--- /dev/null
+++ b/cypress/e2e/27-two-factor-authentication.cy.ts
@@ -0,0 +1,69 @@
+import { MainSidebar } from './../pages/sidebar/main-sidebar';
+import { INSTANCE_OWNER, BACKEND_BASE_URL } from '../constants';
+import { SigninPage } from '../pages';
+import { PersonalSettingsPage } from '../pages/settings-personal';
+import { MfaLoginPage } from '../pages/mfa-login';
+import generateOTPToken from 'cypress-otp';
+
+const MFA_SECRET = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD';
+
+const RECOVERY_CODE = 'd04ea17f-e8b2-4afa-a9aa-57a2c735b30e';
+
+const user = {
+	email: INSTANCE_OWNER.email,
+	password: INSTANCE_OWNER.password,
+	firstName: 'User',
+	lastName: 'A',
+	mfaEnabled: false,
+	mfaSecret: MFA_SECRET,
+	mfaRecoveryCodes: [RECOVERY_CODE],
+};
+
+const mfaLoginPage = new MfaLoginPage();
+const signinPage = new SigninPage();
+const personalSettingsPage = new PersonalSettingsPage();
+const mainSidebar = new MainSidebar();
+
+describe('Two-factor authentication', () => {
+	beforeEach(() => {
+		Cypress.session.clearAllSavedSessions();
+		cy.request('POST', `${BACKEND_BASE_URL}/rest/e2e/reset`, {
+			owner: user,
+			members: [],
+		});
+		cy.on('uncaught:exception', (err, runnable) => {
+			expect(err.message).to.include('Not logged in');
+			return false;
+		});
+	});
+
+	it('Should be able to login with MFA token', () => {
+		const { email, password } = user;
+		signinPage.actions.loginWithEmailAndPassword(email, password);
+		personalSettingsPage.actions.enableMfa();
+		mainSidebar.actions.signout();
+		const token = generateOTPToken(user.mfaSecret)
+		mfaLoginPage.actions.loginWithMfaToken(email, password, token);
+		mainSidebar.actions.signout();
+	});
+
+	it('Should be able to login with recovery code', () => {
+		const { email, password } = user;
+		signinPage.actions.loginWithEmailAndPassword(email, password);
+		personalSettingsPage.actions.enableMfa();
+		mainSidebar.actions.signout();
+		mfaLoginPage.actions.loginWithRecoveryCode(email, password, user.mfaRecoveryCodes[0]);
+		mainSidebar.actions.signout();
+	});
+
+	it('Should be able to disable MFA in account', () => {
+		const { email, password } = user;
+		signinPage.actions.loginWithEmailAndPassword(email, password);
+		personalSettingsPage.actions.enableMfa();
+		mainSidebar.actions.signout();
+		const token = generateOTPToken(user.mfaSecret)
+		mfaLoginPage.actions.loginWithMfaToken(email, password, token);
+		personalSettingsPage.actions.disableMfa();
+		mainSidebar.actions.signout();
+	});
+});
diff --git a/cypress/e2e/28-debug.cy.ts b/cypress/e2e/28-debug.cy.ts
new file mode 100644
index 0000000000000..ede3b500cb707
--- /dev/null
+++ b/cypress/e2e/28-debug.cy.ts
@@ -0,0 +1,129 @@
+import {
+	HTTP_REQUEST_NODE_NAME, IF_NODE_NAME,
+	INSTANCE_OWNER,
+	MANUAL_TRIGGER_NODE_NAME,
+	SET_NODE_NAME,
+} from '../constants';
+import { WorkflowPage, NDV, WorkflowExecutionsTab } from '../pages';
+
+const workflowPage = new WorkflowPage();
+const ndv = new NDV();
+const executionsTab = new WorkflowExecutionsTab();
+
+describe('Debug', () => {
+		it('should be able to debug executions', () => {
+				cy.intercept('GET', '/rest/settings', (req) => {
+					req.on('response', (res) => {
+						res.send({
+							data: { ...res.body.data, enterprise: { debugInEditor: true } },
+						});
+					});
+				}).as('loadSettings');
+				cy.intercept('GET', '/rest/executions?filter=*').as('getExecutions');
+				cy.intercept('GET', '/rest/executions/*').as('getExecution');
+				cy.intercept('GET', '/rest/executions-current?filter=*').as('getCurrentExecutions');
+				cy.intercept('POST', '/rest/workflows/run').as('postWorkflowRun');
+
+				cy.signin({ email: INSTANCE_OWNER.email, password: INSTANCE_OWNER.password });
+
+				workflowPage.actions.visit();
+
+        workflowPage.actions.addInitialNodeToCanvas(MANUAL_TRIGGER_NODE_NAME);
+        workflowPage.actions.addNodeToCanvas(HTTP_REQUEST_NODE_NAME);
+        workflowPage.actions.openNode(HTTP_REQUEST_NODE_NAME);
+        ndv.actions.typeIntoParameterInput('url', 'https://foo.bar');
+        ndv.actions.close();
+
+        workflowPage.actions.addNodeToCanvas(SET_NODE_NAME, true);
+
+        workflowPage.actions.saveWorkflowUsingKeyboardShortcut();
+        workflowPage.actions.executeWorkflow();
+
+        cy.wait(['@postWorkflowRun']);
+
+        executionsTab.actions.switchToExecutionsTab();
+
+        cy.wait(['@getExecutions', '@getCurrentExecutions']);
+
+        executionsTab.getters.executionDebugButton().should('have.text', 'Debug in editor').click();
+			  cy.get('.el-notification').contains('Execution data imported').should('be.visible');
+			  cy.get('.matching-pinned-nodes-confirmation').should('not.exist');
+
+
+        workflowPage.actions.openNode(HTTP_REQUEST_NODE_NAME);
+        ndv.actions.clearParameterInput('url');
+        ndv.actions.typeIntoParameterInput('url', 'https://postman-echo.com/get?foo1=bar1&foo2=bar2');
+        ndv.actions.close();
+
+        workflowPage.actions.saveWorkflowUsingKeyboardShortcut();
+        workflowPage.actions.executeWorkflow();
+
+        cy.wait(['@postWorkflowRun']);
+
+			  workflowPage.actions.openNode(HTTP_REQUEST_NODE_NAME);
+			  ndv.actions.pinData();
+			  ndv.actions.close();
+
+        executionsTab.actions.switchToExecutionsTab();
+
+        cy.wait(['@getExecutions', '@getCurrentExecutions']);
+
+        executionsTab.getters.executionListItems().should('have.length', 2).first().click();
+        cy.wait(['@getExecution']);
+
+        executionsTab.getters.executionDebugButton().should('have.text', 'Copy to editor').click();
+
+			  let confirmDialog = cy.get('.matching-pinned-nodes-confirmation').filter(':visible');
+			  confirmDialog.find('li').should('have.length', 2);
+			  confirmDialog.get('.btn--cancel').click();
+
+				cy.wait(['@getExecutions', '@getCurrentExecutions']);
+
+				executionsTab.getters.executionListItems().should('have.length', 2).first().click();
+				cy.wait(['@getExecution']);
+
+			  executionsTab.getters.executionDebugButton().should('have.text', 'Copy to editor').click();
+
+				confirmDialog = cy.get('.matching-pinned-nodes-confirmation').filter(':visible');
+				confirmDialog.find('li').should('have.length', 2);
+			  confirmDialog.get('.btn--confirm').click();
+
+				workflowPage.getters.canvasNodes().first().should('have.descendants', '.node-pin-data-icon');
+			  workflowPage.getters.canvasNodes().not(':first').should('not.have.descendants', '.node-pin-data-icon');
+
+			  cy.reload(true);
+			  cy.wait(['@getExecution']);
+
+				confirmDialog = cy.get('.matching-pinned-nodes-confirmation').filter(':visible');
+				confirmDialog.find('li').should('have.length', 1);
+				confirmDialog.get('.btn--confirm').click();
+
+			  workflowPage.getters.canvasNodePlusEndpointByName(SET_NODE_NAME).click();
+			  workflowPage.actions.addNodeToCanvas(IF_NODE_NAME, false);
+			  workflowPage.actions.saveWorkflowUsingKeyboardShortcut();
+
+			  executionsTab.actions.switchToExecutionsTab();
+			  cy.wait(['@getExecutions', '@getCurrentExecutions']);
+			  executionsTab.getters.executionDebugButton().should('have.text', 'Copy to editor').click();
+
+				confirmDialog = cy.get('.matching-pinned-nodes-confirmation').filter(':visible');
+				confirmDialog.find('li').should('have.length', 1);
+				confirmDialog.get('.btn--confirm').click();
+			  workflowPage.getters.canvasNodes().last().find('.node-info-icon').should('be.empty');
+
+			  workflowPage.getters.canvasNodes().first().dblclick();
+			  ndv.getters.pinDataButton().click();
+			  ndv.actions.close();
+
+			  workflowPage.actions.saveWorkflowUsingKeyboardShortcut();
+			  workflowPage.actions.executeWorkflow();
+				workflowPage.actions.deleteNode(IF_NODE_NAME);
+
+			  executionsTab.actions.switchToExecutionsTab();
+				cy.wait(['@getExecutions', '@getCurrentExecutions']);
+				executionsTab.getters.executionListItems().should('have.length', 3).first().click();
+				cy.wait(['@getExecution']);
+			  executionsTab.getters.executionDebugButton().should('have.text', 'Copy to editor').click();
+			  cy.get('.el-notification').contains('Some execution data wasn\'t imported').should('be.visible');
+		});
+});
diff --git a/cypress/e2e/5-ndv.cy.ts b/cypress/e2e/5-ndv.cy.ts
index 67010b4a13df3..a729ddffaceda 100644
--- a/cypress/e2e/5-ndv.cy.ts
+++ b/cypress/e2e/5-ndv.cy.ts
@@ -288,4 +288,29 @@ describe('NDV', () => {
 			ndv.getters.parameterInput('value').clear();
 		});
 	});
+
+	it('should flag issues as soon as params are set', () => {
+		workflowPage.actions.addInitialNodeToCanvas('Webhook');
+		workflowPage.getters.canvasNodes().first().dblclick();
+
+		workflowPage.getters.nodeIssuesByName('Webhook').should('not.exist');
+		ndv.getters.nodeExecuteButton().should('not.be.disabled');
+		ndv.getters.triggerPanelExecuteButton().should('exist');
+
+		ndv.getters.parameterInput('path').clear();
+
+		ndv.getters.nodeExecuteButton().should('be.disabled');
+		ndv.getters.triggerPanelExecuteButton().should('not.exist');
+		ndv.actions.close();
+		workflowPage.getters.nodeIssuesByName('Webhook').should('exist');
+
+		workflowPage.getters.canvasNodes().first().dblclick();
+		ndv.getters.parameterInput('path').type('t')
+
+		ndv.getters.nodeExecuteButton().should('not.be.disabled');
+		ndv.getters.triggerPanelExecuteButton().should('exist');
+
+		ndv.actions.close();
+		workflowPage.getters.nodeIssuesByName('Webhook').should('not.exist');
+	});
 });
diff --git a/cypress/e2e/6-code-node.cy.ts b/cypress/e2e/6-code-node.cy.ts
index 0ed9ba5089b6b..bd266562f5d10 100644
--- a/cypress/e2e/6-code-node.cy.ts
+++ b/cypress/e2e/6-code-node.cy.ts
@@ -110,23 +110,17 @@ describe('Code node', () => {
 					statusCode: 200,
 					body: {
 						data: {
-							code: 'console.log("Hello World")',
-							usage: {
-								prompt_tokens: 15,
-								completion_tokens: 15,
-								total_tokens: 30
-							}
+							code: 'console.log("Hello World")'
 						},
 					}
 				}).as('ask-ai');
+
 				cy.getByTestId('ask-ai-cta').click();
-				cy.wait('@ask-ai')
-					.its('request.body')
-					.should('deep.include', {
-						question: prompt,
-						model: "gpt-3.5-turbo-16k",
-						context: { schema: [] }
-					});
+				const askAiReq = cy.wait('@ask-ai')
+
+				askAiReq.its('request.body').should('have.keys', ['question', 'model', 'context', 'n8nVersion']);
+
+				askAiReq.its('context').should('have.keys', ['schema', 'ndvSessionId', 'sessionId']);
 
 				cy.contains('Code generation completed').should('be.visible')
 				cy.getByTestId('code-node-tab-code').should('contain.text', 'console.log("Hello World")');
diff --git a/cypress/pages/index.ts b/cypress/pages/index.ts
index 4d95611a12129..18e3649e1acda 100644
--- a/cypress/pages/index.ts
+++ b/cypress/pages/index.ts
@@ -8,3 +8,5 @@ export * from './settings-log-streaming';
 export * from './sidebar';
 export * from './ndv';
 export * from './bannerStack';
+export * from './workflow-executions-tab';
+export * from './signin';
diff --git a/cypress/pages/mfa-login.ts b/cypress/pages/mfa-login.ts
new file mode 100644
index 0000000000000..50ca5adab7f98
--- /dev/null
+++ b/cypress/pages/mfa-login.ts
@@ -0,0 +1,77 @@
+import { N8N_AUTH_COOKIE } from '../constants';
+import { BasePage } from './base';
+import { SigninPage } from './signin';
+import { WorkflowsPage } from './workflows';
+
+export class MfaLoginPage extends BasePage {
+	url = '/mfa';
+	getters = {
+		form: () => cy.getByTestId('mfa-login-form'),
+		token: () => cy.getByTestId('token'),
+		recoveryCode: () => cy.getByTestId('recoveryCode'),
+		enterRecoveryCodeButton: () => cy.getByTestId('mfa-enter-recovery-code-button'),
+	};
+
+	actions = {
+		loginWithMfaToken: (email: string, password: string, mfaToken: string) => {
+			const signinPage = new SigninPage();
+			const workflowsPage = new WorkflowsPage();
+
+			cy.session(
+				[mfaToken],
+				() => {
+					cy.visit(signinPage.url);
+
+					signinPage.getters.form().within(() => {
+						signinPage.getters.email().type(email);
+						signinPage.getters.password().type(password);
+						signinPage.getters.submit().click();
+					});
+
+					this.getters.form().within(() => {
+						this.getters.token().type(mfaToken);
+					});
+
+					// we should be redirected to /workflows
+					cy.url().should('include', workflowsPage.url);
+				},
+				{
+					validate() {
+						cy.getCookie(N8N_AUTH_COOKIE).should('exist');
+					},
+				},
+			);
+		},
+		loginWithRecoveryCode: (email: string, password: string, recoveryCode: string) => {
+			const signinPage = new SigninPage();
+			const workflowsPage = new WorkflowsPage();
+
+			cy.session(
+				[recoveryCode],
+				() => {
+					cy.visit(signinPage.url);
+
+					signinPage.getters.form().within(() => {
+						signinPage.getters.email().type(email);
+						signinPage.getters.password().type(password);
+						signinPage.getters.submit().click();
+					});
+
+					this.getters.enterRecoveryCodeButton().click();
+
+					this.getters.form().within(() => {
+						this.getters.recoveryCode().type(recoveryCode);
+					});
+
+					// we should be redirected to /workflows
+					cy.url().should('include', workflowsPage.url);
+				},
+				{
+					validate() {
+						cy.getCookie(N8N_AUTH_COOKIE).should('exist');
+					},
+				},
+			);
+		},
+	};
+}
diff --git a/cypress/pages/modals/mfa-setup-modal.ts b/cypress/pages/modals/mfa-setup-modal.ts
new file mode 100644
index 0000000000000..d127731be278d
--- /dev/null
+++ b/cypress/pages/modals/mfa-setup-modal.ts
@@ -0,0 +1,11 @@
+import { BasePage } from './../base';
+
+export class MfaSetupModal extends BasePage {
+	getters = {
+		modalContainer: () => cy.getByTestId('changePassword-modal').last(),
+		tokenInput: () => cy.getByTestId('mfa-token-input'),
+		copySecretToClipboardButton: () => cy.getByTestId('mfa-secret-button'),
+		downloadRecoveryCodesButton: () => cy.getByTestId('mfa-recovery-codes-button'),
+		saveButton: () => cy.getByTestId('mfa-save-button'),
+	};
+}
diff --git a/cypress/pages/ndv.ts b/cypress/pages/ndv.ts
index 301de78cfe5a3..0cd8e0913b863 100644
--- a/cypress/pages/ndv.ts
+++ b/cypress/pages/ndv.ts
@@ -8,6 +8,7 @@ export class NDV extends BasePage {
 		copyInput: () => cy.getByTestId('copy-input'),
 		credentialInput: (eq = 0) => cy.getByTestId('node-credentials-select').eq(eq),
 		nodeExecuteButton: () => cy.getByTestId('node-execute-button'),
+		triggerPanelExecuteButton: () => cy.getByTestId('trigger-execute-button'),
 		inputSelect: () => cy.getByTestId('ndv-input-select'),
 		inputOption: () => cy.getByTestId('ndv-input-option'),
 		inputPanel: () => cy.getByTestId('ndv-input-panel'),
diff --git a/cypress/pages/settings-personal.ts b/cypress/pages/settings-personal.ts
index 554455ef73420..671b5e21a2129 100644
--- a/cypress/pages/settings-personal.ts
+++ b/cypress/pages/settings-personal.ts
@@ -1,10 +1,15 @@
 import { ChangePasswordModal } from './modals/change-password-modal';
+import { MfaSetupModal } from './modals/mfa-setup-modal';
 import { BasePage } from './base';
+import generateOTPToken from 'cypress-otp';
 
 const changePasswordModal = new ChangePasswordModal();
+const mfaSetupModal = new MfaSetupModal();
 
 export class PersonalSettingsPage extends BasePage {
 	url = '/settings/personal';
+	secret = '';
+
 	getters = {
 		currentUserName: () => cy.getByTestId('current-user-name'),
 		firstNameInput: () => cy.getByTestId('firstName').find('input').first(),
@@ -13,6 +18,8 @@ export class PersonalSettingsPage extends BasePage {
 		emailInput: () => cy.getByTestId('email').find('input').first(),
 		changePasswordLink: () => cy.getByTestId('change-password-link').first(),
 		saveSettingsButton: () => cy.getByTestId('save-settings-button'),
+		enableMfaButton: () => cy.getByTestId('enable-mfa-button'),
+		disableMfaButton: () => cy.getByTestId('disable-mfa-button'),
 	};
 	actions = {
 		loginAndVisit: (email: string, password: string) => {
@@ -50,5 +57,21 @@ export class PersonalSettingsPage extends BasePage {
 			this.actions.loginAndVisit(email, password);
 			cy.url().should('match', new RegExp(this.url));
 		},
+		enableMfa: () => {
+			cy.visit(this.url);
+			this.getters.enableMfaButton().click();
+			mfaSetupModal.getters.copySecretToClipboardButton().realClick();
+			cy.readClipboard().then((secret) => {
+				const token = generateOTPToken(secret)
+
+				mfaSetupModal.getters.tokenInput().type(token);
+				mfaSetupModal.getters.downloadRecoveryCodesButton().click();
+				mfaSetupModal.getters.saveButton().click();
+			});
+		},
+		disableMfa: () => {
+			cy.visit(this.url);
+			this.getters.disableMfaButton().click();
+		},
 	};
 }
diff --git a/cypress/pages/sidebar/main-sidebar.ts b/cypress/pages/sidebar/main-sidebar.ts
index 789d63545f6e9..1559d3da65c7f 100644
--- a/cypress/pages/sidebar/main-sidebar.ts
+++ b/cypress/pages/sidebar/main-sidebar.ts
@@ -1,6 +1,8 @@
 import { BasePage } from '../base';
 import { WorkflowsPage } from '../workflows';
 
+const workflowsPage = new WorkflowsPage();
+
 export class MainSidebar extends BasePage {
 	getters = {
 		menuItem: (menuLabel: string) =>
@@ -25,7 +27,7 @@ export class MainSidebar extends BasePage {
 			this.getters.credentials().click();
 		},
 		openUserMenu: () => {
-			this.getters.userMenu().find('[role="button"]').last().click();
+			this.getters.userMenu().click();
 		},
 		openUserMenu: () => {
 			this.getters.userMenu().click();
diff --git a/cypress/pages/signin.ts b/cypress/pages/signin.ts
new file mode 100644
index 0000000000000..1b2b35c22fbb4
--- /dev/null
+++ b/cypress/pages/signin.ts
@@ -0,0 +1,41 @@
+import { N8N_AUTH_COOKIE } from '../constants';
+import { BasePage } from './base';
+import { WorkflowsPage } from './workflows';
+
+export class SigninPage extends BasePage {
+	url = '/signin';
+	getters = {
+		form: () => cy.getByTestId('auth-form'),
+		email: () => cy.getByTestId('email'),
+		password: () => cy.getByTestId('password'),
+		submit: () => cy.get('button'),
+	};
+
+	actions = {
+		loginWithEmailAndPassword: (email: string, password: string) => {
+			const signinPage = new SigninPage();
+			const workflowsPage = new WorkflowsPage();
+
+			cy.session(
+				[email, password],
+				() => {
+					cy.visit(signinPage.url);
+
+					this.getters.form().within(() => {
+						this.getters.email().type(email);
+						this.getters.password().type(password);
+						this.getters.submit().click();
+					});
+
+					// we should be redirected to /workflows
+					cy.url().should('include', workflowsPage.url);
+				},
+				{
+					validate() {
+						cy.getCookie(N8N_AUTH_COOKIE).should('exist');
+					},
+				},
+			);
+		},
+	};
+}
diff --git a/cypress/pages/workflow-executions-tab.ts b/cypress/pages/workflow-executions-tab.ts
index 674ff6d5f3911..eff3fedd3095b 100644
--- a/cypress/pages/workflow-executions-tab.ts
+++ b/cypress/pages/workflow-executions-tab.ts
@@ -22,6 +22,7 @@ export class WorkflowExecutionsTab extends BasePage {
 			this.getters.executionPreviewDetails().find('[data-test-id="execution-preview-label"]'),
 		executionPreviewId: () =>
 			this.getters.executionPreviewDetails().find('[data-test-id="execution-preview-id"]'),
+		executionDebugButton: () => cy.getByTestId('execution-debug-button'),
 	};
 	actions = {
 		toggleNodeEnabled: (nodeName: string) => {
diff --git a/cypress/pages/workflow.ts b/cypress/pages/workflow.ts
index 950c83be9bc9e..a92736e17906c 100644
--- a/cypress/pages/workflow.ts
+++ b/cypress/pages/workflow.ts
@@ -26,6 +26,10 @@ export class WorkflowPage extends BasePage {
 		canvasNodes: () => cy.getByTestId('canvas-node'),
 		canvasNodeByName: (nodeName: string) =>
 			this.getters.canvasNodes().filter(`:contains(${nodeName})`),
+		nodeIssuesByName: (nodeName: string) =>
+			this.getters.canvasNodes().filter(`:contains(${nodeName})`)
+			.should('have.length.greaterThan', 0)
+			.findChildByTestId('node-issues'),
 		getEndpointSelector: (type: 'input' | 'output' | 'plus', nodeName: string, index = 0) => {
 			return `[data-endpoint-name='${nodeName}'][data-endpoint-type='${type}'][data-input-index='${index}']`;
 		},
diff --git a/cypress/support/commands.ts b/cypress/support/commands.ts
index c215bdf3f7138..c86db382a36e4 100644
--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@@ -41,14 +41,13 @@ Cypress.Commands.add('waitForLoad', (waitForIntercepts = true) => {
 
 Cypress.Commands.add('signin', ({ email, password }) => {
 	Cypress.session.clearAllSavedSessions();
-	cy.session(
-		[email, password],
-		() => cy.request('POST', `${BACKEND_BASE_URL}/rest/login`, { email, password }),
-		{
-			validate() {
-				cy.getCookie(N8N_AUTH_COOKIE).should('exist');
-			},
-		},
+	cy.session([email, password], () =>
+		cy.request({
+			method: 'POST',
+			url: `${BACKEND_BASE_URL}/rest/login`,
+			body: { email, password },
+			failOnStatusCode: false,
+		}),
 	);
 });
 
diff --git a/docker/compose/subfolderWithSSL/docker-compose.yml b/docker/compose/subfolderWithSSL/docker-compose.yml
index 9c4cc247c3801..d989329841aa3 100644
--- a/docker/compose/subfolderWithSSL/docker-compose.yml
+++ b/docker/compose/subfolderWithSSL/docker-compose.yml
@@ -19,6 +19,13 @@ services:
     volumes:
       - ${DATA_FOLDER}/letsencrypt:/letsencrypt
       - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  initContainer:
+    image: busybox
+    command: ['sh', '-c', 'chown -R 1000:1000 /home/node/.n8n']
+    volumes:
+      - ${DATA_FOLDER}/.n8n:/home/node/.n8n
+
   n8n:
     image: docker.n8n.io/n8nio/n8n
     ports:
@@ -50,3 +57,6 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ${DATA_FOLDER}/.n8n:/home/node/.n8n
+    depends_on:
+      initContainer:
+        condition: service_completed_successfully
diff --git a/package.json b/package.json
index da405a61e63bc..b2523cfba098b 100644
--- a/package.json
+++ b/package.json
@@ -1,13 +1,13 @@
 {
   "name": "n8n",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "private": true,
   "homepage": "https://n8n.io",
   "engines": {
     "node": ">=18.10",
-    "pnpm": ">=8.6"
+    "pnpm": ">=8.7"
   },
-  "packageManager": "pnpm@8.6.12",
+  "packageManager": "pnpm@8.7.0",
   "scripts": {
     "preinstall": "node scripts/block-npm-install.js",
     "build": "turbo run build",
@@ -42,6 +42,7 @@
     "@types/supertest": "^2.0.12",
     "@vitest/coverage-v8": "^0.33.0",
     "cross-env": "^7.0.3",
+    "cypress-otp": "^1.0.3",
     "cypress": "^12.17.2",
     "cypress-real-events": "^1.9.1",
     "jest": "^29.6.2",
@@ -79,7 +80,7 @@
       "tslib": "^2.6.1",
       "tsconfig-paths": "^4.2.0",
       "ts-node": "^10.9.1",
-      "typescript": "^5.1.6",
+      "typescript": "^5.2.2",
       "xml2js": "^0.5.0",
       "cpy@8>globby": "^11.1.0",
       "qqjs>globby": "^11.1.0"
@@ -88,7 +89,8 @@
       "typedi@0.10.0": "patches/typedi@0.10.0.patch",
       "@sentry/cli@2.17.0": "patches/@sentry__cli@2.17.0.patch",
       "pkce-challenge@3.0.0": "patches/pkce-challenge@3.0.0.patch",
-      "pyodide@0.23.4": "patches/pyodide@0.23.4.patch"
+      "pyodide@0.23.4": "patches/pyodide@0.23.4.patch",
+      "@types/ws@8.5.4": "patches/@types__ws@8.5.4.patch"
     }
   }
 }
diff --git a/packages/cli/BREAKING-CHANGES.md b/packages/cli/BREAKING-CHANGES.md
index 24db177b505da..a60b6e29fa576 100644
--- a/packages/cli/BREAKING-CHANGES.md
+++ b/packages/cli/BREAKING-CHANGES.md
@@ -2,6 +2,16 @@
 
 This list shows all the versions which include breaking changes and how to upgrade.
 
+## 1.5.0
+
+### What changed?
+
+In the Code node, `console.log` does not output to stdout by default. 
+
+### When is action necessary?
+
+If you were relying on `console.log` for non-manual executions of a Code node, you need to set the env variable `CODE_ENABLE_STDOUT` to `true` to send Code node logs to process's stdout.
+
 ## 1.2.0
 
 ### What changed?
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 80e6a29656539..fdbecf3d5cbb9 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "n8n Workflow Automation Tool",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
@@ -139,6 +139,7 @@
     "formidable": "^3.5.0",
     "google-timezones-json": "^1.1.0",
     "handlebars": "4.7.7",
+    "infisical-node": "^1.3.0",
     "inquirer": "^7.0.1",
     "ioredis": "^5.2.4",
     "json-diff": "^1.0.6",
@@ -159,6 +160,7 @@
     "oauth-1.0a": "^2.2.6",
     "open": "^7.0.0",
     "openapi-types": "^10.0.0",
+    "otpauth": "^9.1.1",
     "p-cancelable": "^2.0.0",
     "p-lazy": "^3.1.0",
     "passport": "^0.6.0",
diff --git a/packages/cli/src/ActiveWorkflowRunner.ts b/packages/cli/src/ActiveWorkflowRunner.ts
index af2d4d75aeec1..c40a103049410 100644
--- a/packages/cli/src/ActiveWorkflowRunner.ts
+++ b/packages/cli/src/ActiveWorkflowRunner.ts
@@ -194,6 +194,9 @@ export class ActiveWorkflowRunner implements IWebhookManager {
 
 		Logger.debug(`Received webhook "${httpMethod}" for path "${path}"`);
 
+		// Reset request parameters
+		request.params = {} as WebhookRequest['params'];
+
 		// Remove trailing slash
 		if (path.endsWith('/')) {
 			path = path.slice(0, -1);
diff --git a/packages/cli/src/CredentialsHelper.ts b/packages/cli/src/CredentialsHelper.ts
index 303b7a0fcb632..f8bfc0cc8ad67 100644
--- a/packages/cli/src/CredentialsHelper.ts
+++ b/packages/cli/src/CredentialsHelper.ts
@@ -31,6 +31,7 @@ import type {
 	IHttpRequestHelper,
 	INodeTypeData,
 	INodeTypes,
+	IWorkflowExecuteAdditionalData,
 	ICredentialTestFunctions,
 } from 'n8n-workflow';
 import {
@@ -342,6 +343,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 	 * @param {boolean} [raw] Return the data as supplied without defaults or overwrites
 	 */
 	async getDecrypted(
+		additionalData: IWorkflowExecuteAdditionalData,
 		nodeCredentials: INodeCredentialsDetails,
 		type: string,
 		mode: WorkflowExecuteMode,
@@ -356,12 +358,18 @@ export class CredentialsHelper extends ICredentialsHelper {
 			return decryptedDataOriginal;
 		}
 
+		await additionalData?.secretsHelpers?.waitForInit();
+
+		const canUseSecrets = await this.credentialOwnedByOwner(nodeCredentials);
+
 		return this.applyDefaultsAndOverwrites(
+			additionalData,
 			decryptedDataOriginal,
 			type,
 			mode,
 			defaultTimezone,
 			expressionResolveValues,
+			canUseSecrets,
 		);
 	}
 
@@ -369,11 +377,13 @@ export class CredentialsHelper extends ICredentialsHelper {
 	 * Applies credential default data and overwrites
 	 */
 	applyDefaultsAndOverwrites(
+		additionalData: IWorkflowExecuteAdditionalData,
 		decryptedDataOriginal: ICredentialDataDecryptedObject,
 		type: string,
 		mode: WorkflowExecuteMode,
 		defaultTimezone: string,
 		expressionResolveValues?: ICredentialsExpressionResolveValues,
+		canUseSecrets?: boolean,
 	): ICredentialDataDecryptedObject {
 		const credentialsProperties = this.getCredentialsProperties(type);
 
@@ -395,6 +405,10 @@ export class CredentialsHelper extends ICredentialsHelper {
 			decryptedData.oauthTokenData = decryptedDataOriginal.oauthTokenData;
 		}
 
+		const additionalKeys = NodeExecuteFunctions.getAdditionalKeys(additionalData, mode, null, {
+			secretsEnabled: canUseSecrets,
+		});
+
 		if (expressionResolveValues) {
 			const timezone = expressionResolveValues.workflow.settings.timezone ?? defaultTimezone;
 
@@ -408,7 +422,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 					expressionResolveValues.connectionInputData,
 					mode,
 					timezone,
-					{},
+					additionalKeys,
 					undefined,
 					false,
 					decryptedData,
@@ -431,7 +445,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 				decryptedData as INodeParameters,
 				mode,
 				defaultTimezone,
-				{},
+				additionalKeys,
 				undefined,
 				undefined,
 				decryptedData,
@@ -573,10 +587,24 @@ export class CredentialsHelper extends ICredentialsHelper {
 		}
 
 		if (credentialsDecrypted.data) {
-			credentialsDecrypted.data = CredentialsOverwrites().applyOverwrite(
-				credentialType,
-				credentialsDecrypted.data,
-			);
+			try {
+				const additionalData = await WorkflowExecuteAdditionalData.getBase(user.id);
+				credentialsDecrypted.data = this.applyDefaultsAndOverwrites(
+					additionalData,
+					credentialsDecrypted.data,
+					credentialType,
+					'internal' as WorkflowExecuteMode,
+					additionalData.timezone,
+					undefined,
+					user.isOwner,
+				);
+			} catch (error) {
+				Logger.debug('Credential test failed', error);
+				return {
+					status: 'Error',
+					message: error.message.toString(),
+				};
+			}
 		}
 
 		if (typeof credentialTestFunction === 'function') {
@@ -759,6 +787,36 @@ export class CredentialsHelper extends ICredentialsHelper {
 			message: 'Connection successful!',
 		};
 	}
+
+	async credentialOwnedByOwner(nodeCredential: INodeCredentialsDetails): Promise<boolean> {
+		if (!nodeCredential.id) {
+			return false;
+		}
+
+		const credential = await Db.collections.SharedCredentials.findOne({
+			where: {
+				role: {
+					scope: 'credential',
+					name: 'owner',
+				},
+				user: {
+					globalRole: {
+						scope: 'global',
+						name: 'owner',
+					},
+				},
+				credentials: {
+					id: nodeCredential.id,
+				},
+			},
+		});
+
+		if (!credential) {
+			return false;
+		}
+
+		return true;
+	}
 }
 
 /**
diff --git a/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts
new file mode 100644
index 0000000000000..10eed808a6eb0
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts
@@ -0,0 +1,102 @@
+import { Authorized, Get, Post, RestController } from '@/decorators';
+import { ExternalSecretsRequest } from '@/requests';
+import { NotFoundError } from '@/ResponseHelper';
+import { Response } from 'express';
+import { Service } from 'typedi';
+import { ProviderNotFoundError, ExternalSecretsService } from './ExternalSecrets.service.ee';
+
+@Service()
+@Authorized(['global', 'owner'])
+@RestController('/external-secrets')
+export class ExternalSecretsController {
+	constructor(private readonly secretsService: ExternalSecretsService) {}
+
+	@Get('/providers')
+	async getProviders() {
+		return this.secretsService.getProviders();
+	}
+
+	@Get('/providers/:provider')
+	async getProvider(req: ExternalSecretsRequest.GetProvider) {
+		const providerName = req.params.provider;
+		try {
+			return this.secretsService.getProvider(providerName);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Post('/providers/:provider/test')
+	async testProviderSettings(req: ExternalSecretsRequest.TestProviderSettings, res: Response) {
+		const providerName = req.params.provider;
+		try {
+			const result = await this.secretsService.testProviderSettings(providerName, req.body);
+			if (result.success) {
+				res.statusCode = 200;
+			} else {
+				res.statusCode = 400;
+			}
+			return result;
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Post('/providers/:provider')
+	async setProviderSettings(req: ExternalSecretsRequest.SetProviderSettings) {
+		const providerName = req.params.provider;
+		try {
+			await this.secretsService.saveProviderSettings(providerName, req.body, req.user.id);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+		return {};
+	}
+
+	@Post('/providers/:provider/connect')
+	async setProviderConnected(req: ExternalSecretsRequest.SetProviderConnected) {
+		const providerName = req.params.provider;
+		try {
+			await this.secretsService.saveProviderConnected(providerName, req.body.connected);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+		return {};
+	}
+
+	@Post('/providers/:provider/update')
+	async updateProvider(req: ExternalSecretsRequest.UpdateProvider, res: Response) {
+		const providerName = req.params.provider;
+		try {
+			const resp = await this.secretsService.updateProvider(providerName);
+			if (resp) {
+				res.statusCode = 200;
+			} else {
+				res.statusCode = 400;
+			}
+			return { updated: resp };
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Get('/secrets')
+	getSecretNames() {
+		return this.secretsService.getAllSecrets();
+	}
+}
diff --git a/packages/cli/src/ExternalSecrets/ExternalSecrets.service.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecrets.service.ee.ts
new file mode 100644
index 0000000000000..9952c8a9b8b36
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/ExternalSecrets.service.ee.ts
@@ -0,0 +1,154 @@
+import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
+import type { SecretsProvider } from '@/Interfaces';
+import type { ExternalSecretsRequest } from '@/requests';
+import type { IDataObject } from 'n8n-workflow';
+import { deepCopy } from 'n8n-workflow';
+import Container, { Service } from 'typedi';
+import { ExternalSecretsManager } from './ExternalSecretsManager.ee';
+
+export class ProviderNotFoundError extends Error {
+	constructor(public providerName: string) {
+		super(undefined);
+	}
+}
+
+@Service()
+export class ExternalSecretsService {
+	getProvider(providerName: string): ExternalSecretsRequest.GetProviderResponse | null {
+		const providerAndSettings =
+			Container.get(ExternalSecretsManager).getProviderWithSettings(providerName);
+		if (!providerAndSettings) {
+			throw new ProviderNotFoundError(providerName);
+		}
+		const { provider, settings } = providerAndSettings;
+		return {
+			displayName: provider.displayName,
+			name: provider.name,
+			icon: provider.name,
+			state: provider.state,
+			connected: settings.connected,
+			connectedAt: settings.connectedAt,
+			properties: provider.properties,
+			data: this.redact(settings.settings, provider),
+		};
+	}
+
+	async getProviders() {
+		return Container.get(ExternalSecretsManager)
+			.getProvidersWithSettings()
+			.map(({ provider, settings }) => ({
+				displayName: provider.displayName,
+				name: provider.name,
+				icon: provider.name,
+				state: provider.state,
+				connected: !!settings.connected,
+				connectedAt: settings.connectedAt,
+				data: this.redact(settings.settings, provider),
+			}));
+	}
+
+	// Take data and replace all sensitive values with a sentinel value.
+	// This will replace password fields and oauth data.
+	redact(data: IDataObject, provider: SecretsProvider): IDataObject {
+		const copiedData = deepCopy(data || {});
+
+		const properties = provider.properties;
+
+		for (const dataKey of Object.keys(copiedData)) {
+			// The frontend only cares that this value isn't falsy.
+			if (dataKey === 'oauthTokenData') {
+				copiedData[dataKey] = CREDENTIAL_BLANKING_VALUE;
+				continue;
+			}
+			const prop = properties.find((v) => v.name === dataKey);
+			if (!prop) {
+				continue;
+			}
+
+			if (
+				prop.typeOptions?.password &&
+				(!(copiedData[dataKey] as string).startsWith('=') || prop.noDataExpression)
+			) {
+				copiedData[dataKey] = CREDENTIAL_BLANKING_VALUE;
+			}
+		}
+
+		return copiedData;
+	}
+
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	private unredactRestoreValues(unmerged: any, replacement: any) {
+		// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+		for (const [key, value] of Object.entries(unmerged)) {
+			if (value === CREDENTIAL_BLANKING_VALUE) {
+				// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
+				unmerged[key] = replacement[key];
+			} else if (
+				typeof value === 'object' &&
+				value !== null &&
+				key in replacement &&
+				// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+				typeof replacement[key] === 'object' &&
+				// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+				replacement[key] !== null
+			) {
+				// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+				this.unredactRestoreValues(value, replacement[key]);
+			}
+		}
+	}
+
+	// Take unredacted data (probably from the DB) and merge it with
+	// redacted data to create an unredacted version.
+	unredact(redactedData: IDataObject, savedData: IDataObject): IDataObject {
+		// Replace any blank sentinel values with their saved version
+		const mergedData = deepCopy(redactedData ?? {});
+		this.unredactRestoreValues(mergedData, savedData);
+		return mergedData;
+	}
+
+	async saveProviderSettings(providerName: string, data: IDataObject, userId: string) {
+		const providerAndSettings =
+			Container.get(ExternalSecretsManager).getProviderWithSettings(providerName);
+		if (!providerAndSettings) {
+			throw new ProviderNotFoundError(providerName);
+		}
+		const { settings } = providerAndSettings;
+		const newData = this.unredact(data, settings.settings);
+		await Container.get(ExternalSecretsManager).setProviderSettings(providerName, newData, userId);
+	}
+
+	async saveProviderConnected(providerName: string, connected: boolean) {
+		const providerAndSettings =
+			Container.get(ExternalSecretsManager).getProviderWithSettings(providerName);
+		if (!providerAndSettings) {
+			throw new ProviderNotFoundError(providerName);
+		}
+		await Container.get(ExternalSecretsManager).setProviderConnected(providerName, connected);
+		return this.getProvider(providerName);
+	}
+
+	getAllSecrets(): Record<string, string[]> {
+		return Container.get(ExternalSecretsManager).getAllSecretNames();
+	}
+
+	async testProviderSettings(providerName: string, data: IDataObject) {
+		const providerAndSettings =
+			Container.get(ExternalSecretsManager).getProviderWithSettings(providerName);
+		if (!providerAndSettings) {
+			throw new ProviderNotFoundError(providerName);
+		}
+		const { settings } = providerAndSettings;
+		const newData = this.unredact(data, settings.settings);
+		return Container.get(ExternalSecretsManager).testProviderSettings(providerName, newData);
+	}
+
+	async updateProvider(providerName: string) {
+		const providerAndSettings =
+			Container.get(ExternalSecretsManager).getProviderWithSettings(providerName);
+		if (!providerAndSettings) {
+			throw new ProviderNotFoundError(providerName);
+		}
+		return Container.get(ExternalSecretsManager).updateProvider(providerName);
+	}
+}
diff --git a/packages/cli/src/ExternalSecrets/ExternalSecretsManager.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecretsManager.ee.ts
new file mode 100644
index 0000000000000..6a0b422377f60
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/ExternalSecretsManager.ee.ts
@@ -0,0 +1,381 @@
+import { SettingsRepository } from '@/databases/repositories';
+import type {
+	ExternalSecretsSettings,
+	SecretsProvider,
+	SecretsProviderSettings,
+} from '@/Interfaces';
+
+import { UserSettings } from 'n8n-core';
+import Container, { Service } from 'typedi';
+
+import { AES, enc } from 'crypto-js';
+import { getLogger } from '@/Logger';
+
+import type { IDataObject } from 'n8n-workflow';
+import {
+	EXTERNAL_SECRETS_INITIAL_BACKOFF,
+	EXTERNAL_SECRETS_MAX_BACKOFF,
+	EXTERNAL_SECRETS_UPDATE_INTERVAL,
+} from './constants';
+import { License } from '@/License';
+import { InternalHooks } from '@/InternalHooks';
+import { ExternalSecretsProviders } from './ExternalSecretsProviders.ee';
+
+const logger = getLogger();
+
+@Service()
+export class ExternalSecretsManager {
+	private providers: Record<string, SecretsProvider> = {};
+
+	private initializingPromise?: Promise<void>;
+
+	private cachedSettings: ExternalSecretsSettings = {};
+
+	initialized = false;
+
+	updateInterval: NodeJS.Timer;
+
+	initRetryTimeouts: Record<string, NodeJS.Timer> = {};
+
+	constructor(
+		private settingsRepo: SettingsRepository,
+		private license: License,
+		private secretsProviders: ExternalSecretsProviders,
+	) {}
+
+	async init(): Promise<void> {
+		if (!this.initialized) {
+			if (!this.initializingPromise) {
+				this.initializingPromise = new Promise<void>(async (resolve) => {
+					await this.internalInit();
+					this.initialized = true;
+					resolve();
+					this.initializingPromise = undefined;
+					this.updateInterval = setInterval(
+						async () => this.updateSecrets(),
+						EXTERNAL_SECRETS_UPDATE_INTERVAL,
+					);
+				});
+			}
+			return this.initializingPromise;
+		}
+	}
+
+	shutdown() {
+		clearInterval(this.updateInterval);
+		Object.values(this.providers).forEach((p) => {
+			// Disregard any errors as we're shutting down anyway
+			void p.disconnect().catch(() => {});
+		});
+		Object.values(this.initRetryTimeouts).forEach((v) => clearTimeout(v));
+	}
+
+	private async getEncryptionKey(): Promise<string> {
+		return UserSettings.getEncryptionKey();
+	}
+
+	private decryptSecretsSettings(value: string, encryptionKey: string): ExternalSecretsSettings {
+		const decryptedData = AES.decrypt(value, encryptionKey);
+
+		try {
+			return JSON.parse(decryptedData.toString(enc.Utf8)) as ExternalSecretsSettings;
+		} catch (e) {
+			throw new Error(
+				'External Secrets Settings could not be decrypted. The likely reason is that a different "encryptionKey" was used to encrypt the data.',
+			);
+		}
+	}
+
+	private async getDecryptedSettings(
+		settingsRepo: SettingsRepository,
+	): Promise<ExternalSecretsSettings | null> {
+		const encryptedSettings = await settingsRepo.getEncryptedSecretsProviderSettings();
+		if (encryptedSettings === null) {
+			return null;
+		}
+		const encryptionKey = await this.getEncryptionKey();
+		return this.decryptSecretsSettings(encryptedSettings, encryptionKey);
+	}
+
+	private async internalInit() {
+		const settings = await this.getDecryptedSettings(this.settingsRepo);
+		if (!settings) {
+			return;
+		}
+		const providers: Array<SecretsProvider | null> = (
+			await Promise.allSettled(
+				Object.entries(settings).map(async ([name, providerSettings]) =>
+					this.initProvider(name, providerSettings),
+				),
+			)
+		).map((i) => (i.status === 'rejected' ? null : i.value));
+		this.providers = Object.fromEntries(
+			(providers.filter((p) => p !== null) as SecretsProvider[]).map((s) => [s.name, s]),
+		);
+		this.cachedSettings = settings;
+		await this.updateSecrets();
+	}
+
+	private async initProvider(
+		name: string,
+		providerSettings: SecretsProviderSettings,
+		currentBackoff = EXTERNAL_SECRETS_INITIAL_BACKOFF,
+	) {
+		const providerClass = this.secretsProviders.getProvider(name);
+		if (!providerClass) {
+			return null;
+		}
+		const provider: SecretsProvider = new providerClass();
+
+		try {
+			await provider.init(providerSettings);
+		} catch (e) {
+			logger.error(
+				`Error initializing secrets provider ${provider.displayName} (${provider.name}).`,
+			);
+			this.retryInitWithBackoff(name, currentBackoff);
+			return provider;
+		}
+
+		try {
+			if (providerSettings.connected) {
+				await provider.connect();
+			}
+		} catch (e) {
+			try {
+				await provider.disconnect();
+			} catch {}
+			logger.error(
+				`Error initializing secrets provider ${provider.displayName} (${provider.name}).`,
+			);
+			this.retryInitWithBackoff(name, currentBackoff);
+			return provider;
+		}
+
+		return provider;
+	}
+
+	private retryInitWithBackoff(name: string, currentBackoff: number) {
+		if (name in this.initRetryTimeouts) {
+			clearTimeout(this.initRetryTimeouts[name]);
+			delete this.initRetryTimeouts[name];
+		}
+		this.initRetryTimeouts[name] = setTimeout(() => {
+			delete this.initRetryTimeouts[name];
+			if (this.providers[name] && this.providers[name].state !== 'error') {
+				return;
+			}
+			void this.reloadProvider(name, Math.min(currentBackoff * 2, EXTERNAL_SECRETS_MAX_BACKOFF));
+		}, currentBackoff);
+	}
+
+	async updateSecrets() {
+		if (!this.license.isExternalSecretsEnabled()) {
+			return;
+		}
+		await Promise.allSettled(
+			Object.entries(this.providers).map(async ([k, p]) => {
+				try {
+					if (this.cachedSettings[k].connected && p.state === 'connected') {
+						await p.update();
+					}
+				} catch {
+					logger.error(`Error updating secrets provider ${p.displayName} (${p.name}).`);
+				}
+			}),
+		);
+	}
+
+	getProvider(provider: string): SecretsProvider | undefined {
+		return this.providers[provider];
+	}
+
+	hasProvider(provider: string): boolean {
+		return provider in this.providers;
+	}
+
+	getProviderNames(): string[] | undefined {
+		return Object.keys(this.providers);
+	}
+
+	getSecret(provider: string, name: string): IDataObject | undefined {
+		return this.getProvider(provider)?.getSecret(name);
+	}
+
+	hasSecret(provider: string, name: string): boolean {
+		return this.getProvider(provider)?.hasSecret(name) ?? false;
+	}
+
+	getSecretNames(provider: string): string[] | undefined {
+		return this.getProvider(provider)?.getSecretNames();
+	}
+
+	getAllSecretNames(): Record<string, string[]> {
+		return Object.fromEntries(
+			Object.keys(this.providers).map((provider) => [
+				provider,
+				this.getSecretNames(provider) ?? [],
+			]),
+		);
+	}
+
+	getProvidersWithSettings(): Array<{
+		provider: SecretsProvider;
+		settings: SecretsProviderSettings;
+	}> {
+		return Object.entries(this.secretsProviders.getAllProviders()).map(([k, c]) => ({
+			provider: this.getProvider(k) ?? new c(),
+			settings: this.cachedSettings[k] ?? {},
+		}));
+	}
+
+	getProviderWithSettings(provider: string):
+		| {
+				provider: SecretsProvider;
+				settings: SecretsProviderSettings;
+		  }
+		| undefined {
+		const providerConstructor = this.secretsProviders.getProvider(provider);
+		if (!providerConstructor) {
+			return undefined;
+		}
+		return {
+			provider: this.getProvider(provider) ?? new providerConstructor(),
+			settings: this.cachedSettings[provider] ?? {},
+		};
+	}
+
+	async reloadProvider(provider: string, backoff = EXTERNAL_SECRETS_INITIAL_BACKOFF) {
+		if (provider in this.providers) {
+			await this.providers[provider].disconnect();
+			delete this.providers[provider];
+		}
+		const newProvider = await this.initProvider(provider, this.cachedSettings[provider], backoff);
+		if (newProvider) {
+			this.providers[provider] = newProvider;
+		}
+	}
+
+	async setProviderSettings(provider: string, data: IDataObject, userId?: string) {
+		let isNewProvider = false;
+		let settings = await this.getDecryptedSettings(this.settingsRepo);
+		if (!settings) {
+			settings = {};
+		}
+		if (!(provider in settings)) {
+			isNewProvider = true;
+		}
+		settings[provider] = {
+			connected: settings[provider]?.connected ?? false,
+			connectedAt: settings[provider]?.connectedAt ?? new Date(),
+			settings: data,
+		};
+
+		await this.saveAndSetSettings(settings, this.settingsRepo);
+		this.cachedSettings = settings;
+		await this.reloadProvider(provider);
+
+		void this.trackProviderSave(provider, isNewProvider, userId);
+	}
+
+	async setProviderConnected(provider: string, connected: boolean) {
+		let settings = await this.getDecryptedSettings(this.settingsRepo);
+		if (!settings) {
+			settings = {};
+		}
+		settings[provider] = {
+			connected,
+			connectedAt: connected ? new Date() : settings[provider]?.connectedAt ?? null,
+			settings: settings[provider]?.settings ?? {},
+		};
+
+		await this.saveAndSetSettings(settings, this.settingsRepo);
+		this.cachedSettings = settings;
+		await this.reloadProvider(provider);
+		await this.updateSecrets();
+	}
+
+	private async trackProviderSave(vaultType: string, isNew: boolean, userId?: string) {
+		let testResult: [boolean] | [boolean, string] | undefined;
+		try {
+			testResult = await this.getProvider(vaultType)?.test();
+		} catch {}
+		void Container.get(InternalHooks).onExternalSecretsProviderSettingsSaved({
+			user_id: userId,
+			vault_type: vaultType,
+			is_new: isNew,
+			is_valid: testResult?.[0] ?? false,
+			error_message: testResult?.[1],
+		});
+	}
+
+	encryptSecretsSettings(settings: ExternalSecretsSettings, encryptionKey: string): string {
+		return AES.encrypt(JSON.stringify(settings), encryptionKey).toString();
+	}
+
+	async saveAndSetSettings(settings: ExternalSecretsSettings, settingsRepo: SettingsRepository) {
+		const encryptionKey = await this.getEncryptionKey();
+		const encryptedSettings = this.encryptSecretsSettings(settings, encryptionKey);
+		await settingsRepo.saveEncryptedSecretsProviderSettings(encryptedSettings);
+	}
+
+	async testProviderSettings(
+		provider: string,
+		data: IDataObject,
+	): Promise<{
+		success: boolean;
+		testState: 'connected' | 'tested' | 'error';
+		error?: string;
+	}> {
+		let testProvider: SecretsProvider | null = null;
+		try {
+			testProvider = await this.initProvider(provider, {
+				connected: true,
+				connectedAt: new Date(),
+				settings: data,
+			});
+			if (!testProvider) {
+				return {
+					success: false,
+					testState: 'error',
+				};
+			}
+			const [success, error] = await testProvider.test();
+			let testState: 'connected' | 'tested' | 'error' = 'error';
+			if (success && this.cachedSettings[provider]?.connected) {
+				testState = 'connected';
+			} else if (success) {
+				testState = 'tested';
+			}
+			return {
+				success,
+				testState,
+				error,
+			};
+		} catch {
+			return {
+				success: false,
+				testState: 'error',
+			};
+		} finally {
+			if (testProvider) {
+				await testProvider.disconnect();
+			}
+		}
+	}
+
+	async updateProvider(provider: string): Promise<boolean> {
+		if (!this.license.isExternalSecretsEnabled()) {
+			return false;
+		}
+		if (!this.providers[provider] || this.providers[provider].state !== 'connected') {
+			return false;
+		}
+		try {
+			await this.providers[provider].update();
+			return true;
+		} catch {
+			return false;
+		}
+	}
+}
diff --git a/packages/cli/src/ExternalSecrets/ExternalSecretsProviders.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecretsProviders.ee.ts
new file mode 100644
index 0000000000000..a0e9353699af0
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/ExternalSecretsProviders.ee.ts
@@ -0,0 +1,24 @@
+import type { SecretsProvider } from '@/Interfaces';
+import { Service } from 'typedi';
+import { InfisicalProvider } from './providers/infisical';
+import { VaultProvider } from './providers/vault';
+
+@Service()
+export class ExternalSecretsProviders {
+	providers: Record<string, { new (): SecretsProvider }> = {
+		infisical: InfisicalProvider,
+		vault: VaultProvider,
+	};
+
+	getProvider(name: string): { new (): SecretsProvider } | null {
+		return this.providers[name] ?? null;
+	}
+
+	hasProvider(name: string) {
+		return name in this.providers;
+	}
+
+	getAllProviders() {
+		return this.providers;
+	}
+}
diff --git a/packages/cli/src/ExternalSecrets/constants.ts b/packages/cli/src/ExternalSecrets/constants.ts
new file mode 100644
index 0000000000000..534b4ceb72d0a
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/constants.ts
@@ -0,0 +1,6 @@
+export const EXTERNAL_SECRETS_DB_KEY = 'feature.externalSecrets';
+export const EXTERNAL_SECRETS_UPDATE_INTERVAL = 5 * 60 * 1000;
+export const EXTERNAL_SECRETS_INITIAL_BACKOFF = 10 * 1000;
+export const EXTERNAL_SECRETS_MAX_BACKOFF = 5 * 60 * 1000;
+
+export const EXTERNAL_SECRETS_NAME_REGEX = /^[a-zA-Z0-9_]+$/;
diff --git a/packages/cli/src/ExternalSecrets/externalSecretsHelper.ee.ts b/packages/cli/src/ExternalSecrets/externalSecretsHelper.ee.ts
new file mode 100644
index 0000000000000..54885664ff97e
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/externalSecretsHelper.ee.ts
@@ -0,0 +1,7 @@
+import { License } from '@/License';
+import Container from 'typedi';
+
+export function isExternalSecretsEnabled() {
+	const license = Container.get(License);
+	return license.isExternalSecretsEnabled();
+}
diff --git a/packages/cli/src/ExternalSecrets/providers/infisical.ts b/packages/cli/src/ExternalSecrets/providers/infisical.ts
new file mode 100644
index 0000000000000..39a0eb92d4b44
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/providers/infisical.ts
@@ -0,0 +1,153 @@
+import type { SecretsProvider, SecretsProviderSettings, SecretsProviderState } from '@/Interfaces';
+import InfisicalClient from 'infisical-node';
+import { populateClientWorkspaceConfigsHelper } from 'infisical-node/lib/helpers/key';
+import { getServiceTokenData } from 'infisical-node/lib/api/serviceTokenData';
+import type { IDataObject, INodeProperties } from 'n8n-workflow';
+import { EXTERNAL_SECRETS_NAME_REGEX } from '../constants';
+
+export interface InfisicalSettings {
+	token: string;
+	siteURL: string;
+	cacheTTL: number;
+	debug: boolean;
+}
+
+interface InfisicalSecret {
+	secretName: string;
+	secretValue?: string;
+}
+
+interface InfisicalServiceToken {
+	environment?: string;
+	scopes?: Array<{ environment: string; path: string }>;
+}
+
+export class InfisicalProvider implements SecretsProvider {
+	properties: INodeProperties[] = [
+		{
+			displayName:
+				'Need help filling out these fields? <a href="https://docs.n8n.io/external-secrets/#connect-n8n-to-your-secrets-store" target="_blank">Open docs</a>',
+			name: 'notice',
+			type: 'notice',
+			default: '',
+		},
+		{
+			displayName: 'Service Token',
+			name: 'token',
+			type: 'string',
+			hint: 'The Infisical Service Token with read access',
+			default: '',
+			required: true,
+			placeholder: 'e.g. st.64ae963e1874ea.374226a166439dce.39557e4a1b7bdd82',
+			noDataExpression: true,
+			typeOptions: { password: true },
+		},
+		{
+			displayName: 'Site URL',
+			name: 'siteURL',
+			type: 'string',
+			hint: "The absolute URL of the Infisical instance. Change it only if you're self-hosting Infisical.",
+			required: true,
+			noDataExpression: true,
+			placeholder: 'https://app.infisical.com',
+			default: 'https://app.infisical.com',
+		},
+	];
+
+	displayName = 'Infisical';
+
+	name = 'infisical';
+
+	state: SecretsProviderState = 'initializing';
+
+	private cachedSecrets: Record<string, string> = {};
+
+	private client: InfisicalClient;
+
+	private settings: InfisicalSettings;
+
+	private environment: string;
+
+	async init(settings: SecretsProviderSettings): Promise<void> {
+		this.settings = settings.settings as unknown as InfisicalSettings;
+	}
+
+	async update(): Promise<void> {
+		if (!this.client) {
+			throw new Error('Updated attempted on Infisical when initialization failed');
+		}
+		if (!(await this.test())[0]) {
+			throw new Error('Infisical provider test failed during update');
+		}
+		const secrets = (await this.client.getAllSecrets({
+			environment: this.environment,
+			path: '/',
+			attachToProcessEnv: false,
+			includeImports: true,
+		})) as InfisicalSecret[];
+		const newCache = Object.fromEntries(
+			secrets.map((s) => [s.secretName, s.secretValue]),
+		) as Record<string, string>;
+		if (Object.keys(newCache).length === 1 && '' in newCache) {
+			this.cachedSecrets = {};
+		} else {
+			this.cachedSecrets = newCache;
+		}
+	}
+
+	async connect(): Promise<void> {
+		this.client = new InfisicalClient(this.settings);
+		if ((await this.test())[0]) {
+			try {
+				this.environment = await this.getEnvironment();
+				this.state = 'connected';
+			} catch {
+				this.state = 'error';
+			}
+		} else {
+			this.state = 'error';
+		}
+	}
+
+	async getEnvironment(): Promise<string> {
+		const serviceTokenData = (await getServiceTokenData(
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+			this.client.clientConfig,
+		)) as InfisicalServiceToken;
+		if (serviceTokenData.environment) {
+			return serviceTokenData.environment;
+		}
+		if (serviceTokenData.scopes) {
+			return serviceTokenData.scopes[0].environment;
+		}
+		throw new Error("Couldn't find environment for Infisical");
+	}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		if (!this.client) {
+			return [false, 'Client not initialized'];
+		}
+		try {
+			await populateClientWorkspaceConfigsHelper(this.client.clientConfig);
+			return [true];
+		} catch (e) {
+			return [false];
+		}
+	}
+
+	async disconnect(): Promise<void> {
+		//
+	}
+
+	getSecret(name: string): IDataObject {
+		return this.cachedSecrets[name] as unknown as IDataObject;
+	}
+
+	getSecretNames(): string[] {
+		return Object.keys(this.cachedSecrets).filter((k) => EXTERNAL_SECRETS_NAME_REGEX.test(k));
+	}
+
+	hasSecret(name: string): boolean {
+		return name in this.cachedSecrets;
+	}
+}
diff --git a/packages/cli/src/ExternalSecrets/providers/vault.ts b/packages/cli/src/ExternalSecrets/providers/vault.ts
new file mode 100644
index 0000000000000..65ef4a9acf78b
--- /dev/null
+++ b/packages/cli/src/ExternalSecrets/providers/vault.ts
@@ -0,0 +1,559 @@
+import type { SecretsProviderSettings, SecretsProviderState } from '@/Interfaces';
+import { SecretsProvider } from '@/Interfaces';
+import type { IDataObject, INodeProperties } from 'n8n-workflow';
+import type { AxiosInstance, AxiosResponse } from 'axios';
+import axios from 'axios';
+import { getLogger } from '@/Logger';
+import { EXTERNAL_SECRETS_NAME_REGEX } from '../constants';
+
+const logger = getLogger();
+
+type VaultAuthMethod = 'token' | 'usernameAndPassword' | 'appRole';
+
+interface VaultSettings {
+	url: string;
+	namespace?: string;
+	authMethod: VaultAuthMethod;
+
+	// Token
+	token: string;
+	renewToken: boolean;
+
+	// Username and Password
+	username: string;
+	password: string;
+
+	// AppRole
+	roleId: string;
+	secretId: string;
+}
+
+interface VaultResponse<T> {
+	data: T;
+}
+
+interface VaultTokenInfo {
+	accessor: string;
+	creation_time: number;
+	creation_ttl: number;
+	display_name: string;
+	entity_id: string;
+	expire_time: string | null;
+	explicit_max_ttl: number;
+	id: string;
+	issue_time: string;
+	meta: Record<string, string | number>;
+	num_uses: number;
+	orphan: boolean;
+	path: string;
+	policies: string[];
+	ttl: number;
+	renewable: boolean;
+	type: 'kv' | string;
+}
+
+interface VaultMount {
+	accessor: string;
+	config: Record<string, string | number | boolean | null>;
+	description: string;
+	external_entropy_access: boolean;
+	local: boolean;
+	options: Record<string, string | number | boolean | null>;
+	plugin_version: string;
+	running_plugin_version: string;
+	running_sha256: string;
+	seal_wrap: number;
+	type: string;
+	uuid: string;
+}
+
+interface VaultMountsResp {
+	[path: string]: VaultMount;
+}
+
+interface VaultUserPassLoginResp {
+	auth: {
+		client_token: string;
+	};
+}
+
+type VaultAppRoleResp = VaultUserPassLoginResp;
+
+interface VaultSecretList {
+	keys: string[];
+}
+
+export class VaultProvider extends SecretsProvider {
+	properties: INodeProperties[] = [
+		{
+			displayName:
+				'Need help filling out these fields? <a href="https://docs.n8n.io/external-secrets/#connect-n8n-to-your-secrets-store" target="_blank">Open docs</a>',
+			name: 'notice',
+			type: 'notice',
+			default: '',
+		},
+		{
+			displayName: 'Vault URL',
+			name: 'url',
+			type: 'string',
+			required: true,
+			noDataExpression: true,
+			placeholder: 'e.g. https://example.com/v1/',
+			default: '',
+		},
+		{
+			displayName: 'Vault Namespace (optional)',
+			name: 'namespace',
+			type: 'string',
+			hint: 'Leave blank if not using namespaces',
+			required: false,
+			noDataExpression: true,
+			placeholder: 'e.g. admin',
+			default: '',
+		},
+		{
+			displayName: 'Authentication Method',
+			name: 'authMethod',
+			type: 'options',
+			required: true,
+			noDataExpression: true,
+			options: [
+				{ name: 'Token', value: 'token' },
+				{ name: 'Username and Password', value: 'usernameAndPassword' },
+				{ name: 'AppRole', value: 'appRole' },
+			],
+			default: 'token',
+		},
+
+		// Token Auth
+		{
+			displayName: 'Token',
+			name: 'token',
+			type: 'string',
+			default: '',
+			required: true,
+			noDataExpression: true,
+			placeholder: 'e.g. hvs.2OCsZxZA6Z9lChbt0janOOZI',
+			typeOptions: { password: true },
+			displayOptions: {
+				show: {
+					authMethod: ['token'],
+				},
+			},
+		},
+		// {
+		// 	displayName: 'Renew Token',
+		// 	name: 'renewToken',
+		// 	description:
+		// 		'Try to renew Vault token. This will update the settings on this provider when doing so.',
+		// 	type: 'boolean',
+		// 	noDataExpression: true,
+		// 	default: true,
+		// 	displayOptions: {
+		// 		show: {
+		// 			authMethod: ['token'],
+		// 		},
+		// 	},
+		// },
+
+		// Username and Password
+		{
+			displayName: 'Username',
+			name: 'username',
+			type: 'string',
+			default: '',
+			required: true,
+			noDataExpression: true,
+			placeholder: 'Username',
+			displayOptions: {
+				show: {
+					authMethod: ['usernameAndPassword'],
+				},
+			},
+		},
+		{
+			displayName: 'Password',
+			name: 'password',
+			type: 'string',
+			default: '',
+			required: true,
+			noDataExpression: true,
+			placeholder: '***************',
+			typeOptions: { password: true },
+			displayOptions: {
+				show: {
+					authMethod: ['usernameAndPassword'],
+				},
+			},
+		},
+
+		// Username and Password
+		{
+			displayName: 'Role ID',
+			name: 'roleId',
+			type: 'string',
+			default: '',
+			required: true,
+			noDataExpression: true,
+			placeholder: '59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8',
+			displayOptions: {
+				show: {
+					authMethod: ['appRole'],
+				},
+			},
+		},
+		{
+			displayName: 'Secret ID',
+			name: 'secretId',
+			type: 'string',
+			default: '',
+			required: true,
+			noDataExpression: true,
+			placeholder: '84896a0c-1347-aa90-a4f6-aca8b7558780',
+			typeOptions: { password: true },
+			displayOptions: {
+				show: {
+					authMethod: ['appRole'],
+				},
+			},
+		},
+	];
+
+	displayName = 'HashiCorp Vault';
+
+	name = 'vault';
+
+	state: SecretsProviderState = 'initializing';
+
+	private cachedSecrets: Record<string, IDataObject> = {};
+
+	private settings: VaultSettings;
+
+	#currentToken: string | null = null;
+
+	#tokenInfo: VaultTokenInfo | null = null;
+
+	#http: AxiosInstance;
+
+	private refreshTimeout: NodeJS.Timer | null;
+
+	private refreshAbort = new AbortController();
+
+	async init(settings: SecretsProviderSettings): Promise<void> {
+		this.settings = settings.settings as unknown as VaultSettings;
+
+		const baseURL = new URL(this.settings.url);
+
+		this.#http = axios.create({ baseURL: baseURL.toString() });
+		if (this.settings.namespace) {
+			this.#http.interceptors.request.use((config) => {
+				return {
+					...config,
+					// eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-unsafe-assignment
+					headers: { ...config.headers, 'X-Vault-Namespace': this.settings.namespace },
+				};
+			});
+		}
+		this.#http.interceptors.request.use((config) => {
+			if (!this.#currentToken) {
+				return config;
+			}
+			// eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-unsafe-assignment
+			return { ...config, headers: { ...config.headers, 'X-Vault-Token': this.#currentToken } };
+		});
+	}
+
+	async connect(): Promise<void> {
+		if (this.settings.authMethod === 'token') {
+			this.#currentToken = this.settings.token;
+		} else if (this.settings.authMethod === 'usernameAndPassword') {
+			try {
+				this.#currentToken = await this.authUsernameAndPassword(
+					this.settings.username,
+					this.settings.password,
+				);
+			} catch {
+				this.state = 'error';
+				logger.error('Failed to connect to Vault using Username and Password credentials.');
+				return;
+			}
+		} else if (this.settings.authMethod === 'appRole') {
+			try {
+				this.#currentToken = await this.authAppRole(this.settings.roleId, this.settings.secretId);
+			} catch {
+				this.state = 'error';
+				logger.error('Failed to connect to Vault using AppRole credentials.');
+				return;
+			}
+		}
+		try {
+			if (!(await this.test())[0]) {
+				this.state = 'error';
+			} else {
+				this.state = 'connected';
+
+				[this.#tokenInfo] = await this.getTokenInfo();
+				this.setupTokenRefresh();
+			}
+		} catch (e) {
+			this.state = 'error';
+			logger.error('Failed credentials test on Vault connect.');
+		}
+
+		try {
+			await this.update();
+		} catch {
+			logger.warn('Failed to update Vault secrets');
+		}
+	}
+
+	async disconnect(): Promise<void> {
+		if (this.refreshTimeout !== null) {
+			clearTimeout(this.refreshTimeout);
+		}
+		this.refreshAbort.abort();
+	}
+
+	private setupTokenRefresh() {
+		if (!this.#tokenInfo) {
+			return;
+		}
+		// Token never expires
+		if (this.#tokenInfo.expire_time === null) {
+			return;
+		}
+		// Token can't be renewed
+		if (!this.#tokenInfo.renewable) {
+			return;
+		}
+
+		const expireDate = new Date(this.#tokenInfo.expire_time);
+		setTimeout(this.tokenRefresh, (expireDate.valueOf() - Date.now()) / 2);
+	}
+
+	private tokenRefresh = async () => {
+		if (this.refreshAbort.signal.aborted) {
+			return;
+		}
+		try {
+			// We don't actually care about the result of this since it doesn't
+			// return an expire_time
+			await this.#http.post('auth/token/renew-self');
+
+			[this.#tokenInfo] = await this.getTokenInfo();
+
+			if (!this.#tokenInfo) {
+				logger.error('Failed to fetch token info during renewal. Cancelling all future renewals.');
+				return;
+			}
+
+			if (this.refreshAbort.signal.aborted) {
+				return;
+			}
+
+			this.setupTokenRefresh();
+		} catch {
+			logger.error('Failed to renew Vault token. Attempting to reconnect.');
+			void this.connect();
+		}
+	};
+
+	private async authUsernameAndPassword(
+		username: string,
+		password: string,
+	): Promise<string | null> {
+		try {
+			const resp = await this.#http.request<VaultUserPassLoginResp>({
+				method: 'POST',
+				url: `auth/userpass/login/${username}`,
+				responseType: 'json',
+				data: { password },
+			});
+
+			return resp.data.auth.client_token;
+		} catch {
+			return null;
+		}
+	}
+
+	private async authAppRole(roleId: string, secretId: string): Promise<string | null> {
+		try {
+			const resp = await this.#http.request<VaultAppRoleResp>({
+				method: 'POST',
+				url: 'auth/approle/login',
+				responseType: 'json',
+				data: { role_id: roleId, secret_id: secretId },
+			});
+
+			return resp.data.auth.client_token;
+		} catch (e) {
+			return null;
+		}
+	}
+
+	private async getTokenInfo(): Promise<[VaultTokenInfo | null, AxiosResponse]> {
+		const resp = await this.#http.request<VaultResponse<VaultTokenInfo>>({
+			method: 'GET',
+			url: 'auth/token/lookup-self',
+			responseType: 'json',
+			validateStatus: () => true,
+		});
+
+		if (resp.status !== 200 || !resp.data.data) {
+			return [null, resp];
+		}
+		return [resp.data.data, resp];
+	}
+
+	private async getKVSecrets(
+		mountPath: string,
+		kvVersion: string,
+		path: string,
+	): Promise<[string, IDataObject] | null> {
+		let listPath = mountPath;
+		if (kvVersion === '2') {
+			listPath += 'metadata/';
+		}
+		listPath += path;
+		let listResp: AxiosResponse<VaultResponse<VaultSecretList>>;
+		try {
+			listResp = await this.#http.request<VaultResponse<VaultSecretList>>({
+				url: listPath,
+				// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-explicit-any
+				method: 'LIST' as any,
+			});
+		} catch {
+			return null;
+		}
+		const data = Object.fromEntries(
+			(
+				await Promise.allSettled(
+					listResp.data.data.keys.map(async (key): Promise<[string, IDataObject] | null> => {
+						if (key.endsWith('/')) {
+							return this.getKVSecrets(mountPath, kvVersion, path + key);
+						}
+						let secretPath = mountPath;
+						if (kvVersion === '2') {
+							secretPath += 'data/';
+						}
+						secretPath += path + key;
+						try {
+							const secretResp = await this.#http.get<VaultResponse<IDataObject>>(secretPath);
+							return [
+								key,
+								kvVersion === '2'
+									? (secretResp.data.data.data as IDataObject)
+									: secretResp.data.data,
+							];
+						} catch {
+							return null;
+						}
+					}),
+				)
+			)
+				.map((i) => (i.status === 'rejected' ? null : i.value))
+				.filter((v) => v !== null) as Array<[string, IDataObject]>,
+		);
+		const name = path.substring(0, path.length - 1);
+		return [name, data];
+	}
+
+	async update(): Promise<void> {
+		const mounts = await this.#http.get<VaultResponse<VaultMountsResp>>('sys/mounts');
+
+		const kvs = Object.entries(mounts.data.data).filter(([, v]) => v.type === 'kv');
+
+		const secrets = Object.fromEntries(
+			(
+				await Promise.all(
+					kvs.map(async ([basePath, data]): Promise<[string, IDataObject] | null> => {
+						const value = await this.getKVSecrets(basePath, data.options.version as string, '');
+						if (value === null) {
+							return null;
+						}
+						return [basePath.substring(0, basePath.length - 1), value[1]];
+					}),
+				)
+			).filter((v) => v !== null) as Array<[string, IDataObject]>,
+		);
+		this.cachedSecrets = secrets;
+	}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		try {
+			const [token, tokenResp] = await this.getTokenInfo();
+
+			if (token === null) {
+				if (tokenResp.status === 404) {
+					return [false, 'Could not find auth path. Try adding /v1/ to the end of your base URL.'];
+				}
+				return [false, 'Invalid credentials'];
+			}
+
+			const resp = await this.#http.request<VaultResponse<VaultTokenInfo>>({
+				method: 'GET',
+				url: 'sys/mounts',
+				responseType: 'json',
+				validateStatus: () => true,
+			});
+
+			if (resp.status === 403) {
+				return [
+					false,
+					"Couldn't list mounts. Please give these credentials 'read' access to sys/mounts.",
+				];
+			} else if (resp.status !== 200) {
+				return [
+					false,
+					"Couldn't list mounts but wasn't a permissions issue. Please consult your Vault admin.",
+				];
+			}
+
+			return [true];
+		} catch (e) {
+			if (axios.isAxiosError(e)) {
+				if (e.code === 'ECONNREFUSED') {
+					return [
+						false,
+						'Connection refused. Please check the host and port of the server are correct.',
+					];
+				}
+			}
+
+			return [false];
+		}
+	}
+
+	getSecret(name: string): IDataObject {
+		return this.cachedSecrets[name];
+	}
+
+	hasSecret(name: string): boolean {
+		return name in this.cachedSecrets;
+	}
+
+	getSecretNames(): string[] {
+		const getKeys = ([k, v]: [string, IDataObject]): string[] => {
+			if (!EXTERNAL_SECRETS_NAME_REGEX.test(k)) {
+				return [];
+			}
+			if (typeof v === 'object') {
+				const keys: string[] = [];
+				for (const key of Object.keys(v)) {
+					if (!EXTERNAL_SECRETS_NAME_REGEX.test(key)) {
+						continue;
+					}
+					const value = v[key];
+					if (typeof value === 'object' && value !== null) {
+						keys.push(...getKeys([key, value as IDataObject]).map((ok) => `${k}.${ok}`));
+					} else {
+						keys.push(`${k}.${key}`);
+					}
+				}
+				return keys;
+			}
+			return [k];
+		};
+		return Object.entries(this.cachedSecrets).flatMap(getKeys);
+	}
+}
diff --git a/packages/cli/src/Interfaces.ts b/packages/cli/src/Interfaces.ts
index 41ca4088f1d01..b6bd20270dbc2 100644
--- a/packages/cli/src/Interfaces.ts
+++ b/packages/cli/src/Interfaces.ts
@@ -21,6 +21,7 @@ import type {
 	ExecutionStatus,
 	IExecutionsSummary,
 	FeatureFlags,
+	INodeProperties,
 	IUserSettings,
 	IHttpRequestMethods,
 } from 'n8n-workflow';
@@ -460,6 +461,13 @@ export interface IInternalHooksClass {
 	onApiKeyCreated(apiKeyDeletedData: { user: User; public_api: boolean }): Promise<void>;
 	onApiKeyDeleted(apiKeyDeletedData: { user: User; public_api: boolean }): Promise<void>;
 	onVariableCreated(createData: { variable_type: string }): Promise<void>;
+	onExternalSecretsProviderSettingsSaved(saveData: {
+		user_id?: string;
+		vault_type: string;
+		is_valid: boolean;
+		is_new: boolean;
+		error_message?: string;
+	}): Promise<void>;
 }
 
 export interface IVersionNotificationSettings {
@@ -758,14 +766,13 @@ export interface PublicUser {
 	passwordResetToken?: string;
 	createdAt: Date;
 	isPending: boolean;
+	hasRecoveryCodesLeft: boolean;
 	globalRole?: Role;
 	signInType: AuthProviderType;
 	disabled: boolean;
 	settings?: IUserSettings | null;
 	inviteAcceptUrl?: string;
-}
-
-export interface CurrentUser extends PublicUser {
+	isOwner?: boolean;
 	featureFlags?: FeatureFlags;
 }
 
@@ -778,4 +785,35 @@ export interface N8nApp {
 
 export type UserSettings = Pick<User, 'id' | 'settings'>;
 
+export interface SecretsProviderSettings<T = IDataObject> {
+	connected: boolean;
+	connectedAt: Date | null;
+	settings: T;
+}
+
+export interface ExternalSecretsSettings {
+	[key: string]: SecretsProviderSettings;
+}
+
+export type SecretsProviderState = 'initializing' | 'connected' | 'error';
+
+export abstract class SecretsProvider {
+	displayName: string;
+
+	name: string;
+
+	properties: INodeProperties[];
+
+	state: SecretsProviderState;
+
+	abstract init(settings: SecretsProviderSettings): Promise<void>;
+	abstract connect(): Promise<void>;
+	abstract disconnect(): Promise<void>;
+	abstract update(): Promise<void>;
+	abstract test(): Promise<[boolean] | [boolean, string]>;
+	abstract getSecret(name: string): IDataObject | undefined;
+	abstract hasSecret(name: string): boolean;
+	abstract getSecretNames(): string[];
+}
+
 export type N8nInstanceType = 'main' | 'webhook' | 'worker';
diff --git a/packages/cli/src/InternalHooks.ts b/packages/cli/src/InternalHooks.ts
index ebd3bc2570d86..a099d6fd76e89 100644
--- a/packages/cli/src/InternalHooks.ts
+++ b/packages/cli/src/InternalHooks.ts
@@ -1086,4 +1086,14 @@ export class InternalHooks implements IInternalHooksClass {
 	}): Promise<void> {
 		return this.telemetry.track('User finished push via UI', data);
 	}
+
+	async onExternalSecretsProviderSettingsSaved(saveData: {
+		user_id?: string | undefined;
+		vault_type: string;
+		is_valid: boolean;
+		is_new: boolean;
+		error_message?: string | undefined;
+	}): Promise<void> {
+		return this.telemetry.track('User updated external secrets settings', saveData);
+	}
 }
diff --git a/packages/cli/src/License.ts b/packages/cli/src/License.ts
index 267419da9fd27..b296c3a333860 100644
--- a/packages/cli/src/License.ts
+++ b/packages/cli/src/License.ts
@@ -140,6 +140,10 @@ export class License {
 		return this.isFeatureEnabled(LICENSE_FEATURES.SOURCE_CONTROL);
 	}
 
+	isExternalSecretsEnabled() {
+		return this.isFeatureEnabled(LICENSE_FEATURES.EXTERNAL_SECRETS);
+	}
+
 	isWorkflowHistoryLicensed() {
 		return this.isFeatureEnabled(LICENSE_FEATURES.WORKFLOW_HISTORY);
 	}
diff --git a/packages/cli/src/Mfa/constants.ts b/packages/cli/src/Mfa/constants.ts
new file mode 100644
index 0000000000000..bf5e34c3457dd
--- /dev/null
+++ b/packages/cli/src/Mfa/constants.ts
@@ -0,0 +1 @@
+export const MFA_FEATURE_ENABLED = 'mfa.enabled';
diff --git a/packages/cli/src/Mfa/helpers.ts b/packages/cli/src/Mfa/helpers.ts
new file mode 100644
index 0000000000000..8484572533d97
--- /dev/null
+++ b/packages/cli/src/Mfa/helpers.ts
@@ -0,0 +1,21 @@
+import config from '@/config';
+import * as Db from '@/Db';
+import { MFA_FEATURE_ENABLED } from './constants';
+
+export const isMfaFeatureEnabled = () => config.get(MFA_FEATURE_ENABLED);
+
+const isMfaFeatureDisabled = () => !isMfaFeatureEnabled();
+
+const getUsersWithMfaEnabled = async () =>
+	Db.collections.User.count({ where: { mfaEnabled: true } });
+
+export const handleMfaDisable = async () => {
+	if (isMfaFeatureDisabled()) {
+		// check for users with MFA enabled, and if there are
+		// users, then keep the feature enabled
+		const users = await getUsersWithMfaEnabled();
+		if (users) {
+			config.set(MFA_FEATURE_ENABLED, true);
+		}
+	}
+};
diff --git a/packages/cli/src/Mfa/mfa.service.ts b/packages/cli/src/Mfa/mfa.service.ts
new file mode 100644
index 0000000000000..50b0d29f89c44
--- /dev/null
+++ b/packages/cli/src/Mfa/mfa.service.ts
@@ -0,0 +1,79 @@
+import { v4 as uuid } from 'uuid';
+import { AES, enc } from 'crypto-js';
+import { TOTPService } from './totp.service';
+import { Service } from 'typedi';
+import { UserRepository } from '@/databases/repositories';
+
+@Service()
+export class MfaService {
+	constructor(
+		private userRepository: UserRepository,
+		public totp: TOTPService,
+		private encryptionKey: string,
+	) {}
+
+	public generateRecoveryCodes(n = 10) {
+		return Array.from(Array(n)).map(() => uuid());
+	}
+
+	public generateEncryptedRecoveryCodes() {
+		return this.generateRecoveryCodes().map((code) =>
+			AES.encrypt(code, this.encryptionKey).toString(),
+		);
+	}
+
+	public async saveSecretAndRecoveryCodes(userId: string, secret: string, recoveryCodes: string[]) {
+		const { encryptedSecret, encryptedRecoveryCodes } = this.encryptSecretAndRecoveryCodes(
+			secret,
+			recoveryCodes,
+		);
+		return this.userRepository.update(userId, {
+			mfaSecret: encryptedSecret,
+			mfaRecoveryCodes: encryptedRecoveryCodes,
+		});
+	}
+
+	public encryptSecretAndRecoveryCodes(rawSecret: string, rawRecoveryCodes: string[]) {
+		const encryptedSecret = AES.encrypt(rawSecret, this.encryptionKey).toString(),
+			encryptedRecoveryCodes = rawRecoveryCodes.map((code) =>
+				AES.encrypt(code, this.encryptionKey).toString(),
+			);
+		return {
+			encryptedRecoveryCodes,
+			encryptedSecret,
+		};
+	}
+
+	private decryptSecretAndRecoveryCodes(mfaSecret: string, mfaRecoveryCodes: string[]) {
+		return {
+			decryptedSecret: AES.decrypt(mfaSecret, this.encryptionKey).toString(enc.Utf8),
+			decryptedRecoveryCodes: mfaRecoveryCodes.map((code) =>
+				AES.decrypt(code, this.encryptionKey).toString(enc.Utf8),
+			),
+		};
+	}
+
+	public async getSecretAndRecoveryCodes(userId: string) {
+		const { mfaSecret, mfaRecoveryCodes } = await this.userRepository.findOneOrFail({
+			where: { id: userId },
+			select: ['id', 'mfaSecret', 'mfaRecoveryCodes'],
+		});
+		return this.decryptSecretAndRecoveryCodes(mfaSecret ?? '', mfaRecoveryCodes ?? []);
+	}
+
+	public async enableMfa(userId: string) {
+		await this.userRepository.update(userId, { mfaEnabled: true });
+	}
+
+	public encryptRecoveryCodes(mfaRecoveryCodes: string[]) {
+		return mfaRecoveryCodes.map((code) => AES.encrypt(code, this.encryptionKey).toString());
+	}
+
+	public async disableMfa(userId: string) {
+		await this.userRepository.update(userId, {
+			mfaEnabled: false,
+			mfaSecret: null,
+			mfaRecoveryCodes: [],
+		});
+	}
+}
diff --git a/packages/cli/src/Mfa/totp.service.ts b/packages/cli/src/Mfa/totp.service.ts
new file mode 100644
index 0000000000000..ee85c3f100c55
--- /dev/null
+++ b/packages/cli/src/Mfa/totp.service.ts
@@ -0,0 +1,36 @@
+import OTPAuth from 'otpauth';
+export class TOTPService {
+	generateSecret(): string {
+		return new OTPAuth.Secret()?.base32;
+	}
+
+	generateTOTPUri({
+		issuer = 'n8n',
+		secret,
+		label,
+	}: {
+		secret: string;
+		label: string;
+		issuer?: string;
+	}) {
+		return new OTPAuth.TOTP({
+			secret: OTPAuth.Secret.fromBase32(secret),
+			issuer,
+			label,
+		}).toString();
+	}
+
+	verifySecret({ secret, token, window = 2 }: { secret: string; token: string; window?: number }) {
+		return new OTPAuth.TOTP({
+			secret: OTPAuth.Secret.fromBase32(secret),
+		}).validate({ token, window }) === null
+			? false
+			: true;
+	}
+
+	generateTOTP(secret: string) {
+		return OTPAuth.TOTP.generate({
+			secret: OTPAuth.Secret.fromBase32(secret),
+		});
+	}
+}
diff --git a/packages/cli/src/NodeTypes.ts b/packages/cli/src/NodeTypes.ts
index 8bb2335355df9..0f1d6ebddca08 100644
--- a/packages/cli/src/NodeTypes.ts
+++ b/packages/cli/src/NodeTypes.ts
@@ -10,6 +10,9 @@ import { NodeHelpers } from 'n8n-workflow';
 import { Service } from 'typedi';
 import { RESPONSE_ERROR_MESSAGES } from './constants';
 import { LoadNodesAndCredentials } from './LoadNodesAndCredentials';
+import { join, dirname } from 'path';
+import { readdir } from 'fs/promises';
+import type { Dirent } from 'fs';
 
 @Service()
 export class NodeTypes implements INodeTypes {
@@ -78,4 +81,46 @@ export class NodeTypes implements INodeTypes {
 	private get knownNodes() {
 		return this.nodesAndCredentials.known.nodes;
 	}
+
+	async getNodeTranslationPath({
+		nodeSourcePath,
+		longNodeType,
+		locale,
+	}: {
+		nodeSourcePath: string;
+		longNodeType: string;
+		locale: string;
+	}) {
+		const nodeDir = dirname(nodeSourcePath);
+		const maxVersion = await this.getMaxVersion(nodeDir);
+		const nodeType = longNodeType.replace('n8n-nodes-base.', '');
+
+		return maxVersion
+			? join(nodeDir, `v${maxVersion}`, 'translations', locale, `${nodeType}.json`)
+			: join(nodeDir, 'translations', locale, `${nodeType}.json`);
+	}
+
+	private async getMaxVersion(dir: string) {
+		const entries = await readdir(dir, { withFileTypes: true });
+
+		const dirnames = entries.reduce<string[]>((acc, cur) => {
+			if (this.isVersionedDirname(cur)) acc.push(cur.name);
+			return acc;
+		}, []);
+
+		if (!dirnames.length) return null;
+
+		return Math.max(...dirnames.map((d) => parseInt(d.charAt(1), 10)));
+	}
+
+	private isVersionedDirname(dirent: Dirent) {
+		if (!dirent.isDirectory()) return false;
+
+		const ALLOWED_VERSIONED_DIRNAME_LENGTH = [2, 3]; // e.g. v1, v10
+
+		return (
+			ALLOWED_VERSIONED_DIRNAME_LENGTH.includes(dirent.name.length) &&
+			dirent.name.toLowerCase().startsWith('v')
+		);
+	}
 }
diff --git a/packages/cli/src/ResponseHelper.ts b/packages/cli/src/ResponseHelper.ts
index 968b637fe2d4b..0d87b77f644f1 100644
--- a/packages/cli/src/ResponseHelper.ts
+++ b/packages/cli/src/ResponseHelper.ts
@@ -45,8 +45,8 @@ export class BadRequestError extends ResponseError {
 }
 
 export class AuthError extends ResponseError {
-	constructor(message: string) {
-		super(message, 401);
+	constructor(message: string, errorCode?: number) {
+		super(message, 401, errorCode);
 	}
 }
 
diff --git a/packages/cli/src/SecretsHelpers.ts b/packages/cli/src/SecretsHelpers.ts
new file mode 100644
index 0000000000000..d90a0e84c8ca7
--- /dev/null
+++ b/packages/cli/src/SecretsHelpers.ts
@@ -0,0 +1,41 @@
+import type { IDataObject, SecretsHelpersBase } from 'n8n-workflow';
+import { Service } from 'typedi';
+import { ExternalSecretsManager } from './ExternalSecrets/ExternalSecretsManager.ee';
+
+@Service()
+export class SecretsHelper implements SecretsHelpersBase {
+	constructor(private service: ExternalSecretsManager) {}
+
+	async update() {
+		if (!this.service.initialized) {
+			await this.service.init();
+		}
+		await this.service.updateSecrets();
+	}
+
+	async waitForInit() {
+		if (!this.service.initialized) {
+			await this.service.init();
+		}
+	}
+
+	getSecret(provider: string, name: string): IDataObject | undefined {
+		return this.service.getSecret(provider, name);
+	}
+
+	hasSecret(provider: string, name: string): boolean {
+		return this.service.hasSecret(provider, name);
+	}
+
+	hasProvider(provider: string): boolean {
+		return this.service.hasProvider(provider);
+	}
+
+	listProviders(): string[] {
+		return this.service.getProviderNames() ?? [];
+	}
+
+	listSecrets(provider: string): string[] {
+		return this.service.getSecretNames(provider) ?? [];
+	}
+}
diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts
index dd627551a0bc0..6114c40701034 100644
--- a/packages/cli/src/Server.ts
+++ b/packages/cli/src/Server.ts
@@ -88,6 +88,7 @@ import {
 	AuthController,
 	LdapController,
 	MeController,
+	MFAController,
 	NodesController,
 	NodeTypesController,
 	OwnerController,
@@ -98,6 +99,7 @@ import {
 	WorkflowStatisticsController,
 } from '@/controllers';
 
+import { ExternalSecretsController } from '@/ExternalSecrets/ExternalSecrets.controller.ee';
 import { executionsController } from '@/executions/executions.controller';
 import { isApiEnabled, loadPublicApiVersions } from '@/PublicApi';
 import {
@@ -162,11 +164,18 @@ import {
 	isLdapCurrentAuthenticationMethod,
 	isSamlCurrentAuthenticationMethod,
 } from './sso/ssoHelpers';
+import { isExternalSecretsEnabled } from './ExternalSecrets/externalSecretsHelper.ee';
 import { isSourceControlLicensed } from '@/environments/sourceControl/sourceControlHelper.ee';
 import { SourceControlService } from '@/environments/sourceControl/sourceControl.service.ee';
 import { SourceControlController } from '@/environments/sourceControl/sourceControl.controller.ee';
-import { ExecutionRepository } from '@db/repositories';
+import { ExecutionRepository, SettingsRepository } from '@db/repositories';
 import type { ExecutionEntity } from '@db/entities/ExecutionEntity';
+import { TOTPService } from './Mfa/totp.service';
+import { MfaService } from './Mfa/mfa.service';
+import { handleMfaDisable, isMfaFeatureEnabled } from './Mfa/helpers';
+import { JwtService } from './services/jwt.service';
+import { RoleService } from './services/role.service';
+import { UserService } from './services/user.service';
 
 const exec = promisify(callbackExec);
 
@@ -310,9 +319,13 @@ export class Server extends AbstractServer {
 				variables: false,
 				sourceControl: false,
 				auditLogs: false,
+				externalSecrets: false,
 				showNonProdBanner: false,
 				debugInEditor: false,
 			},
+			mfa: {
+				enabled: false,
+			},
 			hideUsagePage: config.getEnv('hideUsagePage'),
 			license: {
 				environment: config.getEnv('license.tenantId') === 1 ? 'production' : 'staging',
@@ -444,6 +457,7 @@ export class Server extends AbstractServer {
 			advancedExecutionFilters: isAdvancedExecutionFiltersEnabled(),
 			variables: isVariablesEnabled(),
 			sourceControl: isSourceControlLicensed(),
+			externalSecrets: isExternalSecretsEnabled(),
 			showNonProdBanner: Container.get(License).isFeatureEnabled(
 				LICENSE_FEATURES.SHOW_NON_PROD_BANNER,
 			),
@@ -471,6 +485,9 @@ export class Server extends AbstractServer {
 		if (config.get('nodes.packagesMissing').length > 0) {
 			this.frontendSettings.missingPackages = true;
 		}
+
+		this.frontendSettings.mfa.enabled = isMfaFeatureEnabled();
+
 		return this.frontendSettings;
 	}
 
@@ -479,54 +496,59 @@ export class Server extends AbstractServer {
 		const repositories = Db.collections;
 		setupAuthMiddlewares(app, ignoredEndpoints, this.restEndpoint);
 
+		const encryptionKey = await UserSettings.getEncryptionKey();
+
 		const logger = LoggerProxy;
 		const internalHooks = Container.get(InternalHooks);
 		const mailer = Container.get(UserManagementMailer);
+		const userService = Container.get(UserService);
+		const jwtService = Container.get(JwtService);
 		const postHog = this.postHog;
+		const mfaService = new MfaService(repositories.User, new TOTPService(), encryptionKey);
 
 		const controllers: object[] = [
 			new EventBusController(),
-			new AuthController({
+			new AuthController(config, logger, internalHooks, mfaService, userService, postHog),
+			new OwnerController(
 				config,
-				internalHooks,
-				repositories,
 				logger,
+				internalHooks,
+				Container.get(SettingsRepository),
+				userService,
 				postHog,
-			}),
-			new OwnerController({
+			),
+			new MeController(logger, externalHooks, internalHooks, userService),
+			new NodeTypesController(config, nodeTypes),
+			new PasswordResetController(
 				config,
-				internalHooks,
-				repositories,
-				logger,
-			}),
-			new MeController({
-				externalHooks,
-				internalHooks,
 				logger,
-			}),
-			new NodeTypesController({ config, nodeTypes }),
-			new PasswordResetController({
-				config,
 				externalHooks,
 				internalHooks,
 				mailer,
-				logger,
-			}),
+				userService,
+				jwtService,
+				mfaService,
+			),
 			Container.get(TagsController),
 			new TranslationController(config, this.credentialTypes),
-			new UsersController({
+			new UsersController(
 				config,
-				mailer,
+				logger,
 				externalHooks,
 				internalHooks,
-				repositories,
+				repositories.SharedCredentials,
+				repositories.SharedWorkflow,
 				activeWorkflowRunner,
-				logger,
+				mailer,
+				jwtService,
+				Container.get(RoleService),
+				userService,
 				postHog,
-			}),
+			),
 			Container.get(SamlController),
 			Container.get(SourceControlController),
 			Container.get(WorkflowStatisticsController),
+			Container.get(ExternalSecretsController),
 		];
 
 		if (isLdapEnabled()) {
@@ -546,6 +568,10 @@ export class Server extends AbstractServer {
 			controllers.push(Container.get(E2EController));
 		}
 
+		if (isMfaFeatureEnabled()) {
+			controllers.push(new MFAController(mfaService));
+		}
+
 		controllers.forEach((controller) => registerController(app, config, controller));
 	}
 
@@ -623,6 +649,8 @@ export class Server extends AbstractServer {
 
 		await handleLdapInit();
 
+		await handleMfaDisable();
+
 		await this.registerControllers(ignoredEndpoints);
 
 		this.app.use(`/${this.restEndpoint}/credentials`, credentialsController);
@@ -924,10 +952,13 @@ export class Server extends AbstractServer {
 					throw new ResponseHelper.InternalServerError(error.message);
 				}
 
+				const additionalData = await WorkflowExecuteAdditionalData.getBase(req.user.id);
+
 				const mode: WorkflowExecuteMode = 'internal';
 				const timezone = config.getEnv('generic.timezone');
 				const credentialsHelper = new CredentialsHelper(encryptionKey);
 				const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+					additionalData,
 					credential as INodeCredentialsDetails,
 					credential.type,
 					mode,
@@ -936,6 +967,7 @@ export class Server extends AbstractServer {
 				);
 
 				const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+					additionalData,
 					decryptedDataOriginal,
 					credential.type,
 					mode,
@@ -1070,10 +1102,13 @@ export class Server extends AbstractServer {
 						throw new ResponseHelper.InternalServerError(error.message);
 					}
 
+					const additionalData = await WorkflowExecuteAdditionalData.getBase(req.user.id);
+
 					const mode: WorkflowExecuteMode = 'internal';
 					const timezone = config.getEnv('generic.timezone');
 					const credentialsHelper = new CredentialsHelper(encryptionKey);
 					const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+						additionalData,
 						credential as INodeCredentialsDetails,
 						credential.type,
 						mode,
@@ -1081,6 +1116,7 @@ export class Server extends AbstractServer {
 						true,
 					);
 					const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+						additionalData,
 						decryptedDataOriginal,
 						credential.type,
 						mode,
diff --git a/packages/cli/src/TestWebhooks.ts b/packages/cli/src/TestWebhooks.ts
index a16d47099bfa1..8ffa9ad7ad863 100644
--- a/packages/cli/src/TestWebhooks.ts
+++ b/packages/cli/src/TestWebhooks.ts
@@ -56,6 +56,9 @@ export class TestWebhooks implements IWebhookManager {
 		const httpMethod = request.method;
 		let path = request.params.path;
 
+		// Reset request parameters
+		request.params = {} as WebhookRequest['params'];
+
 		// Remove trailing slash
 		if (path.endsWith('/')) {
 			path = path.slice(0, -1);
diff --git a/packages/cli/src/TranslationHelpers.ts b/packages/cli/src/TranslationHelpers.ts
deleted file mode 100644
index dd829534a6d78..0000000000000
--- a/packages/cli/src/TranslationHelpers.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import { join, dirname } from 'path';
-import { readdir } from 'fs/promises';
-import type { Dirent } from 'fs';
-
-const ALLOWED_VERSIONED_DIRNAME_LENGTH = [2, 3]; // e.g. v1, v10
-
-function isVersionedDirname(dirent: Dirent) {
-	if (!dirent.isDirectory()) return false;
-
-	return (
-		ALLOWED_VERSIONED_DIRNAME_LENGTH.includes(dirent.name.length) &&
-		dirent.name.toLowerCase().startsWith('v')
-	);
-}
-
-async function getMaxVersion(from: string) {
-	const entries = await readdir(from, { withFileTypes: true });
-
-	const dirnames = entries.reduce<string[]>((acc, cur) => {
-		if (isVersionedDirname(cur)) acc.push(cur.name);
-		return acc;
-	}, []);
-
-	if (!dirnames.length) return null;
-
-	return Math.max(...dirnames.map((d) => parseInt(d.charAt(1), 10)));
-}
-
-/**
- * Get the full path to a node translation file in `/dist`.
- */
-export async function getNodeTranslationPath({
-	nodeSourcePath,
-	longNodeType,
-	locale,
-}: {
-	nodeSourcePath: string;
-	longNodeType: string;
-	locale: string;
-}): Promise<string> {
-	const nodeDir = dirname(nodeSourcePath);
-	const maxVersion = await getMaxVersion(nodeDir);
-	const nodeType = longNodeType.replace('n8n-nodes-base.', '');
-
-	return maxVersion
-		? join(nodeDir, `v${maxVersion}`, 'translations', locale, `${nodeType}.json`)
-		: join(nodeDir, 'translations', locale, `${nodeType}.json`);
-}
diff --git a/packages/cli/src/UserManagement/UserManagementHelper.ts b/packages/cli/src/UserManagement/UserManagementHelper.ts
index 5c119df0deac9..6ec733e675863 100644
--- a/packages/cli/src/UserManagement/UserManagementHelper.ts
+++ b/packages/cli/src/UserManagement/UserManagementHelper.ts
@@ -4,13 +4,12 @@ import { Container } from 'typedi';
 
 import * as Db from '@/Db';
 import * as ResponseHelper from '@/ResponseHelper';
-import type { CurrentUser, PublicUser, WhereClause } from '@/Interfaces';
+import type { WhereClause } from '@/Interfaces';
 import type { User } from '@db/entities/User';
 import { MAX_PASSWORD_LENGTH, MIN_PASSWORD_LENGTH } from '@db/entities/User';
 import config from '@/config';
 import { License } from '@/License';
 import { getWebhookBaseUrl } from '@/WebhookHelpers';
-import type { PostHogClient } from '@/posthog';
 import { RoleService } from '@/services/role.service';
 
 export function isEmailSetUp(): boolean {
@@ -84,59 +83,6 @@ export function validatePassword(password?: string): string {
 	return password;
 }
 
-/**
- * Remove sensitive properties from the user to return to the client.
- */
-export function sanitizeUser(user: User, withoutKeys?: string[]): PublicUser {
-	const { password, updatedAt, apiKey, authIdentities, ...rest } = user;
-	if (withoutKeys) {
-		withoutKeys.forEach((key) => {
-			// @ts-ignore
-			delete rest[key];
-		});
-	}
-	const sanitizedUser: PublicUser = {
-		...rest,
-		signInType: 'email',
-	};
-	const ldapIdentity = authIdentities?.find((i) => i.providerType === 'ldap');
-	if (ldapIdentity) {
-		sanitizedUser.signInType = 'ldap';
-	}
-	return sanitizedUser;
-}
-
-export async function withFeatureFlags(
-	postHog: PostHogClient | undefined,
-	user: CurrentUser,
-): Promise<CurrentUser> {
-	if (!postHog) {
-		return user;
-	}
-
-	// native PostHog implementation has default 10s timeout and 3 retries.. which cannot be updated without affecting other functionality
-	// https://github.com/PostHog/posthog-js-lite/blob/a182de80a433fb0ffa6859c10fb28084d0f825c2/posthog-core/src/index.ts#L67
-	const timeoutPromise = new Promise<CurrentUser>((resolve) => {
-		setTimeout(() => {
-			resolve(user);
-		}, 1500);
-	});
-
-	const fetchPromise = new Promise<CurrentUser>(async (resolve) => {
-		user.featureFlags = await postHog.getFeatureFlags(user);
-		resolve(user);
-	});
-
-	return Promise.race([fetchPromise, timeoutPromise]);
-}
-
-export function addInviteLinkToUser(user: PublicUser, inviterId: string): PublicUser {
-	if (user.isPending) {
-		user.inviteAcceptUrl = generateUserInviteUrl(inviterId, user.id);
-	}
-	return user;
-}
-
 export async function getUserById(userId: string): Promise<User> {
 	const user = await Db.collections.User.findOneOrFail({
 		where: { id: userId },
diff --git a/packages/cli/src/WaitingWebhooks.ts b/packages/cli/src/WaitingWebhooks.ts
index 617dc98ed659a..f67fe1de37274 100644
--- a/packages/cli/src/WaitingWebhooks.ts
+++ b/packages/cli/src/WaitingWebhooks.ts
@@ -32,6 +32,9 @@ export class WaitingWebhooks implements IWebhookManager {
 		const { path: executionId, suffix } = req.params;
 		Logger.debug(`Received waiting-webhook "${req.method}" for execution "${executionId}"`);
 
+		// Reset request parameters
+		req.params = {} as WaitingWebhookRequest['params'];
+
 		const execution = await this.executionRepository.findSingleExecution(executionId, {
 			includeData: true,
 			unflattenData: true,
diff --git a/packages/cli/src/WorkflowExecuteAdditionalData.ts b/packages/cli/src/WorkflowExecuteAdditionalData.ts
index 4c8dacf76b7ba..5760cce3d1a6d 100644
--- a/packages/cli/src/WorkflowExecuteAdditionalData.ts
+++ b/packages/cli/src/WorkflowExecuteAdditionalData.ts
@@ -65,6 +65,7 @@ import { InternalHooks } from '@/InternalHooks';
 import type { ExecutionMetadata } from '@db/entities/ExecutionMetadata';
 import { ExecutionRepository } from '@db/repositories';
 import { EventsService } from '@/services/events.service';
+import { SecretsHelper } from './SecretsHelpers';
 import { OwnershipService } from './services/ownership.service';
 
 const ERROR_TRIGGER_TYPE = config.getEnv('nodes.errorTriggerType');
@@ -1167,6 +1168,7 @@ export async function getBase(
 		userId,
 		setExecutionStatus,
 		variables,
+		secretsHelpers: Container.get(SecretsHelper),
 	};
 }
 
diff --git a/packages/cli/src/commands/BaseCommand.ts b/packages/cli/src/commands/BaseCommand.ts
index d748d06f65e6b..78be7cc23f04c 100644
--- a/packages/cli/src/commands/BaseCommand.ts
+++ b/packages/cli/src/commands/BaseCommand.ts
@@ -20,9 +20,7 @@ import type { IExternalHooksClass } from '@/Interfaces';
 import { InternalHooks } from '@/InternalHooks';
 import { PostHogClient } from '@/posthog';
 import { License } from '@/License';
-
-export const UM_FIX_INSTRUCTION =
-	'Please fix the database by running ./packages/cli/bin/n8n user-management:reset';
+import { ExternalSecretsManager } from '@/ExternalSecrets/ExternalSecretsManager.ee';
 
 export abstract class BaseCommand extends Command {
 	protected logger = LoggerProxy.init(getLogger());
@@ -137,6 +135,11 @@ export abstract class BaseCommand extends Command {
 		}
 	}
 
+	async initExternalSecrets() {
+		const secretsManager = Container.get(ExternalSecretsManager);
+		await secretsManager.init();
+	}
+
 	async finally(error: Error | undefined) {
 		if (inTest || this.id === 'start') return;
 		if (Db.connectionState.connected) {
diff --git a/packages/cli/src/commands/import/credentials.ts b/packages/cli/src/commands/import/credentials.ts
index 6eb87aebd2293..942d5c518b12e 100644
--- a/packages/cli/src/commands/import/credentials.ts
+++ b/packages/cli/src/commands/import/credentials.ts
@@ -10,10 +10,11 @@ import { SharedCredentials } from '@db/entities/SharedCredentials';
 import type { Role } from '@db/entities/Role';
 import { CredentialsEntity } from '@db/entities/CredentialsEntity';
 import { disableAutoGeneratedIds } from '@db/utils/commandHelpers';
-import { BaseCommand, UM_FIX_INSTRUCTION } from '../BaseCommand';
+import { BaseCommand } from '../BaseCommand';
 import type { ICredentialsEncrypted } from 'n8n-workflow';
 import { jsonParse } from 'n8n-workflow';
 import { RoleService } from '@/services/role.service';
+import { UM_FIX_INSTRUCTION } from '@/constants';
 
 export class ImportCredentialsCommand extends BaseCommand {
 	static description = 'Import credentials';
diff --git a/packages/cli/src/commands/import/workflow.ts b/packages/cli/src/commands/import/workflow.ts
index 5ae3a529d73b8..177014e460d2a 100644
--- a/packages/cli/src/commands/import/workflow.ts
+++ b/packages/cli/src/commands/import/workflow.ts
@@ -14,10 +14,11 @@ import type { User } from '@db/entities/User';
 import { disableAutoGeneratedIds } from '@db/utils/commandHelpers';
 import type { ICredentialsDb, IWorkflowToImport } from '@/Interfaces';
 import { replaceInvalidCredentials } from '@/WorkflowHelpers';
-import { BaseCommand, UM_FIX_INSTRUCTION } from '../BaseCommand';
+import { BaseCommand } from '../BaseCommand';
 import { generateNanoId } from '@db/utils/generators';
 import { RoleService } from '@/services/role.service';
 import { TagService } from '@/services/tag.service';
+import { UM_FIX_INSTRUCTION } from '@/constants';
 
 function assertHasWorkflowsToImport(workflows: unknown): asserts workflows is IWorkflowToImport[] {
 	if (!Array.isArray(workflows)) {
diff --git a/packages/cli/src/commands/mfa/disable.ts b/packages/cli/src/commands/mfa/disable.ts
new file mode 100644
index 0000000000000..6c5eb2fb9ce3b
--- /dev/null
+++ b/packages/cli/src/commands/mfa/disable.ts
@@ -0,0 +1,55 @@
+import { flags } from '@oclif/command';
+import * as Db from '@/Db';
+import { BaseCommand } from '../BaseCommand';
+
+export class DisableMFACommand extends BaseCommand {
+	static description = 'Disable MFA authentication for a user';
+
+	static examples = ['$ n8n mfa:disable --email=johndoe@example.com'];
+
+	static flags = {
+		help: flags.help({ char: 'h' }),
+		email: flags.string({
+			description: 'The email of the user to disable the MFA authentication',
+		}),
+	};
+
+	async init() {
+		await super.init();
+	}
+
+	async run(): Promise<void> {
+		// eslint-disable-next-line @typescript-eslint/no-shadow
+		const { flags } = this.parse(DisableMFACommand);
+
+		if (!flags.email) {
+			this.logger.info('An email with --email must be provided');
+			return;
+		}
+
+		const updateOperationResult = await Db.collections.User.update(
+			{ email: flags.email },
+			{ mfaSecret: null, mfaRecoveryCodes: [], mfaEnabled: false },
+		);
+
+		if (!updateOperationResult.affected) {
+			this.reportUserDoesNotExistError(flags.email);
+			return;
+		}
+
+		this.reportSuccess(flags.email);
+	}
+
+	async catch(error: Error) {
+		this.logger.error('An error occurred while disabling MFA in account');
+		this.logger.error(error.message);
+	}
+
+	private reportSuccess(email: string) {
+		this.logger.info(`Successfully disabled MFA for user with email: ${email}`);
+	}
+
+	private reportUserDoesNotExistError(email: string) {
+		this.logger.info(`User with email: ${email} does not exist`);
+	}
+}
diff --git a/packages/cli/src/commands/start.ts b/packages/cli/src/commands/start.ts
index 84afe4770c5ea..a21a93e21f1ea 100644
--- a/packages/cli/src/commands/start.ts
+++ b/packages/cli/src/commands/start.ts
@@ -195,6 +195,7 @@ export class Start extends BaseCommand {
 		await this.initLicense();
 		await this.initBinaryManager();
 		await this.initExternalHooks();
+		await this.initExternalSecrets();
 
 		if (!config.getEnv('endpoints.disableUi')) {
 			await this.generateStaticAssets();
diff --git a/packages/cli/src/commands/webhook.ts b/packages/cli/src/commands/webhook.ts
index c627d0d32831b..7d5bf4630232e 100644
--- a/packages/cli/src/commands/webhook.ts
+++ b/packages/cli/src/commands/webhook.ts
@@ -80,6 +80,7 @@ export class Webhook extends BaseCommand {
 		await this.initLicense();
 		await this.initBinaryManager();
 		await this.initExternalHooks();
+		await this.initExternalSecrets();
 	}
 
 	async run() {
diff --git a/packages/cli/src/commands/worker.ts b/packages/cli/src/commands/worker.ts
index 5702dc2d35339..dfaf0e34c0c62 100644
--- a/packages/cli/src/commands/worker.ts
+++ b/packages/cli/src/commands/worker.ts
@@ -239,6 +239,7 @@ export class Worker extends BaseCommand {
 		await this.initLicense();
 		await this.initBinaryManager();
 		await this.initExternalHooks();
+		await this.initExternalSecrets();
 	}
 
 	async run() {
diff --git a/packages/cli/src/config/schema.ts b/packages/cli/src/config/schema.ts
index 567777a39b457..742407853c89f 100644
--- a/packages/cli/src/config/schema.ts
+++ b/packages/cli/src/config/schema.ts
@@ -929,6 +929,15 @@ export const schema = {
 		},
 	},
 
+	mfa: {
+		enabled: {
+			format: Boolean,
+			default: true,
+			doc: 'Whether to enable MFA feature in instance.',
+			env: 'N8N_MFA_ENABLED',
+		},
+	},
+
 	sso: {
 		justInTimeProvisioning: {
 			format: Boolean,
diff --git a/packages/cli/src/constants.ts b/packages/cli/src/constants.ts
index caef03bcb2324..8d9bbb9e14f2b 100644
--- a/packages/cli/src/constants.ts
+++ b/packages/cli/src/constants.ts
@@ -77,6 +77,7 @@ export const LICENSE_FEATURES = {
 	VARIABLES: 'feat:variables',
 	SOURCE_CONTROL: 'feat:sourceControl',
 	API_DISABLED: 'feat:apiDisabled',
+	EXTERNAL_SECRETS: 'feat:externalSecrets',
 	SHOW_NON_PROD_BANNER: 'feat:showNonProdBanner',
 	WORKFLOW_HISTORY: 'feat:workflowHistory',
 	DEBUG_IN_EDITOR: 'feat:debugInEditor',
@@ -90,3 +91,6 @@ export const LICENSE_QUOTAS = {
 export const UNLIMITED_LICENSE_QUOTA = -1;
 
 export const CREDENTIAL_BLANKING_VALUE = '__n8n_BLANK_VALUE_e5362baf-c777-4d57-a609-6eaf1f9e87f6';
+
+export const UM_FIX_INSTRUCTION =
+	'Please fix the database by running ./packages/cli/bin/n8n user-management:reset';
diff --git a/packages/cli/src/controllers/auth.controller.ts b/packages/cli/src/controllers/auth.controller.ts
index 0ee765760b4b8..c7beb64a222f2 100644
--- a/packages/cli/src/controllers/auth.controller.ts
+++ b/packages/cli/src/controllers/auth.controller.ts
@@ -8,22 +8,17 @@ import {
 	InternalServerError,
 	UnauthorizedError,
 } from '@/ResponseHelper';
-import { sanitizeUser, withFeatureFlags } from '@/UserManagement/UserManagementHelper';
 import { issueCookie, resolveJwt } from '@/auth/jwt';
 import { AUTH_COOKIE_NAME, RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { Request, Response } from 'express';
-import type { ILogger } from 'n8n-workflow';
+import { ILogger } from 'n8n-workflow';
 import type { User } from '@db/entities/User';
 import { LoginRequest, UserRequest } from '@/requests';
-import type { Config } from '@/config';
-import type {
-	PublicUser,
-	IDatabaseCollections,
-	IInternalHooksClass,
-	CurrentUser,
-} from '@/Interfaces';
+import type { PublicUser } from '@/Interfaces';
+import { Config } from '@/config';
+import { IInternalHooksClass } from '@/Interfaces';
 import { handleEmailLogin, handleLdapLogin } from '@/auth';
-import type { PostHogClient } from '@/posthog';
+import { PostHogClient } from '@/posthog';
 import {
 	getCurrentAuthenticationMethod,
 	isLdapCurrentAuthenticationMethod,
@@ -32,44 +27,25 @@ import {
 import { InternalHooks } from '../InternalHooks';
 import { License } from '@/License';
 import { UserService } from '@/services/user.service';
+import { MfaService } from '@/Mfa/mfa.service';
 
 @RestController()
 export class AuthController {
-	private readonly config: Config;
-
-	private readonly logger: ILogger;
-
-	private readonly internalHooks: IInternalHooksClass;
-
-	private readonly userService: UserService;
-
-	private readonly postHog?: PostHogClient;
-
-	constructor({
-		config,
-		logger,
-		internalHooks,
-		postHog,
-	}: {
-		config: Config;
-		logger: ILogger;
-		internalHooks: IInternalHooksClass;
-		repositories: Pick<IDatabaseCollections, 'User'>;
-		postHog?: PostHogClient;
-	}) {
-		this.config = config;
-		this.logger = logger;
-		this.internalHooks = internalHooks;
-		this.postHog = postHog;
-		this.userService = Container.get(UserService);
-	}
+	constructor(
+		private readonly config: Config,
+		private readonly logger: ILogger,
+		private readonly internalHooks: IInternalHooksClass,
+		private readonly mfaService: MfaService,
+		private readonly userService: UserService,
+		private readonly postHog?: PostHogClient,
+	) {}
 
 	/**
 	 * Log in a user.
 	 */
 	@Post('/login')
 	async login(req: LoginRequest, res: Response): Promise<PublicUser | undefined> {
-		const { email, password } = req.body;
+		const { email, password, mfaToken, mfaRecoveryCode } = req.body;
 		if (!email) throw new Error('Email is required to log in');
 		if (!password) throw new Error('Password is required to log in');
 
@@ -94,13 +70,35 @@ export class AuthController {
 		} else {
 			user = await handleEmailLogin(email, password);
 		}
+
 		if (user) {
+			if (user.mfaEnabled) {
+				if (!mfaToken && !mfaRecoveryCode) {
+					throw new AuthError('MFA Error', 998);
+				}
+
+				const { decryptedRecoveryCodes, decryptedSecret } =
+					await this.mfaService.getSecretAndRecoveryCodes(user.id);
+
+				user.mfaSecret = decryptedSecret;
+				user.mfaRecoveryCodes = decryptedRecoveryCodes;
+
+				const isMFATokenValid =
+					(await this.validateMfaToken(user, mfaToken)) ||
+					(await this.validateMfaRecoveryCode(user, mfaRecoveryCode));
+
+				if (!isMFATokenValid) {
+					throw new AuthError('Invalid mfa token or recovery code');
+				}
+			}
+
 			await issueCookie(res, user);
 			void Container.get(InternalHooks).onUserLoginSuccess({
 				user,
 				authenticationMethod: usedAuthenticationMethod,
 			});
-			return withFeatureFlags(this.postHog, sanitizeUser(user));
+
+			return this.userService.toPublic(user, { posthog: this.postHog });
 		}
 		void Container.get(InternalHooks).onUserLoginFailed({
 			user: email,
@@ -114,7 +112,7 @@ export class AuthController {
 	 * Manually check the `n8n-auth` cookie.
 	 */
 	@Get('/login')
-	async currentUser(req: Request, res: Response): Promise<CurrentUser> {
+	async currentUser(req: Request, res: Response): Promise<PublicUser> {
 		// Manually check the existing cookie.
 		// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
 		const cookieContents = req.cookies?.[AUTH_COOKIE_NAME] as string | undefined;
@@ -125,7 +123,7 @@ export class AuthController {
 			try {
 				user = await resolveJwt(cookieContents);
 
-				return await withFeatureFlags(this.postHog, sanitizeUser(user));
+				return await this.userService.toPublic(user, { posthog: this.postHog });
 			} catch (error) {
 				res.clearCookie(AUTH_COOKIE_NAME);
 			}
@@ -148,7 +146,7 @@ export class AuthController {
 		}
 
 		await issueCookie(res, user);
-		return withFeatureFlags(this.postHog, sanitizeUser(user));
+		return this.userService.toPublic(user, { posthog: this.postHog });
 	}
 
 	/**
@@ -185,7 +183,10 @@ export class AuthController {
 			}
 		}
 
-		const users = await this.userService.findMany({ where: { id: In([inviterId, inviteeId]) } });
+		const users = await this.userService.findMany({
+			where: { id: In([inviterId, inviteeId]) },
+			relations: ['globalRole'],
+		});
 		if (users.length !== 2) {
 			this.logger.debug(
 				'Request to resolve signup token failed because the ID of the inviter and/or the ID of the invitee were not found in database',
@@ -229,4 +230,27 @@ export class AuthController {
 		res.clearCookie(AUTH_COOKIE_NAME);
 		return { loggedOut: true };
 	}
+
+	private async validateMfaToken(user: User, token?: string) {
+		if (!!!token) return false;
+		return this.mfaService.totp.verifySecret({
+			secret: user.mfaSecret ?? '',
+			token,
+		});
+	}
+
+	private async validateMfaRecoveryCode(user: User, mfaRecoveryCode?: string) {
+		if (!!!mfaRecoveryCode) return false;
+		const index = user.mfaRecoveryCodes.indexOf(mfaRecoveryCode);
+		if (index === -1) return false;
+
+		// remove used recovery code
+		user.mfaRecoveryCodes.splice(index, 1);
+
+		await this.userService.update(user.id, {
+			mfaRecoveryCodes: this.mfaService.encryptRecoveryCodes(user.mfaRecoveryCodes),
+		});
+
+		return true;
+	}
 }
diff --git a/packages/cli/src/controllers/e2e.controller.ts b/packages/cli/src/controllers/e2e.controller.ts
index d2497eddca24f..0957ea95ee773 100644
--- a/packages/cli/src/controllers/e2e.controller.ts
+++ b/packages/cli/src/controllers/e2e.controller.ts
@@ -12,6 +12,9 @@ import { LICENSE_FEATURES, inE2ETests } from '@/constants';
 import { NoAuthRequired, Patch, Post, RestController } from '@/decorators';
 import type { UserSetupPayload } from '@/requests';
 import type { BooleanLicenseFeature } from '@/Interfaces';
+import { UserSettings } from 'n8n-core';
+import { MfaService } from '@/Mfa/mfa.service';
+import { TOTPService } from '@/Mfa/totp.service';
 
 if (!inE2ETests) {
 	console.error('E2E endpoints only allowed during E2E tests');
@@ -61,6 +64,7 @@ export class E2EController {
 		[LICENSE_FEATURES.SOURCE_CONTROL]: false,
 		[LICENSE_FEATURES.VARIABLES]: false,
 		[LICENSE_FEATURES.API_DISABLED]: false,
+		[LICENSE_FEATURES.EXTERNAL_SECRETS]: false,
 		[LICENSE_FEATURES.SHOW_NON_PROD_BANNER]: false,
 		[LICENSE_FEATURES.WORKFLOW_HISTORY]: false,
 		[LICENSE_FEATURES.DEBUG_IN_EDITOR]: false,
@@ -136,13 +140,30 @@ export class E2EController {
 			roles.map(([name, scope], index) => ({ name, scope, id: (index + 1).toString() })),
 		);
 
-		const users = [];
-		users.push({
+		const encryptionKey = await UserSettings.getEncryptionKey();
+
+		const mfaService = new MfaService(this.userRepo, new TOTPService(), encryptionKey);
+
+		const instanceOwner = {
 			id: uuid(),
 			...owner,
 			password: await hashPassword(owner.password),
 			globalRoleId: globalOwnerRoleId,
-		});
+		};
+
+		if (owner?.mfaSecret && owner.mfaRecoveryCodes?.length) {
+			const { encryptedRecoveryCodes, encryptedSecret } = mfaService.encryptSecretAndRecoveryCodes(
+				owner.mfaSecret,
+				owner.mfaRecoveryCodes,
+			);
+			instanceOwner.mfaSecret = encryptedSecret;
+			instanceOwner.mfaRecoveryCodes = encryptedRecoveryCodes;
+		}
+
+		const users = [];
+
+		users.push(instanceOwner);
+
 		for (const { password, ...payload } of members) {
 			users.push(
 				this.userRepo.create({
@@ -154,8 +175,6 @@ export class E2EController {
 			);
 		}
 
-		console.log('users', users);
-
 		await this.userRepo.insert(users);
 
 		await this.settingsRepo.update(
diff --git a/packages/cli/src/controllers/index.ts b/packages/cli/src/controllers/index.ts
index c3e742924e998..2091b95a30edc 100644
--- a/packages/cli/src/controllers/index.ts
+++ b/packages/cli/src/controllers/index.ts
@@ -1,6 +1,7 @@
 export { AuthController } from './auth.controller';
 export { LdapController } from './ldap.controller';
 export { MeController } from './me.controller';
+export { MFAController } from './mfa.controller';
 export { NodesController } from './nodes.controller';
 export { NodeTypesController } from './nodeTypes.controller';
 export { OwnerController } from './owner.controller';
diff --git a/packages/cli/src/controllers/me.controller.ts b/packages/cli/src/controllers/me.controller.ts
index bfebaf0a716f5..8026e67bdb4ea 100644
--- a/packages/cli/src/controllers/me.controller.ts
+++ b/packages/cli/src/controllers/me.controller.ts
@@ -1,55 +1,34 @@
 import validator from 'validator';
 import { plainToInstance } from 'class-transformer';
 import { Authorized, Delete, Get, Patch, Post, RestController } from '@/decorators';
-import {
-	compareHash,
-	hashPassword,
-	sanitizeUser,
-	validatePassword,
-} from '@/UserManagement/UserManagementHelper';
+import { compareHash, hashPassword, validatePassword } from '@/UserManagement/UserManagementHelper';
 import { BadRequestError } from '@/ResponseHelper';
 import { validateEntity } from '@/GenericHelpers';
 import { issueCookie } from '@/auth/jwt';
 import type { User } from '@db/entities/User';
 import { Response } from 'express';
-import type { ILogger } from 'n8n-workflow';
+import { ILogger } from 'n8n-workflow';
 import {
 	AuthenticatedRequest,
 	MeRequest,
 	UserSettingsUpdatePayload,
 	UserUpdatePayload,
 } from '@/requests';
-import type { PublicUser, IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
+import { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
+import type { PublicUser } from '@/Interfaces';
 import { randomBytes } from 'crypto';
 import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';
 import { UserService } from '@/services/user.service';
-import Container from 'typedi';
 
 @Authorized()
 @RestController('/me')
 export class MeController {
-	private readonly logger: ILogger;
-
-	private readonly externalHooks: IExternalHooksClass;
-
-	private readonly internalHooks: IInternalHooksClass;
-
-	private readonly userService: UserService;
-
-	constructor({
-		logger,
-		externalHooks,
-		internalHooks,
-	}: {
-		logger: ILogger;
-		externalHooks: IExternalHooksClass;
-		internalHooks: IInternalHooksClass;
-	}) {
-		this.logger = logger;
-		this.externalHooks = externalHooks;
-		this.internalHooks = internalHooks;
-		this.userService = Container.get(UserService);
-	}
+	constructor(
+		private readonly logger: ILogger,
+		private readonly externalHooks: IExternalHooksClass,
+		private readonly internalHooks: IInternalHooksClass,
+		private readonly userService: UserService,
+	) {}
 
 	/**
 	 * Update the logged-in user's properties, except password.
@@ -105,9 +84,11 @@ export class MeController {
 			fields_changed: updatedKeys,
 		});
 
-		await this.externalHooks.run('user.profile.update', [currentEmail, sanitizeUser(user)]);
+		const publicUser = await this.userService.toPublic(user);
+
+		await this.externalHooks.run('user.profile.update', [currentEmail, publicUser]);
 
-		return sanitizeUser(user);
+		return publicUser;
 	}
 
 	/**
diff --git a/packages/cli/src/controllers/mfa.controller.ts b/packages/cli/src/controllers/mfa.controller.ts
new file mode 100644
index 0000000000000..70e3444851224
--- /dev/null
+++ b/packages/cli/src/controllers/mfa.controller.ts
@@ -0,0 +1,96 @@
+import { Authorized, Delete, Get, Post, RestController } from '@/decorators';
+import { AuthenticatedRequest, MFA } from '@/requests';
+import { BadRequestError } from '@/ResponseHelper';
+import { MfaService } from '@/Mfa/mfa.service';
+@Authorized()
+@RestController('/mfa')
+export class MFAController {
+	constructor(private mfaService: MfaService) {}
+
+	@Get('/qr')
+	async getQRCode(req: AuthenticatedRequest) {
+		const { email, id, mfaEnabled } = req.user;
+
+		if (mfaEnabled)
+			throw new BadRequestError(
+				'MFA already enabled. Disable it to generate new secret and recovery codes',
+			);
+
+		const { decryptedSecret: secret, decryptedRecoveryCodes: recoveryCodes } =
+			await this.mfaService.getSecretAndRecoveryCodes(id);
+
+		if (secret && recoveryCodes.length) {
+			const qrCode = this.mfaService.totp.generateTOTPUri({
+				secret,
+				label: email,
+			});
+
+			return {
+				secret,
+				recoveryCodes,
+				qrCode,
+			};
+		}
+
+		const newRecoveryCodes = this.mfaService.generateRecoveryCodes();
+
+		const newSecret = this.mfaService.totp.generateSecret();
+
+		const qrCode = this.mfaService.totp.generateTOTPUri({ secret: newSecret, label: email });
+
+		await this.mfaService.saveSecretAndRecoveryCodes(id, newSecret, newRecoveryCodes);
+
+		return {
+			secret: newSecret,
+			qrCode,
+			recoveryCodes: newRecoveryCodes,
+		};
+	}
+
+	@Post('/enable')
+	async activateMFA(req: MFA.Activate) {
+		const { token = null } = req.body;
+		const { id, mfaEnabled } = req.user;
+
+		const { decryptedSecret: secret, decryptedRecoveryCodes: recoveryCodes } =
+			await this.mfaService.getSecretAndRecoveryCodes(id);
+
+		if (!token) throw new BadRequestError('Token is required to enable MFA feature');
+
+		if (mfaEnabled) throw new BadRequestError('MFA already enabled');
+
+		if (!secret || !recoveryCodes.length) {
+			throw new BadRequestError('Cannot enable MFA without generating secret and recovery codes');
+		}
+
+		const verified = this.mfaService.totp.verifySecret({ secret, token, window: 10 });
+
+		if (!verified)
+			throw new BadRequestError('MFA token expired. Close the modal and enable MFA again', 997);
+
+		await this.mfaService.enableMfa(id);
+	}
+
+	@Delete('/disable')
+	async disableMFA(req: AuthenticatedRequest) {
+		const { id } = req.user;
+
+		await this.mfaService.disableMfa(id);
+	}
+
+	@Post('/verify')
+	async verifyMFA(req: MFA.Verify) {
+		const { id } = req.user;
+		const { token } = req.body;
+
+		const { decryptedSecret: secret } = await this.mfaService.getSecretAndRecoveryCodes(id);
+
+		if (!token) throw new BadRequestError('Token is required to enable MFA feature');
+
+		if (!secret) throw new BadRequestError('No MFA secret se for this user');
+
+		const verified = this.mfaService.totp.verifySecret({ secret, token });
+
+		if (!verified) throw new BadRequestError('MFA secret could not be verified');
+	}
+}
diff --git a/packages/cli/src/controllers/nodeTypes.controller.ts b/packages/cli/src/controllers/nodeTypes.controller.ts
index 49dec0b674d7d..029f4d879017a 100644
--- a/packages/cli/src/controllers/nodeTypes.controller.ts
+++ b/packages/cli/src/controllers/nodeTypes.controller.ts
@@ -3,21 +3,16 @@ import get from 'lodash/get';
 import { Request } from 'express';
 import type { INodeTypeDescription, INodeTypeNameVersion } from 'n8n-workflow';
 import { Authorized, Post, RestController } from '@/decorators';
-import { getNodeTranslationPath } from '@/TranslationHelpers';
-import type { Config } from '@/config';
-import type { NodeTypes } from '@/NodeTypes';
+import { Config } from '@/config';
+import { NodeTypes } from '@/NodeTypes';
 
 @Authorized()
 @RestController('/node-types')
 export class NodeTypesController {
-	private readonly config: Config;
-
-	private readonly nodeTypes: NodeTypes;
-
-	constructor({ config, nodeTypes }: { config: Config; nodeTypes: NodeTypes }) {
-		this.config = config;
-		this.nodeTypes = nodeTypes;
-	}
+	constructor(
+		private readonly config: Config,
+		private readonly nodeTypes: NodeTypes,
+	) {}
 
 	@Post('/')
 	async getNodeInfo(req: Request) {
@@ -39,7 +34,7 @@ export class NodeTypesController {
 			nodeTypes: INodeTypeDescription[],
 		) => {
 			const { description, sourcePath } = this.nodeTypes.getWithSourcePath(name, version);
-			const translationPath = await getNodeTranslationPath({
+			const translationPath = await this.nodeTypes.getNodeTranslationPath({
 				nodeSourcePath: sourcePath,
 				longNodeType: description.name,
 				locale: defaultLocale,
diff --git a/packages/cli/src/controllers/owner.controller.ts b/packages/cli/src/controllers/owner.controller.ts
index 3437884f1f736..3a33388fd5ec3 100644
--- a/packages/cli/src/controllers/owner.controller.ts
+++ b/packages/cli/src/controllers/owner.controller.ts
@@ -2,58 +2,28 @@ import validator from 'validator';
 import { validateEntity } from '@/GenericHelpers';
 import { Authorized, Post, RestController } from '@/decorators';
 import { BadRequestError } from '@/ResponseHelper';
-import {
-	hashPassword,
-	sanitizeUser,
-	validatePassword,
-	withFeatureFlags,
-} from '@/UserManagement/UserManagementHelper';
+import { hashPassword, validatePassword } from '@/UserManagement/UserManagementHelper';
 import { issueCookie } from '@/auth/jwt';
 import { Response } from 'express';
-import type { ILogger } from 'n8n-workflow';
-import type { Config } from '@/config';
+import { ILogger } from 'n8n-workflow';
+import { Config } from '@/config';
 import { OwnerRequest } from '@/requests';
-import type { IDatabaseCollections, IInternalHooksClass } from '@/Interfaces';
-import type { SettingsRepository } from '@db/repositories';
+import { IInternalHooksClass } from '@/Interfaces';
+import { SettingsRepository } from '@db/repositories';
+import { PostHogClient } from '@/posthog';
 import { UserService } from '@/services/user.service';
-import Container from 'typedi';
-import type { PostHogClient } from '@/posthog';
 
 @Authorized(['global', 'owner'])
 @RestController('/owner')
 export class OwnerController {
-	private readonly config: Config;
-
-	private readonly logger: ILogger;
-
-	private readonly internalHooks: IInternalHooksClass;
-
-	private readonly userService: UserService;
-
-	private readonly settingsRepository: SettingsRepository;
-
-	private readonly postHog?: PostHogClient;
-
-	constructor({
-		config,
-		logger,
-		internalHooks,
-		repositories,
-		postHog,
-	}: {
-		config: Config;
-		logger: ILogger;
-		internalHooks: IInternalHooksClass;
-		repositories: Pick<IDatabaseCollections, 'Settings'>;
-		postHog?: PostHogClient;
-	}) {
-		this.config = config;
-		this.logger = logger;
-		this.internalHooks = internalHooks;
-		this.userService = Container.get(UserService);
-		this.settingsRepository = repositories.Settings;
-		this.postHog = postHog;
-	}
+	constructor(
+		private readonly config: Config,
+		private readonly logger: ILogger,
+		private readonly internalHooks: IInternalHooksClass,
+		private readonly settingsRepository: SettingsRepository,
+		private readonly userService: UserService,
+		private readonly postHog?: PostHogClient,
+	) {}
 
 	/**
 	 * Promote a shell into the owner of the n8n instance,
@@ -131,7 +101,7 @@ export class OwnerController {
 
 		void this.internalHooks.onInstanceOwnerSetup({ user_id: userId });
 
-		return withFeatureFlags(this.postHog, sanitizeUser(owner));
+		return this.userService.toPublic(owner, { posthog: this.postHog });
 	}
 
 	@Post('/dismiss-banner')
diff --git a/packages/cli/src/controllers/passwordReset.controller.ts b/packages/cli/src/controllers/passwordReset.controller.ts
index e012f0409a327..838413c31933b 100644
--- a/packages/cli/src/controllers/passwordReset.controller.ts
+++ b/packages/cli/src/controllers/passwordReset.controller.ts
@@ -13,13 +13,13 @@ import {
 	hashPassword,
 	validatePassword,
 } from '@/UserManagement/UserManagementHelper';
-import type { UserManagementMailer } from '@/UserManagement/email';
+import { UserManagementMailer } from '@/UserManagement/email';
 
 import { Response } from 'express';
-import type { ILogger } from 'n8n-workflow';
-import type { Config } from '@/config';
+import { ILogger } from 'n8n-workflow';
+import { Config } from '@/config';
 import { PasswordResetRequest } from '@/requests';
-import type { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
+import { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
 import { issueCookie } from '@/auth/jwt';
 import { isLdapEnabled } from '@/Ldap/helpers';
 import { isSamlCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
@@ -30,44 +30,20 @@ import { RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { TokenExpiredError } from 'jsonwebtoken';
 import type { JwtPayload } from '@/services/jwt.service';
 import { JwtService } from '@/services/jwt.service';
+import { MfaService } from '@/Mfa/mfa.service';
 
 @RestController()
 export class PasswordResetController {
-	private readonly config: Config;
-
-	private readonly logger: ILogger;
-
-	private readonly externalHooks: IExternalHooksClass;
-
-	private readonly internalHooks: IInternalHooksClass;
-
-	private readonly mailer: UserManagementMailer;
-
-	private readonly jwtService: JwtService;
-
-	private readonly userService: UserService;
-
-	constructor({
-		config,
-		logger,
-		externalHooks,
-		internalHooks,
-		mailer,
-	}: {
-		config: Config;
-		logger: ILogger;
-		externalHooks: IExternalHooksClass;
-		internalHooks: IInternalHooksClass;
-		mailer: UserManagementMailer;
-	}) {
-		this.config = config;
-		this.logger = logger;
-		this.externalHooks = externalHooks;
-		this.internalHooks = internalHooks;
-		this.mailer = mailer;
-		this.jwtService = Container.get(JwtService);
-		this.userService = Container.get(UserService);
-	}
+	constructor(
+		private readonly config: Config,
+		private readonly logger: ILogger,
+		private readonly externalHooks: IExternalHooksClass,
+		private readonly internalHooks: IInternalHooksClass,
+		private readonly mailer: UserManagementMailer,
+		private readonly userService: UserService,
+		private readonly jwtService: JwtService,
+		private readonly mfaService: MfaService,
+	) {}
 
 	/**
 	 * Send a password reset email.
@@ -150,7 +126,11 @@ export class PasswordResetController {
 			},
 		);
 
-		const url = this.userService.generatePasswordResetUrl(baseUrl, resetPasswordToken);
+		const url = this.userService.generatePasswordResetUrl(
+			baseUrl,
+			resetPasswordToken,
+			user.mfaEnabled,
+		);
 
 		try {
 			await this.mailer.passwordReset({
@@ -233,7 +213,7 @@ export class PasswordResetController {
 	 */
 	@Post('/change-password')
 	async changePassword(req: PasswordResetRequest.NewPassword, res: Response) {
-		const { token: resetPasswordToken, password } = req.body;
+		const { token: resetPasswordToken, password, mfaToken } = req.body;
 
 		if (!resetPasswordToken || !password) {
 			this.logger.debug(
@@ -264,6 +244,16 @@ export class PasswordResetController {
 			throw new NotFoundError('');
 		}
 
+		if (user.mfaEnabled) {
+			if (!mfaToken) throw new BadRequestError('If MFA enabled, mfaToken is required.');
+
+			const { decryptedSecret: secret } = await this.mfaService.getSecretAndRecoveryCodes(user.id);
+
+			const validToken = this.mfaService.totp.verifySecret({ secret, token: mfaToken });
+
+			if (!validToken) throw new BadRequestError('Invalid MFA token.');
+		}
+
 		const passwordHash = await hashPassword(validPassword);
 
 		await this.userService.update(user.id, { password: passwordHash });
diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts
index 93c1a61ff4c2c..e77774c9ecfdf 100644
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -1,20 +1,17 @@
 import validator from 'validator';
-import { In } from 'typeorm';
-import type { ILogger } from 'n8n-workflow';
-import { ErrorReporterProxy as ErrorReporter } from 'n8n-workflow';
+import type { FindManyOptions } from 'typeorm';
+import { In, Not } from 'typeorm';
+import { ILogger, ErrorReporterProxy as ErrorReporter } from 'n8n-workflow';
 import { User } from '@db/entities/User';
 import { SharedCredentials } from '@db/entities/SharedCredentials';
 import { SharedWorkflow } from '@db/entities/SharedWorkflow';
 import { Authorized, NoAuthRequired, Delete, Get, Post, RestController, Patch } from '@/decorators';
 import {
-	addInviteLinkToUser,
 	generateUserInviteUrl,
 	getInstanceBaseUrl,
 	hashPassword,
 	isEmailSetUp,
-	sanitizeUser,
 	validatePassword,
-	withFeatureFlags,
 } from '@/UserManagement/UserManagementHelper';
 import { issueCookie } from '@/auth/jwt';
 import {
@@ -24,21 +21,16 @@ import {
 	UnauthorizedError,
 } from '@/ResponseHelper';
 import { Response } from 'express';
-import type { Config } from '@/config';
-import { UserRequest, UserSettingsUpdatePayload } from '@/requests';
-import type { UserManagementMailer } from '@/UserManagement/email';
-import type {
-	PublicUser,
-	IDatabaseCollections,
-	IExternalHooksClass,
-	IInternalHooksClass,
-	ITelemetryUserDeletionData,
-} from '@/Interfaces';
-import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
+import { ListQuery, UserRequest, UserSettingsUpdatePayload } from '@/requests';
+import { UserManagementMailer } from '@/UserManagement/email';
+import { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
+import { Config } from '@/config';
+import { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
+import type { PublicUser, ITelemetryUserDeletionData } from '@/Interfaces';
 import { AuthIdentity } from '@db/entities/AuthIdentity';
-import type { PostHogClient } from '@/posthog';
+import { PostHogClient } from '@/posthog';
 import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';
-import type { SharedCredentialsRepository, SharedWorkflowRepository } from '@db/repositories';
+import { SharedCredentialsRepository, SharedWorkflowRepository } from '@db/repositories';
 import { plainToInstance } from 'class-transformer';
 import { License } from '@/License';
 import { Container } from 'typedi';
@@ -46,66 +38,25 @@ import { RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { JwtService } from '@/services/jwt.service';
 import { RoleService } from '@/services/role.service';
 import { UserService } from '@/services/user.service';
+import { listQueryMiddleware } from '@/middlewares';
 
 @Authorized(['global', 'owner'])
 @RestController('/users')
 export class UsersController {
-	private config: Config;
-
-	private logger: ILogger;
-
-	private externalHooks: IExternalHooksClass;
-
-	private internalHooks: IInternalHooksClass;
-
-	private sharedCredentialsRepository: SharedCredentialsRepository;
-
-	private sharedWorkflowRepository: SharedWorkflowRepository;
-
-	private activeWorkflowRunner: ActiveWorkflowRunner;
-
-	private mailer: UserManagementMailer;
-
-	private jwtService: JwtService;
-
-	private postHog?: PostHogClient;
-
-	private roleService: RoleService;
-
-	private userService: UserService;
-
-	constructor({
-		config,
-		logger,
-		externalHooks,
-		internalHooks,
-		repositories,
-		activeWorkflowRunner,
-		mailer,
-		postHog,
-	}: {
-		config: Config;
-		logger: ILogger;
-		externalHooks: IExternalHooksClass;
-		internalHooks: IInternalHooksClass;
-		repositories: Pick<IDatabaseCollections, 'SharedCredentials' | 'SharedWorkflow'>;
-		activeWorkflowRunner: ActiveWorkflowRunner;
-		mailer: UserManagementMailer;
-		postHog?: PostHogClient;
-	}) {
-		this.config = config;
-		this.logger = logger;
-		this.externalHooks = externalHooks;
-		this.internalHooks = internalHooks;
-		this.sharedCredentialsRepository = repositories.SharedCredentials;
-		this.sharedWorkflowRepository = repositories.SharedWorkflow;
-		this.activeWorkflowRunner = activeWorkflowRunner;
-		this.mailer = mailer;
-		this.jwtService = Container.get(JwtService);
-		this.postHog = postHog;
-		this.roleService = Container.get(RoleService);
-		this.userService = Container.get(UserService);
-	}
+	constructor(
+		private readonly config: Config,
+		private readonly logger: ILogger,
+		private readonly externalHooks: IExternalHooksClass,
+		private readonly internalHooks: IInternalHooksClass,
+		private readonly sharedCredentialsRepository: SharedCredentialsRepository,
+		private readonly sharedWorkflowRepository: SharedWorkflowRepository,
+		private readonly activeWorkflowRunner: ActiveWorkflowRunner,
+		private readonly mailer: UserManagementMailer,
+		private readonly jwtService: JwtService,
+		private readonly roleService: RoleService,
+		private readonly userService: UserService,
+		private readonly postHog?: PostHogClient,
+	) {}
 
 	/**
 	 * Send email invite(s) to one or multiple users and create user shell(s).
@@ -179,6 +130,7 @@ export class UsersController {
 		// remove/exclude existing users from creation
 		const existingUsers = await this.userService.findMany({
 			where: { email: In(Object.keys(createUsers)) },
+			relations: ['globalRole'],
 		});
 		existingUsers.forEach((user) => {
 			if (user.password) {
@@ -354,20 +306,98 @@ export class UsersController {
 			was_disabled_ldap_user: false,
 		});
 
-		await this.externalHooks.run('user.profile.update', [invitee.email, sanitizeUser(invitee)]);
+		const publicInvitee = await this.userService.toPublic(invitee);
+
+		await this.externalHooks.run('user.profile.update', [invitee.email, publicInvitee]);
 		await this.externalHooks.run('user.password.update', [invitee.email, invitee.password]);
 
-		return withFeatureFlags(this.postHog, sanitizeUser(updatedUser));
+		return this.userService.toPublic(updatedUser, { posthog: this.postHog });
+	}
+
+	private async toFindManyOptions(listQueryOptions?: ListQuery.Options) {
+		const findManyOptions: FindManyOptions<User> = {};
+
+		if (!listQueryOptions) {
+			findManyOptions.relations = ['globalRole', 'authIdentities'];
+			return findManyOptions;
+		}
+
+		const { filter, select, take, skip } = listQueryOptions;
+
+		if (select) findManyOptions.select = select;
+		if (take) findManyOptions.take = take;
+		if (skip) findManyOptions.skip = skip;
+
+		if (take && !select) {
+			findManyOptions.relations = ['globalRole', 'authIdentities'];
+		}
+
+		if (take && select && !select?.id) {
+			findManyOptions.select = { ...findManyOptions.select, id: true }; // pagination requires id
+		}
+
+		if (filter) {
+			const { isOwner, ...otherFilters } = filter;
+
+			findManyOptions.where = otherFilters;
+
+			if (isOwner !== undefined) {
+				const ownerRole = await this.roleService.findGlobalOwnerRole();
+
+				findManyOptions.relations = ['globalRole'];
+				findManyOptions.where.globalRole = { id: isOwner ? ownerRole.id : Not(ownerRole.id) };
+			}
+		}
+
+		return findManyOptions;
+	}
+
+	removeSupplementaryFields(
+		publicUsers: Array<Partial<PublicUser>>,
+		listQueryOptions: ListQuery.Options,
+	) {
+		const { take, select, filter } = listQueryOptions;
+
+		// remove fields added to satisfy query
+
+		if (take && select && !select?.id) {
+			for (const user of publicUsers) delete user.id;
+		}
+
+		if (filter?.isOwner) {
+			for (const user of publicUsers) delete user.globalRole;
+		}
+
+		// remove computed fields (unselectable)
+
+		if (select) {
+			for (const user of publicUsers) {
+				delete user.isOwner;
+				delete user.isPending;
+				delete user.signInType;
+				delete user.hasRecoveryCodesLeft;
+			}
+		}
+
+		return publicUsers;
 	}
 
 	@Authorized('any')
-	@Get('/')
-	async listUsers(req: UserRequest.List) {
-		const users = await this.userService.findMany({ relations: ['globalRole', 'authIdentities'] });
-		return users.map(
-			(user): PublicUser =>
-				addInviteLinkToUser(sanitizeUser(user, ['personalizationAnswers']), req.user.id),
+	@Get('/', { middlewares: listQueryMiddleware })
+	async listUsers(req: ListQuery.Request) {
+		const { listQueryOptions } = req;
+
+		const findManyOptions = await this.toFindManyOptions(listQueryOptions);
+
+		const users = await this.userService.findMany(findManyOptions);
+
+		const publicUsers: Array<Partial<PublicUser>> = await Promise.all(
+			users.map(async (u) => this.userService.toPublic(u, { withInviteUrl: true })),
 		);
+
+		return listQueryOptions
+			? this.removeSupplementaryFields(publicUsers, listQueryOptions)
+			: publicUsers;
 	}
 
 	@Authorized(['global', 'owner'])
@@ -389,7 +419,11 @@ export class UsersController {
 
 		const baseUrl = getInstanceBaseUrl();
 
-		const link = this.userService.generatePasswordResetUrl(baseUrl, resetPasswordToken);
+		const link = this.userService.generatePasswordResetUrl(
+			baseUrl,
+			resetPasswordToken,
+			user.mfaEnabled,
+		);
 		return {
 			link,
 		};
@@ -437,6 +471,7 @@ export class UsersController {
 
 		const users = await this.userService.findMany({
 			where: { id: In([transferId, idToDelete]) },
+			relations: ['globalRole'],
 		});
 
 		if (!users.length || (transferId && users.length !== 2)) {
@@ -527,7 +562,7 @@ export class UsersController {
 				telemetryData,
 				publicApi: false,
 			});
-			await this.externalHooks.run('user.deleted', [sanitizeUser(userToDelete)]);
+			await this.externalHooks.run('user.deleted', [await this.userService.toPublic(userToDelete)]);
 			return { success: true };
 		}
 
@@ -565,7 +600,7 @@ export class UsersController {
 			publicApi: false,
 		});
 
-		await this.externalHooks.run('user.deleted', [sanitizeUser(userToDelete)]);
+		await this.externalHooks.run('user.deleted', [await this.userService.toPublic(userToDelete)]);
 		return { success: true };
 	}
 
diff --git a/packages/cli/src/credentials/credentials.service.ts b/packages/cli/src/credentials/credentials.service.ts
index 94be5b9fb6743..0d6c67c554f5e 100644
--- a/packages/cli/src/credentials/credentials.service.ts
+++ b/packages/cli/src/credentials/credentials.service.ts
@@ -309,7 +309,10 @@ export class CredentialsService {
 			if (!prop) {
 				continue;
 			}
-			if (prop.typeOptions?.password) {
+			if (
+				prop.typeOptions?.password &&
+				(!(copiedData[dataKey] as string).startsWith('={{') || prop.noDataExpression)
+			) {
 				if (copiedData[dataKey].toString().length > 0) {
 					copiedData[dataKey] = CREDENTIAL_BLANKING_VALUE;
 				} else {
diff --git a/packages/cli/src/credentials/oauth2Credential.api.ts b/packages/cli/src/credentials/oauth2Credential.api.ts
index bcb3892ddf455..dda9b486e957d 100644
--- a/packages/cli/src/credentials/oauth2Credential.api.ts
+++ b/packages/cli/src/credentials/oauth2Credential.api.ts
@@ -34,6 +34,8 @@ import config from '@/config';
 import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper';
 import { Container } from 'typedi';
 
+import * as WorkflowExecuteAdditionalData from '@/WorkflowExecuteAdditionalData';
+
 export const oauth2CredentialController = express.Router();
 
 /**
@@ -81,12 +83,15 @@ oauth2CredentialController.get(
 			throw new ResponseHelper.InternalServerError((error as Error).message);
 		}
 
+		const additionalData = await WorkflowExecuteAdditionalData.getBase(req.user.id);
+
 		const credentialType = (credential as unknown as ICredentialsEncrypted).type;
 
 		const mode: WorkflowExecuteMode = 'internal';
 		const timezone = config.getEnv('generic.timezone');
 		const credentialsHelper = new CredentialsHelper(encryptionKey);
 		const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+			additionalData,
 			credential as INodeCredentialsDetails,
 			credentialType,
 			mode,
@@ -107,6 +112,7 @@ oauth2CredentialController.get(
 		}
 
 		const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+			additionalData,
 			decryptedDataOriginal,
 			credentialType,
 			mode,
@@ -223,11 +229,13 @@ oauth2CredentialController.get(
 			}
 
 			const encryptionKey = await UserSettings.getEncryptionKey();
+			const additionalData = await WorkflowExecuteAdditionalData.getBase(state.cid);
 
 			const mode: WorkflowExecuteMode = 'internal';
 			const timezone = config.getEnv('generic.timezone');
 			const credentialsHelper = new CredentialsHelper(encryptionKey);
 			const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+				additionalData,
 				credential as INodeCredentialsDetails,
 				(credential as unknown as ICredentialsEncrypted).type,
 				mode,
@@ -235,6 +243,7 @@ oauth2CredentialController.get(
 				true,
 			);
 			const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+				additionalData,
 				decryptedDataOriginal,
 				(credential as unknown as ICredentialsEncrypted).type,
 				mode,
diff --git a/packages/cli/src/databases/dsl/Column.ts b/packages/cli/src/databases/dsl/Column.ts
index 7d2257a8697ae..54442c69d8e3c 100644
--- a/packages/cli/src/databases/dsl/Column.ts
+++ b/packages/cli/src/databases/dsl/Column.ts
@@ -93,6 +93,9 @@ export class Column {
 			options.type = isPostgres ? 'timestamptz' : 'datetime';
 		} else if (type === 'json' && isSqlite) {
 			options.type = 'text';
+		} else if (type === 'uuid' && isMysql) {
+			// mysql does not support uuid type
+			options.type = 'varchar(36)';
 		}
 
 		if ((type === 'varchar' || type === 'timestamp') && length !== 'auto') {
diff --git a/packages/cli/src/databases/entities/User.ts b/packages/cli/src/databases/entities/User.ts
index 15370aade6ba9..a32c9f2dc06e9 100644
--- a/packages/cli/src/databases/entities/User.ts
+++ b/packages/cli/src/databases/entities/User.ts
@@ -96,6 +96,15 @@ export class User extends WithTimestamps implements IUser {
 	@Index({ unique: true })
 	apiKey?: string | null;
 
+	@Column({ type: Boolean, default: false })
+	mfaEnabled: boolean;
+
+	@Column({ type: String, nullable: true, select: false })
+	mfaSecret?: string | null;
+
+	@Column({ type: 'simple-array', default: '', select: false })
+	mfaRecoveryCodes: string[];
+
 	/**
 	 * Whether the user is pending setup completion.
 	 */
diff --git a/packages/cli/src/databases/migrations/common/1690000000040-AddMfaColumns.ts b/packages/cli/src/databases/migrations/common/1690000000040-AddMfaColumns.ts
new file mode 100644
index 0000000000000..2c044f6dce9d8
--- /dev/null
+++ b/packages/cli/src/databases/migrations/common/1690000000040-AddMfaColumns.ts
@@ -0,0 +1,35 @@
+import type { MigrationContext, ReversibleMigration } from '@/databases/types';
+import { TableColumn } from 'typeorm';
+
+export class AddMfaColumns1690000000030 implements ReversibleMigration {
+	async up({ queryRunner, tablePrefix }: MigrationContext) {
+		await queryRunner.addColumns(`${tablePrefix}user`, [
+			new TableColumn({
+				name: 'mfaEnabled',
+				type: 'boolean',
+				isNullable: false,
+				default: false,
+			}),
+			new TableColumn({
+				name: 'mfaSecret',
+				type: 'text',
+				isNullable: true,
+				default: null,
+			}),
+			new TableColumn({
+				name: 'mfaRecoveryCodes',
+				type: 'text',
+				isNullable: true,
+				default: null,
+			}),
+		]);
+	}
+
+	async down({ queryRunner, tablePrefix }: MigrationContext) {
+		await queryRunner.dropColumns(`${tablePrefix}user`, [
+			'mfaEnabled',
+			'mfaSecret',
+			'mfaRecoveryCodes',
+		]);
+	}
+}
diff --git a/packages/cli/src/databases/migrations/common/1692967111175-CreateWorkflowHistoryTable.ts b/packages/cli/src/databases/migrations/common/1692967111175-CreateWorkflowHistoryTable.ts
new file mode 100644
index 0000000000000..5f047ccb8dbf2
--- /dev/null
+++ b/packages/cli/src/databases/migrations/common/1692967111175-CreateWorkflowHistoryTable.ts
@@ -0,0 +1,27 @@
+import type { MigrationContext, ReversibleMigration } from '@db/types';
+
+const tableName = 'workflow_history';
+
+export class CreateWorkflowHistoryTable1692967111175 implements ReversibleMigration {
+	async up({ schemaBuilder: { createTable, column }, queryRunner }: MigrationContext) {
+		await createTable(tableName)
+			.withColumns(
+				column('versionId').varchar(36).primary.notNull,
+				column('workflowId').varchar(36).notNull,
+				column('nodes').text.notNull,
+				column('connections').text.notNull,
+				column('authors').varchar(255).notNull,
+			)
+			.withTimestamps.withIndexOn('workflowId')
+			.withForeignKey('workflowId', {
+				tableName: 'workflow_entity',
+				columnName: 'id',
+				onDelete: 'CASCADE',
+			})
+			.execute(queryRunner);
+	}
+
+	async down({ schemaBuilder: { dropTable } }: MigrationContext) {
+		await dropTable(tableName);
+	}
+}
diff --git a/packages/cli/src/databases/migrations/mysqldb/index.ts b/packages/cli/src/databases/migrations/mysqldb/index.ts
index ca606867ae335..ce89cb312cb18 100644
--- a/packages/cli/src/databases/migrations/mysqldb/index.ts
+++ b/packages/cli/src/databases/migrations/mysqldb/index.ts
@@ -44,6 +44,8 @@ import { FixExecutionDataType1690000000031 } from './1690000000031-FixExecutionD
 import { RemoveSkipOwnerSetup1681134145997 } from './1681134145997-RemoveSkipOwnerSetup';
 import { RemoveResetPasswordColumns1690000000030 } from '../common/1690000000030-RemoveResetPasswordColumns';
 import { CreateWorkflowNameIndex1691088862123 } from '../common/1691088862123-CreateWorkflowNameIndex';
+import { AddMfaColumns1690000000030 } from './../common/1690000000040-AddMfaColumns';
+import { CreateWorkflowHistoryTable1692967111175 } from '../common/1692967111175-CreateWorkflowHistoryTable';
 
 export const mysqlMigrations: Migration[] = [
 	InitialMigration1588157391238,
@@ -91,4 +93,6 @@ export const mysqlMigrations: Migration[] = [
 	RemoveSkipOwnerSetup1681134145997,
 	RemoveResetPasswordColumns1690000000030,
 	CreateWorkflowNameIndex1691088862123,
+	AddMfaColumns1690000000030,
+	CreateWorkflowHistoryTable1692967111175,
 ];
diff --git a/packages/cli/src/databases/migrations/postgresdb/index.ts b/packages/cli/src/databases/migrations/postgresdb/index.ts
index 554bb1311483a..89249058e6633 100644
--- a/packages/cli/src/databases/migrations/postgresdb/index.ts
+++ b/packages/cli/src/databases/migrations/postgresdb/index.ts
@@ -42,6 +42,8 @@ import { RemoveSkipOwnerSetup1681134145997 } from './1681134145997-RemoveSkipOwn
 import { RemoveResetPasswordColumns1690000000030 } from '../common/1690000000030-RemoveResetPasswordColumns';
 import { AddMissingPrimaryKeyOnExecutionData1690787606731 } from './1690787606731-AddMissingPrimaryKeyOnExecutionData';
 import { CreateWorkflowNameIndex1691088862123 } from '../common/1691088862123-CreateWorkflowNameIndex';
+import { AddMfaColumns1690000000030 } from './../common/1690000000040-AddMfaColumns';
+import { CreateWorkflowHistoryTable1692967111175 } from '../common/1692967111175-CreateWorkflowHistoryTable';
 
 export const postgresMigrations: Migration[] = [
 	InitialMigration1587669153312,
@@ -87,4 +89,6 @@ export const postgresMigrations: Migration[] = [
 	RemoveResetPasswordColumns1690000000030,
 	AddMissingPrimaryKeyOnExecutionData1690787606731,
 	CreateWorkflowNameIndex1691088862123,
+	AddMfaColumns1690000000030,
+	CreateWorkflowHistoryTable1692967111175,
 ];
diff --git a/packages/cli/src/databases/migrations/sqlite/1690000000040-AddMfaColumns.ts b/packages/cli/src/databases/migrations/sqlite/1690000000040-AddMfaColumns.ts
new file mode 100644
index 0000000000000..1047f44f5fc73
--- /dev/null
+++ b/packages/cli/src/databases/migrations/sqlite/1690000000040-AddMfaColumns.ts
@@ -0,0 +1,5 @@
+import { AddMfaColumns1690000000030 as BaseMigration } from '../common/1690000000040-AddMfaColumns';
+
+export class AddMfaColumns1690000000030 extends BaseMigration {
+	transaction = false as const;
+}
diff --git a/packages/cli/src/databases/migrations/sqlite/index.ts b/packages/cli/src/databases/migrations/sqlite/index.ts
index eeb0cc4995b00..9bac59767b0e3 100644
--- a/packages/cli/src/databases/migrations/sqlite/index.ts
+++ b/packages/cli/src/databases/migrations/sqlite/index.ts
@@ -41,6 +41,8 @@ import { RemoveSkipOwnerSetup1681134145997 } from './1681134145997-RemoveSkipOwn
 import { FixMissingIndicesFromStringIdMigration1690000000020 } from './1690000000020-FixMissingIndicesFromStringIdMigration';
 import { RemoveResetPasswordColumns1690000000030 } from './1690000000030-RemoveResetPasswordColumns';
 import { CreateWorkflowNameIndex1691088862123 } from '../common/1691088862123-CreateWorkflowNameIndex';
+import { AddMfaColumns1690000000030 } from './1690000000040-AddMfaColumns';
+import { CreateWorkflowHistoryTable1692967111175 } from '../common/1692967111175-CreateWorkflowHistoryTable';
 
 const sqliteMigrations: Migration[] = [
 	InitialMigration1588102412422,
@@ -85,6 +87,8 @@ const sqliteMigrations: Migration[] = [
 	FixMissingIndicesFromStringIdMigration1690000000020,
 	RemoveResetPasswordColumns1690000000030,
 	CreateWorkflowNameIndex1691088862123,
+	AddMfaColumns1690000000030,
+	CreateWorkflowHistoryTable1692967111175,
 ];
 
 export { sqliteMigrations };
diff --git a/packages/cli/src/databases/repositories/settings.repository.ts b/packages/cli/src/databases/repositories/settings.repository.ts
index 82630bffdb1b1..a213ee78a3018 100644
--- a/packages/cli/src/databases/repositories/settings.repository.ts
+++ b/packages/cli/src/databases/repositories/settings.repository.ts
@@ -1,3 +1,4 @@
+import { EXTERNAL_SECRETS_DB_KEY } from '@/ExternalSecrets/constants';
 import { Service } from 'typedi';
 import { DataSource, Repository } from 'typeorm';
 import { ErrorReporterProxy as ErrorReporter } from 'n8n-workflow';
@@ -10,6 +11,21 @@ export class SettingsRepository extends Repository<Settings> {
 		super(Settings, dataSource.manager);
 	}
 
+	async getEncryptedSecretsProviderSettings(): Promise<string | null> {
+		return (await this.findOne({ where: { key: EXTERNAL_SECRETS_DB_KEY } }))?.value ?? null;
+	}
+
+	async saveEncryptedSecretsProviderSettings(data: string): Promise<void> {
+		await this.upsert(
+			{
+				key: EXTERNAL_SECRETS_DB_KEY,
+				value: data,
+				loadOnStartup: false,
+			},
+			['key'],
+		);
+	}
+
 	async dismissBanner({ bannerName }: { bannerName: string }): Promise<{ success: boolean }> {
 		const key = 'ui.banners.dismissed';
 		const dismissedBannersSetting = await this.findOneBy({ key });
diff --git a/packages/cli/src/environments/sourceControl/sourceControlImport.service.ee.ts b/packages/cli/src/environments/sourceControl/sourceControlImport.service.ee.ts
index a35d18d2f34ac..85a6ad83fdc8e 100644
--- a/packages/cli/src/environments/sourceControl/sourceControlImport.service.ee.ts
+++ b/packages/cli/src/environments/sourceControl/sourceControlImport.service.ee.ts
@@ -15,7 +15,6 @@ import { Credentials, UserSettings } from 'n8n-core';
 import type { IWorkflowToImport } from '@/Interfaces';
 import type { ExportableCredential } from './types/exportableCredential';
 import type { Variables } from '@db/entities/Variables';
-import { UM_FIX_INSTRUCTION } from '@/commands/BaseCommand';
 import { SharedCredentials } from '@db/entities/SharedCredentials';
 import type { WorkflowTagMapping } from '@db/entities/WorkflowTagMapping';
 import type { TagEntity } from '@db/entities/TagEntity';
@@ -28,6 +27,7 @@ import type { SourceControlledFile } from './types/sourceControlledFile';
 import { RoleService } from '@/services/role.service';
 import { VariablesService } from '../variables/variables.service';
 import { TagRepository } from '@/databases/repositories';
+import { UM_FIX_INSTRUCTION } from '@/constants';
 
 @Service()
 export class SourceControlImportService {
diff --git a/packages/cli/src/eventbus/MessageEventBusDestination/MessageEventBusDestinationWebhook.ee.ts b/packages/cli/src/eventbus/MessageEventBusDestination/MessageEventBusDestinationWebhook.ee.ts
index 2a97f4471d09c..6af27c1b76b56 100644
--- a/packages/cli/src/eventbus/MessageEventBusDestination/MessageEventBusDestinationWebhook.ee.ts
+++ b/packages/cli/src/eventbus/MessageEventBusDestination/MessageEventBusDestinationWebhook.ee.ts
@@ -15,6 +15,7 @@ import type {
 	MessageEventBusDestinationOptions,
 	MessageEventBusDestinationWebhookParameterItem,
 	MessageEventBusDestinationWebhookParameterOptions,
+	IWorkflowExecuteAdditionalData,
 } from 'n8n-workflow';
 import { CredentialsHelper } from '@/CredentialsHelper';
 import { UserSettings } from 'n8n-core';
@@ -24,6 +25,7 @@ import { isLogStreamingEnabled } from '../MessageEventBus/MessageEventBusHelper'
 import { eventMessageGenericDestinationTestEvent } from '../EventMessageClasses/EventMessageGeneric';
 import { MessageEventBus } from '../MessageEventBus/MessageEventBus';
 import type { MessageWithCallback } from '../MessageEventBus/MessageEventBus';
+import * as SecretsHelpers from '@/ExternalSecrets/externalSecretsHelper.ee';
 
 export const isMessageEventBusDestinationWebhookOptions = (
 	candidate: unknown,
@@ -108,6 +110,7 @@ export class MessageEventBusDestinationWebhook
 		if (foundCredential) {
 			const timezone = config.getEnv('generic.timezone');
 			const credentialsDecrypted = await this.credentialsHelper?.getDecrypted(
+				{ secretsHelpers: SecretsHelpers } as unknown as IWorkflowExecuteAdditionalData,
 				foundCredential[1],
 				foundCredential[0],
 				'internal',
diff --git a/packages/cli/src/middlewares/listQuery/dtos/base.filter.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/base.filter.dto.ts
new file mode 100644
index 0000000000000..47a7273b5b2df
--- /dev/null
+++ b/packages/cli/src/middlewares/listQuery/dtos/base.filter.dto.ts
@@ -0,0 +1,30 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+
+import { isObjectLiteral } from '@/utils';
+import { plainToInstance, instanceToPlain } from 'class-transformer';
+import { validate } from 'class-validator';
+import { jsonParse } from 'n8n-workflow';
+
+export class BaseFilter {
+	protected static async toFilter(rawFilter: string, Filter: typeof BaseFilter) {
+		const dto = jsonParse(rawFilter, { errorMessage: 'Failed to parse filter JSON' });
+
+		if (!isObjectLiteral(dto)) throw new Error('Filter must be an object literal');
+
+		const instance = plainToInstance(Filter, dto, {
+			excludeExtraneousValues: true, // remove fields not in class
+		});
+
+		await instance.validate();
+
+		return instanceToPlain(instance, {
+			exposeUnsetFields: false, // remove in-class undefined fields
+		});
+	}
+
+	private async validate() {
+		const result = await validate(this);
+
+		if (result.length > 0) throw new Error('Parsed filter does not fit the schema');
+	}
+}
diff --git a/packages/cli/src/middlewares/listQuery/dtos/base.select.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/base.select.dto.ts
new file mode 100644
index 0000000000000..da7ba6752d17b
--- /dev/null
+++ b/packages/cli/src/middlewares/listQuery/dtos/base.select.dto.ts
@@ -0,0 +1,19 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+
+import { isStringArray } from '@/utils';
+import { jsonParse } from 'n8n-workflow';
+
+export class BaseSelect {
+	static selectableFields: Set<string>;
+
+	protected static toSelect(rawFilter: string, Select: typeof BaseSelect) {
+		const dto = jsonParse(rawFilter, { errorMessage: 'Failed to parse filter JSON' });
+
+		if (!isStringArray(dto)) throw new Error('Parsed select is not a string array');
+
+		return dto.reduce<Record<string, true>>((acc, field) => {
+			if (!Select.selectableFields.has(field)) return acc;
+			return (acc[field] = true), acc;
+		}, {});
+	}
+}
diff --git a/packages/cli/src/middlewares/listQuery/dtos/user.filter.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/user.filter.dto.ts
new file mode 100644
index 0000000000000..6c7e8a01312ba
--- /dev/null
+++ b/packages/cli/src/middlewares/listQuery/dtos/user.filter.dto.ts
@@ -0,0 +1,29 @@
+import { IsOptional, IsString, IsBoolean } from 'class-validator';
+import { Expose } from 'class-transformer';
+import { BaseFilter } from './base.filter.dto';
+
+export class UserFilter extends BaseFilter {
+	@IsString()
+	@IsOptional()
+	@Expose()
+	email?: string;
+
+	@IsString()
+	@IsOptional()
+	@Expose()
+	firstName?: string;
+
+	@IsString()
+	@IsOptional()
+	@Expose()
+	lastName?: string;
+
+	@IsBoolean()
+	@IsOptional()
+	@Expose()
+	isOwner?: boolean;
+
+	static async fromString(rawFilter: string) {
+		return this.toFilter(rawFilter, UserFilter);
+	}
+}
diff --git a/packages/cli/src/middlewares/listQuery/dtos/user.select.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/user.select.dto.ts
new file mode 100644
index 0000000000000..7da40be3e8975
--- /dev/null
+++ b/packages/cli/src/middlewares/listQuery/dtos/user.select.dto.ts
@@ -0,0 +1,11 @@
+import { BaseSelect } from './base.select.dto';
+
+export class UserSelect extends BaseSelect {
+	static get selectableFields() {
+		return new Set(['id', 'email', 'firstName', 'lastName']);
+	}
+
+	static fromString(rawFilter: string) {
+		return this.toSelect(rawFilter, UserSelect);
+	}
+}
diff --git a/packages/cli/src/middlewares/listQuery/dtos/workflow.filter.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/workflow.filter.dto.ts
index 4eb9da41e0c94..389246cf6cf42 100644
--- a/packages/cli/src/middlewares/listQuery/dtos/workflow.filter.dto.ts
+++ b/packages/cli/src/middlewares/listQuery/dtos/workflow.filter.dto.ts
@@ -1,9 +1,9 @@
-import { IsOptional, IsString, IsBoolean, IsArray, validate } from 'class-validator';
-import { Expose, instanceToPlain, plainToInstance } from 'class-transformer';
-import { jsonParse } from 'n8n-workflow';
-import { isObjectLiteral } from '@/utils';
+import { IsOptional, IsString, IsBoolean, IsArray } from 'class-validator';
+import { Expose } from 'class-transformer';
 
-export class WorkflowFilter {
+import { BaseFilter } from './base.filter.dto';
+
+export class WorkflowFilter extends BaseFilter {
 	@IsString()
 	@IsOptional()
 	@Expose()
@@ -21,23 +21,6 @@ export class WorkflowFilter {
 	tags?: string[];
 
 	static async fromString(rawFilter: string) {
-		const dto = jsonParse(rawFilter, { errorMessage: 'Failed to parse filter JSON' });
-
-		if (!isObjectLiteral(dto)) throw new Error('Filter must be an object literal');
-
-		const instance = plainToInstance(WorkflowFilter, dto, {
-			excludeExtraneousValues: true, // remove fields not in class
-			exposeUnsetFields: false, // remove in-class undefined fields
-		});
-
-		await instance.validate();
-
-		return instanceToPlain(instance);
-	}
-
-	private async validate() {
-		const result = await validate(this);
-
-		if (result.length > 0) throw new Error('Parsed filter does not fit the schema');
+		return this.toFilter(rawFilter, WorkflowFilter);
 	}
 }
diff --git a/packages/cli/src/middlewares/listQuery/dtos/workflow.select.dto.ts b/packages/cli/src/middlewares/listQuery/dtos/workflow.select.dto.ts
index dd74e81269d7a..0a905604623c0 100644
--- a/packages/cli/src/middlewares/listQuery/dtos/workflow.select.dto.ts
+++ b/packages/cli/src/middlewares/listQuery/dtos/workflow.select.dto.ts
@@ -1,9 +1,6 @@
-import { isStringArray } from '@/utils';
-import { jsonParse } from 'n8n-workflow';
-
-export class WorkflowSelect {
-	fields: string[];
+import { BaseSelect } from './base.select.dto';
 
+export class WorkflowSelect extends BaseSelect {
 	static get selectableFields() {
 		return new Set([
 			'id', // always included downstream
@@ -18,13 +15,6 @@ export class WorkflowSelect {
 	}
 
 	static fromString(rawFilter: string) {
-		const dto = jsonParse(rawFilter, { errorMessage: 'Failed to parse filter JSON' });
-
-		if (!isStringArray(dto)) throw new Error('Parsed select is not a string array');
-
-		return dto.reduce<Record<string, true>>((acc, field) => {
-			if (!WorkflowSelect.selectableFields.has(field)) return acc;
-			return (acc[field] = true), acc;
-		}, {});
+		return this.toSelect(rawFilter, WorkflowSelect);
 	}
 }
diff --git a/packages/cli/src/middlewares/listQuery/filter.ts b/packages/cli/src/middlewares/listQuery/filter.ts
index 6ca297ef909fb..cb189a5042cc5 100644
--- a/packages/cli/src/middlewares/listQuery/filter.ts
+++ b/packages/cli/src/middlewares/listQuery/filter.ts
@@ -2,6 +2,7 @@
 
 import * as ResponseHelper from '@/ResponseHelper';
 import { WorkflowFilter } from './dtos/workflow.filter.dto';
+import { UserFilter } from './dtos/user.filter.dto';
 import { toError } from '@/utils';
 
 import type { NextFunction, Response } from 'express';
@@ -20,6 +21,8 @@ export const filterListQueryMiddleware = async (
 
 	if (req.baseUrl.endsWith('workflows')) {
 		Filter = WorkflowFilter;
+	} else if (req.baseUrl.endsWith('users')) {
+		Filter = UserFilter;
 	} else {
 		return next();
 	}
diff --git a/packages/cli/src/middlewares/listQuery/pagination.ts b/packages/cli/src/middlewares/listQuery/pagination.ts
index 9a16ee3a5a28e..2438292be7517 100644
--- a/packages/cli/src/middlewares/listQuery/pagination.ts
+++ b/packages/cli/src/middlewares/listQuery/pagination.ts
@@ -11,9 +11,13 @@ export const paginationListQueryMiddleware: RequestHandler = (
 ) => {
 	const { take: rawTake, skip: rawSkip = '0' } = req.query;
 
-	if (!rawTake) return next();
-
 	try {
+		if (!rawTake && req.query.skip) {
+			throw new Error('Please specify `take` when using `skip`');
+		}
+
+		if (!rawTake) return next();
+
 		const { take, skip } = Pagination.fromString(rawTake, rawSkip);
 
 		req.listQueryOptions = { ...req.listQueryOptions, skip, take };
diff --git a/packages/cli/src/middlewares/listQuery/select.ts b/packages/cli/src/middlewares/listQuery/select.ts
index e5813bbc0e0a8..4ff4ac525af66 100644
--- a/packages/cli/src/middlewares/listQuery/select.ts
+++ b/packages/cli/src/middlewares/listQuery/select.ts
@@ -1,6 +1,7 @@
 /* eslint-disable @typescript-eslint/naming-convention */
 
 import { WorkflowSelect } from './dtos/workflow.select.dto';
+import { UserSelect } from './dtos/user.select.dto';
 import * as ResponseHelper from '@/ResponseHelper';
 import { toError } from '@/utils';
 
@@ -16,6 +17,8 @@ export const selectListQueryMiddleware: RequestHandler = (req: ListQuery.Request
 
 	if (req.baseUrl.endsWith('workflows')) {
 		Select = WorkflowSelect;
+	} else if (req.baseUrl.endsWith('users')) {
+		Select = UserSelect;
 	} else {
 		return next();
 	}
diff --git a/packages/cli/src/push/index.ts b/packages/cli/src/push/index.ts
index d5225b34893a9..752f90e5a977b 100644
--- a/packages/cli/src/push/index.ts
+++ b/packages/cli/src/push/index.ts
@@ -26,7 +26,7 @@ export class Push extends EventEmitter {
 		} else if (!useWebSockets) {
 			(this.backend as SSEPush).add(req.query.sessionId, { req, res });
 		} else {
-			res.status(1008).send('Unauthorized');
+			res.status(401).send('Unauthorized');
 		}
 		this.emit('editorUiConnected', req.query.sessionId);
 	}
@@ -88,7 +88,7 @@ export const setupPushHandler = (restEndpoint: string, app: Application) => {
 				ws.send(`Unauthorized: ${(error as Error).message}`);
 				ws.close(1008);
 			} else {
-				res.status(1008).send('Unauthorized');
+				res.status(401).send('Unauthorized');
 			}
 			return;
 		}
diff --git a/packages/cli/src/push/websocket.push.ts b/packages/cli/src/push/websocket.push.ts
index 93c9a24220759..46c38394df16f 100644
--- a/packages/cli/src/push/websocket.push.ts
+++ b/packages/cli/src/push/websocket.push.ts
@@ -1,12 +1,29 @@
 import type WebSocket from 'ws';
 import { AbstractPush } from './abstract.push';
 
+function heartbeat(this: WebSocket) {
+	this.isAlive = true;
+}
+
 export class WebSocketPush extends AbstractPush<WebSocket> {
+	constructor() {
+		super();
+
+		// Ping all connected clients every 60 seconds
+		setInterval(() => this.pingAll(), 60 * 1000);
+	}
+
 	add(sessionId: string, connection: WebSocket) {
+		connection.isAlive = true;
+		connection.on('pong', heartbeat);
+
 		super.add(sessionId, connection);
 
 		// Makes sure to remove the session if the connection is closed
-		connection.once('close', () => this.remove(sessionId));
+		connection.once('close', () => {
+			connection.off('pong', heartbeat);
+			this.remove(sessionId);
+		});
 	}
 
 	protected close(connection: WebSocket): void {
@@ -16,4 +33,18 @@ export class WebSocketPush extends AbstractPush<WebSocket> {
 	protected sendToOne(connection: WebSocket, data: string): void {
 		connection.send(data);
 	}
+
+	private pingAll() {
+		for (const sessionId in this.connections) {
+			const connection = this.connections[sessionId];
+			// If a connection did not respond with a `PONG` in the last 60 seconds, disconnect
+			if (!connection.isAlive) {
+				delete this.connections[sessionId];
+				return connection.terminate();
+			}
+
+			connection.isAlive = false;
+			connection.ping();
+		}
+	}
 }
diff --git a/packages/cli/src/requests.ts b/packages/cli/src/requests.ts
index 7fc0bb94f6f04..fe7bb2c421897 100644
--- a/packages/cli/src/requests.ts
+++ b/packages/cli/src/requests.ts
@@ -4,6 +4,7 @@ import type {
 	IConnections,
 	ICredentialDataDecryptedObject,
 	ICredentialNodeAccess,
+	IDataObject,
 	INode,
 	INodeCredentialTestRequest,
 	IPinData,
@@ -14,7 +15,13 @@ import type {
 
 import { IsBoolean, IsEmail, IsOptional, IsString, Length } from 'class-validator';
 import { NoXss } from '@db/utils/customValidators';
-import type { PublicUser, IExecutionDeleteFilter, IWorkflowDb } from '@/Interfaces';
+import type {
+	PublicUser,
+	IExecutionDeleteFilter,
+	IWorkflowDb,
+	SecretsProvider,
+	SecretsProviderState,
+} from '@/Interfaces';
 import type { Role } from '@db/entities/Role';
 import type { User } from '@db/entities/User';
 import type { UserManagementMailer } from '@/UserManagement/email';
@@ -227,7 +234,7 @@ export declare namespace MeRequest {
 	export type Password = AuthenticatedRequest<
 		{},
 		{},
-		{ currentPassword: string; newPassword: string }
+		{ currentPassword: string; newPassword: string; token?: string }
 	>;
 	export type SurveyAnswers = AuthenticatedRequest<{}, {}, Record<string, string> | {}>;
 }
@@ -237,6 +244,9 @@ export interface UserSetupPayload {
 	password: string;
 	firstName: string;
 	lastName: string;
+	mfaEnabled?: boolean;
+	mfaSecret?: string;
+	mfaRecoveryCodes?: string[];
 }
 
 // ----------------------------------
@@ -261,7 +271,7 @@ export declare namespace PasswordResetRequest {
 	export type NewPassword = AuthlessRequest<
 		{},
 		{},
-		Pick<PublicUser, 'password'> & { token?: string; userId?: string }
+		Pick<PublicUser, 'password'> & { token?: string; userId?: string; mfaToken?: string }
 	>;
 }
 
@@ -270,8 +280,6 @@ export declare namespace PasswordResetRequest {
 // ----------------------------------
 
 export declare namespace UserRequest {
-	export type List = AuthenticatedRequest;
-
 	export type Invite = AuthenticatedRequest<{}, {}, Array<{ email: string }>>;
 
 	export type ResolveSignUp = AuthlessRequest<
@@ -332,9 +340,27 @@ export type LoginRequest = AuthlessRequest<
 	{
 		email: string;
 		password: string;
+		mfaToken?: string;
+		mfaRecoveryCode?: string;
 	}
 >;
 
+// ----------------------------------
+//          MFA endpoints
+// ----------------------------------
+
+export declare namespace MFA {
+	type Verify = AuthenticatedRequest<{}, {}, { token: string }, {}>;
+	type Activate = AuthenticatedRequest<{}, {}, { token: string }, {}>;
+	type Config = AuthenticatedRequest<{}, {}, { login: { enabled: boolean } }, {}>;
+	type ValidateRecoveryCode = AuthenticatedRequest<
+		{},
+		{},
+		{ recoveryCode: { enabled: boolean } },
+		{}
+	>;
+}
+
 // ----------------------------------
 //          oauth endpoints
 // ----------------------------------
@@ -476,3 +502,25 @@ export declare namespace VariablesRequest {
 	type Update = AuthenticatedRequest<{ id: string }, {}, CreateUpdatePayload, {}>;
 	type Delete = Get;
 }
+
+export declare namespace ExternalSecretsRequest {
+	type GetProviderResponse = Pick<SecretsProvider, 'displayName' | 'name' | 'properties'> & {
+		icon: string;
+		connected: boolean;
+		connectedAt: Date | null;
+		state: SecretsProviderState;
+		data: IDataObject;
+	};
+
+	type GetProviders = AuthenticatedRequest;
+	type GetProvider = AuthenticatedRequest<{ provider: string }, GetProviderResponse>;
+	type SetProviderSettings = AuthenticatedRequest<{ provider: string }, {}, IDataObject>;
+	type TestProviderSettings = SetProviderSettings;
+	type SetProviderConnected = AuthenticatedRequest<
+		{ provider: string },
+		{},
+		{ connected: boolean }
+	>;
+
+	type UpdateProvider = AuthenticatedRequest<{ provider: string }>;
+}
diff --git a/packages/cli/src/services/user.service.ts b/packages/cli/src/services/user.service.ts
index 678482a340ca4..6d6c9c15f528b 100644
--- a/packages/cli/src/services/user.service.ts
+++ b/packages/cli/src/services/user.service.ts
@@ -4,6 +4,9 @@ import { In } from 'typeorm';
 import { User } from '@db/entities/User';
 import type { IUserSettings } from 'n8n-workflow';
 import { UserRepository } from '@/databases/repositories';
+import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper';
+import type { PublicUser } from '@/Interfaces';
+import type { PostHogClient } from '@/posthog';
 
 @Service()
 export class UserService {
@@ -18,7 +21,7 @@ export class UserService {
 	}
 
 	async findMany(options: FindManyOptions<User>) {
-		return this.userRepository.find({ relations: ['globalRole'], ...options });
+		return this.userRepository.find(options);
 	}
 
 	async findOneBy(options: FindOptionsWhere<User>) {
@@ -51,11 +54,62 @@ export class UserService {
 		return this.userRepository.update(userId, { settings: { ...settings, ...newSettings } });
 	}
 
-	generatePasswordResetUrl(instanceBaseUrl: string, token: string) {
+	generatePasswordResetUrl(instanceBaseUrl: string, token: string, mfaEnabled: boolean) {
 		const url = new URL(`${instanceBaseUrl}/change-password`);
 
 		url.searchParams.append('token', token);
+		url.searchParams.append('mfaEnabled', mfaEnabled.toString());
 
 		return url.toString();
 	}
+
+	async toPublic(user: User, options?: { withInviteUrl?: boolean; posthog?: PostHogClient }) {
+		const { password, updatedAt, apiKey, authIdentities, ...rest } = user;
+
+		const ldapIdentity = authIdentities?.find((i) => i.providerType === 'ldap');
+
+		let publicUser: PublicUser = {
+			...rest,
+			signInType: ldapIdentity ? 'ldap' : 'email',
+			hasRecoveryCodesLeft: !!user.mfaRecoveryCodes?.length,
+		};
+
+		if (options?.withInviteUrl && publicUser.isPending) {
+			publicUser = this.addInviteUrl(publicUser, user.id);
+		}
+
+		if (options?.posthog) {
+			publicUser = await this.addFeatureFlags(publicUser, options.posthog);
+		}
+
+		return publicUser;
+	}
+
+	private addInviteUrl(user: PublicUser, inviterId: string) {
+		const url = new URL(getInstanceBaseUrl());
+		url.pathname = '/signup';
+		url.searchParams.set('inviterId', inviterId);
+		url.searchParams.set('inviteeId', user.id);
+
+		user.inviteAcceptUrl = url.toString();
+
+		return user;
+	}
+
+	private async addFeatureFlags(publicUser: PublicUser, posthog: PostHogClient) {
+		// native PostHog implementation has default 10s timeout and 3 retries.. which cannot be updated without affecting other functionality
+		// https://github.com/PostHog/posthog-js-lite/blob/a182de80a433fb0ffa6859c10fb28084d0f825c2/posthog-core/src/index.ts#L67
+		const timeoutPromise = new Promise<PublicUser>((resolve) => {
+			setTimeout(() => {
+				resolve(publicUser);
+			}, 1500);
+		});
+
+		const fetchPromise = new Promise<PublicUser>(async (resolve) => {
+			publicUser.featureFlags = await posthog.getFeatureFlags(publicUser);
+			resolve(publicUser);
+		});
+
+		return Promise.race([fetchPromise, timeoutPromise]);
+	}
 }
diff --git a/packages/cli/test/integration/ExternalSecrets/externalSecrets.api.test.ts b/packages/cli/test/integration/ExternalSecrets/externalSecrets.api.test.ts
new file mode 100644
index 0000000000000..8ea55e7e7317b
--- /dev/null
+++ b/packages/cli/test/integration/ExternalSecrets/externalSecrets.api.test.ts
@@ -0,0 +1,370 @@
+import type { SuperAgentTest } from 'supertest';
+import { License } from '@/License';
+import * as testDb from '../shared/testDb';
+import * as utils from '../shared/utils/';
+import type { ExternalSecretsSettings, SecretsProviderState } from '@/Interfaces';
+import { UserSettings } from 'n8n-core';
+import { SettingsRepository } from '@/databases/repositories/settings.repository';
+import Container from 'typedi';
+import { AES, enc } from 'crypto-js';
+import { ExternalSecretsProviders } from '@/ExternalSecrets/ExternalSecretsProviders.ee';
+import {
+	DummyProvider,
+	FailedProvider,
+	MockProviders,
+	TestFailProvider,
+} from '../../shared/ExternalSecrets/utils';
+import config from '@/config';
+import { ExternalSecretsManager } from '@/ExternalSecrets/ExternalSecretsManager.ee';
+import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
+import type { IDataObject } from 'n8n-workflow';
+
+let authOwnerAgent: SuperAgentTest;
+let authMemberAgent: SuperAgentTest;
+
+const licenseLike = utils.mockInstance(License, {
+	isExternalSecretsEnabled: jest.fn().mockReturnValue(true),
+	isWithinUsersLimit: jest.fn().mockReturnValue(true),
+});
+
+const mockProvidersInstance = new MockProviders();
+let providersMock: ExternalSecretsProviders = utils.mockInstance(
+	ExternalSecretsProviders,
+	mockProvidersInstance,
+);
+
+const testServer = utils.setupTestServer({ endpointGroups: ['externalSecrets'] });
+
+const connectedDate = '2023-08-01T12:32:29.000Z';
+
+async function setExternalSecretsSettings(settings: ExternalSecretsSettings) {
+	const encryptionKey = await UserSettings.getEncryptionKey();
+	return Container.get(SettingsRepository).saveEncryptedSecretsProviderSettings(
+		AES.encrypt(JSON.stringify(settings), encryptionKey).toString(),
+	);
+}
+
+async function getExternalSecretsSettings(): Promise<ExternalSecretsSettings | null> {
+	const encryptionKey = await UserSettings.getEncryptionKey();
+	const encSettings = await Container.get(SettingsRepository).getEncryptedSecretsProviderSettings();
+	if (encSettings === null) {
+		return null;
+	}
+	return JSON.parse(AES.decrypt(encSettings, encryptionKey).toString(enc.Utf8));
+}
+
+const resetManager = async () => {
+	Container.get(ExternalSecretsManager).shutdown();
+	Container.set(
+		ExternalSecretsManager,
+		new ExternalSecretsManager(
+			Container.get(SettingsRepository),
+			licenseLike,
+			mockProvidersInstance,
+		),
+	);
+
+	await Container.get(ExternalSecretsManager).init();
+};
+
+const getDummyProviderData = ({
+	data,
+	includeProperties,
+	connected,
+	state,
+	connectedAt,
+	displayName,
+}: {
+	data?: IDataObject;
+	includeProperties?: boolean;
+	connected?: boolean;
+	state?: SecretsProviderState;
+	connectedAt?: string | null;
+	displayName?: string;
+} = {}) => {
+	const dummy: IDataObject = {
+		connected: connected ?? true,
+		connectedAt: connectedAt === undefined ? connectedDate : connectedAt,
+		data: data ?? {},
+		name: 'dummy',
+		displayName: displayName ?? 'Dummy Provider',
+		icon: 'dummy',
+		state: state ?? 'connected',
+	};
+
+	if (includeProperties) {
+		dummy.properties = new DummyProvider().properties;
+	}
+
+	return dummy;
+};
+
+beforeAll(async () => {
+	await utils.initEncryptionKey();
+
+	const owner = await testDb.createOwner();
+	authOwnerAgent = testServer.authAgentFor(owner);
+	const member = await testDb.createUser();
+	authMemberAgent = testServer.authAgentFor(member);
+	config.set('userManagement.isInstanceOwnerSetUp', true);
+});
+
+beforeEach(async () => {
+	licenseLike.isExternalSecretsEnabled.mockReturnValue(true);
+
+	mockProvidersInstance.setProviders({
+		dummy: DummyProvider,
+	});
+
+	await setExternalSecretsSettings({
+		dummy: {
+			connected: true,
+			connectedAt: new Date(connectedDate),
+			settings: {},
+		},
+	});
+
+	await resetManager();
+});
+
+afterEach(async () => {
+	Container.get(ExternalSecretsManager).shutdown();
+});
+
+describe('GET /external-secrets/providers', () => {
+	test('can retrieve providers as owner', async () => {
+		const resp = await authOwnerAgent.get('/external-secrets/providers');
+		expect(resp.body).toEqual({
+			data: [getDummyProviderData()],
+		});
+	});
+
+	test('can not retrieve providers as non-owner', async () => {
+		const resp = await authMemberAgent.get('/external-secrets/providers');
+		expect(resp.status).toBe(403);
+	});
+
+	test('does obscure passwords', async () => {
+		await setExternalSecretsSettings({
+			dummy: {
+				connected: true,
+				connectedAt: new Date(connectedDate),
+				settings: {
+					username: 'testuser',
+					password: 'testpass',
+				},
+			},
+		});
+
+		await resetManager();
+
+		const resp = await authOwnerAgent.get('/external-secrets/providers');
+		expect(resp.body).toEqual({
+			data: [
+				getDummyProviderData({
+					data: {
+						username: 'testuser',
+						password: CREDENTIAL_BLANKING_VALUE,
+					},
+				}),
+			],
+		});
+	});
+});
+
+describe('GET /external-secrets/providers/:provider', () => {
+	test('can retrieve provider as owner', async () => {
+		const resp = await authOwnerAgent.get('/external-secrets/providers/dummy');
+		expect(resp.body.data).toEqual(getDummyProviderData({ includeProperties: true }));
+	});
+
+	test('can not retrieve provider as non-owner', async () => {
+		const resp = await authMemberAgent.get('/external-secrets/providers/dummy');
+		expect(resp.status).toBe(403);
+	});
+
+	test('does obscure passwords', async () => {
+		await setExternalSecretsSettings({
+			dummy: {
+				connected: true,
+				connectedAt: new Date(connectedDate),
+				settings: {
+					username: 'testuser',
+					password: 'testpass',
+				},
+			},
+		});
+
+		await resetManager();
+
+		const resp = await authOwnerAgent.get('/external-secrets/providers/dummy');
+		expect(resp.body.data).toEqual(
+			getDummyProviderData({
+				data: {
+					username: 'testuser',
+					password: CREDENTIAL_BLANKING_VALUE,
+				},
+				includeProperties: true,
+			}),
+		);
+	});
+});
+
+describe('POST /external-secrets/providers/:provider', () => {
+	test('can update provider settings', async () => {
+		const testData = {
+			username: 'testuser',
+			other: 'testother',
+		};
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy').send(testData);
+		expect(resp.status).toBe(200);
+
+		const confirmResp = await authOwnerAgent.get('/external-secrets/providers/dummy');
+		expect(confirmResp.body.data).toEqual(
+			getDummyProviderData({ data: testData, includeProperties: true }),
+		);
+	});
+
+	test('can update provider settings with blanking value', async () => {
+		await setExternalSecretsSettings({
+			dummy: {
+				connected: true,
+				connectedAt: new Date(connectedDate),
+				settings: {
+					username: 'testuser',
+					password: 'testpass',
+				},
+			},
+		});
+
+		await resetManager();
+
+		const testData = {
+			username: 'newuser',
+			password: CREDENTIAL_BLANKING_VALUE,
+		};
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy').send(testData);
+		expect(resp.status).toBe(200);
+
+		const confirmResp = await authOwnerAgent.get('/external-secrets/providers/dummy');
+		expect((await getExternalSecretsSettings())?.dummy.settings).toEqual({
+			username: 'newuser',
+			password: 'testpass',
+		});
+	});
+});
+
+describe('POST /external-secrets/providers/:provider/connect', () => {
+	test('can change provider connected state', async () => {
+		const testData = {
+			connected: false,
+		};
+		const resp = await authOwnerAgent
+			.post('/external-secrets/providers/dummy/connect')
+			.send(testData);
+		expect(resp.status).toBe(200);
+
+		const confirmResp = await authOwnerAgent.get('/external-secrets/providers/dummy');
+		expect(confirmResp.body.data).toEqual(
+			getDummyProviderData({
+				includeProperties: true,
+				connected: false,
+				state: 'initializing',
+			}),
+		);
+	});
+});
+
+describe('POST /external-secrets/providers/:provider/test', () => {
+	test('can test provider', async () => {
+		const testData = {
+			username: 'testuser',
+			other: 'testother',
+		};
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy/test').send(testData);
+		expect(resp.status).toBe(200);
+		expect(resp.body.data.success).toBe(true);
+		expect(resp.body.data.testState).toBe('connected');
+	});
+
+	test('can test provider fail', async () => {
+		mockProvidersInstance.setProviders({
+			dummy: TestFailProvider,
+		});
+
+		await resetManager();
+
+		const testData = {
+			username: 'testuser',
+			other: 'testother',
+		};
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy/test').send(testData);
+		expect(resp.status).toBe(400);
+		expect(resp.body.data.success).toBe(false);
+		expect(resp.body.data.testState).toBe('error');
+	});
+});
+
+describe('POST /external-secrets/providers/:provider/update', () => {
+	test('can update provider', async () => {
+		const updateSpy = jest.spyOn(
+			Container.get(ExternalSecretsManager).getProvider('dummy')!,
+			'update',
+		);
+
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy/update');
+		expect(resp.status).toBe(200);
+		expect(resp.body.data).toEqual({ updated: true });
+		expect(updateSpy).toBeCalled();
+	});
+
+	test('can not update errored provider', async () => {
+		mockProvidersInstance.setProviders({
+			dummy: FailedProvider,
+		});
+
+		await resetManager();
+
+		const updateSpy = jest.spyOn(
+			Container.get(ExternalSecretsManager).getProvider('dummy')!,
+			'update',
+		);
+
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy/update');
+		expect(resp.status).toBe(400);
+		expect(resp.body.data).toEqual({ updated: false });
+		expect(updateSpy).not.toBeCalled();
+	});
+
+	test('can not update provider without a valid license', async () => {
+		const updateSpy = jest.spyOn(
+			Container.get(ExternalSecretsManager).getProvider('dummy')!,
+			'update',
+		);
+
+		licenseLike.isExternalSecretsEnabled.mockReturnValue(false);
+
+		const resp = await authOwnerAgent.post('/external-secrets/providers/dummy/update');
+		expect(resp.status).toBe(400);
+		expect(resp.body.data).toEqual({ updated: false });
+		expect(updateSpy).not.toBeCalled();
+	});
+});
+
+describe('GET /external-secrets/secrets', () => {
+	test('can get secret names as owner', async () => {
+		const resp = await authOwnerAgent.get('/external-secrets/secrets');
+		expect(resp.status).toBe(200);
+		expect(resp.body.data).toEqual({
+			dummy: ['test1', 'test2'],
+		});
+	});
+
+	test('can not get secret names as non-owner', async () => {
+		const resp = await authMemberAgent.get('/external-secrets/secrets');
+		expect(resp.status).toBe(403);
+		expect(resp.body.data).not.toEqual({
+			dummy: ['test1', 'test2'],
+		});
+	});
+});
diff --git a/packages/cli/test/integration/ldap/ldap.api.test.ts b/packages/cli/test/integration/ldap/ldap.api.test.ts
index 65d1c080d5b7d..8b00566d1187d 100644
--- a/packages/cli/test/integration/ldap/ldap.api.test.ts
+++ b/packages/cli/test/integration/ldap/ldap.api.test.ts
@@ -11,7 +11,6 @@ import { LdapManager } from '@/Ldap/LdapManager.ee';
 import { LdapService } from '@/Ldap/LdapService.ee';
 import { encryptPassword, saveLdapSynchronization } from '@/Ldap/helpers';
 import type { LdapConfig } from '@/Ldap/types';
-import { sanitizeUser } from '@/UserManagement/UserManagementHelper';
 import { getCurrentAuthenticationMethod, setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 
 import { randomEmail, randomName, uniqueId } from './../shared/random';
@@ -570,24 +569,3 @@ describe('Instance owner should able to delete LDAP users', () => {
 		await authOwnerAgent.post(`/users/${member.id}?transferId=${owner.id}`);
 	});
 });
-
-test('Sign-type should be returned when listing users', async () => {
-	const ldapConfig = await createLdapConfig();
-	LdapManager.updateConfig(ldapConfig);
-
-	await testDb.createLdapUser(
-		{
-			globalRole: globalMemberRole,
-		},
-		uniqueId(),
-	);
-
-	const allUsers = await testDb.getAllUsers();
-	expect(allUsers.length).toBe(2);
-
-	const ownerUser = allUsers.find((u) => u.email === owner.email)!;
-	expect(sanitizeUser(ownerUser).signInType).toStrictEqual('email');
-
-	const memberUser = allUsers.find((u) => u.email !== owner.email)!;
-	expect(sanitizeUser(memberUser).signInType).toStrictEqual('ldap');
-});
diff --git a/packages/cli/test/integration/mfa/mfa.api.test.ts b/packages/cli/test/integration/mfa/mfa.api.test.ts
new file mode 100644
index 0000000000000..3914a428436b3
--- /dev/null
+++ b/packages/cli/test/integration/mfa/mfa.api.test.ts
@@ -0,0 +1,405 @@
+import config from '@/config';
+import * as Db from '@/Db';
+import type { Role } from '@db/entities/Role';
+import type { User } from '@db/entities/User';
+import * as testDb from './../shared/testDb';
+import * as utils from '../shared/utils';
+import { randomPassword } from '@/Ldap/helpers';
+import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random';
+import { TOTPService } from '@/Mfa/totp.service';
+import Container from 'typedi';
+import { JwtService } from '@/services/jwt.service';
+
+jest.mock('@/telemetry');
+
+let globalOwnerRole: Role;
+let owner: User;
+
+const testServer = utils.setupTestServer({
+	endpointGroups: ['mfa', 'auth', 'me', 'passwordReset'],
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['User']);
+
+	owner = await testDb.createUser({ globalRole: globalOwnerRole });
+
+	config.set('userManagement.disabled', false);
+});
+
+afterAll(async () => {
+	await testDb.terminate();
+});
+
+describe('Enable MFA setup', () => {
+	describe('Step one', () => {
+		test('GET /qr should fail due to unauthenticated user', async () => {
+			const response = await testServer.authlessAgent.get('/mfa/qr');
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		test('GET /qr should reuse secret and recovery codes until setup is complete', async () => {
+			const firstCall = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			const secondCall = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			expect(firstCall.body.data.secret).toBe(secondCall.body.data.secret);
+			expect(firstCall.body.data.recoveryCodes.join('')).toBe(
+				secondCall.body.data.recoveryCodes.join(''),
+			);
+
+			await testServer.authAgentFor(owner).delete('/mfa/disable');
+
+			const thirdCall = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			expect(firstCall.body.data.secret).not.toBe(thirdCall.body.data.secret);
+			expect(firstCall.body.data.recoveryCodes.join('')).not.toBe(
+				thirdCall.body.data.recoveryCodes.join(''),
+			);
+		});
+
+		test('GET /qr should return qr, secret and recovery codes', async () => {
+			const response = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			expect(response.statusCode).toBe(200);
+
+			const { data } = response.body;
+
+			expect(data.secret).toBeDefined();
+			expect(data.qrCode).toBeDefined();
+			expect(data.recoveryCodes).toBeDefined();
+			expect(data.recoveryCodes).not.toBeEmptyArray();
+			expect(data.recoveryCodes.length).toBe(10);
+		});
+	});
+
+	describe('Step two', () => {
+		test('POST /verify should fail due to unauthenticated user', async () => {
+			const response = await testServer.authlessAgent.post('/mfa/verify');
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		test('POST /verify should fail due to invalid MFA token', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.post('/mfa/verify')
+				.send({ token: '123' });
+
+			expect(response.statusCode).toBe(400);
+		});
+
+		test('POST /verify should fail due to missing token parameter', async () => {
+			await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			const response = await testServer.authAgentFor(owner).post('/mfa/verify').send({ token: '' });
+
+			expect(response.statusCode).toBe(400);
+		});
+
+		test('POST /verify should validate MFA token', async () => {
+			const response = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			const { secret } = response.body.data;
+
+			const token = new TOTPService().generateTOTP(secret);
+
+			const { statusCode } = await testServer
+				.authAgentFor(owner)
+				.post('/mfa/verify')
+				.send({ token });
+
+			expect(statusCode).toBe(200);
+		});
+	});
+
+	describe('Step three', () => {
+		test('POST /enable should fail due to unauthenticated user', async () => {
+			const response = await testServer.authlessAgent.post('/mfa/enable');
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		test('POST /verify should fail due to missing token parameter', async () => {
+			const response = await testServer.authAgentFor(owner).post('/mfa/verify').send({ token: '' });
+
+			expect(response.statusCode).toBe(400);
+		});
+
+		test('POST /enable should fail due to invalid MFA token', async () => {
+			await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			const response = await testServer
+				.authAgentFor(owner)
+				.post('/mfa/enable')
+				.send({ token: '123' });
+
+			expect(response.statusCode).toBe(400);
+		});
+
+		test('POST /enable should fail due to empty secret and recovery codes', async () => {
+			const response = await testServer.authAgentFor(owner).post('/mfa/enable');
+
+			expect(response.statusCode).toBe(400);
+		});
+
+		test('POST /enable should enable MFA in account', async () => {
+			const response = await testServer.authAgentFor(owner).get('/mfa/qr');
+
+			const { secret } = response.body.data;
+
+			const token = new TOTPService().generateTOTP(secret);
+
+			await testServer.authAgentFor(owner).post('/mfa/verify').send({ token });
+
+			const { statusCode } = await testServer
+				.authAgentFor(owner)
+				.post('/mfa/enable')
+				.send({ token });
+
+			expect(statusCode).toBe(200);
+
+			const user = await Db.collections.User.findOneOrFail({
+				where: {},
+				select: ['mfaEnabled', 'mfaRecoveryCodes', 'mfaSecret'],
+			});
+
+			expect(user.mfaEnabled).toBe(true);
+			expect(user.mfaRecoveryCodes).toBeDefined();
+			expect(user.mfaSecret).toBeDefined();
+		});
+	});
+});
+
+describe('Disable MFA setup', () => {
+	test('POST /disable should disable login with MFA', async () => {
+		const { user } = await testDb.createUserWithMfaEnabled();
+
+		const response = await testServer.authAgentFor(user).delete('/mfa/disable');
+
+		expect(response.statusCode).toBe(200);
+
+		const dbUser = await Db.collections.User.findOneOrFail({
+			where: { id: user.id },
+			select: ['mfaEnabled', 'mfaRecoveryCodes', 'mfaSecret'],
+		});
+
+		expect(dbUser.mfaEnabled).toBe(false);
+		expect(dbUser.mfaSecret).toBe(null);
+		expect(dbUser.mfaRecoveryCodes.length).toBe(0);
+	});
+});
+
+describe('Change password with MFA enabled', () => {
+	test('PATCH /me/password should fail due to missing MFA token', async () => {
+		const { user, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+		const newPassword = randomPassword();
+
+		const response = await testServer
+			.authAgentFor(user)
+			.patch('/me/password')
+			.send({ currentPassword: rawPassword, newPassword });
+
+		expect(response.statusCode).toBe(400);
+	});
+
+	test('POST /change-password should fail due to missing MFA token', async () => {
+		const { user } = await testDb.createUserWithMfaEnabled();
+
+		const newPassword = randomValidPassword();
+
+		const resetPasswordToken = uniqueId();
+
+		const response = await testServer.authlessAgent
+			.post('/change-password')
+			.send({ password: newPassword, token: resetPasswordToken });
+
+		expect(response.statusCode).toBe(400);
+	});
+
+	test('POST /change-password should fail due to invalid MFA token', async () => {
+		const { user } = await testDb.createUserWithMfaEnabled();
+
+		const newPassword = randomValidPassword();
+
+		const resetPasswordToken = uniqueId();
+
+		const response = await testServer.authlessAgent.post('/change-password').send({
+			password: newPassword,
+			token: resetPasswordToken,
+			mfaToken: randomDigit(),
+		});
+
+		expect(response.statusCode).toBe(400);
+	});
+
+	test('POST /change-password should update password', async () => {
+		const { user, rawSecret } = await testDb.createUserWithMfaEnabled();
+
+		const newPassword = randomValidPassword();
+
+		config.set('userManagement.jwtSecret', randomString(5, 10));
+
+		const jwtService = Container.get(JwtService);
+
+		const resetPasswordToken = jwtService.signData({ sub: user.id });
+
+		const mfaToken = new TOTPService().generateTOTP(rawSecret);
+
+		const response = await testServer.authlessAgent.post('/change-password').send({
+			password: newPassword,
+			token: resetPasswordToken,
+			mfaToken,
+		});
+
+		expect(response.statusCode).toBe(200);
+
+		const loginResponse = await testServer
+			.authAgentFor(user)
+			.post('/login')
+			.send({
+				email: user.email,
+				password: newPassword,
+				mfaToken: new TOTPService().generateTOTP(rawSecret),
+			});
+
+		expect(loginResponse.statusCode).toBe(200);
+		expect(loginResponse.body).toHaveProperty('data');
+	});
+});
+
+describe('Login', () => {
+	test('POST /login with email/password should succeed when mfa is disabled', async () => {
+		const password = randomPassword();
+
+		const user = await testDb.createUser({ password });
+
+		const response = await testServer.authlessAgent
+			.post('/login')
+			.send({ email: user.email, password });
+
+		expect(response.statusCode).toBe(200);
+	});
+
+	test('GET /login should include hasRecoveryCodesLeft property in response', async () => {
+		const response = await testServer.authAgentFor(owner).get('/login');
+
+		const { data } = response.body;
+
+		expect(response.statusCode).toBe(200);
+
+		expect(data.hasRecoveryCodesLeft).toBeDefined();
+	});
+
+	test('GET /login should not include mfaSecret and mfaRecoveryCodes property in response', async () => {
+		const response = await testServer.authAgentFor(owner).get('/login');
+
+		const { data } = response.body;
+
+		expect(response.statusCode).toBe(200);
+
+		expect(data.recoveryCodes).not.toBeDefined();
+		expect(data.mfaSecret).not.toBeDefined();
+	});
+
+	test('POST /login with email/password should fail when mfa is enabled', async () => {
+		const { user, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+		const response = await testServer.authlessAgent
+			.post('/login')
+			.send({ email: user.email, password: rawPassword });
+
+		expect(response.statusCode).toBe(401);
+	});
+
+	describe('Login with MFA token', () => {
+		test('POST /login should fail due to invalid MFA token', async () => {
+			const { user, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword, mfaToken: 'wrongvalue' });
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		test('POST /login should fail due two MFA step needed', async () => {
+			const { user, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword });
+
+			expect(response.statusCode).toBe(401);
+			expect(response.body.code).toBe(998);
+		});
+
+		test('POST /login should succeed with MFA token', async () => {
+			const { user, rawSecret, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+			const token = new TOTPService().generateTOTP(rawSecret);
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword, mfaToken: token });
+
+			const data = response.body.data;
+
+			expect(response.statusCode).toBe(200);
+			expect(data.mfaEnabled).toBe(true);
+		});
+	});
+
+	describe('Login with recovery code', () => {
+		test('POST /login should fail due to invalid MFA recovery code', async () => {
+			const { user, rawPassword } = await testDb.createUserWithMfaEnabled();
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword, mfaRecoveryCode: 'wrongvalue' });
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		test('POST /login should succeed with MFA recovery code', async () => {
+			const { user, rawPassword, rawRecoveryCodes } = await testDb.createUserWithMfaEnabled();
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword, mfaRecoveryCode: rawRecoveryCodes[0] });
+
+			const data = response.body.data;
+
+			expect(response.statusCode).toBe(200);
+			expect(data.mfaEnabled).toBe(true);
+			expect(data.hasRecoveryCodesLeft).toBe(true);
+
+			const dbUser = await Db.collections.User.findOneOrFail({
+				where: { id: user.id },
+				select: ['mfaEnabled', 'mfaRecoveryCodes', 'mfaSecret'],
+			});
+
+			// Make sure the recovery code used was removed
+			expect(dbUser.mfaRecoveryCodes.length).toBe(rawRecoveryCodes.length - 1);
+			expect(dbUser.mfaRecoveryCodes.includes(rawRecoveryCodes[0])).toBe(false);
+		});
+
+		test('POST /login with MFA recovery code should update hasRecoveryCodesLeft property', async () => {
+			const { user, rawPassword, rawRecoveryCodes } = await testDb.createUserWithMfaEnabled({
+				numberOfRecoveryCodes: 1,
+			});
+
+			const response = await testServer.authlessAgent
+				.post('/login')
+				.send({ email: user.email, password: rawPassword, mfaRecoveryCode: rawRecoveryCodes[0] });
+
+			const data = response.body.data;
+
+			expect(response.statusCode).toBe(200);
+			expect(data.mfaEnabled).toBe(true);
+			expect(data.hasRecoveryCodesLeft).toBe(false);
+		});
+	});
+});
diff --git a/packages/cli/test/integration/shared/testDb.ts b/packages/cli/test/integration/shared/testDb.ts
index 58ae9cef6017a..6d1d572473965 100644
--- a/packages/cli/test/integration/shared/testDb.ts
+++ b/packages/cli/test/integration/shared/testDb.ts
@@ -21,7 +21,6 @@ import type { TagEntity } from '@db/entities/TagEntity';
 import type { User } from '@db/entities/User';
 import type { WorkflowEntity } from '@db/entities/WorkflowEntity';
 import type { ICredentialsDb } from '@/Interfaces';
-
 import { DB_INITIALIZATION_TIMEOUT } from './constants';
 import { randomApiKey, randomEmail, randomName, randomString, randomValidPassword } from './random';
 import type {
@@ -38,6 +37,10 @@ import { VariablesService } from '@/environments/variables/variables.service';
 import { TagRepository, WorkflowTagMappingRepository } from '@/databases/repositories';
 import { separate } from '@/utils';
 
+import { randomPassword } from '@/Ldap/helpers';
+import { TOTPService } from '@/Mfa/totp.service';
+import { MfaService } from '@/Mfa/mfa.service';
+
 export type TestDBType = 'postgres' | 'mysql';
 
 export const testDbPrefix = 'n8n_test_';
@@ -95,7 +98,7 @@ export async function init() {
 		await Db.init(getDBOptions('postgres', testDbName));
 	} else if (dbType === 'mysqldb' || dbType === 'mariadb') {
 		const bootstrapMysql = await new Connection(getBootstrapDBOptions('mysql')).initialize();
-		await bootstrapMysql.query(`CREATE DATABASE ${testDbName}`);
+		await bootstrapMysql.query(`CREATE DATABASE ${testDbName} DEFAULT CHARACTER SET utf8mb4`);
 		await bootstrapMysql.destroy();
 
 		await Db.init(getDBOptions('mysql', testDbName));
@@ -204,10 +207,49 @@ export async function createLdapUser(attributes: Partial<User>, ldapId: string):
 	return user;
 }
 
+export async function createUserWithMfaEnabled(
+	data: { numberOfRecoveryCodes: number } = { numberOfRecoveryCodes: 10 },
+) {
+	const encryptionKey = await UserSettings.getEncryptionKey();
+
+	const email = randomEmail();
+	const password = randomPassword();
+
+	const toptService = new TOTPService();
+
+	const secret = toptService.generateSecret();
+
+	const mfaService = new MfaService(Db.collections.User, toptService, encryptionKey);
+
+	const recoveryCodes = mfaService.generateRecoveryCodes(data.numberOfRecoveryCodes);
+
+	const { encryptedSecret, encryptedRecoveryCodes } = mfaService.encryptSecretAndRecoveryCodes(
+		secret,
+		recoveryCodes,
+	);
+
+	return {
+		user: await createUser({
+			mfaEnabled: true,
+			password,
+			email,
+			mfaSecret: encryptedSecret,
+			mfaRecoveryCodes: encryptedRecoveryCodes,
+		}),
+		rawPassword: password,
+		rawSecret: secret,
+		rawRecoveryCodes: recoveryCodes,
+	};
+}
+
 export async function createOwner() {
 	return createUser({ globalRole: await getGlobalOwnerRole() });
 }
 
+export async function createMember() {
+	return createUser({ globalRole: await getGlobalMemberRole() });
+}
+
 export async function createUserShell(globalRole: Role): Promise<User> {
 	if (globalRole.scope !== 'global') {
 		throw new Error(`Invalid role received: ${JSON.stringify(globalRole)}`);
@@ -592,13 +634,12 @@ const baseOptions = (type: TestDBType) => ({
 /**
  * Generate options for a bootstrap DB connection, to create and drop test databases.
  */
-export const getBootstrapDBOptions = (type: TestDBType) =>
-	({
-		type,
-		name: type,
-		database: type,
-		...baseOptions(type),
-	}) as const;
+export const getBootstrapDBOptions = (type: TestDBType) => ({
+	type,
+	name: type,
+	database: type,
+	...baseOptions(type),
+});
 
 const getDBOptions = (type: TestDBType, name: string) => ({
 	type,
diff --git a/packages/cli/test/integration/shared/types.ts b/packages/cli/test/integration/shared/types.ts
index 2b483d4032c13..1e4e20c6f07b6 100644
--- a/packages/cli/test/integration/shared/types.ts
+++ b/packages/cli/test/integration/shared/types.ts
@@ -26,6 +26,8 @@ export type EndpointGroup =
 	| 'license'
 	| 'variables'
 	| 'tags'
+	| 'externalSecrets'
+	| 'mfa'
 	| 'metrics';
 
 export interface SetupProps {
diff --git a/packages/cli/test/integration/shared/utils/testServer.ts b/packages/cli/test/integration/shared/utils/testServer.ts
index ab098e5c64ef5..b00273eb66958 100644
--- a/packages/cli/test/integration/shared/utils/testServer.ts
+++ b/packages/cli/test/integration/shared/utils/testServer.ts
@@ -23,6 +23,7 @@ import { registerController } from '@/decorators';
 import {
 	AuthController,
 	LdapController,
+	MFAController,
 	MeController,
 	NodesController,
 	OwnerController,
@@ -49,8 +50,19 @@ import * as testDb from '../../shared/testDb';
 import { AUTHLESS_ENDPOINTS, PUBLIC_API_REST_PATH_SEGMENT, REST_PATH_SEGMENT } from '../constants';
 import type { EndpointGroup, SetupProps, TestServer } from '../types';
 import { mockInstance } from './mocking';
-import { JwtService } from '@/services/jwt.service';
+import { ExternalSecretsController } from '@/ExternalSecrets/ExternalSecrets.controller.ee';
+import { MfaService } from '@/Mfa/mfa.service';
+import { TOTPService } from '@/Mfa/totp.service';
+import { UserSettings } from 'n8n-core';
 import { MetricsService } from '@/services/metrics.service';
+import {
+	SettingsRepository,
+	SharedCredentialsRepository,
+	SharedWorkflowRepository,
+} from '@/databases/repositories';
+import { JwtService } from '@/services/jwt.service';
+import { RoleService } from '@/services/role.service';
+import { UserService } from '@/services/user.service';
 
 /**
  * Plugin to prefix a path segment into a request URL pathname.
@@ -179,11 +191,13 @@ export const setupTestServer = ({
 		}
 
 		if (functionEndpoints.length) {
+			const encryptionKey = await UserSettings.getEncryptionKey();
+			const repositories = Db.collections;
 			const externalHooks = Container.get(ExternalHooks);
 			const internalHooks = Container.get(InternalHooks);
 			const mailer = Container.get(UserManagementMailer);
-			const jwtService = Container.get(JwtService);
-			const repositories = Db.collections;
+			const mfaService = new MfaService(repositories.User, new TOTPService(), encryptionKey);
+			const userService = Container.get(UserService);
 
 			for (const group of functionEndpoints) {
 				switch (group) {
@@ -197,14 +211,11 @@ export const setupTestServer = ({
 						registerController(
 							app,
 							config,
-							new AuthController({
-								config,
-								logger,
-								internalHooks,
-								repositories,
-							}),
+							new AuthController(config, logger, internalHooks, mfaService, userService),
 						);
 						break;
+					case 'mfa':
+						registerController(app, config, new MFAController(mfaService));
 					case 'ldap':
 						Container.get(License).isLdapEnabled = () => true;
 						await handleLdapInit();
@@ -233,56 +244,63 @@ export const setupTestServer = ({
 						registerController(
 							app,
 							config,
-							new MeController({
-								logger,
-								externalHooks,
-								internalHooks,
-							}),
+							new MeController(logger, externalHooks, internalHooks, userService),
 						);
 						break;
 					case 'passwordReset':
 						registerController(
 							app,
 							config,
-							new PasswordResetController({
+							new PasswordResetController(
 								config,
 								logger,
 								externalHooks,
 								internalHooks,
 								mailer,
-							}),
+								userService,
+								Container.get(JwtService),
+								mfaService,
+							),
 						);
 						break;
 					case 'owner':
 						registerController(
 							app,
 							config,
-							new OwnerController({
+							new OwnerController(
 								config,
 								logger,
 								internalHooks,
-								repositories,
-							}),
+								Container.get(SettingsRepository),
+								userService,
+							),
 						);
 						break;
 					case 'users':
 						registerController(
 							app,
 							config,
-							new UsersController({
+							new UsersController(
 								config,
-								mailer,
+								logger,
 								externalHooks,
 								internalHooks,
-								repositories,
-								activeWorkflowRunner: Container.get(ActiveWorkflowRunner),
-								logger,
-							}),
+								Container.get(SharedCredentialsRepository),
+								Container.get(SharedWorkflowRepository),
+								Container.get(ActiveWorkflowRunner),
+								mailer,
+								Container.get(JwtService),
+								Container.get(RoleService),
+								userService,
+							),
 						);
 						break;
 					case 'tags':
 						registerController(app, config, Container.get(TagsController));
 						break;
+					case 'externalSecrets':
+						registerController(app, config, Container.get(ExternalSecretsController));
+						break;
 				}
 			}
 		}
diff --git a/packages/cli/test/integration/users.api.test.ts b/packages/cli/test/integration/users.api.test.ts
index 0f56258883a15..3f3457d5cb194 100644
--- a/packages/cli/test/integration/users.api.test.ts
+++ b/packages/cli/test/integration/users.api.test.ts
@@ -60,49 +60,6 @@ beforeEach(async () => {
 	config.set('userManagement.emails.smtp.host', '');
 });
 
-describe('GET /users', () => {
-	test('should return all users (for owner)', async () => {
-		await testDb.createUser({ globalRole: globalMemberRole });
-
-		const response = await authOwnerAgent.get('/users');
-
-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.length).toBe(2);
-
-		response.body.data.map((user: User) => {
-			const {
-				id,
-				email,
-				firstName,
-				lastName,
-				personalizationAnswers,
-				globalRole,
-				password,
-				isPending,
-				apiKey,
-			} = user;
-
-			expect(validator.isUUID(id)).toBe(true);
-			expect(email).toBeDefined();
-			expect(firstName).toBeDefined();
-			expect(lastName).toBeDefined();
-			expect(personalizationAnswers).toBeUndefined();
-			expect(password).toBeUndefined();
-			expect(isPending).toBe(false);
-			expect(globalRole).toBeDefined();
-			expect(apiKey).not.toBeDefined();
-		});
-	});
-
-	test('should return all users (for member)', async () => {
-		const member = await testDb.createUser({ globalRole: globalMemberRole });
-		const response = await testServer.authAgentFor(member).get('/users');
-
-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.length).toBe(2);
-	});
-});
-
 describe('DELETE /users/:id', () => {
 	test('should delete the user', async () => {
 		const userToDelete = await testDb.createUser({ globalRole: globalMemberRole });
diff --git a/packages/cli/test/integration/users.controller.test.ts b/packages/cli/test/integration/users.controller.test.ts
new file mode 100644
index 0000000000000..0dc5d41a28daa
--- /dev/null
+++ b/packages/cli/test/integration/users.controller.test.ts
@@ -0,0 +1,248 @@
+import * as testDb from './shared/testDb';
+import { setupTestServer } from './shared/utils/';
+import type { User } from '@/databases/entities/User';
+import type { PublicUser } from '@/Interfaces';
+
+const { any } = expect;
+
+const testServer = setupTestServer({ endpointGroups: ['users'] });
+
+let owner: User;
+let member: User;
+
+beforeEach(async () => {
+	await testDb.truncate(['User']);
+	owner = await testDb.createOwner();
+	member = await testDb.createMember();
+});
+
+const validatePublicUser = (user: PublicUser) => {
+	expect(typeof user.id).toBe('string');
+	expect(user.email).toBeDefined();
+	expect(user.firstName).toBeDefined();
+	expect(user.lastName).toBeDefined();
+	expect(typeof user.isOwner).toBe('boolean');
+	expect(user.isPending).toBe(false);
+	expect(user.signInType).toBe('email');
+	expect(user.settings).toBe(null);
+	expect(user.personalizationAnswers).toBeNull();
+	expect(user.password).toBeUndefined();
+	expect(user.globalRole).toBeDefined();
+};
+
+describe('GET /users', () => {
+	test('should return all users', async () => {
+		const response = await testServer.authAgentFor(owner).get('/users').expect(200);
+
+		expect(response.body.data).toHaveLength(2);
+
+		response.body.data.forEach(validatePublicUser);
+
+		const _response = await testServer.authAgentFor(member).get('/users').expect(200);
+
+		expect(_response.body.data).toHaveLength(2);
+
+		_response.body.data.forEach(validatePublicUser);
+	});
+
+	describe('filter', () => {
+		test('should filter users by field: email', async () => {
+			const secondMember = await testDb.createMember();
+
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query(`filter={ "email": "${secondMember.email}" }`)
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
+
+			const [user] = response.body.data;
+
+			expect(user.email).toBe(secondMember.email);
+
+			const _response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "email": "non@existing.com" }')
+				.expect(200);
+
+			expect(_response.body.data).toHaveLength(0);
+		});
+
+		test('should filter users by field: firstName', async () => {
+			const secondMember = await testDb.createMember();
+
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query(`filter={ "firstName": "${secondMember.firstName}" }`)
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
+
+			const [user] = response.body.data;
+
+			expect(user.email).toBe(secondMember.email);
+
+			const _response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "firstName": "Non-Existing" }')
+				.expect(200);
+
+			expect(_response.body.data).toHaveLength(0);
+		});
+
+		test('should filter users by field: lastName', async () => {
+			const secondMember = await testDb.createMember();
+
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query(`filter={ "lastName": "${secondMember.lastName}" }`)
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
+
+			const [user] = response.body.data;
+
+			expect(user.email).toBe(secondMember.email);
+
+			const _response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "lastName": "Non-Existing" }')
+				.expect(200);
+
+			expect(_response.body.data).toHaveLength(0);
+		});
+
+		test('should filter users by computed field: isOwner', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "isOwner": true }')
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
+
+			const [user] = response.body.data;
+
+			expect(user.isOwner).toBe(true);
+
+			const _response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "isOwner": false }')
+				.expect(200);
+
+			expect(_response.body.data).toHaveLength(1);
+
+			const [_user] = _response.body.data;
+
+			expect(_user.isOwner).toBe(false);
+		});
+	});
+
+	describe('select', () => {
+		test('should select user field: id', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('select=["id"]')
+				.expect(200);
+
+			expect(response.body).toEqual({
+				data: [{ id: any(String) }, { id: any(String) }],
+			});
+		});
+
+		test('should select user field: email', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('select=["email"]')
+				.expect(200);
+
+			expect(response.body).toEqual({
+				data: [{ email: any(String) }, { email: any(String) }],
+			});
+		});
+
+		test('should select user field: firstName', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('select=["firstName"]')
+				.expect(200);
+
+			expect(response.body).toEqual({
+				data: [{ firstName: any(String) }, { firstName: any(String) }],
+			});
+		});
+
+		test('should select user field: lastName', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('select=["lastName"]')
+				.expect(200);
+
+			expect(response.body).toEqual({
+				data: [{ lastName: any(String) }, { lastName: any(String) }],
+			});
+		});
+	});
+
+	describe('take', () => {
+		test('should return n users or less, without skip', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('take=2')
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(2);
+
+			response.body.data.forEach(validatePublicUser);
+
+			const _response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('take=1')
+				.expect(200);
+
+			expect(_response.body.data).toHaveLength(1);
+
+			_response.body.data.forEach(validatePublicUser);
+		});
+
+		test('should return n users or less, with skip', async () => {
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('take=1&skip=1')
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
+
+			response.body.data.forEach(validatePublicUser);
+		});
+	});
+
+	describe('combinations', () => {
+		test('should support options that require auxiliary fields', async () => {
+			// isOwner requires globalRole
+			// id-less select with take requires id
+
+			const response = await testServer
+				.authAgentFor(owner)
+				.get('/users')
+				.query('filter={ "isOwner": true }&select=["firstName"]&take=10')
+				.expect(200);
+
+			expect(response.body).toEqual({ data: [{ firstName: any(String) }] });
+		});
+	});
+});
diff --git a/packages/cli/test/integration/webhooks.api.test.ts b/packages/cli/test/integration/webhooks.api.test.ts
index b47613a6964c1..a5ec923f836f3 100644
--- a/packages/cli/test/integration/webhooks.api.test.ts
+++ b/packages/cli/test/integration/webhooks.api.test.ts
@@ -10,6 +10,7 @@ import { InternalHooks } from '@/InternalHooks';
 import { getLogger } from '@/Logger';
 import { NodeTypes } from '@/NodeTypes';
 import { Push } from '@/push';
+import type { WorkflowEntity } from '@db/entities/WorkflowEntity';
 
 import { mockInstance, initActiveWorkflowRunner } from './shared/utils';
 import * as testDb from './shared/testDb';
@@ -22,47 +23,43 @@ describe('Webhook API', () => {
 
 	let agent: SuperAgentTest;
 
+	beforeAll(async () => {
+		await testDb.init();
+	});
+
+	afterAll(async () => {
+		await testDb.terminate();
+	});
+
 	describe('Content-Type support', () => {
 		beforeAll(async () => {
-			await testDb.init();
-
 			const node = new WebhookTestingNode();
 			const user = await testDb.createUser();
-			await testDb.createWorkflow(
-				{
-					active: true,
-					nodes: [
-						{
-							name: 'Webhook',
-							type: node.description.name,
-							typeVersion: 1,
-							parameters: {
-								httpMethod: 'POST',
-								path: 'abcd',
-							},
-							id: '74786112-fb73-4d80-bd9a-43982939b801',
-							webhookId: '5ccef736-be16-4d10-b7fb-feed7a61ff22',
-							position: [740, 420],
-						},
-					],
-				},
-				user,
-			);
+			await testDb.createWorkflow(createWebhookWorkflow(node), user);
 
 			const nodeTypes = mockInstance(NodeTypes);
 			nodeTypes.getByName.mockReturnValue(node);
 			nodeTypes.getByNameAndVersion.mockReturnValue(node);
 
 			await initActiveWorkflowRunner();
+
 			const server = new (class extends AbstractServer {})();
 			await server.start();
 			agent = testAgent(server.app);
 		});
 
+		afterAll(async () => {
+			await testDb.truncate(['Workflow']);
+		});
+
 		test('should handle JSON', async () => {
 			const response = await agent.post('/webhook/abcd').send({ test: true });
 			expect(response.statusCode).toEqual(200);
-			expect(response.body).toEqual({ type: 'application/json', body: { test: true } });
+			expect(response.body).toEqual({
+				type: 'application/json',
+				body: { test: true },
+				params: {},
+			});
 		});
 
 		test('should handle XML', async () => {
@@ -83,6 +80,7 @@ describe('Webhook API', () => {
 						inner: 'value',
 					},
 				},
+				params: {},
 			});
 		});
 
@@ -95,6 +93,7 @@ describe('Webhook API', () => {
 			expect(response.body).toEqual({
 				type: 'application/x-www-form-urlencoded',
 				body: { x: '5', y: 'str', z: 'false' },
+				params: {},
 			});
 		});
 
@@ -107,6 +106,7 @@ describe('Webhook API', () => {
 			expect(response.body).toEqual({
 				type: 'text/plain',
 				body: '{"key": "value"}',
+				params: {},
 			});
 		});
 
@@ -133,6 +133,44 @@ describe('Webhook API', () => {
 		});
 	});
 
+	describe('Params support', () => {
+		beforeAll(async () => {
+			const node = new WebhookTestingNode();
+			const user = await testDb.createUser();
+			await testDb.createWorkflow(createWebhookWorkflow(node, ':variable', 'PATCH'), user);
+
+			const nodeTypes = mockInstance(NodeTypes);
+			nodeTypes.getByName.mockReturnValue(node);
+			nodeTypes.getByNameAndVersion.mockReturnValue(node);
+
+			await initActiveWorkflowRunner();
+
+			const server = new (class extends AbstractServer {})();
+			await server.start();
+			agent = testAgent(server.app);
+		});
+
+		afterAll(async () => {
+			await testDb.truncate(['Workflow']);
+		});
+
+		test('should handle params', async () => {
+			const response = await agent
+				.patch('/webhook/5ccef736-be16-4d10-b7fb-feed7a61ff22/test')
+				.send({ test: true });
+			expect(response.statusCode).toEqual(200);
+			expect(response.body).toEqual({
+				type: 'application/json',
+				body: { test: true },
+				params: {
+					variable: 'test',
+				},
+			});
+
+			await agent.post('/webhook/abcd').send({ test: true }).expect(404);
+		});
+	});
+
 	class WebhookTestingNode implements INodeType {
 		description: INodeTypeDescription = {
 			displayName: 'Webhook Testing Node',
@@ -173,8 +211,28 @@ describe('Webhook API', () => {
 				webhookResponse: {
 					type: req.contentType,
 					body: req.body,
+					params: req.params,
 				},
 			};
 		}
 	}
+
+	const createWebhookWorkflow = (
+		node: WebhookTestingNode,
+		path = 'abcd',
+		httpMethod = 'POST',
+	): Partial<WorkflowEntity> => ({
+		active: true,
+		nodes: [
+			{
+				name: 'Webhook',
+				type: node.description.name,
+				typeVersion: 1,
+				parameters: { httpMethod, path },
+				id: '74786112-fb73-4d80-bd9a-43982939b801',
+				webhookId: '5ccef736-be16-4d10-b7fb-feed7a61ff22',
+				position: [740, 420],
+			},
+		],
+	});
 });
diff --git a/packages/cli/test/shared/ExternalSecrets/utils.ts b/packages/cli/test/shared/ExternalSecrets/utils.ts
new file mode 100644
index 0000000000000..068e22576e454
--- /dev/null
+++ b/packages/cli/test/shared/ExternalSecrets/utils.ts
@@ -0,0 +1,215 @@
+import { SecretsProvider } from '@/Interfaces';
+import type { SecretsProviderSettings, SecretsProviderState } from '@/Interfaces';
+import type { IDataObject, INodeProperties } from 'n8n-workflow';
+
+export class MockProviders {
+	providers: Record<string, { new (): SecretsProvider }> = {
+		dummy: DummyProvider,
+	};
+
+	setProviders(providers: Record<string, { new (): SecretsProvider }>) {
+		this.providers = providers;
+	}
+
+	getProvider(name: string): { new (): SecretsProvider } | null {
+		return this.providers[name] ?? null;
+	}
+
+	hasProvider(name: string) {
+		return name in this.providers;
+	}
+
+	getAllProviders() {
+		return this.providers;
+	}
+}
+
+export class DummyProvider extends SecretsProvider {
+	properties: INodeProperties[] = [
+		{
+			name: 'username',
+			displayName: 'Username',
+			type: 'string',
+			default: '',
+			required: true,
+		},
+		{
+			name: 'other',
+			displayName: 'Other',
+			type: 'string',
+			default: '',
+		},
+		{
+			name: 'password',
+			displayName: 'Password',
+			type: 'string',
+			default: '',
+			typeOptions: {
+				password: true,
+			},
+		},
+	];
+
+	secrets: Record<string, string> = {};
+
+	displayName = 'Dummy Provider';
+
+	name = 'dummy';
+
+	state: SecretsProviderState = 'initializing';
+
+	_updateSecrets: Record<string, string> = {
+		test1: 'value1',
+		test2: 'value2',
+	};
+
+	async init(settings: SecretsProviderSettings<IDataObject>): Promise<void> {}
+
+	async connect(): Promise<void> {
+		this.state = 'connected';
+	}
+
+	async disconnect(): Promise<void> {}
+
+	async update(): Promise<void> {
+		this.secrets = this._updateSecrets;
+	}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		return [true];
+	}
+
+	getSecret(name: string): IDataObject | undefined {
+		return this.secrets[name] as unknown as IDataObject | undefined;
+	}
+
+	hasSecret(name: string): boolean {
+		return name in this.secrets;
+	}
+
+	getSecretNames(): string[] {
+		return Object.keys(this.secrets);
+	}
+}
+
+export class ErrorProvider extends SecretsProvider {
+	secrets: Record<string, string> = {};
+
+	displayName = 'Error Provider';
+
+	name = 'dummy';
+
+	state: SecretsProviderState = 'initializing';
+
+	async init(settings: SecretsProviderSettings<IDataObject>): Promise<void> {
+		throw new Error();
+	}
+
+	async connect(): Promise<void> {
+		this.state = 'error';
+		throw new Error();
+	}
+
+	async disconnect(): Promise<void> {
+		throw new Error();
+	}
+
+	async update(): Promise<void> {
+		throw new Error();
+	}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		throw new Error();
+	}
+
+	getSecret(name: string): IDataObject | undefined {
+		throw new Error();
+	}
+
+	hasSecret(name: string): boolean {
+		throw new Error();
+	}
+
+	getSecretNames(): string[] {
+		throw new Error();
+	}
+}
+
+export class FailedProvider extends SecretsProvider {
+	secrets: Record<string, string> = {};
+
+	displayName = 'Failed Provider';
+
+	name = 'dummy';
+
+	state: SecretsProviderState = 'initializing';
+
+	async init(settings: SecretsProviderSettings<IDataObject>): Promise<void> {}
+
+	async connect(): Promise<void> {
+		this.state = 'error';
+	}
+
+	async disconnect(): Promise<void> {}
+
+	async update(): Promise<void> {}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		return [true];
+	}
+
+	getSecret(name: string): IDataObject | undefined {
+		return this.secrets[name] as unknown as IDataObject | undefined;
+	}
+
+	hasSecret(name: string): boolean {
+		return name in this.secrets;
+	}
+
+	getSecretNames(): string[] {
+		return Object.keys(this.secrets);
+	}
+}
+
+export class TestFailProvider extends SecretsProvider {
+	secrets: Record<string, string> = {};
+
+	displayName = 'Test Failed Provider';
+
+	name = 'dummy';
+
+	state: SecretsProviderState = 'initializing';
+
+	_updateSecrets: Record<string, string> = {
+		test1: 'value1',
+		test2: 'value2',
+	};
+
+	async init(settings: SecretsProviderSettings<IDataObject>): Promise<void> {}
+
+	async connect(): Promise<void> {
+		this.state = 'connected';
+	}
+
+	async disconnect(): Promise<void> {}
+
+	async update(): Promise<void> {
+		this.secrets = this._updateSecrets;
+	}
+
+	async test(): Promise<[boolean] | [boolean, string]> {
+		return [false];
+	}
+
+	getSecret(name: string): IDataObject | undefined {
+		return this.secrets[name] as unknown as IDataObject | undefined;
+	}
+
+	hasSecret(name: string): boolean {
+		return name in this.secrets;
+	}
+
+	getSecretNames(): string[] {
+		return Object.keys(this.secrets);
+	}
+}
diff --git a/packages/cli/test/unit/ActiveWorkflowRunner.test.ts b/packages/cli/test/unit/ActiveWorkflowRunner.test.ts
index c9b3e6ad09d0e..0622dac9a2044 100644
--- a/packages/cli/test/unit/ActiveWorkflowRunner.test.ts
+++ b/packages/cli/test/unit/ActiveWorkflowRunner.test.ts
@@ -24,6 +24,7 @@ import { mockInstance } from '../integration/shared/utils/';
 import { Push } from '@/push';
 import { ActiveExecutions } from '@/ActiveExecutions';
 import { NodeTypes } from '@/NodeTypes';
+import { SecretsHelper } from '@/SecretsHelpers';
 import { WebhookService } from '@/services/webhook.service';
 import { VariablesService } from '../../src/environments/variables/variables.service';
 
@@ -159,6 +160,7 @@ describe('ActiveWorkflowRunner', () => {
 		Container.set(LoadNodesAndCredentials, nodesAndCredentials);
 		Container.set(VariablesService, mockVariablesService);
 		mockInstance(Push);
+		mockInstance(SecretsHelper);
 	});
 
 	beforeEach(() => {
diff --git a/packages/cli/test/unit/ExternalSecrets/ExternalSecretsManager.test.ts b/packages/cli/test/unit/ExternalSecrets/ExternalSecretsManager.test.ts
new file mode 100644
index 0000000000000..0789b87d67caf
--- /dev/null
+++ b/packages/cli/test/unit/ExternalSecrets/ExternalSecretsManager.test.ts
@@ -0,0 +1,194 @@
+import type { SettingsRepository } from '@/databases/repositories';
+import type { ExternalSecretsSettings } from '@/Interfaces';
+import { License } from '@/License';
+import { ExternalSecretsManager } from '@/ExternalSecrets/ExternalSecretsManager.ee';
+import { ExternalSecretsProviders } from '@/ExternalSecrets/ExternalSecretsProviders.ee';
+import { mock } from 'jest-mock-extended';
+import { UserSettings } from 'n8n-core';
+import Container from 'typedi';
+import { mockInstance } from '../../integration/shared/utils';
+import {
+	DummyProvider,
+	ErrorProvider,
+	FailedProvider,
+	MockProviders,
+} from '../../shared/ExternalSecrets/utils';
+import { AES, enc } from 'crypto-js';
+import { InternalHooks } from '@/InternalHooks';
+
+const connectedDate = '2023-08-01T12:32:29.000Z';
+const encryptionKey = 'testkey';
+let settings: string | null = null;
+const mockProvidersInstance = new MockProviders();
+const settingsRepo = mock<SettingsRepository>({
+	async getEncryptedSecretsProviderSettings() {
+		return settings;
+	},
+	async saveEncryptedSecretsProviderSettings(data) {
+		settings = data;
+	},
+});
+let licenseMock: License;
+let providersMock: ExternalSecretsProviders;
+let manager: ExternalSecretsManager | undefined;
+
+const createMockSettings = (settings: ExternalSecretsSettings): string => {
+	return AES.encrypt(JSON.stringify(settings), encryptionKey).toString();
+};
+
+const decryptSettings = (settings: string) => {
+	return JSON.parse(AES.decrypt(settings ?? '', encryptionKey).toString(enc.Utf8));
+};
+
+describe('External Secrets Manager', () => {
+	beforeAll(() => {
+		jest
+			.spyOn(UserSettings, 'getEncryptionKey')
+			.mockReturnValue(new Promise((resolve) => resolve(encryptionKey)));
+		providersMock = mockInstance(ExternalSecretsProviders, mockProvidersInstance);
+		licenseMock = mockInstance(License, {
+			isExternalSecretsEnabled() {
+				return true;
+			},
+		});
+		mockInstance(InternalHooks);
+	});
+
+	beforeEach(() => {
+		mockProvidersInstance.setProviders({
+			dummy: DummyProvider,
+		});
+		settings = createMockSettings({
+			dummy: { connected: true, connectedAt: new Date(connectedDate), settings: {} },
+		});
+
+		Container.remove(ExternalSecretsManager);
+	});
+
+	afterEach(() => {
+		manager?.shutdown();
+		jest.useRealTimers();
+	});
+
+	test('should get secret', async () => {
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		await manager.init();
+
+		expect(manager.getSecret('dummy', 'test1')).toBe('value1');
+	});
+
+	test('should not throw errors during init', async () => {
+		mockProvidersInstance.setProviders({
+			dummy: ErrorProvider,
+		});
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		expect(async () => manager!.init()).not.toThrow();
+	});
+
+	test('should not throw errors during shutdown', async () => {
+		mockProvidersInstance.setProviders({
+			dummy: ErrorProvider,
+		});
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		await manager.init();
+		expect(() => manager!.shutdown()).not.toThrow();
+		manager = undefined;
+	});
+
+	test('should save provider settings', async () => {
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		const settingsSpy = jest.spyOn(settingsRepo, 'saveEncryptedSecretsProviderSettings');
+
+		await manager.init();
+
+		await manager.setProviderSettings('dummy', {
+			test: 'value',
+		});
+
+		expect(decryptSettings(settingsSpy.mock.calls[0][0])).toEqual({
+			dummy: {
+				connected: true,
+				connectedAt: connectedDate,
+				settings: {
+					test: 'value',
+				},
+			},
+		});
+	});
+
+	test('should call provider update functions on a timer', async () => {
+		jest.useFakeTimers();
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		await manager.init();
+
+		const updateSpy = jest.spyOn(manager.getProvider('dummy')!, 'update');
+
+		expect(updateSpy).toBeCalledTimes(0);
+
+		jest.runOnlyPendingTimers();
+
+		expect(updateSpy).toBeCalledTimes(1);
+	});
+
+	test('should not call provider update functions if the not licensed', async () => {
+		jest.useFakeTimers();
+
+		manager = new ExternalSecretsManager(
+			settingsRepo,
+			mock<License>({
+				isExternalSecretsEnabled() {
+					return false;
+				},
+			}),
+			providersMock,
+		);
+
+		await manager.init();
+
+		const updateSpy = jest.spyOn(manager.getProvider('dummy')!, 'update');
+
+		expect(updateSpy).toBeCalledTimes(0);
+
+		jest.runOnlyPendingTimers();
+
+		expect(updateSpy).toBeCalledTimes(0);
+	});
+
+	test('should not call provider update functions if the provider has an error', async () => {
+		jest.useFakeTimers();
+
+		mockProvidersInstance.setProviders({
+			dummy: FailedProvider,
+		});
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		await manager.init();
+
+		const updateSpy = jest.spyOn(manager.getProvider('dummy')!, 'update');
+
+		expect(updateSpy).toBeCalledTimes(0);
+
+		jest.runOnlyPendingTimers();
+
+		expect(updateSpy).toBeCalledTimes(0);
+	});
+
+	test('should reinitialize a provider when save provider settings', async () => {
+		manager = new ExternalSecretsManager(settingsRepo, licenseMock, providersMock);
+
+		await manager.init();
+
+		const dummyInitSpy = jest.spyOn(DummyProvider.prototype, 'init');
+
+		await manager.setProviderSettings('dummy', {
+			test: 'value',
+		});
+
+		expect(dummyInitSpy).toBeCalledTimes(1);
+	});
+});
diff --git a/packages/cli/test/unit/controllers/me.controller.test.ts b/packages/cli/test/unit/controllers/me.controller.test.ts
index 950957c12c331..e2970be7d7f8b 100644
--- a/packages/cli/test/unit/controllers/me.controller.test.ts
+++ b/packages/cli/test/unit/controllers/me.controller.test.ts
@@ -2,27 +2,21 @@ import type { CookieOptions, Response } from 'express';
 import jwt from 'jsonwebtoken';
 import { mock, anyObject, captor } from 'jest-mock-extended';
 import type { ILogger } from 'n8n-workflow';
-import type { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
+import type { IExternalHooksClass, IInternalHooksClass, PublicUser } from '@/Interfaces';
 import type { User } from '@db/entities/User';
 import { MeController } from '@/controllers';
 import { AUTH_COOKIE_NAME } from '@/constants';
 import { BadRequestError } from '@/ResponseHelper';
 import type { AuthenticatedRequest, MeRequest } from '@/requests';
 import { badPasswords } from '../shared/testData';
-import { UserService } from '@/services/user.service';
-import Container from 'typedi';
+import type { UserService } from '@/services/user.service';
 
 describe('MeController', () => {
 	const logger = mock<ILogger>();
 	const externalHooks = mock<IExternalHooksClass>();
 	const internalHooks = mock<IInternalHooksClass>();
 	const userService = mock<UserService>();
-	Container.set(UserService, userService);
-	const controller = new MeController({
-		logger,
-		externalHooks,
-		internalHooks,
-	});
+	const controller = new MeController(logger, externalHooks, internalHooks, userService);
 
 	describe('updateCurrentUser', () => {
 		it('should throw BadRequestError if email is missing in the payload', async () => {
@@ -51,6 +45,7 @@ describe('MeController', () => {
 			const res = mock<Response>();
 			userService.findOneOrFail.mockResolvedValue(user);
 			jest.spyOn(jwt, 'sign').mockImplementation(() => 'signed-token');
+			userService.toPublic.mockResolvedValue({} as unknown as PublicUser);
 
 			await controller.updateCurrentUser(req, res);
 
diff --git a/packages/cli/test/unit/controllers/owner.controller.test.ts b/packages/cli/test/unit/controllers/owner.controller.test.ts
index 5c48c1a1d39bd..ee9ca3ac0b74c 100644
--- a/packages/cli/test/unit/controllers/owner.controller.test.ts
+++ b/packages/cli/test/unit/controllers/owner.controller.test.ts
@@ -12,7 +12,6 @@ import { OwnerController } from '@/controllers';
 import { badPasswords } from '../shared/testData';
 import { AUTH_COOKIE_NAME } from '@/constants';
 import { UserService } from '@/services/user.service';
-import Container from 'typedi';
 import { mockInstance } from '../../integration/shared/utils';
 
 describe('OwnerController', () => {
@@ -20,16 +19,14 @@ describe('OwnerController', () => {
 	const logger = mock<ILogger>();
 	const internalHooks = mock<IInternalHooksClass>();
 	const userService = mockInstance(UserService);
-	Container.set(UserService, userService);
 	const settingsRepository = mock<SettingsRepository>();
-	const controller = new OwnerController({
+	const controller = new OwnerController(
 		config,
 		logger,
 		internalHooks,
-		repositories: {
-			Settings: settingsRepository,
-		},
-	});
+		settingsRepository,
+		userService,
+	);
 
 	describe('setupOwner', () => {
 		it('should throw a BadRequestError if the instance owner is already setup', async () => {
diff --git a/packages/cli/test/unit/middleware/listQuery.test.ts b/packages/cli/test/unit/middleware/listQuery.test.ts
index dc119d1ed4ff6..218c7d25123f7 100644
--- a/packages/cli/test/unit/middleware/listQuery.test.ts
+++ b/packages/cli/test/unit/middleware/listQuery.test.ts
@@ -134,12 +134,12 @@ describe('List query middleware', () => {
 			expect(nextFn).toBeCalledTimes(1);
 		});
 
-		test('should ignore skip without take', () => {
+		test('should throw on skip without take', () => {
 			mockReq.query = { skip: '1' };
 			paginationListQueryMiddleware(...args);
 
 			expect(mockReq.listQueryOptions).toBeUndefined();
-			expect(nextFn).toBeCalledTimes(1);
+			expect(sendErrorResponse).toHaveBeenCalledTimes(1);
 		});
 
 		test('should default skip to 0', () => {
diff --git a/packages/core/package.json b/packages/core/package.json
index d1332149b3360..a0886df9010b3 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-core",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Core functionality of n8n",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
diff --git a/packages/core/src/DirectoryLoader.ts b/packages/core/src/DirectoryLoader.ts
index 4b55f6b24d147..6a5c195d8cffa 100644
--- a/packages/core/src/DirectoryLoader.ts
+++ b/packages/core/src/DirectoryLoader.ts
@@ -371,7 +371,9 @@ export class LazyPackageDirectoryLoader extends PackageDirectoryLoader {
 			if (this.includeNodes.length) {
 				const allowedNodes: typeof this.known.nodes = {};
 				for (const nodeName of this.includeNodes) {
-					allowedNodes[nodeName] = this.known.nodes[nodeName];
+					if (nodeName in this.known.nodes) {
+						allowedNodes[nodeName] = this.known.nodes[nodeName];
+					}
 				}
 				this.known.nodes = allowedNodes;
 
diff --git a/packages/core/src/NodeExecuteFunctions.ts b/packages/core/src/NodeExecuteFunctions.ts
index 7de0fe5f01025..af000e91cc006 100644
--- a/packages/core/src/NodeExecuteFunctions.ts
+++ b/packages/core/src/NodeExecuteFunctions.ts
@@ -136,6 +136,7 @@ import {
 	setAllWorkflowExecutionMetadata,
 	setWorkflowExecutionMetadata,
 } from './WorkflowExecutionMetadata';
+import { getSecretsProxy } from './Secrets';
 import { getUserN8nFolderPath } from './UserSettings';
 
 axios.defaults.timeout = 300000;
@@ -720,7 +721,7 @@ export async function proxyRequestToAxios(
 					error: responseData,
 					response: pick(response, ['headers', 'status', 'statusText']),
 				});
-			} else if (error instanceof Error && error.message.includes('SSL routines')) {
+			} else if ('rejectUnauthorized' in configObject && error.code?.includes('CERT')) {
 				throw new NodeSSLError(error);
 			}
 		}
@@ -1683,6 +1684,7 @@ export function getAdditionalKeys(
 	additionalData: IWorkflowExecuteAdditionalData,
 	mode: WorkflowExecuteMode,
 	runExecutionData: IRunExecutionData | null,
+	options?: { secretsEnabled?: boolean },
 ): IWorkflowDataProxyAdditionalKeys {
 	const executionId = additionalData.executionId || PLACEHOLDER_EMPTY_EXECUTION_ID;
 	const resumeUrl = `${additionalData.webhookWaitingBaseUrl}/${executionId}`;
@@ -1723,6 +1725,7 @@ export function getAdditionalKeys(
 				: undefined,
 		},
 		$vars: additionalData.variables,
+		$secrets: options?.secretsEnabled ? getSecretsProxy(additionalData) : undefined,
 
 		// deprecated
 		$executionId: executionId,
@@ -1858,6 +1861,7 @@ export async function getCredentials(
 	// }
 
 	const decryptedDataObject = await additionalData.credentialsHelper.getDecrypted(
+		additionalData,
 		nodeCredentials,
 		type,
 		mode,
diff --git a/packages/core/src/Secrets.ts b/packages/core/src/Secrets.ts
new file mode 100644
index 0000000000000..508af6ada302c
--- /dev/null
+++ b/packages/core/src/Secrets.ts
@@ -0,0 +1,76 @@
+import type { IDataObject, IWorkflowExecuteAdditionalData } from 'n8n-workflow';
+import { ExpressionError } from 'n8n-workflow';
+
+function buildSecretsValueProxy(value: IDataObject): unknown {
+	return new Proxy(value, {
+		get(target, valueName) {
+			if (typeof valueName !== 'string') {
+				return;
+			}
+			if (!(valueName in value)) {
+				throw new ExpressionError('Could not load secrets', {
+					description:
+						'The credential in use tries to use secret from an external store that could not be found',
+				});
+			}
+			const retValue = value[valueName];
+			if (typeof retValue === 'object' && retValue !== null) {
+				return buildSecretsValueProxy(retValue as IDataObject);
+			}
+			return retValue;
+		},
+	});
+}
+
+export function getSecretsProxy(additionalData: IWorkflowExecuteAdditionalData): IDataObject {
+	const secretsHelpers = additionalData.secretsHelpers;
+	return new Proxy(
+		{},
+		{
+			get(target, providerName) {
+				if (typeof providerName !== 'string') {
+					return {};
+				}
+				if (secretsHelpers.hasProvider(providerName)) {
+					return new Proxy(
+						{},
+						{
+							get(target2, secretName): IDataObject | undefined {
+								if (typeof secretName !== 'string') {
+									return;
+								}
+								if (!secretsHelpers.hasSecret(providerName, secretName)) {
+									throw new ExpressionError('Could not load secrets', {
+										description:
+											'The credential in use tries to use secret from an external store that could not be found',
+									});
+								}
+								const retValue = secretsHelpers.getSecret(providerName, secretName);
+								if (typeof retValue === 'object' && retValue !== null) {
+									return buildSecretsValueProxy(retValue) as IDataObject;
+								}
+								return retValue;
+							},
+							set() {
+								return false;
+							},
+							ownKeys() {
+								return secretsHelpers.listSecrets(providerName);
+							},
+						},
+					);
+				}
+				throw new ExpressionError('Could not load secrets', {
+					description:
+						'The credential in use pulls secrets from an external store that is not reachable',
+				});
+			},
+			set() {
+				return false;
+			},
+			ownKeys() {
+				return secretsHelpers.listProviders();
+			},
+		},
+	);
+}
diff --git a/packages/design-system/package.json b/packages/design-system/package.json
index 7c1b1f5154c4b..65c42b6a951ba 100644
--- a/packages/design-system/package.json
+++ b/packages/design-system/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-design-system",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
   "author": {
diff --git a/packages/design-system/src/components/N8nCallout/Callout.vue b/packages/design-system/src/components/N8nCallout/Callout.vue
index 53545563ab690..639380773f9bd 100644
--- a/packages/design-system/src/components/N8nCallout/Callout.vue
+++ b/packages/design-system/src/components/N8nCallout/Callout.vue
@@ -24,7 +24,7 @@ const CALLOUT_DEFAULT_ICONS: { [key: string]: string } = {
 	info: 'info-circle',
 	success: 'check-circle',
 	warning: 'exclamation-triangle',
-	danger: 'times-circle',
+	danger: 'exclamation-triangle',
 };
 
 export default defineComponent({
diff --git a/packages/design-system/src/components/N8nCallout/__tests__/__snapshots__/Callout.spec.ts.snap b/packages/design-system/src/components/N8nCallout/__tests__/__snapshots__/Callout.spec.ts.snap
index 3e04a43141d65..a2f82a3ef90c6 100644
--- a/packages/design-system/src/components/N8nCallout/__tests__/__snapshots__/Callout.spec.ts.snap
+++ b/packages/design-system/src/components/N8nCallout/__tests__/__snapshots__/Callout.spec.ts.snap
@@ -27,7 +27,7 @@ exports[`components > N8nCallout > should render danger theme correctly 1`] = `
 "<div class=\\"n8n-callout callout danger round\\" role=\\"alert\\">
   <div class=\\"messageSection\\">
     <div class=\\"icon\\">
-      <n8n-icon-stub icon=\\"times-circle\\" size=\\"medium\\" spin=\\"false\\"></n8n-icon-stub>
+      <n8n-icon-stub icon=\\"exclamation-triangle\\" size=\\"medium\\" spin=\\"false\\"></n8n-icon-stub>
     </div>
     <n8n-text-stub bold=\\"false\\" size=\\"small\\" compact=\\"false\\" tag=\\"span\\"></n8n-text-stub> &nbsp;
   </div>
diff --git a/packages/design-system/src/css/loading.scss b/packages/design-system/src/css/loading.scss
index 92442916407a3..d13db8be39264 100644
--- a/packages/design-system/src/css/loading.scss
+++ b/packages/design-system/src/css/loading.scss
@@ -26,7 +26,7 @@
 		position: fixed;
 
 		.el-loading-spinner {
-			margin-top: #{- var.$loading-fullscreen-spinner-size * 0.5};
+			transform: translateY(-50%);
 
 			.circular {
 				height: var.$loading-fullscreen-spinner-size;
@@ -38,7 +38,7 @@
 
 @include mixins.b(loading-spinner) {
 	top: 50%;
-	margin-top: #{- var.$loading-spinner-size * 0.5};
+	transform: translateY(-50%);
 	width: 100%;
 	text-align: center;
 	position: absolute;
diff --git a/packages/design-system/src/css/utilities/_link.scss b/packages/design-system/src/css/utilities/_link.scss
new file mode 100644
index 0000000000000..4a65d43ae81fb
--- /dev/null
+++ b/packages/design-system/src/css/utilities/_link.scss
@@ -0,0 +1,10 @@
+.overlay-link::after {
+	content: '';
+	position: absolute;
+	top: 0;
+	right: 0;
+	bottom: 0;
+	left: 0;
+	z-index: 1;
+	pointer-events: auto;
+}
diff --git a/packages/design-system/src/css/utilities/index.scss b/packages/design-system/src/css/utilities/index.scss
index 73ac65908a51e..e79fb2651a395 100644
--- a/packages/design-system/src/css/utilities/index.scss
+++ b/packages/design-system/src/css/utilities/index.scss
@@ -1,4 +1,5 @@
 @import 'float';
+@import 'link';
 @import 'list';
 @import 'spacing';
 @import 'typography';
diff --git a/packages/editor-ui/package.json b/packages/editor-ui/package.json
index 5e9d3a06ac400..65fd3195b976d 100644
--- a/packages/editor-ui/package.json
+++ b/packages/editor-ui/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-editor-ui",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Workflow Editor UI for n8n",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
@@ -67,6 +67,7 @@
     "pinia": "^2.1.6",
     "prettier": "^3.0.0",
     "stream-browserify": "^3.0.0",
+    "qrcode.vue": "^3.3.4",
     "timeago.js": "^4.0.2",
     "uuid": "^8.3.2",
     "v3-infinite-loading": "^1.2.2",
diff --git a/packages/editor-ui/src/Interface.ts b/packages/editor-ui/src/Interface.ts
index 02814e992ffba..8b0a607d60e61 100644
--- a/packages/editor-ui/src/Interface.ts
+++ b/packages/editor-ui/src/Interface.ts
@@ -30,10 +30,10 @@ import type {
 	FeatureFlags,
 	ExecutionStatus,
 	ITelemetryTrackProperties,
-	IN8nUISettings,
 	IUserManagementSettings,
 	WorkflowSettings,
 	IUserSettings,
+	IN8nUISettings,
 	BannerName,
 } from 'n8n-workflow';
 import type { SignInType } from './constants';
@@ -44,6 +44,7 @@ import type {
 } from './constants';
 import type { BulkCommand, Undoable } from '@/models/history';
 import type { PartialBy } from '@/utils/typeHelpers';
+import type { INodeProperties } from 'n8n-workflow';
 
 export * from 'n8n-design-system/types';
 
@@ -583,9 +584,12 @@ export interface CurrentUserResponse extends IUserResponse {
 export interface IUser extends IUserResponse {
 	isDefaultUser: boolean;
 	isPendingUser: boolean;
+	hasRecoveryCodesLeft: boolean;
 	isOwner: boolean;
 	inviteAcceptUrl?: string;
 	fullName?: string;
+	createdAt?: string;
+	mfaEnabled: boolean;
 }
 
 export interface IVersionNotificationSettings {
@@ -722,7 +726,7 @@ export interface ITimeoutHMS {
 	seconds: number;
 }
 
-export type WorkflowTitleStatus = 'EXECUTING' | 'IDLE' | 'ERROR';
+export type WorkflowTitleStatus = 'EXECUTING' | 'IDLE' | 'ERROR' | 'DEBUG';
 
 export type ExtractActionKeys<T> = T extends SimplifiedNodeType ? T['name'] : never;
 
@@ -894,6 +898,7 @@ export interface WorkflowsState {
 	workflowExecutionData: IExecutionResponse | null;
 	workflowExecutionPairedItemMappings: { [itemId: string]: Set<string> };
 	workflowsById: IWorkflowsMap;
+	isInDebugMode?: boolean;
 }
 
 export interface RootState {
@@ -1142,6 +1147,9 @@ export interface ISettingsState {
 		loginLabel: string;
 		loginEnabled: boolean;
 	};
+	mfa: {
+		enabled: boolean;
+	};
 	onboardingCallPromptEnabled: boolean;
 	saveDataErrorExecution: string;
 	saveDataSuccessExecution: string;
@@ -1535,6 +1543,26 @@ export interface InstanceUsage {
 
 export type CloudPlanAndUsageData = Cloud.PlanData & { usage: InstanceUsage };
 
+export interface ExternalSecretsProviderSecret {
+	key: string;
+}
+
+export type ExternalSecretsProviderData = Record<string, IUpdateInformation['value']>;
+
+export interface ExternalSecretsProvider {
+	icon: string;
+	name: string;
+	displayName: string;
+	connected: boolean;
+	connectedAt: string | false;
+	state: 'connected' | 'tested' | 'initializing' | 'error';
+	data?: ExternalSecretsProviderData;
+}
+
+export interface ExternalSecretsProviderWithProperties extends ExternalSecretsProvider {
+	properties: INodeProperties[];
+}
+
 export type CloudUpdateLinkSourceType =
 	| 'canvas-nav'
 	| 'custom-data-filter'
diff --git a/packages/editor-ui/src/__tests__/router.test.ts b/packages/editor-ui/src/__tests__/router.test.ts
new file mode 100644
index 0000000000000..04e264474674b
--- /dev/null
+++ b/packages/editor-ui/src/__tests__/router.test.ts
@@ -0,0 +1,31 @@
+import { createPinia, setActivePinia } from 'pinia';
+import { createComponentRenderer } from '@/__tests__/render';
+import router from '@/router';
+import { VIEWS } from '@/constants';
+
+const App = {
+	template: '<div />',
+};
+const renderComponent = createComponentRenderer(App);
+
+describe('router', () => {
+	beforeAll(() => {
+		const pinia = createPinia();
+		setActivePinia(pinia);
+		renderComponent({ pinia });
+	});
+
+	test.each([
+		['/', VIEWS.WORKFLOWS],
+		['/workflow', VIEWS.NEW_WORKFLOW],
+		['/workflow/new', VIEWS.NEW_WORKFLOW],
+		['/workflow/R9JFXwkUCL1jZBuw', VIEWS.WORKFLOW],
+		['/workflow/R9JFXwkUCL1jZBuw/executions/29021', VIEWS.EXECUTION_PREVIEW],
+		['/workflow/R9JFXwkUCL1jZBuw/debug/29021', VIEWS.EXECUTION_DEBUG],
+		['/workflows/templates/R9JFXwkUCL1jZBuw', VIEWS.TEMPLATE_IMPORT],
+		['/workflows/demo', VIEWS.DEMO],
+	])('should resolve %s to %s', async (path, name) => {
+		await router.push(path);
+		expect(router.currentRoute.value.name).toBe(name);
+	});
+});
diff --git a/packages/editor-ui/src/api/ai.ts b/packages/editor-ui/src/api/ai.ts
index 95ace358fbdfe..294d3523ac783 100644
--- a/packages/editor-ui/src/api/ai.ts
+++ b/packages/editor-ui/src/api/ai.ts
@@ -2,12 +2,6 @@ import type { IRestApiContext, Schema } from '@/Interface';
 import { makeRestApiRequest } from '@/utils/apiUtils';
 import type { IDataObject } from 'n8n-workflow';
 
-type Usage = {
-	prompt_tokens: number;
-	completion_tokens: number;
-	total_tokens: number;
-};
-
 export async function generateCodeForPrompt(
 	ctx: IRestApiContext,
 	{
@@ -20,11 +14,13 @@ export async function generateCodeForPrompt(
 		context: {
 			schema: Array<{ nodeName: string; schema: Schema }>;
 			inputSchema: { nodeName: string; schema: Schema };
+			sessionId: string;
+			ndvSessionId: string;
 		};
 		model: string;
 		n8nVersion: string;
 	},
-): Promise<{ code: string; usage: Usage }> {
+): Promise<{ code: string }> {
 	return makeRestApiRequest(ctx, 'POST', '/ask-ai', {
 		question,
 		context,
diff --git a/packages/editor-ui/src/api/externalSecrets.ee.ts b/packages/editor-ui/src/api/externalSecrets.ee.ts
new file mode 100644
index 0000000000000..76a1e189f9016
--- /dev/null
+++ b/packages/editor-ui/src/api/externalSecrets.ee.ts
@@ -0,0 +1,58 @@
+import type {
+	IRestApiContext,
+	ExternalSecretsProvider,
+	ExternalSecretsProviderWithProperties,
+} from '@/Interface';
+import { makeRestApiRequest } from '@/utils';
+
+export const getExternalSecrets = async (
+	context: IRestApiContext,
+): Promise<Record<string, string[]>> => {
+	return makeRestApiRequest(context, 'GET', '/external-secrets/secrets');
+};
+
+export const getExternalSecretsProviders = async (
+	context: IRestApiContext,
+): Promise<ExternalSecretsProvider[]> => {
+	return makeRestApiRequest(context, 'GET', '/external-secrets/providers');
+};
+
+export const getExternalSecretsProvider = async (
+	context: IRestApiContext,
+	id: string,
+): Promise<ExternalSecretsProviderWithProperties> => {
+	return makeRestApiRequest(context, 'GET', `/external-secrets/providers/${id}`);
+};
+
+export const testExternalSecretsProviderConnection = async (
+	context: IRestApiContext,
+	id: string,
+	data: ExternalSecretsProvider['data'],
+): Promise<{ testState: ExternalSecretsProvider['state'] }> => {
+	return makeRestApiRequest(context, 'POST', `/external-secrets/providers/${id}/test`, data);
+};
+
+export const updateProvider = async (
+	context: IRestApiContext,
+	id: string,
+	data: ExternalSecretsProvider['data'],
+): Promise<boolean> => {
+	return makeRestApiRequest(context, 'POST', `/external-secrets/providers/${id}`, data);
+};
+
+export const reloadProvider = async (
+	context: IRestApiContext,
+	id: string,
+): Promise<{ updated: boolean }> => {
+	return makeRestApiRequest(context, 'POST', `/external-secrets/providers/${id}/update`);
+};
+
+export const connectProvider = async (
+	context: IRestApiContext,
+	id: string,
+	connected: boolean,
+): Promise<boolean> => {
+	return makeRestApiRequest(context, 'POST', `/external-secrets/providers/${id}/connect`, {
+		connected,
+	});
+};
diff --git a/packages/editor-ui/src/api/mfa.ts b/packages/editor-ui/src/api/mfa.ts
new file mode 100644
index 0000000000000..5909a6ceb8876
--- /dev/null
+++ b/packages/editor-ui/src/api/mfa.ts
@@ -0,0 +1,23 @@
+import type { IRestApiContext } from '@/Interface';
+import { makeRestApiRequest } from '@/utils/apiUtils';
+
+export async function getMfaQR(
+	context: IRestApiContext,
+): Promise<{ qrCode: string; secret: string; recoveryCodes: string[] }> {
+	return makeRestApiRequest(context, 'GET', '/mfa/qr');
+}
+
+export async function enableMfa(context: IRestApiContext, data: { token: string }): Promise<void> {
+	return makeRestApiRequest(context, 'POST', '/mfa/enable', data);
+}
+
+export async function verifyMfaToken(
+	context: IRestApiContext,
+	data: { token: string },
+): Promise<void> {
+	return makeRestApiRequest(context, 'POST', '/mfa/verify', data);
+}
+
+export async function disableMfa(context: IRestApiContext): Promise<void> {
+	return makeRestApiRequest(context, 'DELETE', '/mfa/disable');
+}
diff --git a/packages/editor-ui/src/api/users.ts b/packages/editor-ui/src/api/users.ts
index 6f6d9bd86797d..5ce56d26dd7bd 100644
--- a/packages/editor-ui/src/api/users.ts
+++ b/packages/editor-ui/src/api/users.ts
@@ -16,7 +16,7 @@ export async function loginCurrentUser(
 
 export async function login(
 	context: IRestApiContext,
-	params: { email: string; password: string },
+	params: { email: string; password: string; mfaToken?: string; mfaRecoveryToken?: string },
 ): Promise<CurrentUserResponse> {
 	return makeRestApiRequest(context, 'POST', '/login', params);
 }
@@ -74,7 +74,7 @@ export async function validatePasswordToken(
 
 export async function changePassword(
 	context: IRestApiContext,
-	params: { token: string; password: string },
+	params: { token: string; password: string; mfaToken?: string },
 ): Promise<void> {
 	await makeRestApiRequest(context, 'POST', '/change-password', params);
 }
diff --git a/packages/editor-ui/src/assets/images/doppler.webp b/packages/editor-ui/src/assets/images/doppler.webp
new file mode 100644
index 0000000000000..7bd34406375ca
Binary files /dev/null and b/packages/editor-ui/src/assets/images/doppler.webp differ
diff --git a/packages/editor-ui/src/assets/images/hashicorp.webp b/packages/editor-ui/src/assets/images/hashicorp.webp
new file mode 100644
index 0000000000000..ca52275380f54
Binary files /dev/null and b/packages/editor-ui/src/assets/images/hashicorp.webp differ
diff --git a/packages/editor-ui/src/assets/images/infisical.webp b/packages/editor-ui/src/assets/images/infisical.webp
new file mode 100644
index 0000000000000..abe9a20de36b6
Binary files /dev/null and b/packages/editor-ui/src/assets/images/infisical.webp differ
diff --git a/packages/editor-ui/src/components/ChangePasswordModal.vue b/packages/editor-ui/src/components/ChangePasswordModal.vue
index 9337bb4b0577a..601c7aa5e3265 100644
--- a/packages/editor-ui/src/components/ChangePasswordModal.vue
+++ b/packages/editor-ui/src/components/ChangePasswordModal.vue
@@ -31,10 +31,10 @@
 <script lang="ts">
 import { defineComponent } from 'vue';
 
+import { CHANGE_PASSWORD_MODAL_KEY } from '../constants';
 import { useToast } from '@/composables';
 import Modal from '@/components/Modal.vue';
 import type { IFormInputs } from '@/Interface';
-import { CHANGE_PASSWORD_MODAL_KEY } from '@/constants';
 import { mapStores } from 'pinia';
 import { useUsersStore } from '@/stores/users.store';
 import { createEventBus } from 'n8n-design-system/utils';
@@ -66,7 +66,7 @@ export default defineComponent({
 		...mapStores(useUsersStore),
 	},
 	mounted() {
-		this.config = [
+		const form: IFormInputs = [
 			{
 				name: 'currentPassword',
 				properties: {
@@ -107,6 +107,8 @@ export default defineComponent({
 				},
 			},
 		];
+
+		this.config = form;
 	},
 	methods: {
 		passwordsMatch(value: string | number | boolean | null | undefined) {
@@ -127,7 +129,7 @@ export default defineComponent({
 				this.password = e.value;
 			}
 		},
-		async onSubmit(values: { [key: string]: string }) {
+		async onSubmit(values: { currentPassword: string; password: string }) {
 			try {
 				this.loading = true;
 				await this.usersStore.updateCurrentUserPassword(values);
diff --git a/packages/editor-ui/src/components/CodeNodeEditor/AskAI/AskAI.vue b/packages/editor-ui/src/components/CodeNodeEditor/AskAI/AskAI.vue
index 9a4876b33bd6c..d2ac3e1410d52 100644
--- a/packages/editor-ui/src/components/CodeNodeEditor/AskAI/AskAI.vue
+++ b/packages/editor-ui/src/components/CodeNodeEditor/AskAI/AskAI.vue
@@ -9,7 +9,7 @@ import type { CodeExecutionMode, INodeExecutionData } from 'n8n-workflow';
 import type { BaseTextKey } from '@/plugins/i18n';
 import type { INodeUi, Schema } from '@/Interface';
 import { generateCodeForPrompt } from '@/api/ai';
-import { useDataSchema, useI18n, useMessage, useToast, useTelemetry } from '@/composables';
+import { useDataSchema, useI18n, useMessage, useTelemetry, useToast } from '@/composables';
 import { useNDVStore, usePostHog, useRootStore, useWorkflowsStore } from '@/stores';
 import { executionDataToJson } from '@/utils';
 import {
@@ -131,10 +131,6 @@ async function onSubmit() {
 	if (!activeNode) return;
 	const schemas = getSchemas();
 
-	useTelemetry().trackAskAI('ask.generationClicked', {
-		prompt: prompt.value,
-	});
-
 	if (props.hasChanges) {
 		const confirmModal = await alert(i18n.baseText('codeNodeEditor.askAi.areYouSureToReplace'), {
 			title: i18n.baseText('codeNodeEditor.askAi.replaceCurrentCode'),
@@ -157,9 +153,14 @@ async function onSubmit() {
 				? 'gpt-4'
 				: 'gpt-3.5-turbo-16k';
 
-		const { code, usage } = await generateCodeForPrompt(getRestApiContext, {
+		const { code } = await generateCodeForPrompt(getRestApiContext, {
 			question: prompt.value,
-			context: { schema: schemas.parentNodesSchemas, inputSchema: schemas.inputSchema! },
+			context: {
+				schema: schemas.parentNodesSchemas,
+				inputSchema: schemas.inputSchema!,
+				ndvSessionId: useNDVStore().sessionId,
+				sessionId: useRootStore().sessionId,
+			},
 			model,
 			n8nVersion: version,
 		});
@@ -170,13 +171,9 @@ async function onSubmit() {
 			type: 'success',
 			title: i18n.baseText('codeNodeEditor.askAi.generationCompleted'),
 		});
-
 		useTelemetry().trackAskAI('askAi.generationFinished', {
 			prompt: prompt.value,
 			code,
-			tokensCount: usage?.total_tokens,
-			hasErrors: false,
-			error: '',
 		});
 	} catch (error) {
 		showMessage({
@@ -184,15 +181,12 @@ async function onSubmit() {
 			title: i18n.baseText('codeNodeEditor.askAi.generationFailed'),
 			message: getErrorMessageByStatusCode(error.httpStatusCode || error?.response.status),
 		});
-
+		stopLoading();
 		useTelemetry().trackAskAI('askAi.generationFinished', {
 			prompt: prompt.value,
 			code: '',
-			tokensCount: 0,
-			hasErrors: true,
-			error: getErrorMessageByStatusCode(error.httpStatusCode || error?.response.status),
+			hasError: true,
 		});
-		stopLoading();
 	}
 }
 function triggerLoadingChange() {
diff --git a/packages/editor-ui/src/components/CodeNodeEditor/completer.ts b/packages/editor-ui/src/components/CodeNodeEditor/completer.ts
index dfcb2b6f14352..9d64f92a49921 100644
--- a/packages/editor-ui/src/components/CodeNodeEditor/completer.ts
+++ b/packages/editor-ui/src/components/CodeNodeEditor/completer.ts
@@ -172,6 +172,7 @@ export const completerExtension = defineComponent({
 
 				if (value === '$execution') return this.executionCompletions(context, variable);
 				if (value === '$vars') return this.variablesCompletions(context, variable);
+
 				if (value === '$workflow') return this.workflowCompletions(context, variable);
 				if (value === '$prevNode') return this.prevNodeCompletions(context, variable);
 
diff --git a/packages/editor-ui/src/components/CodeNodeEditor/completions/secrets.completions.ts b/packages/editor-ui/src/components/CodeNodeEditor/completions/secrets.completions.ts
new file mode 100644
index 0000000000000..d3eec85bc0f66
--- /dev/null
+++ b/packages/editor-ui/src/components/CodeNodeEditor/completions/secrets.completions.ts
@@ -0,0 +1,54 @@
+import Vue from 'vue';
+import { addVarType } from '../utils';
+import type { Completion, CompletionContext, CompletionResult } from '@codemirror/autocomplete';
+import type { CodeNodeEditorMixin } from '../types';
+import { useExternalSecretsStore } from '@/stores';
+
+const escape = (str: string) => str.replace('$', '\\$');
+
+export const secretsCompletions = (Vue as CodeNodeEditorMixin).extend({
+	methods: {
+		/**
+		 * Complete `$secrets.` to `$secrets.providerName` and `$secrets.providerName.secretName`.
+		 */
+		secretsCompletions(context: CompletionContext, matcher = '$secrets'): CompletionResult | null {
+			const pattern = new RegExp(`${escape(matcher)}\..*`);
+			const preCursor = context.matchBefore(pattern);
+
+			if (!preCursor || (preCursor.from === preCursor.to && !context.explicit)) return null;
+
+			const provider = preCursor.text.split('.')[1];
+			const externalSecretsStore = useExternalSecretsStore();
+			let options: Completion[];
+
+			const optionsForObject = (leftSide: string, object: object): Completion[] => {
+				return Object.entries(object).flatMap(([key, value]) => {
+					if (typeof value === 'object' && value !== null) {
+						return optionsForObject(`${leftSide}.${key}`, value);
+					}
+					return {
+						label: `${leftSide}.${key}`,
+						info: '*******',
+					};
+				});
+			};
+
+			if (provider) {
+				options = optionsForObject(
+					`${matcher}.${provider}`,
+					externalSecretsStore.secretsAsObject[provider],
+				);
+			} else {
+				options = Object.keys(externalSecretsStore.secretsAsObject).map((provider) => ({
+					label: `${matcher}.${provider}`,
+					info: JSON.stringify(externalSecretsStore.secretsAsObject[provider]),
+				}));
+			}
+
+			return {
+				from: preCursor.from,
+				options: options.map(addVarType),
+			};
+		},
+	},
+});
diff --git a/packages/editor-ui/src/components/CodeNodeEditor/completions/variables.completions.ts b/packages/editor-ui/src/components/CodeNodeEditor/completions/variables.completions.ts
index c7a6983b6ed17..278d401545bb7 100644
--- a/packages/editor-ui/src/components/CodeNodeEditor/completions/variables.completions.ts
+++ b/packages/editor-ui/src/components/CodeNodeEditor/completions/variables.completions.ts
@@ -8,7 +8,7 @@ const escape = (str: string) => str.replace('$', '\\$');
 export const variablesCompletions = defineComponent({
 	methods: {
 		/**
-		 * Complete `$workflow.` to `.id .name .active`.
+		 * Complete `$vars.` to `$vars.VAR_NAME`.
 		 */
 		variablesCompletions(context: CompletionContext, matcher = '$vars'): CompletionResult | null {
 			const pattern = new RegExp(`${escape(matcher)}\..*`);
diff --git a/packages/editor-ui/src/components/CredentialEdit/CredentialConfig.vue b/packages/editor-ui/src/components/CredentialEdit/CredentialConfig.vue
index 8a75cfeb2b842..37b8e7f4c7514 100644
--- a/packages/editor-ui/src/components/CredentialEdit/CredentialConfig.vue
+++ b/packages/editor-ui/src/components/CredentialEdit/CredentialConfig.vue
@@ -126,6 +126,17 @@
 		<n8n-text v-if="isMissingCredentials" color="text-base" size="medium">
 			{{ $locale.baseText('credentialEdit.credentialConfig.missingCredentialType') }}
 		</n8n-text>
+
+		<EnterpriseEdition :features="[EnterpriseEditionFeature.ExternalSecrets]">
+			<template #fallback>
+				<n8n-info-tip class="mt-s">
+					{{ $locale.baseText('credentialEdit.credentialConfig.externalSecrets') }}
+					<n8n-link bold :to="$locale.baseText('settings.externalSecrets.docs')" size="small">
+						{{ $locale.baseText('credentialEdit.credentialConfig.externalSecrets.moreInfo') }}
+					</n8n-link>
+				</n8n-info-tip>
+			</template>
+		</EnterpriseEdition>
 	</div>
 </template>
 
@@ -152,10 +163,12 @@ import { useNodeTypesStore } from '@/stores/nodeTypes.store';
 import type { ICredentialsResponse } from '@/Interface';
 import AuthTypeSelector from '@/components/CredentialEdit/AuthTypeSelector.vue';
 import GoogleAuthButton from './GoogleAuthButton.vue';
+import EnterpriseEdition from '@/components/EnterpriseEdition.ee.vue';
 
 export default defineComponent({
 	name: 'CredentialConfig',
 	components: {
+		EnterpriseEdition,
 		AuthTypeSelector,
 		Banner,
 		CopyInput,
diff --git a/packages/editor-ui/src/components/CredentialEdit/CredentialEdit.vue b/packages/editor-ui/src/components/CredentialEdit/CredentialEdit.vue
index 05a06cbf4da60..22a5e8f3efd30 100644
--- a/packages/editor-ui/src/components/CredentialEdit/CredentialEdit.vue
+++ b/packages/editor-ui/src/components/CredentialEdit/CredentialEdit.vue
@@ -157,6 +157,8 @@ import {
 	getNodeCredentialForSelectedAuthType,
 	updateNodeAuthType,
 	isCredentialModalState,
+	isExpression,
+	isTestableExpression,
 } from '@/utils';
 import { externalHooks } from '@/mixins/externalHooks';
 
@@ -370,12 +372,13 @@ export default defineComponent({
 			}
 
 			const { ownedBy, sharedWith, ...credentialData } = this.credentialData;
-			const hasExpressions = Object.values(credentialData).reduce(
+			const hasUntestableExpressions = Object.values(credentialData).reduce(
 				(accu: boolean, value: CredentialInformation) =>
-					accu || (typeof value === 'string' && value.startsWith('=')),
+					accu ||
+					(typeof value === 'string' && isExpression(value) && !isTestableExpression(value)),
 				false,
 			);
-			if (hasExpressions) {
+			if (hasUntestableExpressions) {
 				return false;
 			}
 
@@ -445,8 +448,14 @@ export default defineComponent({
 					return false;
 				}
 
-				if (property.type === 'number' && typeof this.credentialData[property.name] !== 'number') {
-					return false;
+				if (property.type === 'number') {
+					const isExpression =
+						typeof this.credentialData[property.name] === 'string' &&
+						this.credentialData[property.name].startsWith('=');
+
+					if (typeof this.credentialData[property.name] !== 'number' && !isExpression) {
+						return false;
+					}
 				}
 			}
 			return true;
@@ -835,12 +844,17 @@ export default defineComponent({
 					this.testedSuccessfully = false;
 				}
 
+				const usesExternalSecrets = Object.entries(credentialDetails.data || {}).some(([, value]) =>
+					/=.*\{\{[^}]*\$secrets\.[^}]+}}.*/.test(`${value}`),
+				);
+
 				const trackProperties: ITelemetryTrackProperties = {
 					credential_type: credentialDetails.type,
 					workflow_id: this.workflowsStore.workflowId,
 					credential_id: credential.id,
 					is_complete: !!this.requiredPropertiesFilled,
 					is_new: isNewCredential,
+					uses_external_secrets: usesExternalSecrets,
 				};
 
 				if (this.isOAuthType) {
diff --git a/packages/editor-ui/src/components/DebugPaywallModal.vue b/packages/editor-ui/src/components/DebugPaywallModal.vue
new file mode 100644
index 0000000000000..667e067ce008b
--- /dev/null
+++ b/packages/editor-ui/src/components/DebugPaywallModal.vue
@@ -0,0 +1,40 @@
+<script lang="ts" setup>
+import { useI18n } from '@/composables';
+import Modal from '@/components/Modal.vue';
+
+const props = defineProps<{
+	modalName: string;
+	data: { title: string; footerButtonAction: () => void };
+}>();
+
+const i18n = useI18n();
+</script>
+
+<template>
+	<Modal width="500px" :title="props.data.title" :name="props.modalName">
+		<template #content>
+			<n8n-text>
+				{{ i18n.baseText('executionsList.debug.paywall.content') }}
+				<br />
+				<n8n-link :to="i18n.baseText('executionsList.debug.paywall.link.url')">
+					{{ i18n.baseText('executionsList.debug.paywall.link.text') }}
+				</n8n-link>
+			</n8n-text>
+		</template>
+		<template #footer>
+			<div :class="$style.footer">
+				<n8n-button @click="props.data.footerButtonAction">
+					{{ i18n.baseText('generic.seePlans') }}
+				</n8n-button>
+			</div>
+		</template>
+	</Modal>
+</template>
+
+<style module lang="scss">
+.footer {
+	display: flex;
+	flex-direction: row;
+	justify-content: flex-end;
+}
+</style>
diff --git a/packages/editor-ui/src/components/ExecutionsView/ExecutionPreview.vue b/packages/editor-ui/src/components/ExecutionsView/ExecutionPreview.vue
index b9a4d4c845f7c..5468f6831fded 100644
--- a/packages/editor-ui/src/components/ExecutionsView/ExecutionPreview.vue
+++ b/packages/editor-ui/src/components/ExecutionsView/ExecutionPreview.vue
@@ -79,6 +79,29 @@
 				</n8n-text>
 			</div>
 			<div>
+				<n8n-button
+					size="large"
+					:type="debugButtonData.type"
+					:class="{
+						[$style.debugLink]: true,
+						[$style.secondary]: debugButtonData.type === 'secondary',
+					}"
+				>
+					<router-link
+						:to="{
+							name: VIEWS.EXECUTION_DEBUG,
+							params: {
+								name: activeExecution.workflowId,
+								executionId: activeExecution.id,
+							},
+						}"
+					>
+						<span @click="handleDebugLinkClick" data-test-id="execution-debug-button">{{
+							debugButtonData.text
+						}}</span>
+					</router-link>
+				</n8n-button>
+
 				<el-dropdown
 					v-if="executionUIDetails?.name === 'error'"
 					trigger="click"
@@ -128,13 +151,12 @@
 
 <script lang="ts">
 import { defineComponent } from 'vue';
-
-import { useMessage } from '@/composables';
+import { ElDropdown } from 'element-plus';
+import { useExecutionDebugging, useMessage } from '@/composables';
 import WorkflowPreview from '@/components/WorkflowPreview.vue';
 import type { IExecutionUIData } from '@/mixins/executionsHelpers';
 import { executionHelpers } from '@/mixins/executionsHelpers';
 import { MODAL_CONFIRM, VIEWS } from '@/constants';
-import { ElDropdown } from 'element-plus';
 
 type RetryDropdownRef = InstanceType<typeof ElDropdown> & { hide: () => void };
 
@@ -153,6 +175,7 @@ export default defineComponent({
 	setup() {
 		return {
 			...useMessage(),
+			...useExecutionDebugging(),
 		};
 	},
 	computed: {
@@ -162,6 +185,17 @@ export default defineComponent({
 		executionMode(): string {
 			return this.activeExecution?.mode || '';
 		},
+		debugButtonData(): Record<string, string> {
+			return this.activeExecution?.status === 'success'
+				? {
+						text: this.$locale.baseText('executionsList.debug.button.copyToEditor'),
+						type: 'secondary',
+				  }
+				: {
+						text: this.$locale.baseText('executionsList.debug.button.debugInEditor'),
+						type: 'primary',
+				  };
+		},
 	},
 	methods: {
 		async onDeleteExecution(): Promise<void> {
@@ -212,9 +246,15 @@ export default defineComponent({
 	width: 100%;
 	display: flex;
 	justify-content: space-between;
+	align-items: center;
 	transition: all 150ms ease-in-out;
 	pointer-events: none;
 
+	> div:last-child {
+		display: flex;
+		align-items: center;
+	}
+
 	& * {
 		pointer-events: all;
 	}
@@ -254,4 +294,21 @@ export default defineComponent({
 	margin-top: var(--spacing-l);
 	text-align: center;
 }
+
+.debugLink {
+	padding: 0;
+	margin-right: var(--spacing-xs);
+
+	&.secondary {
+		a span {
+			color: var(--color-primary-shade-1);
+		}
+	}
+
+	a span {
+		display: block;
+		padding: var(--spacing-xs) var(--spacing-m);
+		color: var(--color-text-xlight);
+	}
+}
 </style>
diff --git a/packages/editor-ui/src/components/ExecutionsView/__tests__/ExecutionPreview.test.ts b/packages/editor-ui/src/components/ExecutionsView/__tests__/ExecutionPreview.test.ts
new file mode 100644
index 0000000000000..fb13c06a34958
--- /dev/null
+++ b/packages/editor-ui/src/components/ExecutionsView/__tests__/ExecutionPreview.test.ts
@@ -0,0 +1,112 @@
+import { vi, describe, expect } from 'vitest';
+import { render } from '@testing-library/vue';
+import userEvent from '@testing-library/user-event';
+import { faker } from '@faker-js/faker';
+import { createRouter, createWebHistory } from 'vue-router';
+import { createPinia, PiniaVuePlugin, setActivePinia } from 'pinia';
+import type { IExecutionsSummary } from 'n8n-workflow';
+import { useSettingsStore, useWorkflowsStore } from '@/stores';
+import ExecutionPreview from '@/components/ExecutionsView/ExecutionPreview.vue';
+import { VIEWS } from '@/constants';
+import { i18nInstance, I18nPlugin } from '@/plugins/i18n';
+import { FontAwesomePlugin } from '@/plugins/icons';
+import { GlobalComponentsPlugin } from '@/plugins/components';
+
+let pinia: ReturnType<typeof createPinia>;
+
+const routes = [
+	{ path: '/', name: 'home', component: { template: '<div></div>' } },
+	{
+		path: '/workflow/:name/debug/:executionId',
+		name: VIEWS.EXECUTION_DEBUG,
+		component: { template: '<div></div>' },
+	},
+];
+
+const router = createRouter({
+	history: createWebHistory(),
+	routes,
+});
+
+const $route = {
+	params: {},
+};
+
+const generateUndefinedNullOrString = () => {
+	switch (Math.floor(Math.random() * 4)) {
+		case 0:
+			return undefined;
+		case 1:
+			return null;
+		case 2:
+			return faker.string.uuid();
+		case 3:
+			return '';
+		default:
+			return undefined;
+	}
+};
+
+const executionDataFactory = (): IExecutionsSummary => ({
+	id: faker.string.uuid(),
+	finished: faker.datatype.boolean(),
+	mode: faker.helpers.arrayElement(['manual', 'trigger']),
+	startedAt: faker.date.past(),
+	stoppedAt: faker.date.past(),
+	workflowId: faker.number.int().toString(),
+	workflowName: faker.string.sample(),
+	status: faker.helpers.arrayElement(['failed', 'success']),
+	nodeExecutionStatus: {},
+	retryOf: generateUndefinedNullOrString(),
+	retrySuccessId: generateUndefinedNullOrString(),
+});
+
+describe('ExecutionPreview.vue', () => {
+	let workflowsStore: ReturnType<typeof useWorkflowsStore>;
+	let settingsStore: ReturnType<typeof useSettingsStore>;
+	const executionData: IExecutionsSummary = executionDataFactory();
+
+	beforeEach(() => {
+		pinia = createPinia();
+		setActivePinia(pinia);
+
+		workflowsStore = useWorkflowsStore();
+		settingsStore = useSettingsStore();
+
+		vi.spyOn(workflowsStore, 'activeWorkflowExecution', 'get').mockReturnValue(executionData);
+	});
+
+	test.each([
+		[false, '/'],
+		[true, `/workflow/${executionData.workflowId}/debug/${executionData.id}`],
+	])(
+		'when debug enterprise feature is %s it should handle debug link click accordingly',
+		async (availability, path) => {
+			vi.spyOn(settingsStore, 'isEnterpriseFeatureEnabled', 'get').mockReturnValue(
+				() => availability,
+			);
+
+			// Not using createComponentRenderer helper here because this component should not stub `router-link`
+			const { getByTestId } = render(ExecutionPreview, {
+				global: {
+					plugins: [
+						I18nPlugin,
+						i18nInstance,
+						PiniaVuePlugin,
+						FontAwesomePlugin,
+						GlobalComponentsPlugin,
+						pinia,
+						router,
+					],
+					mocks: {
+						$route,
+					},
+				},
+			});
+
+			await userEvent.click(getByTestId('execution-debug-button'));
+
+			expect(router.currentRoute.value.path).toBe(path);
+		},
+	);
+});
diff --git a/packages/editor-ui/src/components/ExpressionParameterInput.vue b/packages/editor-ui/src/components/ExpressionParameterInput.vue
index 8567f95123d5e..ad9093f180027 100644
--- a/packages/editor-ui/src/components/ExpressionParameterInput.vue
+++ b/packages/editor-ui/src/components/ExpressionParameterInput.vue
@@ -19,6 +19,7 @@
 				:isReadOnly="isReadOnly"
 				:targetItem="hoveringItem"
 				:isSingleLine="isForRecordLocator"
+				:additionalData="additionalExpressionData"
 				:path="path"
 				@focus="onFocus"
 				@blur="onBlur"
@@ -34,7 +35,6 @@
 				data-test-id="expander"
 			/>
 		</div>
-
 		<InlineExpressionEditorOutput
 			:segments="segments"
 			:isReadOnly="isReadOnly"
@@ -46,6 +46,7 @@
 
 <script lang="ts">
 import { mapStores } from 'pinia';
+import type { PropType } from 'vue';
 import { defineComponent } from 'vue';
 
 import { useNDVStore } from '@/stores/ndv.store';
@@ -57,6 +58,7 @@ import { createExpressionTelemetryPayload } from '@/utils/telemetryUtils';
 
 import type { Segment } from '@/types/expressions';
 import type { TargetItem } from '@/Interface';
+import type { IDataObject } from 'n8n-workflow';
 
 type InlineExpressionEditorInputRef = InstanceType<typeof InlineExpressionEditorInput>;
 
@@ -88,6 +90,10 @@ export default defineComponent({
 			type: Boolean,
 			default: false,
 		},
+		additionalExpressionData: {
+			type: Object as PropType<IDataObject>,
+			default: () => ({}),
+		},
 	},
 	computed: {
 		...mapStores(useNDVStore, useWorkflowsStore),
diff --git a/packages/editor-ui/src/components/ExternalSecretsProviderCard.ee.vue b/packages/editor-ui/src/components/ExternalSecretsProviderCard.ee.vue
new file mode 100644
index 0000000000000..ed4934733c287
--- /dev/null
+++ b/packages/editor-ui/src/components/ExternalSecretsProviderCard.ee.vue
@@ -0,0 +1,185 @@
+<script lang="ts" setup>
+import type { PropType, Ref } from 'vue';
+import type { ExternalSecretsProvider } from '@/Interface';
+import ExternalSecretsProviderImage from '@/components/ExternalSecretsProviderImage.ee.vue';
+import ExternalSecretsProviderConnectionSwitch from '@/components/ExternalSecretsProviderConnectionSwitch.ee.vue';
+import { useExternalSecretsStore, useUIStore } from '@/stores';
+import { useExternalSecretsProvider, useI18n, useToast } from '@/composables';
+import { EXTERNAL_SECRETS_PROVIDER_MODAL_KEY } from '@/constants';
+import { DateTime } from 'luxon';
+import { computed, nextTick, onMounted, toRefs } from 'vue';
+
+const props = defineProps({
+	provider: {
+		type: Object as PropType<ExternalSecretsProvider>,
+		required: true,
+	},
+});
+
+const externalSecretsStore = useExternalSecretsStore();
+const i18n = useI18n();
+const uiStore = useUIStore();
+const toast = useToast();
+
+const { provider } = toRefs(props) as Ref<ExternalSecretsProvider>;
+const providerData = computed(() => provider.value.data);
+const {
+	connectionState,
+	initialConnectionState,
+	normalizedProviderData,
+	testConnection,
+	setConnectionState,
+} = useExternalSecretsProvider(provider, providerData);
+
+const actionDropdownOptions = computed(() => [
+	{
+		value: 'setup',
+		label: i18n.baseText('settings.externalSecrets.card.actionDropdown.setup'),
+	},
+	...(props.provider.connected
+		? [
+				{
+					value: 'reload',
+					label: i18n.baseText('settings.externalSecrets.card.actionDropdown.reload'),
+				},
+		  ]
+		: []),
+]);
+
+const canConnect = computed(() => {
+	return props.provider.connected || Object.keys(props.provider.data).length > 0;
+});
+
+const formattedDate = computed((provider: ExternalSecretsProvider) => {
+	return DateTime.fromISO(props.provider.connectedAt!).toFormat('dd LLL yyyy');
+});
+
+onMounted(() => {
+	setConnectionState(props.provider.state);
+});
+
+async function onBeforeConnectionUpdate() {
+	if (props.provider.connected) {
+		return true;
+	}
+
+	await externalSecretsStore.getProvider(props.provider.name);
+	await nextTick();
+	const status = await testConnection();
+
+	return status !== 'error';
+}
+
+function openExternalSecretProvider() {
+	uiStore.openModalWithData({
+		name: EXTERNAL_SECRETS_PROVIDER_MODAL_KEY,
+		data: { name: props.provider.name },
+	});
+}
+
+async function reloadProvider() {
+	try {
+		await externalSecretsStore.reloadProvider(props.provider.name);
+		toast.showMessage({
+			title: i18n.baseText('settings.externalSecrets.card.reload.success.title'),
+			message: i18n.baseText('settings.externalSecrets.card.reload.success.description', {
+				interpolate: { provider: props.provider.displayName },
+			}),
+			type: 'success',
+		});
+	} catch (error) {
+		toast.showError(error, i18n.baseText('error'));
+	}
+}
+
+async function onActionDropdownClick(id: string) {
+	switch (id) {
+		case 'setup':
+			openExternalSecretProvider();
+			break;
+		case 'reload':
+			await reloadProvider();
+			break;
+	}
+}
+</script>
+
+<template>
+	<n8n-card :class="$style.card">
+		<div :class="$style.cardBody">
+			<ExternalSecretsProviderImage :class="$style.cardImage" :provider="provider" />
+			<div :class="$style.cardContent">
+				<n8n-text bold>{{ provider.displayName }}</n8n-text>
+				<n8n-text color="text-light" size="small" v-if="provider.connected">
+					<span>
+						{{
+							i18n.baseText('settings.externalSecrets.card.secretsCount', {
+								interpolate: {
+									count: `${externalSecretsStore.secrets[provider.name]?.length}`,
+								},
+							})
+						}}
+					</span>
+					|
+					<span>
+						{{
+							i18n.baseText('settings.externalSecrets.card.connectedAt', {
+								interpolate: {
+									date: formattedDate,
+								},
+							})
+						}}
+					</span>
+				</n8n-text>
+			</div>
+			<div :class="$style.cardActions" v-if="canConnect">
+				<ExternalSecretsProviderConnectionSwitch
+					:provider="provider"
+					:beforeUpdate="onBeforeConnectionUpdate"
+					:disabled="connectionState === 'error' && !provider.connected"
+				/>
+				<n8n-action-toggle
+					class="ml-s"
+					theme="dark"
+					:actions="actionDropdownOptions"
+					@action="onActionDropdownClick"
+				/>
+			</div>
+			<n8n-button v-else type="tertiary" @click="openExternalSecretProvider()">
+				{{ i18n.baseText('settings.externalSecrets.card.setUp') }}
+			</n8n-button>
+		</div>
+	</n8n-card>
+</template>
+
+<style lang="scss" module>
+.card {
+	position: relative;
+	margin-bottom: var(--spacing-2xs);
+}
+
+.cardImage {
+	width: 28px;
+	height: 28px;
+}
+
+.cardBody {
+	display: flex;
+	flex-direction: row;
+	align-items: center;
+}
+
+.cardContent {
+	display: flex;
+	flex-direction: column;
+	flex-grow: 1;
+	margin-left: var(--spacing-s);
+}
+
+.cardActions {
+	display: flex;
+	flex-direction: row;
+	align-items: center;
+	margin-left: var(--spacing-s);
+}
+</style>
diff --git a/packages/editor-ui/src/components/ExternalSecretsProviderConnectionSwitch.ee.vue b/packages/editor-ui/src/components/ExternalSecretsProviderConnectionSwitch.ee.vue
new file mode 100644
index 0000000000000..d56ead9a86997
--- /dev/null
+++ b/packages/editor-ui/src/components/ExternalSecretsProviderConnectionSwitch.ee.vue
@@ -0,0 +1,116 @@
+<script lang="ts" setup>
+import type { PropType } from 'vue';
+import type { ExternalSecretsProvider } from '@/Interface';
+import { useExternalSecretsStore } from '@/stores';
+import { useI18n, useLoadingService, useToast } from '@/composables';
+import { computed, onMounted, ref } from 'vue';
+import type { EventBus } from 'n8n-design-system/utils';
+
+const emit = defineEmits<{
+	(e: 'change', value: boolean): void;
+}>();
+
+const props = defineProps({
+	provider: {
+		type: Object as PropType<ExternalSecretsProvider>,
+		required: true,
+	},
+	eventBus: {
+		type: Object as PropType<EventBus>,
+		default: undefined,
+	},
+	disabled: {
+		type: Boolean,
+		default: false,
+	},
+	beforeUpdate: {
+		type: Function,
+		default: undefined,
+	},
+});
+
+const loadingService = useLoadingService();
+const externalSecretsStore = useExternalSecretsStore();
+const i18n = useI18n();
+const toast = useToast();
+
+const saving = ref(false);
+
+const connectedTextColor = computed(() => {
+	return props.provider.connected ? 'success' : 'text-light';
+});
+
+onMounted(() => {
+	if (props.eventBus) {
+		props.eventBus.on('connect', onUpdateConnected);
+	}
+});
+
+async function onUpdateConnected(value: boolean) {
+	try {
+		saving.value = true;
+
+		if (props.beforeUpdate) {
+			const result = await props.beforeUpdate(value);
+			if (result === false) {
+				saving.value = false;
+				return;
+			}
+		}
+
+		await externalSecretsStore.updateProviderConnected(props.provider.name, value);
+
+		emit('change', value);
+	} catch (error) {
+		toast.showError(error, 'Error');
+	} finally {
+		saving.value = false;
+	}
+}
+</script>
+
+<template>
+	<div class="connection-switch" v-loading="saving" element-loading-spinner="el-icon-loading">
+		<n8n-icon
+			v-if="provider.state === 'error'"
+			color="danger"
+			icon="exclamation-triangle"
+			class="mr-2xs"
+		/>
+		<n8n-text :color="connectedTextColor" bold class="mr-2xs">
+			{{
+				i18n.baseText(
+					`settings.externalSecrets.card.${provider.connected ? 'connected' : 'disconnected'}`,
+				)
+			}}
+		</n8n-text>
+		<el-switch
+			:modelValue="provider.connected"
+			:title="
+				i18n.baseText('settings.externalSecrets.card.connectedSwitch.title', {
+					interpolate: { provider: provider.displayName },
+				})
+			"
+			:disabled="disabled"
+			data-test-id="settings-external-secrets-connected-switch"
+			@update:modelValue="onUpdateConnected"
+		>
+		</el-switch>
+	</div>
+</template>
+
+<style lang="scss" scoped>
+.connection-switch {
+	position: relative;
+	display: flex;
+	flex-direction: row;
+	align-items: center;
+
+	&.error {
+		:deep(.el-switch.is-checked .el-switch__core) {
+			background-color: #ff4027;
+			border-color: #ff4027;
+		}
+	}
+}
+</style>
diff --git a/packages/editor-ui/src/components/ExternalSecretsProviderImage.ee.vue b/packages/editor-ui/src/components/ExternalSecretsProviderImage.ee.vue
new file mode 100644
index 0000000000000..e70742a4a7548
--- /dev/null
+++ b/packages/editor-ui/src/components/ExternalSecretsProviderImage.ee.vue
@@ -0,0 +1,28 @@
+<script lang="ts" setup>
+import type { PropType } from 'vue';
+import type { ExternalSecretsProvider } from '@/Interface';
+import { computed } from 'vue';
+import infisical from '../assets/images/infisical.webp';
+import doppler from '../assets/images/doppler.webp';
+import vault from '../assets/images/hashicorp.webp';
+
+const props = defineProps({
+	provider: {
+		type: Object as PropType<ExternalSecretsProvider>,
+		required: true,
+	},
+});
+
+const image = computed(
+	() =>
+		({
+			doppler,
+			infisical,
+			vault,
+		})[props.provider.name],
+);
+</script>
+
+<template>
+	<img :src="image" :alt="provider.displayName" width="28" height="28" />
+</template>
diff --git a/packages/editor-ui/src/components/ExternalSecretsProviderModal.ee.vue b/packages/editor-ui/src/components/ExternalSecretsProviderModal.ee.vue
new file mode 100644
index 0000000000000..64c2d54d7b748
--- /dev/null
+++ b/packages/editor-ui/src/components/ExternalSecretsProviderModal.ee.vue
@@ -0,0 +1,331 @@
+<script lang="ts" setup>
+import Modal from './Modal.vue';
+import { EXTERNAL_SECRETS_PROVIDER_MODAL_KEY, MODAL_CONFIRM } from '@/constants';
+import { computed, onMounted, ref } from 'vue';
+import type { PropType, Ref } from 'vue';
+import type { EventBus } from 'n8n-design-system/utils';
+import { useExternalSecretsProvider, useI18n, useMessage, useToast } from '@/composables';
+import { useExternalSecretsStore } from '@/stores/externalSecrets.ee.store';
+import { useUIStore } from '@/stores';
+import { useRoute } from 'vue-router';
+import ParameterInputExpanded from '@/components/ParameterInputExpanded.vue';
+import type { IUpdateInformation, ExternalSecretsProviderData } from '@/Interface';
+import type { IParameterLabel } from 'n8n-workflow';
+import ExternalSecretsProviderImage from '@/components/ExternalSecretsProviderImage.ee.vue';
+import ExternalSecretsProviderConnectionSwitch from '@/components/ExternalSecretsProviderConnectionSwitch.ee.vue';
+import { createEventBus } from 'n8n-design-system/utils';
+import type { ExternalSecretsProvider } from '@/Interface';
+
+const props = defineProps({
+	data: {
+		type: Object as PropType<{ eventBus: EventBus; name: string }>,
+		default: () => ({}),
+	},
+});
+
+const defaultProviderData = {
+	infisical: {
+		siteURL: 'https://app.infisical.com',
+	},
+};
+
+const externalSecretsStore = useExternalSecretsStore();
+const uiStore = useUIStore();
+const toast = useToast();
+const i18n = useI18n();
+const route = useRoute();
+const { confirm } = useMessage();
+
+const saving = ref(false);
+
+const eventBus = createEventBus();
+
+const labelSize: IParameterLabel = { size: 'medium' };
+
+const provider = computed<ExternalSecretsProvider | undefined>(() =>
+	externalSecretsStore.providers.find((p) => p.name === props.data.name),
+) as Ref<ExternalSecretsProvider>;
+const providerData = ref<ExternalSecretsProviderData>({});
+const {
+	connectionState,
+	initialConnectionState,
+	normalizedProviderData,
+	shouldDisplayProperty,
+	setConnectionState,
+	testConnection,
+} = useExternalSecretsProvider(provider, providerData);
+
+const providerDataUpdated = computed(() => {
+	return Object.keys(providerData.value).find((key) => {
+		const value = providerData.value[key];
+		const originalValue = provider.value.data[key];
+
+		return value !== originalValue;
+	});
+});
+
+const canSave = computed(
+	() =>
+		provider.value.properties
+			?.filter((property) => property.required && shouldDisplayProperty(property))
+			.every((property) => {
+				const value = providerData.value[property.name];
+				return !!value;
+			}) && providerDataUpdated.value,
+);
+
+onMounted(async () => {
+	try {
+		const provider = await externalSecretsStore.getProvider(props.data.name);
+		providerData.value = {
+			...(defaultProviderData[props.data.name] || {}),
+			...provider.data,
+		};
+
+		setConnectionState(provider.state);
+
+		if (provider.connected) {
+			initialConnectionState.value = provider.state;
+		} else if (Object.keys(provider.data).length) {
+			await testConnection();
+		}
+
+		if (provider.state === 'connected') {
+			void externalSecretsStore.reloadProvider(props.data.name);
+		}
+	} catch (error) {
+		toast.showError(error, 'Error');
+	}
+});
+
+function close() {
+	uiStore.closeModal(EXTERNAL_SECRETS_PROVIDER_MODAL_KEY);
+}
+
+function onValueChange(updateInformation: IUpdateInformation) {
+	providerData.value = {
+		...providerData.value,
+		[updateInformation.name]: updateInformation.value,
+	};
+}
+
+async function save() {
+	try {
+		saving.value = true;
+		await externalSecretsStore.updateProvider(provider.value.name, {
+			data: normalizedProviderData.value,
+		});
+
+		setConnectionState(provider.value.state);
+	} catch (error) {
+		toast.showError(error, 'Error');
+	}
+
+	await testConnection();
+
+	if (initialConnectionState.value === 'initializing' && connectionState.value === 'tested') {
+		setTimeout(() => {
+			eventBus.emit('connect', true);
+		}, 100);
+	}
+
+	saving.value = false;
+}
+
+async function onBeforeClose() {
+	if (providerDataUpdated.value) {
+		const confirmModal = await confirm(
+			i18n.baseText('settings.externalSecrets.provider.closeWithoutSaving.description', {
+				interpolate: {
+					provider: provider.value.displayName,
+				},
+			}),
+			{
+				title: i18n.baseText('settings.externalSecrets.provider.closeWithoutSaving.title'),
+				confirmButtonText: i18n.baseText(
+					'settings.externalSecrets.provider.closeWithoutSaving.confirm',
+				),
+				cancelButtonText: i18n.baseText(
+					'settings.externalSecrets.provider.closeWithoutSaving.cancel',
+				),
+			},
+		);
+
+		return confirmModal !== MODAL_CONFIRM;
+	}
+
+	return true;
+}
+</script>
+
+<template>
+	<Modal
+		id="external-secrets-provider-modal"
+		width="812px"
+		:title="provider.displayName"
+		:eventBus="data.eventBus"
+		:name="EXTERNAL_SECRETS_PROVIDER_MODAL_KEY"
+		:before-close="onBeforeClose"
+	>
+		<template #header>
+			<div :class="$style.header">
+				<div :class="$style.providerTitle">
+					<ExternalSecretsProviderImage :provider="provider" class="mr-xs" />
+					<span>{{ provider.displayName }}</span>
+				</div>
+				<div :class="$style.providerActions">
+					<ExternalSecretsProviderConnectionSwitch
+						class="mr-s"
+						:disabled="
+							(connectionState === 'initializing' || connectionState === 'error') &&
+							!provider.connected
+						"
+						:event-bus="eventBus"
+						:provider="provider"
+						@change="testConnection"
+					/>
+					<n8n-button
+						type="primary"
+						:loading="saving"
+						:disabled="!canSave && !saving"
+						@click="save"
+					>
+						{{
+							i18n.baseText(
+								`settings.externalSecrets.provider.buttons.${saving ? 'saving' : 'save'}`,
+							)
+						}}
+					</n8n-button>
+				</div>
+			</div>
+		</template>
+
+		<template #content>
+			<div :class="$style.container">
+				<hr class="mb-l" />
+				<div class="mb-l" v-if="connectionState !== 'initializing'">
+					<n8n-callout
+						v-if="connectionState === 'connected' || connectionState === 'tested'"
+						theme="success"
+					>
+						{{
+							i18n.baseText(
+								`settings.externalSecrets.provider.testConnection.success${
+									provider.connected ? '.connected' : ''
+								}`,
+								{
+									interpolate: {
+										count: `${externalSecretsStore.secrets[provider.name]?.length}`,
+										provider: provider.displayName,
+									},
+								},
+							)
+						}}
+						<span v-if="provider.connected">
+							<br />
+							<i18n-t
+								keypath="settings.externalSecrets.provider.testConnection.success.connected.usage"
+							>
+								<template #code>
+									<code>{{ `\{\{ \$secrets\.${provider.name}\.secret_name \}\}` }}</code>
+								</template>
+							</i18n-t>
+							<n8n-link :href="i18n.baseText('settings.externalSecrets.docs.use')" size="small">
+								{{
+									i18n.baseText(
+										'settings.externalSecrets.provider.testConnection.success.connected.docs',
+									)
+								}}
+							</n8n-link>
+						</span>
+					</n8n-callout>
+					<n8n-callout v-else-if="connectionState === 'error'" theme="danger">
+						{{
+							i18n.baseText(
+								`settings.externalSecrets.provider.testConnection.error${
+									provider.connected ? '.connected' : ''
+								}`,
+								{
+									interpolate: { provider: provider.displayName },
+								},
+							)
+						}}
+					</n8n-callout>
+				</div>
+
+				<form
+					v-for="property in provider.properties"
+					v-show="shouldDisplayProperty(property)"
+					:key="property.name"
+					autocomplete="off"
+					data-test-id="external-secrets-provider-properties-form"
+					@submit.prevent
+				>
+					<n8n-notice v-if="property.type === 'notice'" :content="property.displayName" />
+					<parameter-input-expanded
+						v-else
+						class="mb-l"
+						:parameter="property"
+						:value="providerData[property.name]"
+						:label="labelSize"
+						eventSource="external-secrets-provider"
+						@update="onValueChange"
+					/>
+				</form>
+			</div>
+		</template>
+	</Modal>
+</template>
+
+<style module lang="scss">
+.container {
+	> * {
+		overflow-wrap: break-word;
+	}
+}
+
+.header {
+	display: flex;
+	flex-direction: row;
+	justify-content: space-between;
+	align-items: center;
+	flex-grow: 1;
+}
+
+.providerTitle {
+	display: flex;
+	flex-direction: row;
+	align-items: center;
+	flex: 1;
+}
+
+.providerActions {
+	flex: 0;
+	display: flex;
+	flex-direction: row;
+	align-items: center;
+}
+
+.footer {
+	display: flex;
+	flex-direction: row;
+	justify-content: flex-end;
+}
+</style>
+
+<style lang="scss">
+#external-secrets-provider-modal {
+	.el-dialog__header {
+		display: flex;
+		align-items: center;
+		flex-direction: row;
+	}
+
+	.el-dialog__headerbtn {
+		position: relative;
+		top: unset;
+		right: unset;
+		margin-left: var(--spacing-xs);
+	}
+}
+</style>
diff --git a/packages/editor-ui/src/components/InlineExpressionEditor/InlineExpressionEditorInput.vue b/packages/editor-ui/src/components/InlineExpressionEditor/InlineExpressionEditorInput.vue
index 902729dbe1567..fc6434aa632f8 100644
--- a/packages/editor-ui/src/components/InlineExpressionEditor/InlineExpressionEditorInput.vue
+++ b/packages/editor-ui/src/components/InlineExpressionEditor/InlineExpressionEditorInput.vue
@@ -4,6 +4,7 @@
 
 <script lang="ts">
 import { defineComponent } from 'vue';
+import type { PropType } from 'vue';
 import { mapStores } from 'pinia';
 import { EditorView, keymap } from '@codemirror/view';
 import { Compartment, EditorState, Prec } from '@codemirror/state';
@@ -18,6 +19,7 @@ import { expressionInputHandler } from '@/plugins/codemirror/inputHandlers/expre
 import { inputTheme } from './theme';
 import { n8nLang } from '@/plugins/codemirror/n8nLang';
 import { completionManager } from '@/mixins/completionManager';
+import type { IDataObject } from 'n8n-workflow';
 
 const editableConf = new Compartment();
 
@@ -39,6 +41,10 @@ export default defineComponent({
 		path: {
 			type: String,
 		},
+		additionalData: {
+			type: Object as PropType<IDataObject>,
+			default: () => ({}),
+		},
 	},
 	watch: {
 		isReadOnly(newValue: boolean) {
@@ -83,6 +89,7 @@ export default defineComponent({
 	},
 	mounted() {
 		const extensions = [
+			n8nLang(),
 			inputTheme({ isSingleLine: this.isSingleLine }),
 			Prec.highest(
 				keymap.of([
@@ -100,7 +107,6 @@ export default defineComponent({
 				]),
 			),
 			autocompletion(),
-			n8nLang(),
 			history(),
 			expressionInputHandler(),
 			EditorView.lineWrapping,
diff --git a/packages/editor-ui/src/components/MainHeader/MainHeader.vue b/packages/editor-ui/src/components/MainHeader/MainHeader.vue
index fbd49bf83ef91..f66dc9344ba24 100644
--- a/packages/editor-ui/src/components/MainHeader/MainHeader.vue
+++ b/packages/editor-ui/src/components/MainHeader/MainHeader.vue
@@ -109,7 +109,11 @@ export default defineComponent({
 				route.name === VIEWS.EXECUTION_PREVIEW
 			) {
 				this.activeHeaderTab = MAIN_HEADER_TABS.EXECUTIONS;
-			} else if (route.name === VIEWS.WORKFLOW || route.name === VIEWS.NEW_WORKFLOW) {
+			} else if (
+				route.name === VIEWS.WORKFLOW ||
+				route.name === VIEWS.NEW_WORKFLOW ||
+				route.name === VIEWS.EXECUTION_DEBUG
+			) {
 				this.activeHeaderTab = MAIN_HEADER_TABS.WORKFLOW;
 			}
 			const workflowName = route.params.name;
diff --git a/packages/editor-ui/src/components/MfaSetupModal.vue b/packages/editor-ui/src/components/MfaSetupModal.vue
new file mode 100644
index 0000000000000..c7240d833c9f0
--- /dev/null
+++ b/packages/editor-ui/src/components/MfaSetupModal.vue
@@ -0,0 +1,359 @@
+<template>
+	<Modal
+		width="460px"
+		:title="
+			!showRecoveryCodes
+				? $locale.baseText('mfa.setup.step1.title')
+				: $locale.baseText('mfa.setup.step2.title')
+		"
+		:eventBus="modalBus"
+		:name="MFA_SETUP_MODAL_KEY"
+		:center="true"
+		:loading="loadingQrCode"
+	>
+		<template #content>
+			<div v-if="!showRecoveryCodes" :class="[$style.container, $style.modalContent]">
+				<div :class="$style.textContainer">
+					<n8n-text size="large" color="text-dark" :bold="true">{{
+						$locale.baseText('mfa.setup.step1.instruction1.title')
+					}}</n8n-text>
+				</div>
+				<div>
+					<n8n-text size="medium" :bold="false">
+						<i18n-t keypath="mfa.setup.step1.instruction1.subtitle" tag="span">
+							<template #part1>
+								{{ $locale.baseText('mfa.setup.step1.instruction1.subtitle.part1') }}
+							</template>
+							<template #part2>
+								<a
+									:class="$style.secret"
+									@click="onCopySecretToClipboard"
+									data-test-id="mfa-secret-button"
+									>{{ $locale.baseText('mfa.setup.step1.instruction1.subtitle.part2') }}</a
+								>
+							</template>
+						</i18n-t>
+					</n8n-text>
+				</div>
+				<div :class="$style.qrContainer">
+					<qrcode-vue :value="qrCode" size="150" level="H" />
+				</div>
+				<div :class="$style.textContainer">
+					<n8n-text size="large" color="text-dark" :bold="true">{{
+						$locale.baseText('mfa.setup.step1.instruction2.title')
+					}}</n8n-text>
+				</div>
+				<div :class="[$style.form, infoTextErrorMessage ? $style.error : '']">
+					<n8n-input-label
+						size="medium"
+						:bold="false"
+						:class="$style.labelTooltip"
+						:label="$locale.baseText('mfa.setup.step1.input.label')"
+					>
+						<n8n-input
+							v-model="authenticatorCode"
+							type="text"
+							:maxlength="6"
+							:placeholder="$locale.baseText('mfa.code.input.placeholder')"
+							@input="onInput"
+							:required="true"
+							data-test-id="mfa-token-input"
+						/>
+					</n8n-input-label>
+					<div :class="[$style.infoText, 'mt-4xs']">
+						<span size="small" v-text="infoTextErrorMessage"></span>
+					</div>
+				</div>
+			</div>
+			<div v-else :class="$style.container">
+				<div>
+					<n8n-text size="medium" :bold="false">{{
+						$locale.baseText('mfa.setup.step2.description')
+					}}</n8n-text>
+				</div>
+				<div :class="$style.recoveryCodesContainer">
+					<div v-for="recoveryCode in recoveryCodes" :key="recoveryCode">
+						<n8n-text size="medium">{{ recoveryCode }}</n8n-text>
+					</div>
+				</div>
+				<n8n-info-tip :bold="false" :class="$style['edit-mode-footer-infotip']">
+					<i18n-t keypath="mfa.setup.step2.infobox.description" tag="span">
+						<template #part1>
+							{{ $locale.baseText('mfa.setup.step2.infobox.description.part1') }}
+						</template>
+						<template #part2>
+							<n8n-text size="small" :bold="true" :class="$style.loseAccessText">
+								{{ $locale.baseText('mfa.setup.step2.infobox.description.part2') }}
+							</n8n-text>
+						</template>
+					</i18n-t>
+				</n8n-info-tip>
+				<div>
+					<n8n-button
+						type="primary"
+						icon="download"
+						float="right"
+						:label="$locale.baseText('mfa.setup.step2.button.download')"
+						data-test-id="mfa-recovery-codes-button"
+						@click="onDownloadClick"
+					/>
+				</div>
+			</div>
+		</template>
+		<template #footer>
+			<div v-if="showRecoveryCodes">
+				<div>
+					<n8n-button
+						float="right"
+						:disabled="!recoveryCodesDownloaded"
+						:label="$locale.baseText('mfa.setup.step2.button.save')"
+						size="large"
+						data-test-id="mfa-save-button"
+						@click="onSetupClick"
+					/>
+				</div>
+			</div>
+			<div v-else>
+				<div>
+					<n8n-button
+						float="right"
+						:label="$locale.baseText('mfa.setup.step1.button.continue')"
+						size="large"
+						:disabled="!readyToSubmit"
+						@click="onSaveClick"
+					/>
+				</div>
+			</div>
+		</template>
+	</Modal>
+</template>
+
+<script lang="ts">
+import Modal from './Modal.vue';
+import {
+	MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH,
+	MFA_AUTHENTICATION_TOKEN_WINDOW_EXPIRED,
+	MFA_SETUP_MODAL_KEY,
+} from '../constants';
+import { defineComponent } from 'vue';
+import { mapStores } from 'pinia';
+import { useUIStore } from '@/stores/ui.store';
+import { useNDVStore } from '@/stores/ndv.store';
+import { useUsersStore } from '@/stores/users.store';
+import { copyPaste } from '@/mixins/copyPaste';
+import { mfaEventBus } from '@/event-bus';
+import { useToast } from '@/composables';
+//@ts-ignore
+import QrcodeVue from 'qrcode.vue';
+export default defineComponent({
+	name: 'MfaSetupModal',
+	mixins: [copyPaste],
+	components: {
+		Modal,
+		QrcodeVue,
+	},
+	setup() {
+		return {
+			...useToast(),
+		};
+	},
+	data() {
+		return {
+			modalBus: mfaEventBus,
+			MFA_SETUP_MODAL_KEY,
+			secret: '',
+			qrCode: '',
+			readyToSubmit: false,
+			formBus: mfaEventBus,
+			showRecoveryCodes: false,
+			recoveryCodes: [] as string[],
+			recoveryCodesDownloaded: false,
+			authenticatorCode: '',
+			infoTextErrorMessage: '',
+			loadingQrCode: true,
+		};
+	},
+	computed: {
+		...mapStores(useNDVStore, useUIStore, useUsersStore),
+	},
+	methods: {
+		closeDialog(): void {
+			this.modalBus.emit('close');
+		},
+		onInput(value: string) {
+			if (value.length !== MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH) {
+				this.infoTextErrorMessage = '';
+				return;
+			}
+			this.usersStore
+				.verifyMfaToken({ token: value })
+				.then(() => {
+					this.showRecoveryCodes = true;
+					this.authenticatorCode = value;
+				})
+				.catch(() => {
+					this.infoTextErrorMessage = this.$locale.baseText('mfa.setup.invalidCode');
+				});
+		},
+		onCopySecretToClipboard() {
+			this.copyToClipboard(this.secret);
+			this.showToast({
+				title: this.$locale.baseText('mfa.setup.step1.toast.copyToClipboard.title'),
+				message: this.$locale.baseText('mfa.setup.step1.toast.copyToClipboard.message'),
+				type: 'success',
+			});
+		},
+		async onSubmit(form: { authenticatorCode: string }) {
+			try {
+				await this.usersStore.verifyMfaToken({ token: form.authenticatorCode });
+				this.showRecoveryCodes = true;
+				this.authenticatorCode = form.authenticatorCode;
+			} catch (error) {
+				this.showError(error, this.$locale.baseText('settings.mfa.invalidAuthenticatorCode'));
+			}
+		},
+		onSaveClick() {
+			this.formBus.emit('submit');
+		},
+		onDownloadClick() {
+			const filename = 'n8n-recovery-codes.txt';
+			const temporalElement = document.createElement('a');
+			temporalElement.setAttribute(
+				'href',
+				'data:text/plain;charset=utf-8,' + encodeURIComponent(this.recoveryCodes.join('\n')),
+			);
+			temporalElement.setAttribute('download', filename);
+			temporalElement.style.display = 'none';
+			document.body.appendChild(temporalElement);
+			temporalElement.click();
+			document.body.removeChild(temporalElement);
+			this.recoveryCodesDownloaded = true;
+		},
+		async onSetupClick() {
+			try {
+				await this.usersStore.enableMfa({ token: this.authenticatorCode });
+				this.closeDialog();
+				this.showMessage({
+					type: 'success',
+					title: this.$locale.baseText('mfa.setup.step2.toast.setupFinished.message'),
+				});
+			} catch (e) {
+				if (e.errorCode === MFA_AUTHENTICATION_TOKEN_WINDOW_EXPIRED) {
+					this.showMessage({
+						type: 'error',
+						title: this.$locale.baseText('mfa.setup.step2.toast.tokenExpired.error.message'),
+					});
+					return;
+				}
+
+				this.showMessage({
+					type: 'error',
+					title: this.$locale.baseText('mfa.setup.step2.toast.setupFinished.error.message'),
+				});
+			}
+		},
+		async getMfaQR() {
+			try {
+				const { secret, qrCode, recoveryCodes } = await this.usersStore.getMfaQR();
+				this.qrCode = qrCode;
+				this.secret = secret;
+				this.recoveryCodes = recoveryCodes;
+			} catch (error) {
+				this.showError(error, this.$locale.baseText('settings.api.view.error'));
+			} finally {
+				this.loadingQrCode = false;
+			}
+		},
+	},
+	async mounted() {
+		await this.getMfaQR();
+	},
+});
+</script>
+
+<style module lang="scss">
+.container > * {
+	overflow: visible;
+	margin-bottom: var(--spacing-s);
+	&:last-child {
+		margin-bottom: 0;
+	}
+}
+.textContainer {
+	text-align: left;
+	margin: 0px;
+	margin-bottom: 5px;
+}
+
+.formContainer {
+	padding-bottom: var(--spacing-xl);
+}
+
+.headerContainer {
+	text-align: center;
+}
+.recoveryCodesContainer {
+	height: 140px;
+	display: flex;
+	flex-direction: column;
+	background-color: var(--color-background-base);
+	text-align: center;
+	flex-wrap: nowrap;
+	justify-content: space-between;
+	align-items: normal;
+	align-content: normal;
+	padding-top: var(--spacing-xs);
+	padding-bottom: var(--spacing-xs);
+	gap: var(--spacing-xs);
+	margin-bottom: var(--spacing-2xs);
+	overflow-y: scroll;
+}
+
+.recoveryCodesContainer span {
+	font-size: var(--font-size-s);
+	font-weight: var(--font-weight-regular);
+	line-height: var(--spacing-m);
+	color: #7d7d87;
+}
+
+.form:first-child span {
+	color: var(--color-text-base);
+	font-weight: var(--font-weight-regular);
+	font-size: var(--font-size-s);
+}
+.form input {
+	width: 50%;
+	height: 30px;
+}
+.secret {
+	color: var(--color-primary);
+	font-weight: var(--font-weight-bold);
+}
+
+.loseAccessText {
+	color: var(--color-danger);
+}
+
+.error input {
+	border-color: var(--color-danger);
+}
+
+.error > div > span {
+	color: var(--color-danger);
+	font-size: var(--font-size-2xs);
+}
+
+.modalFooter {
+	justify-content: space-between;
+	display: flex;
+	flex-direction: row;
+}
+
+.notice {
+	margin: 0;
+}
+
+.modalContent {
+	overflow: hidden;
+}
+</style>
diff --git a/packages/editor-ui/src/components/Modals.vue b/packages/editor-ui/src/components/Modals.vue
index d39a3c2c9c91f..a7c1d2be28b77 100644
--- a/packages/editor-ui/src/components/Modals.vue
+++ b/packages/editor-ui/src/components/Modals.vue
@@ -65,6 +65,10 @@
 			<ActivationModal />
 		</ModalRoot>
 
+		<ModalRoot :name="MFA_SETUP_MODAL_KEY">
+			<MfaSetupModal />
+		</ModalRoot>
+
 		<ModalRoot :name="WORKFLOW_SHARE_MODAL_KEY">
 			<template #default="{ modalName, active, data }">
 				<WorkflowShareModal :data="data" :isActive="active" :modalName="modalName" />
@@ -115,6 +119,18 @@
 				<SourceControlPullModal :modalName="modalName" :data="data" />
 			</template>
 		</ModalRoot>
+
+		<ModalRoot :name="EXTERNAL_SECRETS_PROVIDER_MODAL_KEY">
+			<template #default="{ modalName, data }">
+				<ExternalSecretsProviderModal :modalName="modalName" :data="data" />
+			</template>
+		</ModalRoot>
+
+		<ModalRoot :name="DEBUG_PAYWALL_MODAL_KEY">
+			<template #default="{ modalName, data }">
+				<DebugPaywallModal data-test-id="debug-paywall-modal" :modalName="modalName" :data="data" />
+			</template>
+		</ModalRoot>
 	</div>
 </template>
 
@@ -143,6 +159,9 @@ import {
 	LOG_STREAM_MODAL_KEY,
 	SOURCE_CONTROL_PUSH_MODAL_KEY,
 	SOURCE_CONTROL_PULL_MODAL_KEY,
+	EXTERNAL_SECRETS_PROVIDER_MODAL_KEY,
+	DEBUG_PAYWALL_MODAL_KEY,
+	MFA_SETUP_MODAL_KEY,
 } from '@/constants';
 
 import AboutModal from './AboutModal.vue';
@@ -164,10 +183,13 @@ import WorkflowSettings from './WorkflowSettings.vue';
 import DeleteUserModal from './DeleteUserModal.vue';
 import ActivationModal from './ActivationModal.vue';
 import ImportCurlModal from './ImportCurlModal.vue';
+import MfaSetupModal from './MfaSetupModal.vue';
 import WorkflowShareModal from './WorkflowShareModal.ee.vue';
 import EventDestinationSettingsModal from '@/components/SettingsLogStreaming/EventDestinationSettingsModal.ee.vue';
 import SourceControlPushModal from '@/components/SourceControlPushModal.ee.vue';
 import SourceControlPullModal from '@/components/SourceControlPullModal.ee.vue';
+import ExternalSecretsProviderModal from '@/components/ExternalSecretsProviderModal.ee.vue';
+import DebugPaywallModal from '@/components/DebugPaywallModal.vue';
 
 export default defineComponent({
 	name: 'Modals',
@@ -195,6 +217,9 @@ export default defineComponent({
 		EventDestinationSettingsModal,
 		SourceControlPushModal,
 		SourceControlPullModal,
+		ExternalSecretsProviderModal,
+		DebugPaywallModal,
+		MfaSetupModal,
 	},
 	data: () => ({
 		COMMUNITY_PACKAGE_CONFIRM_MODAL_KEY,
@@ -219,6 +244,9 @@ export default defineComponent({
 		LOG_STREAM_MODAL_KEY,
 		SOURCE_CONTROL_PUSH_MODAL_KEY,
 		SOURCE_CONTROL_PULL_MODAL_KEY,
+		EXTERNAL_SECRETS_PROVIDER_MODAL_KEY,
+		DEBUG_PAYWALL_MODAL_KEY,
+		MFA_SETUP_MODAL_KEY,
 	}),
 });
 </script>
diff --git a/packages/editor-ui/src/components/Node.vue b/packages/editor-ui/src/components/Node.vue
index 08ca458cc0972..594dd01864ed8 100644
--- a/packages/editor-ui/src/components/Node.vue
+++ b/packages/editor-ui/src/components/Node.vue
@@ -34,7 +34,7 @@
 					v-if="!data.disabled"
 					:class="{ 'node-info-icon': true, 'shift-icon': shiftOutputCount }"
 				>
-					<div v-if="hasIssues" class="node-issues">
+					<div v-if="hasIssues" class="node-issues" data-test-id="node-issues">
 						<n8n-tooltip placement="bottom">
 							<template #content>
 								<titled-list :title="`${$locale.baseText('node.issues')}:`" :items="nodeIssues" />
diff --git a/packages/editor-ui/src/components/NodeExecuteButton.vue b/packages/editor-ui/src/components/NodeExecuteButton.vue
index ca1ae434b83a2..e7c936c72a2d2 100644
--- a/packages/editor-ui/src/components/NodeExecuteButton.vue
+++ b/packages/editor-ui/src/components/NodeExecuteButton.vue
@@ -99,10 +99,10 @@ export default defineComponent({
 			return Boolean(this.nodeType && this.nodeType.name === MANUAL_TRIGGER_NODE_TYPE);
 		},
 		isPollingTypeNode(): boolean {
-			return !!(this.nodeType && this.nodeType.polling);
+			return !!this.nodeType?.polling;
 		},
 		isScheduleTrigger(): boolean {
-			return !!(this.nodeType && this.nodeType.group.includes('schedule'));
+			return !!this.nodeType?.group.includes('schedule');
 		},
 		isWebhookNode(): boolean {
 			return Boolean(this.nodeType && this.nodeType.name === WEBHOOK_NODE_TYPE);
@@ -129,9 +129,7 @@ export default defineComponent({
 		},
 		hasIssues(): boolean {
 			return Boolean(
-				this.node &&
-					this.node.issues &&
-					(this.node.issues.parameters || this.node.issues.credentials),
+				this.node?.issues && (this.node.issues.parameters || this.node.issues.credentials),
 			);
 		},
 		disabledHint(): string {
@@ -171,7 +169,7 @@ export default defineComponent({
 				return this.$locale.baseText('ndv.execute.listenForTestEvent');
 			}
 
-			if (this.isPollingTypeNode || (this.nodeType && this.nodeType.mockManualExecution)) {
+			if (this.isPollingTypeNode || this.nodeType?.mockManualExecution) {
 				return this.$locale.baseText('ndv.execute.fetchEvent');
 			}
 
@@ -221,6 +219,7 @@ export default defineComponent({
 						node_type: this.nodeType ? this.nodeType.name : null,
 						workflow_id: this.workflowsStore.workflowId,
 						source: this.telemetrySource,
+						session_id: this.ndvStore.sessionId,
 					};
 					this.$telemetry.track('User clicked execute node button', telemetryPayload);
 					await this.$externalHooks().run('nodeExecuteButton.onClick', telemetryPayload);
diff --git a/packages/editor-ui/src/components/ParameterInput.vue b/packages/editor-ui/src/components/ParameterInput.vue
index 6ffe82eef410c..9ff9004163605 100644
--- a/packages/editor-ui/src/components/ParameterInput.vue
+++ b/packages/editor-ui/src/components/ParameterInput.vue
@@ -46,6 +46,7 @@
 				:title="displayTitle"
 				:isReadOnly="isReadOnly"
 				:path="path"
+				:additional-expression-data="additionalExpressionData"
 				:class="{ 'ph-no-capture': shouldRedactValue }"
 				@update:modelValue="expressionUpdated"
 				@modalOpenerClick="openExpressionEditorModal"
@@ -366,6 +367,7 @@ import type {
 	IParameterLabel,
 	EditorType,
 	CodeNodeEditorLanguage,
+	IDataObject,
 } from 'n8n-workflow';
 import { NodeHelpers, CREDENTIAL_EMPTY_VALUE } from 'n8n-workflow';
 
@@ -411,6 +413,10 @@ export default defineComponent({
 		TextEdit,
 	},
 	props: {
+		additionalExpressionData: {
+			type: Object as PropType<IDataObject>,
+			default: () => ({}),
+		},
 		isReadOnly: {
 			type: Boolean,
 		},
diff --git a/packages/editor-ui/src/components/ParameterInputExpanded.vue b/packages/editor-ui/src/components/ParameterInputExpanded.vue
index 8ead0d6eb5813..20a0984eaa019 100644
--- a/packages/editor-ui/src/components/ParameterInputExpanded.vue
+++ b/packages/editor-ui/src/components/ParameterInputExpanded.vue
@@ -66,8 +66,6 @@ import { mapStores } from 'pinia';
 import { useWorkflowsStore } from '@/stores/workflows.store';
 import { createEventBus } from 'n8n-design-system/utils';
 
-type ParamRef = InstanceType<typeof ParameterInputWrapper>;
-
 export default defineComponent({
 	name: 'parameter-input-expanded',
 	components: {
@@ -116,6 +114,10 @@ export default defineComponent({
 				}
 
 				if (this.parameter.type === 'number') {
+					if (typeof this.value === 'string' && this.value.startsWith('=')) {
+						return false;
+					}
+
 					return typeof this.value !== 'number';
 				}
 			}
diff --git a/packages/editor-ui/src/components/ParameterInputWrapper.vue b/packages/editor-ui/src/components/ParameterInputWrapper.vue
index 3d4e86975f7f3..3d9a4901c6712 100644
--- a/packages/editor-ui/src/components/ParameterInputWrapper.vue
+++ b/packages/editor-ui/src/components/ParameterInputWrapper.vue
@@ -16,6 +16,7 @@
 			:isForCredential="isForCredential"
 			:eventSource="eventSource"
 			:expressionEvaluated="expressionValueComputed"
+			:additionalExpressionData="resolvedAdditionalExpressionData"
 			:label="label"
 			:data-test-id="`parameter-input-${parameter.name}`"
 			:event-bus="eventBus"
@@ -50,6 +51,7 @@ import { mapStores } from 'pinia';
 import ParameterInput from '@/components/ParameterInput.vue';
 import InputHint from '@/components/ParameterInputHint.vue';
 import type {
+	IDataObject,
 	INodeProperties,
 	INodePropertyMode,
 	IParameterLabel,
@@ -61,6 +63,8 @@ import type { INodeUi, IUpdateInformation, TargetItem } from '@/Interface';
 import { workflowHelpers } from '@/mixins/workflowHelpers';
 import { isValueExpression } from '@/utils';
 import { useNDVStore } from '@/stores/ndv.store';
+import { useEnvironmentsStore, useExternalSecretsStore } from '@/stores';
+
 import type { EventBus } from 'n8n-design-system/utils';
 import { createEventBus } from 'n8n-design-system/utils';
 
@@ -72,6 +76,10 @@ export default defineComponent({
 		InputHint,
 	},
 	props: {
+		additionalExpressionData: {
+			type: Object as PropType<IDataObject>,
+			default: () => ({}),
+		},
 		isReadOnly: {
 			type: Boolean,
 		},
@@ -127,7 +135,7 @@ export default defineComponent({
 		},
 	},
 	computed: {
-		...mapStores(useNDVStore),
+		...mapStores(useNDVStore, useExternalSecretsStore, useEnvironmentsStore),
 		isValueExpression() {
 			return isValueExpression(this.parameter, this.modelValue);
 		},
@@ -183,6 +191,7 @@ export default defineComponent({
 						inputNodeName: this.ndvStore.ndvInputNodeName,
 						inputRunIndex: this.ndvStore.ndvInputRunIndex,
 						inputBranchIndex: this.ndvStore.ndvInputBranchIndex,
+						additionalKeys: this.resolvedAdditionalExpressionData,
 					};
 				}
 
@@ -208,6 +217,15 @@ export default defineComponent({
 
 			return null;
 		},
+		resolvedAdditionalExpressionData() {
+			return {
+				$vars: this.environmentsStore.variablesAsObject,
+				...(this.externalSecretsStore.isEnterpriseExternalSecretsEnabled && this.isForCredential
+					? { $secrets: this.externalSecretsStore.secretsAsObject }
+					: {}),
+				...this.additionalExpressionData,
+			};
+		},
 	},
 	methods: {
 		onFocus() {
diff --git a/packages/editor-ui/src/components/SettingsSidebar.vue b/packages/editor-ui/src/components/SettingsSidebar.vue
index 3fa7c992b63f8..5f7383d8494cc 100644
--- a/packages/editor-ui/src/components/SettingsSidebar.vue
+++ b/packages/editor-ui/src/components/SettingsSidebar.vue
@@ -74,6 +74,17 @@ export default defineComponent({
 					available: this.canAccessApiSettings(),
 					activateOnRouteNames: [VIEWS.API_SETTINGS],
 				},
+				{
+					id: 'settings-external-secrets',
+					icon: 'vault',
+					label: this.$locale.baseText('settings.externalSecrets.title'),
+					position: 'top',
+					available: this.canAccessExternalSecrets(),
+					activateOnRouteNames: [
+						VIEWS.EXTERNAL_SECRETS_SETTINGS,
+						VIEWS.EXTERNAL_SECRETS_PROVIDER_SETTINGS,
+					],
+				},
 				{
 					id: 'settings-audit-logs',
 					icon: 'clipboard-list',
@@ -164,6 +175,9 @@ export default defineComponent({
 		canAccessUsageAndPlan(): boolean {
 			return this.canUserAccessRouteByName(VIEWS.USAGE);
 		},
+		canAccessExternalSecrets(): boolean {
+			return this.canUserAccessRouteByName(VIEWS.EXTERNAL_SECRETS_SETTINGS);
+		},
 		canAccessSourceControl(): boolean {
 			return this.canUserAccessRouteByName(VIEWS.SOURCE_CONTROL);
 		},
@@ -179,51 +193,43 @@ export default defineComponent({
 		openUpdatesPanel() {
 			this.uiStore.openModal(VERSIONS_MODAL_KEY);
 		},
+		async navigateTo(routeName: (typeof VIEWS)[keyof typeof VIEWS]) {
+			if (this.$router.currentRoute.name !== routeName) {
+				await this.$router.push({ name: routeName });
+			}
+		},
 		async handleSelect(key: string) {
 			switch (key) {
 				case 'settings-personal':
-					if (this.$router.currentRoute.name !== VIEWS.PERSONAL_SETTINGS) {
-						await this.$router.push({ name: VIEWS.PERSONAL_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.PERSONAL_SETTINGS);
 					break;
 				case 'settings-users':
-					if (this.$router.currentRoute.name !== VIEWS.USERS_SETTINGS) {
-						await this.$router.push({ name: VIEWS.USERS_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.USERS_SETTINGS);
 					break;
 				case 'settings-api':
-					if (this.$router.currentRoute.name !== VIEWS.API_SETTINGS) {
-						await this.$router.push({ name: VIEWS.API_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.API_SETTINGS);
 					break;
 				case 'settings-ldap':
-					if (this.$router.currentRoute.name !== VIEWS.LDAP_SETTINGS) {
-						void this.$router.push({ name: VIEWS.LDAP_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.LDAP_SETTINGS);
 					break;
 				case 'settings-log-streaming':
-					if (this.$router.currentRoute.name !== VIEWS.LOG_STREAMING_SETTINGS) {
-						void this.$router.push({ name: VIEWS.LOG_STREAMING_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.LOG_STREAMING_SETTINGS);
 					break;
 				case 'users': // Fakedoor feature added via hooks when user management is disabled on cloud
 				case 'logging':
 					this.$router.push({ name: VIEWS.FAKE_DOOR, params: { featureId: key } }).catch(() => {});
 					break;
 				case 'settings-community-nodes':
-					if (this.$router.currentRoute.name !== VIEWS.COMMUNITY_NODES) {
-						await this.$router.push({ name: VIEWS.COMMUNITY_NODES });
-					}
+					await this.navigateTo(VIEWS.COMMUNITY_NODES);
 					break;
 				case 'settings-usage-and-plan':
-					if (this.$router.currentRoute.name !== VIEWS.USAGE) {
-						void this.$router.push({ name: VIEWS.USAGE });
-					}
+					await this.navigateTo(VIEWS.USAGE);
 					break;
 				case 'settings-sso':
-					if (this.$router.currentRoute.name !== VIEWS.SSO_SETTINGS) {
-						void this.$router.push({ name: VIEWS.SSO_SETTINGS });
-					}
+					await this.navigateTo(VIEWS.SSO_SETTINGS);
+					break;
+				case 'settings-external-secrets':
+					await this.navigateTo(VIEWS.EXTERNAL_SECRETS_SETTINGS);
 					break;
 				case 'settings-source-control':
 					if (this.$router.currentRoute.name !== VIEWS.SOURCE_CONTROL) {
diff --git a/packages/editor-ui/src/components/TriggerPanel.vue b/packages/editor-ui/src/components/TriggerPanel.vue
index 946ef46da87a4..a772ec66f0768 100644
--- a/packages/editor-ui/src/components/TriggerPanel.vue
+++ b/packages/editor-ui/src/components/TriggerPanel.vue
@@ -29,6 +29,7 @@
 						@copy="onTestLinkCopied"
 					></CopyInput>
 					<NodeExecuteButton
+						data-test-id="trigger-execute-button"
 						:nodeName="nodeName"
 						@execute="onNodeExecute"
 						size="medium"
@@ -49,6 +50,7 @@
 						</n8n-text>
 					</div>
 					<NodeExecuteButton
+						data-test-id="trigger-execute-button"
 						:nodeName="nodeName"
 						@execute="onNodeExecute"
 						size="medium"
@@ -72,6 +74,7 @@
 					</div>
 
 					<NodeExecuteButton
+						data-test-id="trigger-execute-button"
 						:nodeName="nodeName"
 						@execute="onNodeExecute"
 						size="medium"
diff --git a/packages/editor-ui/src/components/__tests__/ResourceMapper.test.ts b/packages/editor-ui/src/components/__tests__/ResourceMapper.test.ts
index e3ee648e73ef8..cd36e28700375 100644
--- a/packages/editor-ui/src/components/__tests__/ResourceMapper.test.ts
+++ b/packages/editor-ui/src/components/__tests__/ResourceMapper.test.ts
@@ -292,7 +292,7 @@ describe('ResourceMapper.vue', () => {
 		expect(fetchFieldsSpy).not.toHaveBeenCalled();
 	});
 
-	it('should delete fields from UI and parameter value when they are deleted', async () => {
+	it.skip('should delete fields from UI and parameter value when they are deleted', async () => {
 		const { getByTestId, emitted } = renderComponent({
 			props: {
 				node: {
diff --git a/packages/editor-ui/src/composables/index.ts b/packages/editor-ui/src/composables/index.ts
index 042d79f7b7ec2..2561f7936c81c 100644
--- a/packages/editor-ui/src/composables/index.ts
+++ b/packages/editor-ui/src/composables/index.ts
@@ -3,6 +3,7 @@ export * from './useCopyToClipboard';
 export * from './useDebounce';
 export { default as useDeviceSupport } from './useDeviceSupport';
 export * from './useExternalHooks';
+export * from './useExternalSecretsProvider';
 export { default as useGlobalLinkActions } from './useGlobalLinkActions';
 export * from './useHistoryHelper';
 export * from './useI18n';
@@ -13,3 +14,4 @@ export * from './useTitleChange';
 export * from './useToast';
 export * from './useNodeSpecificationValues';
 export * from './useDataSchema';
+export * from './useExecutionDebugging';
diff --git a/packages/editor-ui/src/composables/useExecutionDebugging.ts b/packages/editor-ui/src/composables/useExecutionDebugging.ts
new file mode 100644
index 0000000000000..b0ca84a6bc0fd
--- /dev/null
+++ b/packages/editor-ui/src/composables/useExecutionDebugging.ts
@@ -0,0 +1,143 @@
+import { h, computed } from 'vue';
+import { useRouter } from 'vue-router';
+import { useI18n, useMessage, useToast } from '@/composables';
+import {
+	DEBUG_PAYWALL_MODAL_KEY,
+	EnterpriseEditionFeature,
+	MODAL_CONFIRM,
+	VIEWS,
+} from '@/constants';
+import { useSettingsStore, useUIStore, useWorkflowsStore } from '@/stores';
+import type { INodeUi } from '@/Interface';
+
+export const useExecutionDebugging = () => {
+	const router = useRouter();
+	const i18n = useI18n();
+	const message = useMessage();
+	const toast = useToast();
+	const workflowsStore = useWorkflowsStore();
+	const settingsStore = useSettingsStore();
+	const uiStore = useUIStore();
+
+	const isDebugEnabled = computed(() =>
+		settingsStore.isEnterpriseFeatureEnabled(EnterpriseEditionFeature.DebugInEditor),
+	);
+
+	const applyExecutionData = async (executionId: string): Promise<void> => {
+		const execution = await workflowsStore.getExecution(executionId);
+		const workflow = workflowsStore.getCurrentWorkflow();
+		const workflowNodes = workflowsStore.getNodes();
+
+		if (!execution?.data?.resultData) {
+			return;
+		}
+
+		const { runData } = execution.data.resultData;
+
+		const executionNodeNames = Object.keys(runData);
+		const missingNodeNames = executionNodeNames.filter(
+			(name) => !workflowNodes.some((node) => node.name === name),
+		);
+
+		// Using the pinned data of the workflow to check if the node is pinned
+		// because workflowsStore.getCurrentWorkflow() returns a cached workflow without the updated pinned data
+		const workflowPinnedNodeNames = Object.keys(workflowsStore.workflow.pinData ?? {});
+		const matchingPinnedNodeNames = executionNodeNames.filter((name) =>
+			workflowPinnedNodeNames.includes(name),
+		);
+
+		if (matchingPinnedNodeNames.length > 0) {
+			const confirmMessage = h('p', [
+				i18n.baseText('nodeView.confirmMessage.debug.message'),
+				h(
+					'ul',
+					{ class: 'mt-l ml-l' },
+					matchingPinnedNodeNames.map((name) => h('li', name)),
+				),
+			]);
+
+			const overWritePinnedDataConfirm = await message.confirm(
+				confirmMessage,
+				i18n.baseText('nodeView.confirmMessage.debug.headline'),
+				{
+					type: 'warning',
+					confirmButtonText: i18n.baseText('nodeView.confirmMessage.debug.confirmButtonText'),
+					cancelButtonText: i18n.baseText('nodeView.confirmMessage.debug.cancelButtonText'),
+					dangerouslyUseHTMLString: true,
+					customClass: 'matching-pinned-nodes-confirmation',
+				},
+			);
+
+			if (overWritePinnedDataConfirm === MODAL_CONFIRM) {
+				matchingPinnedNodeNames.forEach((name) => {
+					const node = workflowsStore.getNodeByName(name);
+					if (node) {
+						workflowsStore.unpinData({ node });
+					}
+				});
+			} else {
+				await router.push({
+					name: VIEWS.EXECUTION_PREVIEW,
+					params: { name: workflow.id, executionId },
+				});
+				return;
+			}
+		}
+
+		// Set execution data
+		workflowsStore.setWorkflowExecutionData(execution);
+
+		// Pin data of all nodes which do not have a parent node
+		workflowNodes
+			.filter((node: INodeUi) => !workflow.getParentNodes(node.name).length)
+			.forEach((node: INodeUi) => {
+				const nodeData = runData[node.name]?.[0].data?.main[0];
+				if (nodeData) {
+					workflowsStore.pinData({
+						node,
+						data: nodeData,
+					});
+				}
+			});
+
+		toast.showToast({
+			title: i18n.baseText('nodeView.showMessage.debug.title'),
+			message: i18n.baseText('nodeView.showMessage.debug.content'),
+			type: 'info',
+		});
+
+		if (missingNodeNames.length) {
+			toast.showToast({
+				title: i18n.baseText('nodeView.showMessage.debug.missingNodes.title'),
+				message: i18n.baseText('nodeView.showMessage.debug.missingNodes.content', {
+					interpolate: { nodeNames: missingNodeNames.join(', ') },
+				}),
+				type: 'warning',
+			});
+		}
+	};
+
+	const handleDebugLinkClick = (event: Event): void => {
+		if (!isDebugEnabled.value) {
+			uiStore.openModalWithData({
+				name: DEBUG_PAYWALL_MODAL_KEY,
+				data: {
+					title: i18n.baseText(uiStore.contextBasedTranslationKeys.feature.unavailable.title),
+					footerButtonAction: () => {
+						uiStore.closeModal(DEBUG_PAYWALL_MODAL_KEY);
+						uiStore.goToUpgrade('debug', 'upgrade-debug');
+					},
+				},
+			});
+			event.preventDefault();
+			event.stopPropagation();
+			return;
+		}
+		workflowsStore.isInDebugMode = false;
+	};
+
+	return {
+		applyExecutionData,
+		handleDebugLinkClick,
+	};
+};
diff --git a/packages/editor-ui/src/composables/useExternalSecretsProvider.ts b/packages/editor-ui/src/composables/useExternalSecretsProvider.ts
new file mode 100644
index 0000000000000..45ee1a1164a86
--- /dev/null
+++ b/packages/editor-ui/src/composables/useExternalSecretsProvider.ts
@@ -0,0 +1,101 @@
+import type {
+	ExternalSecretsProviderWithProperties,
+	ExternalSecretsProvider,
+	IUpdateInformation,
+	ExternalSecretsProviderData,
+} from '@/Interface';
+import type { Ref } from 'vue';
+import { computed, ref } from 'vue';
+import { useExternalSecretsStore } from '@/stores/externalSecrets.ee.store';
+import { useToast } from '@/composables/useToast';
+
+export function useExternalSecretsProvider(
+	provider: Ref<ExternalSecretsProvider>,
+	providerData: Ref<ExternalSecretsProviderData>,
+) {
+	const toast = useToast();
+	const externalSecretsStore = useExternalSecretsStore();
+
+	const initialConnectionState = ref<ExternalSecretsProviderWithProperties['state'] | undefined>(
+		'initializing',
+	);
+	const connectionState = computed(
+		() => externalSecretsStore.connectionState[provider.value?.name],
+	);
+	const setConnectionState = (state: ExternalSecretsProviderWithProperties['state']) => {
+		externalSecretsStore.setConnectionState(provider.value?.name, state);
+	};
+
+	const normalizedProviderData = computed(() => {
+		return Object.entries(providerData.value).reduce(
+			(acc, [key, value]) => {
+				const property = provider.value?.properties?.find((property) => property.name === key);
+				if (shouldDisplayProperty(property)) {
+					acc[key] = value;
+				}
+
+				return acc;
+			},
+			{} as Record<string, IUpdateInformation['value']>,
+		);
+	});
+
+	function shouldDisplayProperty(
+		property: ExternalSecretsProviderWithProperties['properties'][0],
+	): boolean {
+		let visible = true;
+
+		if (property.displayOptions?.show) {
+			visible =
+				visible &&
+				Object.entries(property.displayOptions.show).every(([key, value]) => {
+					return value?.includes(providerData.value[key]);
+				});
+		}
+
+		if (property.displayOptions?.hide) {
+			visible =
+				visible &&
+				!Object.entries(property.displayOptions.hide).every(([key, value]) => {
+					return value?.includes(providerData.value[key]);
+				});
+		}
+
+		return visible;
+	}
+
+	async function testConnection(options: { showError?: boolean } = { showError: true }) {
+		try {
+			const { testState } = await externalSecretsStore.testProviderConnection(
+				provider.value.name,
+				normalizedProviderData.value,
+			);
+			setConnectionState(testState);
+
+			return testState;
+		} catch (error) {
+			setConnectionState('error');
+
+			if (options.showError) {
+				toast.showError(error, 'Error', error.response?.data?.data.error);
+			}
+
+			return 'error';
+		} finally {
+			if (provider.value.connected && ['connected', 'error'].includes(connectionState.value)) {
+				externalSecretsStore.updateStoredProvider(provider.value.name, {
+					state: connectionState.value,
+				});
+			}
+		}
+	}
+
+	return {
+		initialConnectionState,
+		connectionState,
+		normalizedProviderData,
+		testConnection,
+		setConnectionState,
+		shouldDisplayProperty,
+	};
+}
diff --git a/packages/editor-ui/src/composables/useMessage.ts b/packages/editor-ui/src/composables/useMessage.ts
index 20847dffd92c4..066c627da7ddd 100644
--- a/packages/editor-ui/src/composables/useMessage.ts
+++ b/packages/editor-ui/src/composables/useMessage.ts
@@ -10,7 +10,7 @@ export function useMessage() {
 	};
 
 	async function alert(
-		message: string,
+		message: ElMessageBoxOptions['message'],
 		configOrTitle?: string | ElMessageBoxOptions,
 		config?: ElMessageBoxOptions,
 	) {
@@ -27,7 +27,7 @@ export function useMessage() {
 	}
 
 	async function confirm(
-		message: string,
+		message: ElMessageBoxOptions['message'],
 		configOrTitle?: string | ElMessageBoxOptions,
 		config?: ElMessageBoxOptions,
 	): Promise<MessageBoxConfirmResult> {
@@ -51,7 +51,7 @@ export function useMessage() {
 	}
 
 	async function prompt(
-		message: string,
+		message: ElMessageBoxOptions['message'],
 		configOrTitle?: string | ElMessageBoxOptions,
 		config?: ElMessageBoxOptions,
 	) {
diff --git a/packages/editor-ui/src/constants.ts b/packages/editor-ui/src/constants.ts
index ff66533de2e02..c91d713926715 100644
--- a/packages/editor-ui/src/constants.ts
+++ b/packages/editor-ui/src/constants.ts
@@ -45,9 +45,12 @@ export const COMMUNITY_PACKAGE_INSTALL_MODAL_KEY = 'communityPackageInstall';
 export const COMMUNITY_PACKAGE_CONFIRM_MODAL_KEY = 'communityPackageManageConfirm';
 export const IMPORT_CURL_MODAL_KEY = 'importCurl';
 export const LOG_STREAM_MODAL_KEY = 'settingsLogStream';
-
 export const SOURCE_CONTROL_PUSH_MODAL_KEY = 'sourceControlPush';
 export const SOURCE_CONTROL_PULL_MODAL_KEY = 'sourceControlPull';
+export const DEBUG_PAYWALL_MODAL_KEY = 'debugPaywall';
+export const MFA_SETUP_MODAL_KEY = 'mfaSetup';
+
+export const EXTERNAL_SECRETS_PROVIDER_MODAL_KEY = 'externalSecretsProvider';
 
 export const COMMUNITY_PACKAGE_MANAGE_ACTIONS = {
 	UNINSTALL: 'uninstall',
@@ -67,12 +70,14 @@ export const BUILTIN_NODES_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/built
 export const BUILTIN_CREDENTIALS_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/builtin/credentials/`;
 export const DATA_PINNING_DOCS_URL = `https://${DOCS_DOMAIN}/data/data-pinning/`;
 export const DATA_EDITING_DOCS_URL = `https://${DOCS_DOMAIN}/data/data-editing/`;
+export const MFA_DOCS_URL = `https://${DOCS_DOMAIN}/user-management/two-factor-auth/`;
 export const NPM_COMMUNITY_NODE_SEARCH_API_URL = 'https://api.npms.io/v2/';
 export const NPM_PACKAGE_DOCS_BASE_URL = 'https://www.npmjs.com/package/';
 export const NPM_KEYWORD_SEARCH_URL =
 	'https://www.npmjs.com/search?q=keywords%3An8n-community-node-package';
 export const N8N_QUEUE_MODE_DOCS_URL = `https://${DOCS_DOMAIN}/hosting/scaling/queue-mode/`;
-export const COMMUNITY_NODES_INSTALLATION_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/community-nodes/installation/`;
+export const COMMUNITY_NODES_INSTALLATION_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/community-nodes/installation/gui-install/`;
+export const COMMUNITY_NODES_MANUAL_INSTALLATION_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/community-nodes/installation/manual-install/`;
 export const COMMUNITY_NODES_NPM_INSTALLATION_URL =
 	'https://docs.npmjs.com/downloading-and-installing-node-js-and-npm';
 export const COMMUNITY_NODES_RISKS_DOCS_URL = `https://${DOCS_DOMAIN}/integrations/community-nodes/risks/`;
@@ -345,6 +350,7 @@ export const enum VIEWS {
 	COLLECTION = 'TemplatesCollectionView',
 	EXECUTIONS = 'Executions',
 	EXECUTION_PREVIEW = 'ExecutionPreview',
+	EXECUTION_DEBUG = 'ExecutionDebug',
 	EXECUTION_HOME = 'ExecutionsLandingPage',
 	TEMPLATE = 'TemplatesWorkflowView',
 	TEMPLATES = 'TemplatesSearchView',
@@ -372,9 +378,11 @@ export const enum VIEWS {
 	USAGE = 'Usage',
 	LOG_STREAMING_SETTINGS = 'LogStreamingSettingsView',
 	SSO_SETTINGS = 'SSoSettings',
+	EXTERNAL_SECRETS_SETTINGS = 'ExternalSecretsSettings',
 	SAML_ONBOARDING = 'SamlOnboarding',
 	SOURCE_CONTROL = 'SourceControl',
 	AUDIT_LOGS = 'AuditLogs',
+	MFA_VIEW = 'MfaView',
 }
 
 export const enum FAKE_DOOR_FEATURES {
@@ -443,7 +451,9 @@ export const enum EnterpriseEditionFeature {
 	Variables = 'variables',
 	Saml = 'saml',
 	SourceControl = 'sourceControl',
+	ExternalSecrets = 'externalSecrets',
 	AuditLogs = 'auditLogs',
+	DebugInEditor = 'debugInEditor',
 }
 export const MAIN_NODE_PANEL_WIDTH = 360;
 
@@ -532,6 +542,14 @@ export const ASK_AI_EXPERIMENT = {
 
 export const EXPERIMENTS_TO_TRACK = [ASK_AI_EXPERIMENT.name];
 
+export const MFA_AUTHENTICATION_REQUIRED_ERROR_CODE = 998;
+
+export const MFA_AUTHENTICATION_TOKEN_WINDOW_EXPIRED = 997;
+
+export const MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH = 6;
+
+export const MFA_AUTHENTICATION_RECOVERY_CODE_INPUT_MAX_LENGTH = 36;
+
 export const NODE_TYPES_EXCLUDED_FROM_OUTPUT_NAME_APPEND = [FILTER_NODE_TYPE];
 
 export const ALLOWED_HTML_ATTRIBUTES = ['href', 'name', 'target', 'title', 'class', 'id', 'style'];
diff --git a/packages/editor-ui/src/event-bus/index.ts b/packages/editor-ui/src/event-bus/index.ts
index 16b0e62a9d273..28597782da04c 100644
--- a/packages/editor-ui/src/event-bus/index.ts
+++ b/packages/editor-ui/src/event-bus/index.ts
@@ -3,3 +3,4 @@ export * from './data-pinning';
 export * from './link-actions';
 export * from './html-editor';
 export * from './node-view';
+export * from './mfa';
diff --git a/packages/editor-ui/src/event-bus/mfa.ts b/packages/editor-ui/src/event-bus/mfa.ts
new file mode 100644
index 0000000000000..85f59311acf33
--- /dev/null
+++ b/packages/editor-ui/src/event-bus/mfa.ts
@@ -0,0 +1,3 @@
+import { createEventBus } from 'n8n-design-system';
+
+export const mfaEventBus = createEventBus();
diff --git a/packages/editor-ui/src/mixins/expressionManager.ts b/packages/editor-ui/src/mixins/expressionManager.ts
index adf6d0fd63236..afdaf146e7da0 100644
--- a/packages/editor-ui/src/mixins/expressionManager.ts
+++ b/packages/editor-ui/src/mixins/expressionManager.ts
@@ -2,6 +2,7 @@ import { defineComponent } from 'vue';
 import type { PropType } from 'vue';
 import { mapStores } from 'pinia';
 
+import type { IDataObject } from 'n8n-workflow';
 import { Expression, ExpressionExtensions } from 'n8n-workflow';
 import { ensureSyntaxTree } from '@codemirror/language';
 
@@ -19,6 +20,10 @@ export const expressionManager = defineComponent({
 		targetItem: {
 			type: Object as PropType<TargetItem | null>,
 		},
+		additionalData: {
+			type: Object as PropType<IDataObject>,
+			default: () => ({}),
+		},
 	},
 	data() {
 		return {
@@ -194,7 +199,7 @@ export const expressionManager = defineComponent({
 				const ndvStore = useNDVStore();
 				if (!ndvStore.activeNode) {
 					// e.g. credential modal
-					result.resolved = Expression.resolveWithoutWorkflow(resolvable);
+					result.resolved = Expression.resolveWithoutWorkflow(resolvable, this.additionalData);
 				} else {
 					let opts;
 					if (ndvStore.isInputParentOfActiveNode) {
@@ -203,6 +208,7 @@ export const expressionManager = defineComponent({
 							inputNodeName: this.ndvStore.ndvInputNodeName,
 							inputRunIndex: this.ndvStore.ndvInputRunIndex,
 							inputBranchIndex: this.ndvStore.ndvInputBranchIndex,
+							additionalKeys: this.additionalData,
 						};
 					}
 					result.resolved = this.resolveExpression('=' + resolvable, undefined, opts);
diff --git a/packages/editor-ui/src/mixins/genericHelpers.ts b/packages/editor-ui/src/mixins/genericHelpers.ts
index d0aac24107ce3..4b28e9d04522a 100644
--- a/packages/editor-ui/src/mixins/genericHelpers.ts
+++ b/packages/editor-ui/src/mixins/genericHelpers.ts
@@ -19,9 +19,12 @@ export const genericHelpers = defineComponent({
 	computed: {
 		...mapStores(useSourceControlStore),
 		isReadOnlyRoute(): boolean {
-			return ![VIEWS.WORKFLOW, VIEWS.NEW_WORKFLOW, VIEWS.LOG_STREAMING_SETTINGS].includes(
-				this.$route.name as VIEWS,
-			);
+			return ![
+				VIEWS.WORKFLOW,
+				VIEWS.NEW_WORKFLOW,
+				VIEWS.LOG_STREAMING_SETTINGS,
+				VIEWS.EXECUTION_DEBUG,
+			].includes(this.$route.name as VIEWS);
 		},
 		readOnlyEnv(): boolean {
 			return this.sourceControlStore.preferences.branchReadOnly;
@@ -80,5 +83,16 @@ export const genericHelpers = defineComponent({
 				this.loadingService = null;
 			}
 		},
+		isRedirectSafe() {
+			const redirect = this.getRedirectQueryParameter();
+			return redirect.startsWith('/');
+		},
+		getRedirectQueryParameter() {
+			let redirect = '';
+			if (typeof this.$route.query.redirect === 'string') {
+				redirect = decodeURIComponent(this.$route.query.redirect);
+			}
+			return redirect;
+		},
 	},
 });
diff --git a/packages/editor-ui/src/mixins/workflowHelpers.ts b/packages/editor-ui/src/mixins/workflowHelpers.ts
index 04ea11bc07a38..ed2a45423082d 100644
--- a/packages/editor-ui/src/mixins/workflowHelpers.ts
+++ b/packages/editor-ui/src/mixins/workflowHelpers.ts
@@ -71,6 +71,7 @@ export function resolveParameter(
 		inputNodeName?: string;
 		inputRunIndex?: number;
 		inputBranchIndex?: number;
+		additionalKeys?: IWorkflowDataProxyAdditionalKeys;
 	} = {},
 ): IDataObject | null {
 	let itemIndex = opts?.targetItem?.itemIndex || 0;
@@ -146,6 +147,8 @@ export function resolveParameter(
 		// deprecated
 		$executionId: PLACEHOLDER_FILLED_AT_EXECUTION_TIME,
 		$resumeWebhookUrl: PLACEHOLDER_FILLED_AT_EXECUTION_TIME,
+
+		...opts.additionalKeys,
 	};
 
 	let runIndexCurrent = opts?.targetItem?.runIndex ?? 0;
@@ -646,6 +649,7 @@ export const workflowHelpers = defineComponent({
 				inputRunIndex?: number;
 				inputBranchIndex?: number;
 				c?: number;
+				additionalKeys?: IWorkflowDataProxyAdditionalKeys;
 			} = {},
 		) {
 			const parameters = {
diff --git a/packages/editor-ui/src/plugins/codemirror/completions/__tests__/completions.test.ts b/packages/editor-ui/src/plugins/codemirror/completions/__tests__/completions.test.ts
index ba72cb4e4d830..1e17c4f2a3aca 100644
--- a/packages/editor-ui/src/plugins/codemirror/completions/__tests__/completions.test.ts
+++ b/packages/editor-ui/src/plugins/codemirror/completions/__tests__/completions.test.ts
@@ -1,5 +1,5 @@
 import { createTestingPinia } from '@pinia/testing';
-import { setActivePinia } from 'pinia';
+import { createPinia, setActivePinia } from 'pinia';
 import { DateTime } from 'luxon';
 
 import * as workflowHelpers from '@/mixins/workflowHelpers';
@@ -17,12 +17,38 @@ import type { CompletionSource, CompletionResult } from '@codemirror/autocomplet
 import { CompletionContext } from '@codemirror/autocomplete';
 import { EditorState } from '@codemirror/state';
 import { n8nLang } from '@/plugins/codemirror/n8nLang';
+import { useExternalSecretsStore } from '@/stores/externalSecrets.ee.store';
+import { useUIStore } from '@/stores/ui.store';
+import { useSettingsStore } from '@/stores/settings.store';
+import { CREDENTIAL_EDIT_MODAL_KEY, EnterpriseEditionFeature } from '@/constants';
+import { setupServer } from '@/__tests__/server';
+
+let externalSecretsStore: ReturnType<typeof useExternalSecretsStore>;
+let uiStore: ReturnType<typeof useUIStore>;
+let settingsStore: ReturnType<typeof useSettingsStore>;
+
+let server: ReturnType<typeof setupServer>;
+
+beforeAll(() => {
+	server = setupServer();
+});
+
+beforeEach(async () => {
+	setActivePinia(createPinia());
+
+	externalSecretsStore = useExternalSecretsStore();
+	uiStore = useUIStore();
+	settingsStore = useSettingsStore();
 
-beforeEach(() => {
-	setActivePinia(createTestingPinia());
 	vi.spyOn(utils, 'receivesNoBinaryData').mockReturnValue(true); // hide $binary
 	vi.spyOn(utils, 'isSplitInBatchesAbsent').mockReturnValue(false); // show context
 	vi.spyOn(utils, 'hasActiveNode').mockReturnValue(true);
+
+	await settingsStore.getSettings();
+});
+
+afterAll(() => {
+	server.shutdown();
 });
 
 describe('No completions', () => {
@@ -264,6 +290,62 @@ describe('Resolution-based completions', () => {
 		});
 	});
 
+	describe('secrets', () => {
+		const resolveParameterSpy = vi.spyOn(workflowHelpers, 'resolveParameter');
+		const { $input, $ } = mockProxy;
+
+		test('should return completions for: {{ $secrets.| }}', () => {
+			const provider = 'infisical';
+			const secrets = ['SECRET'];
+
+			resolveParameterSpy.mockReturnValue($input);
+
+			uiStore.modals[CREDENTIAL_EDIT_MODAL_KEY].open = true;
+			settingsStore.settings.enterprise[EnterpriseEditionFeature.ExternalSecrets] = true;
+			externalSecretsStore.state.secrets = {
+				[provider]: secrets,
+			};
+
+			const result = completions('{{ $secrets.| }}');
+
+			expect(result).toEqual([
+				{
+					info: expect.any(Function),
+					label: provider,
+					type: 'keyword',
+				},
+			]);
+		});
+
+		test('should return completions for: {{ $secrets.provider.| }}', () => {
+			const provider = 'infisical';
+			const secrets = ['SECRET1', 'SECRET2'];
+
+			resolveParameterSpy.mockReturnValue($input);
+
+			uiStore.modals[CREDENTIAL_EDIT_MODAL_KEY].open = true;
+			settingsStore.settings.enterprise[EnterpriseEditionFeature.ExternalSecrets] = true;
+			externalSecretsStore.state.secrets = {
+				[provider]: secrets,
+			};
+
+			const result = completions(`{{ $secrets.${provider}.| }}`);
+
+			expect(result).toEqual([
+				{
+					info: expect.any(Function),
+					label: secrets[0],
+					type: 'keyword',
+				},
+				{
+					info: expect.any(Function),
+					label: secrets[1],
+					type: 'keyword',
+				},
+			]);
+		});
+	});
+
 	describe('references', () => {
 		const resolveParameterSpy = vi.spyOn(workflowHelpers, 'resolveParameter');
 		const { $input, $ } = mockProxy;
diff --git a/packages/editor-ui/src/plugins/codemirror/completions/datatype.completions.ts b/packages/editor-ui/src/plugins/codemirror/completions/datatype.completions.ts
index 302137b473c6b..6d650c9ac967f 100644
--- a/packages/editor-ui/src/plugins/codemirror/completions/datatype.completions.ts
+++ b/packages/editor-ui/src/plugins/codemirror/completions/datatype.completions.ts
@@ -1,4 +1,5 @@
 import type { IDataObject, DocMetadata, NativeDoc } from 'n8n-workflow';
+import { Expression } from 'n8n-workflow';
 import { ExpressionExtensions, NativeMethods } from 'n8n-workflow';
 import { DateTime } from 'luxon';
 import { i18n } from '@/plugins/i18n';
@@ -13,6 +14,7 @@ import {
 	splitBaseTail,
 	isPseudoParam,
 	stripExcessParens,
+	isCredentialsModalOpen,
 } from './utils';
 import type { Completion, CompletionContext, CompletionResult } from '@codemirror/autocomplete';
 import type { AutocompleteOptionType, ExtensionTypeName, FnToDoc, Resolved } from './types';
@@ -20,7 +22,7 @@ import { sanitizeHtml } from '@/utils';
 import { isFunctionOption } from './typeGuards';
 import { luxonInstanceDocs } from './nativesAutocompleteDocs/luxon.instance.docs';
 import { luxonStaticDocs } from './nativesAutocompleteDocs/luxon.static.docs';
-import { useEnvironmentsStore } from '@/stores';
+import { useEnvironmentsStore, useExternalSecretsStore } from '@/stores';
 
 /**
  * Resolution-based completions offered according to datatype.
@@ -37,12 +39,18 @@ export function datatypeCompletions(context: CompletionContext): CompletionResul
 
 	let options: Completion[] = [];
 
+	const isCredential = isCredentialsModalOpen();
+
 	if (base === 'DateTime') {
 		options = luxonStaticOptions().map(stripExcessParens(context));
 	} else if (base === 'Object') {
 		options = objectGlobalOptions().map(stripExcessParens(context));
 	} else if (base === '$vars') {
 		options = variablesOptions();
+	} else if (/\$secrets\./.test(base) && isCredential) {
+		options = secretOptions(base).map(stripExcessParens(context));
+	} else if (base === '$secrets' && isCredential) {
+		options = secretProvidersOptions();
 	} else {
 		let resolved: Resolved;
 
@@ -351,6 +359,54 @@ export const variablesOptions = () => {
 	);
 };
 
+export const secretOptions = (base: string) => {
+	const externalSecretsStore = useExternalSecretsStore();
+	let resolved: Resolved;
+
+	try {
+		resolved = Expression.resolveWithoutWorkflow(`{{ ${base} }}`, {
+			$secrets: externalSecretsStore.secretsAsObject,
+		});
+	} catch {
+		return [];
+	}
+
+	if (resolved === null) return [];
+
+	try {
+		if (typeof resolved !== 'object') {
+			return [];
+		}
+		return Object.entries(resolved).map(([secret, value]) =>
+			createCompletionOption('Object', secret, 'keyword', {
+				doc: {
+					name: secret,
+					returnType: typeof value,
+					description: i18n.baseText('codeNodeEditor.completer.$secrets.provider.varName'),
+					docURL: i18n.baseText('settings.externalSecrets.docs'),
+				},
+			}),
+		);
+	} catch {
+		return [];
+	}
+};
+
+export const secretProvidersOptions = () => {
+	const externalSecretsStore = useExternalSecretsStore();
+
+	return Object.keys(externalSecretsStore.secretsAsObject).map((provider) =>
+		createCompletionOption('Object', provider, 'keyword', {
+			doc: {
+				name: provider,
+				returnType: 'object',
+				description: i18n.baseText('codeNodeEditor.completer.$secrets.provider'),
+				docURL: i18n.baseText('settings.externalSecrets.docs'),
+			},
+		}),
+	);
+};
+
 /**
  * Methods and fields defined on a Luxon `DateTime` class instance.
  */
diff --git a/packages/editor-ui/src/plugins/codemirror/completions/dollar.completions.ts b/packages/editor-ui/src/plugins/codemirror/completions/dollar.completions.ts
index 01c4eb1fee5fa..4ef653f56efc7 100644
--- a/packages/editor-ui/src/plugins/codemirror/completions/dollar.completions.ts
+++ b/packages/editor-ui/src/plugins/codemirror/completions/dollar.completions.ts
@@ -7,8 +7,10 @@ import {
 	prefixMatch,
 	stripExcessParens,
 	hasActiveNode,
+	isCredentialsModalOpen,
 } from './utils';
 import type { Completion, CompletionContext, CompletionResult } from '@codemirror/autocomplete';
+import { useExternalSecretsStore } from '@/stores';
 
 /**
  * Completions offered at the dollar position: `$|`
@@ -47,7 +49,24 @@ export function dollarOptions() {
 	const SKIP = new Set();
 	const DOLLAR_FUNCTIONS = ['$jmespath'];
 
-	if (!hasActiveNode()) return []; // e.g. credential modal
+	if (isCredentialsModalOpen()) {
+		return useExternalSecretsStore().isEnterpriseExternalSecretsEnabled
+			? [
+					{
+						label: '$secrets',
+						type: 'keyword',
+					},
+					{
+						label: '$vars',
+						type: 'keyword',
+					},
+			  ]
+			: [];
+	}
+
+	if (!hasActiveNode()) {
+		return [];
+	}
 
 	if (receivesNoBinaryData()) SKIP.add('$binary');
 
diff --git a/packages/editor-ui/src/plugins/codemirror/completions/utils.ts b/packages/editor-ui/src/plugins/codemirror/completions/utils.ts
index ab9e8136a100d..edc22a8a747b5 100644
--- a/packages/editor-ui/src/plugins/codemirror/completions/utils.ts
+++ b/packages/editor-ui/src/plugins/codemirror/completions/utils.ts
@@ -1,8 +1,9 @@
 import { NODE_TYPES_EXCLUDED_FROM_AUTOCOMPLETION } from '@/components/CodeNodeEditor/constants';
-import { SPLIT_IN_BATCHES_NODE_TYPE } from '@/constants';
+import { CREDENTIAL_EDIT_MODAL_KEY, SPLIT_IN_BATCHES_NODE_TYPE } from '@/constants';
 import { useWorkflowsStore } from '@/stores/workflows.store';
 import { resolveParameter } from '@/mixins/workflowHelpers';
 import { useNDVStore } from '@/stores/ndv.store';
+import { useUIStore } from '@/stores/ui.store';
 import type { Completion, CompletionContext } from '@codemirror/autocomplete';
 
 // String literal expression is everything enclosed in single, double or tick quotes following a dot
@@ -125,6 +126,8 @@ export function hasNoParams(toResolve: string) {
 //        state-based utils
 // ----------------------------------
 
+export const isCredentialsModalOpen = () => useUIStore().modals[CREDENTIAL_EDIT_MODAL_KEY].open;
+
 export const hasActiveNode = () => useNDVStore().activeNode?.name !== undefined;
 
 export const isSplitInBatchesAbsent = () =>
diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index e4641639a5700..487403fe9635a 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -61,6 +61,7 @@
 	"generic.workflow": "Workflow",
 	"generic.workflowSaved": "Workflow changes saved",
 	"generic.editor": "Editor",
+	"generic.seePlans": "See plans",
 	"about.aboutN8n": "About n8n",
 	"about.close": "Close",
 	"about.license": "License",
@@ -82,22 +83,22 @@
 	"activationModal.yourTriggersWillNowFire": "Your triggers will now fire production executions automatically.",
 	"activationModal.yourWorkflowWillNowListenForEvents": "Your workflow will now listen for events from {serviceName} and trigger executions.",
 	"activationModal.yourWorkflowWillNowRegularlyCheck": "Your workflow will now regularly check {serviceName} for events and trigger executions for them.",
-	"auth.changePassword": "Change Password",
-	"auth.changePassword.currentPassword": "Current Password",
+	"auth.changePassword": "Change password",
+	"auth.changePassword.currentPassword": "Current password",
 	"auth.changePassword.error": "Problem changing the password",
 	"auth.changePassword.missingTokenError": "Missing token",
 	"auth.changePassword.missingUserIdError": "Missing user ID",
 	"auth.changePassword.passwordUpdated": "Password updated",
 	"auth.changePassword.passwordUpdatedMessage": "You can now sign in with your new password",
 	"auth.changePassword.passwordsMustMatchError": "Passwords must match",
-	"auth.changePassword.reenterNewPassword": "Re-enter New Password",
+	"auth.changePassword.reenterNewPassword": "Re-enter new password",
 	"auth.changePassword.tokenValidationError": "Issue validating invite token",
 	"auth.defaultPasswordRequirements": "8+ characters, at least 1 number and 1 capital letter",
 	"auth.validation.missingParameters": "Missing token or user id",
 	"auth.email": "Email",
 	"auth.firstName": "First Name",
 	"auth.lastName": "Last Name",
-	"auth.newPassword": "New Password",
+	"auth.newPassword": "New password",
 	"auth.password": "Password",
 	"auth.role": "Role",
 	"auth.roles.member": "Member",
@@ -155,6 +156,9 @@
 	"codeNodeEditor.completer.$today": "A timestamp representing the current day (at midnight, as a Luxon object)",
 	"codeNodeEditor.completer.$vars": "The variables defined in your instance",
 	"codeNodeEditor.completer.$vars.varName": "Variable set on this n8n instance. All variables evaluate to strings.",
+	"codeNodeEditor.completer.$secrets": "The external secrets connected to your instance",
+	"codeNodeEditor.completer.$secrets.provider": "External secrets providers connected to this n8n instance.",
+	"codeNodeEditor.completer.$secrets.provider.varName": "External secrets connected to this n8n instance. All secrets evaluate to strings.",
 	"codeNodeEditor.completer.$workflow": "Information about the workflow",
 	"codeNodeEditor.completer.$workflow.active": "Whether the workflow is active or not (boolean)",
 	"codeNodeEditor.completer.$workflow.id": "The ID of the workflow",
@@ -339,6 +343,8 @@
 	"credentialEdit.credentialConfig.authTypeSelectorLabel": "Connect using",
 	"credentialEdit.credentialConfig.authTypeSelectorTooltip": "The authentication method to use for the connection",
 	"credentialEdit.credentialConfig.recommendedAuthTypeSuffix": "(recommended)",
+	"credentialEdit.credentialConfig.externalSecrets": "Enterprise plan users can pull in credentials from external vaults.",
+	"credentialEdit.credentialConfig.externalSecrets.moreInfo": "More info",
 	"credentialEdit.credentialEdit.confirmMessage.beforeClose1.cancelButtonText": "Close",
 	"credentialEdit.credentialEdit.confirmMessage.beforeClose1.confirmButtonText": "Keep Editing",
 	"credentialEdit.credentialEdit.confirmMessage.beforeClose1.headline": "Close without saving?",
@@ -564,6 +570,11 @@
 	"executionsList.view": "View",
 	"executionsList.stop": "Stop",
 	"executionsList.statusTooltipText.theWorkflowIsWaitingIndefinitely": "The workflow is waiting indefinitely for an incoming webhook call.",
+	"executionsList.debug.button.copyToEditor": "Copy to editor",
+	"executionsList.debug.button.debugInEditor": "Debug in editor",
+	"executionsList.debug.paywall.content": "Debug in Editor allows you to debug a previous execution with the actual data pinned, right in your editor.",
+	"executionsList.debug.paywall.link.text": "Read more in the docs",
+	"executionsList.debug.paywall.link.url": "#",
 	"executionSidebar.executionName": "Execution {id}",
 	"executionSidebar.searchPlaceholder": "Search executions...",
 	"executionView.onPaste.title": "Cannot paste here",
@@ -884,6 +895,10 @@
 	"nodeView.confirmMessage.receivedCopyPasteData.confirmButtonText": "Yes, import",
 	"nodeView.confirmMessage.receivedCopyPasteData.headline": "Import Workflow?",
 	"nodeView.confirmMessage.receivedCopyPasteData.message": "Workflow will be imported from<br /><i>{plainTextData}<i>",
+	"nodeView.confirmMessage.debug.cancelButtonText": "Cancel",
+	"nodeView.confirmMessage.debug.confirmButtonText": "Unpin",
+	"nodeView.confirmMessage.debug.headline": "Unpin workflow data",
+	"nodeView.confirmMessage.debug.message": "Loading this execution will unpin the data currently pinned in these nodes",
 	"nodeView.couldntImportWorkflow": "Could not import workflow",
 	"nodeView.deletesTheCurrentExecutionData": "Deletes the current execution data",
 	"nodeView.executesTheWorkflowFromATriggerNode": "Runs the workflow, starting from a Trigger node",
@@ -923,6 +938,10 @@
 	"nodeView.showMessage.stopExecutionCatch.message": "It completed before it could be stopped",
 	"nodeView.showMessage.stopExecutionCatch.title": "Workflow finished executing",
 	"nodeView.showMessage.stopExecutionTry.title": "Execution stopped",
+	"nodeView.showMessage.debug.title": "Execution data imported",
+	"nodeView.showMessage.debug.content": "You can make edits and re-execute. Once you're done, unpin the the first node.",
+	"nodeView.showMessage.debug.missingNodes.title": "Some execution data wasn't imported",
+	"nodeView.showMessage.debug.missingNodes.content": "Some nodes have been deleted or renamed or added to the workflow since the execution ran.",
 	"nodeView.stopCurrentExecution": "Stop current execution",
 	"nodeView.stopWaitingForWebhookCall": "Stop waiting for webhook call",
 	"nodeView.stoppingCurrentExecution": "Stopping current execution",
@@ -1364,6 +1383,43 @@
 	"settings.usageAndPlan.license.activation.success.message": "Your {name} {type} has been successfully activated.",
 	"settings.usageAndPlan.desktop.title": "Upgrade to n8n Cloud for the full experience",
 	"settings.usageAndPlan.desktop.description": "Cloud plans allow you to collaborate with teammates. Plus you don’t need to leave this app open all the time for your workflows to run.",
+	"settings.externalSecrets.title": "External Secrets",
+	"settings.externalSecrets.info": "Connect external secrets tools for centralized credentials management across environments, and to enhance system security.",
+	"settings.externalSecrets.info.link": "More info",
+	"settings.externalSecrets.actionBox.title": "Available on the Enterprise plan",
+	"settings.externalSecrets.actionBox.description": "Connect external secrets tools for centralized credentials management across instances. {link}",
+	"settings.externalSecrets.actionBox.description.link": "More info",
+	"settings.externalSecrets.actionBox.buttonText": "See plans",
+	"settings.externalSecrets.card.setUp": "Set Up",
+	"settings.externalSecrets.card.secretsCount": "{count} secrets",
+	"settings.externalSecrets.card.connectedAt": "Connected {date}",
+	"settings.externalSecrets.card.connected": "Enabled",
+	"settings.externalSecrets.card.disconnected": "Disabled",
+	"settings.externalSecrets.card.actionDropdown.setup": "Edit connection",
+	"settings.externalSecrets.card.actionDropdown.reload": "Reload secrets",
+	"settings.externalSecrets.card.reload.success.title": "Reloaded successfully",
+	"settings.externalSecrets.card.reload.success.description": "All secrets have been reloaded from {provider}.",
+	"settings.externalSecrets.provider.title": "Commit and push changes",
+	"settings.externalSecrets.provider.description": "Select the files you want to stage in your commit and add a commit message. ",
+	"settings.externalSecrets.provider.buttons.cancel": "Cancel",
+	"settings.externalSecrets.provider.buttons.save": "Save",
+	"settings.externalSecrets.provider.buttons.saving": "Saving",
+	"settings.externalSecrets.card.connectedSwitch.title": "Enable {provider}",
+	"settings.externalSecrets.provider.save.success.title": "Provider settings saved successfully",
+	"settings.externalSecrets.provider.connected.success.title": "Provider connected successfully",
+	"settings.externalSecrets.provider.disconnected.success.title": "Provider disconnected successfully",
+	"settings.externalSecrets.provider.testConnection.success.connected": "Service enabled, {count} secrets available on {provider}.",
+	"settings.externalSecrets.provider.testConnection.success.connected.usage": "Use secrets in credentials by setting a parameter to an expression and typing: {code}. ",
+	"settings.externalSecrets.provider.testConnection.success.connected.docs": "More info",
+	"settings.externalSecrets.provider.testConnection.success": "Connection to {provider} executed successfully. Enable the service to use the secrets in credentials.",
+	"settings.externalSecrets.provider.testConnection.error.connected": "Connection unsuccessful, please check your {provider} settings",
+	"settings.externalSecrets.provider.testConnection.error": "Connection unsuccessful, please check your {provider} settings",
+	"settings.externalSecrets.provider.closeWithoutSaving.title": "Close without saving?",
+	"settings.externalSecrets.provider.closeWithoutSaving.description": "Are you sure you want to throw away the changes you made to the {provider} settings?",
+	"settings.externalSecrets.provider.closeWithoutSaving.cancel": "Close",
+	"settings.externalSecrets.provider.closeWithoutSaving.confirm": "Keep editing",
+	"settings.externalSecrets.docs": "https://docs.n8n.io/external-secrets/",
+	"settings.externalSecrets.docs.use": "https://docs.n8n.io/external-secrets/#use-secrets-in-n8n-credentials",
 	"settings.sourceControl.title": "Environments",
 	"settings.sourceControl.actionBox.title": "Available on the Enterprise plan",
 	"settings.sourceControl.actionBox.description": "Use multiple instances for different environments (dev, prod, etc.), deploying between them via a Git repository.",
@@ -1815,7 +1871,6 @@
 	"contextual.credentials.sharing.unavailable.button": "View plans",
 	"contextual.credentials.sharing.unavailable.button.cloud": "Upgrade now",
 	"contextual.credentials.sharing.unavailable.button.desktop": "View plans",
-
 	"contextual.workflows.sharing.title": "Sharing",
 	"contextual.workflows.sharing.unavailable.title": "Sharing",
 	"contextual.workflows.sharing.unavailable.title.cloud": "Upgrade to collaborate",
@@ -1855,6 +1910,10 @@
 	"contextual.upgradeLinkUrl.cloud": "https://app.n8n.cloud/account/change-plan",
 	"contextual.upgradeLinkUrl.desktop": "https://n8n.io/pricing/?utm_source=n8n-internal&utm_medium=desktop",
 
+	"contextual.feature.unavailable.title": "Available on the Enterprise Plan",
+	"contextual.feature.unavailable.title.cloud": "Available on the Pro Plan",
+	"contextual.feature.unavailable.title.desktop": "Available on cloud hosting",
+
 	"settings.ldap": "LDAP",
 	"settings.ldap.note": "LDAP allows users to authenticate with their centralized account. It's compatible with services that provide an LDAP interface like Active Directory, Okta and Jumpcloud.",
 	"settings.ldap.infoTip": "Learn more about <a href='https://docs.n8n.io/user-management/ldap/' target='_blank'>LDAP in the Docs</a>",
@@ -1968,6 +2027,57 @@
 	"settings.sso.actionBox.title": "Available on the Enterprise plan",
 	"settings.sso.actionBox.description": "Use Single Sign On to consolidate authentication into a single platform to improve security and agility.",
 	"settings.sso.actionBox.buttonText": "See plans",
+	"settings.mfa.secret": "Secret {secret}",
+	"settings.mfa": "MFA",
+	"settings.mfa.title": "Multi-factor Authentication",
+	"settings.mfa.updateConfiguration": "MFA configuration updated",
+	"settings.mfa.invalidAuthenticatorCode": "Invalid authenticator code",
+	"mfa.setup.invalidAuthenticatorCode": "{code} is not a valid number",
+	"mfa.setup.invalidCode": "Two-factor code failed. Please try again.",
+	"mfa.code.modal.title": "Two-factor authentication",
+	"mfa.recovery.modal.title": "Two-factor recovery",
+	"mfa.code.input.info": "Don't have your auth device?",
+	"mfa.code.input.info.action": "Enter a recovery code",
+	"mfa.recovery.input.info.action": "enter a recovery code",
+	"mfa.code.button.continue": "Continue",
+	"mfa.recovery.button.verify": "Verify",
+	"mfa.button.back": "Back",
+	"mfa.code.input.label": "Two-factor code",
+	"mfa.code.input.placeholder": "e.g. 123456",
+	"mfa.recovery.input.label": "Recovery Code",
+	"mfa.recovery.input.placeholder": "e.g c79f9c02-7b2e-44...",
+	"mfa.code.invalid": "This code is invalid, try again or",
+	"mfa.recovery.invalid": "This code is invalid or was already used, try again",
+	"mfa.setup.step1.title": "Setup Authenticator app [1/2]",
+	"mfa.setup.step2.title": "Download your recovery codes [2/2]",
+	"mfa.setup.step1.instruction1.title": "1. Scan the QR code",
+	"mfa.setup.step1.instruction1.subtitle": "{part1} {part2}",
+	"mfa.setup.step1.instruction1.subtitle.part1": "Use an authenticator app from your phone to scan. If you can't scan the QR code, enter",
+	"mfa.setup.step1.instruction1.subtitle.part2": "this text code",
+	"mfa.setup.step1.instruction2.title": "2. Enter the code from the app",
+	"mfa.setup.step2.description": "You can use recovery codes as a second factor to authenticate in case you lose access to your device.",
+	"mfa.setup.step2.infobox.description": "{part1} {part2}",
+	"mfa.setup.step2.infobox.description.part1": "Keep your recovery codes somewhere safe. If you lose your device and your recovery codes, you will",
+	"mfa.setup.step2.infobox.description.part2": "lose access to your account.",
+	"mfa.setup.step2.button.download": "Download recovery codes",
+	"mfa.setup.step2.button.save": "I have downloaded my recovery codes",
+	"mfa.setup.step1.button.continue": "Continue",
+	"mfa.setup.step1.input.label": "Code from your authenticator app",
+	"mfa.setup.step1.toast.copyToClipboard.title": "Code copied to clipboard",
+	"mfa.setup.step1.toast.copyToClipboard.message": "Enter the code in your authenticator app",
+	"mfa.setup.step2.toast.setupFinished.message": "Two-factor authentication enabled",
+	"mfa.setup.step2.toast.setupFinished.error.message": "Error enabling two-factor authentication",
+	"mfa.setup.step2.toast.tokenExpired.error.message": "MFA token expired. Close the modal and enable MFA again",
+	"settings.personal.mfa.section.title": "Two-factor authentication (2FA)",
+	"settings.personal.mfa.button.disabled.infobox": "Two-factor authentication is currently disabled.",
+	"settings.personal.mfa.button.enabled.infobox": "Two-factor authentication is currently enabled.",
+	"settings.personal.mfa.button.enabled": "Enable 2FA",
+	"settings.personal.mfa.button.disabled": "Disable two-factor authentication",
+	"settings.personal.mfa.toast.disabledMfa.title": "Two-factor authentication disabled",
+	"settings.personal.mfa.toast.disabledMfa.message": "You will no longer need your authenticator app when signing in",
+	"settings.personal.mfa.toast.disabledMfa.error.message": "Error disabling two-factor authentication",
+	"settings.mfa.toast.noRecoveryCodeLeft.title": "No 2FA recovery codes remaining",
+	"settings.mfa.toast.noRecoveryCodeLeft.message": "You have used all of your recovery codes. Disable then re-enable two-factor authentication to generate new codes. <a href='/https/github.com/settings/personal' target='_blank' >Open settings</a>",
 	"sso.login.divider": "or",
 	"sso.login.button": "Continue with SSO",
 	"executionUsage.currentUsage": "{text} {count}",
diff --git a/packages/editor-ui/src/plugins/icons/custom.ts b/packages/editor-ui/src/plugins/icons/custom.ts
index 8ce0ffa2dcd25..b8c0ac28003d4 100644
--- a/packages/editor-ui/src/plugins/icons/custom.ts
+++ b/packages/editor-ui/src/plugins/icons/custom.ts
@@ -12,6 +12,18 @@ export const faVariable: IconDefinition = {
 	],
 };
 
+export const faVault: IconDefinition = {
+	prefix: 'fas' as IconPrefix,
+	iconName: 'vault' as IconName,
+	icon: [
+		576,
+		512,
+		[],
+		'e006',
+		'M64 0C28.7 0 0 28.7 0 64v352c0 35.3 28.7 64 64 64h16l16 32h64l16-32h224l16 32h64l16-32h16c35.3 0 64-28.7 64-64V64c0-35.3-28.7-64-64-64H64zm160 320a80 80 0 1 0 0-160a80 80 0 1 0 0 160zm0-240a160 160 0 1 1 0 320a160 160 0 1 1 0-320zm256 141.3V336c0 8.8-7.2 16-16 16s-16-7.2-16-16V221.3c-18.6-6.6-32-24.4-32-45.3c0-26.5 21.5-48 48-48s48 21.5 48 48c0 20.9-13.4 38.7-32 45.3z',
+	],
+};
+
 export const faXmark: IconDefinition = {
 	prefix: 'fas' as IconPrefix,
 	iconName: 'xmark' as IconName,
diff --git a/packages/editor-ui/src/plugins/icons/index.ts b/packages/editor-ui/src/plugins/icons/index.ts
index d0bed8ee653bd..66c4ea758db47 100644
--- a/packages/editor-ui/src/plugins/icons/index.ts
+++ b/packages/editor-ui/src/plugins/icons/index.ts
@@ -133,8 +133,9 @@ import {
 	faStickyNote as faSolidStickyNote,
 	faUserLock,
 	faGem,
+	faDownload,
 } from '@fortawesome/free-solid-svg-icons';
-import { faVariable, faXmark } from './custom';
+import { faVariable, faXmark, faVault } from './custom';
 import { faStickyNote } from '@fortawesome/free-regular-svg-icons';
 import { FontAwesomeIcon } from '@fortawesome/vue-fontawesome';
 
@@ -273,11 +274,13 @@ export const FontAwesomePlugin: Plugin<{}> = {
 		addIcon(faUserFriends);
 		addIcon(faUsers);
 		addIcon(faVariable);
+		addIcon(faVault);
 		addIcon(faVideo);
 		addIcon(faTree);
 		addIcon(faUserLock);
 		addIcon(faGem);
 		addIcon(faXmark);
+		addIcon(faDownload);
 
 		app.component('font-awesome-icon', FontAwesomeIcon);
 	},
diff --git a/packages/editor-ui/src/plugins/telemetry/index.ts b/packages/editor-ui/src/plugins/telemetry/index.ts
index c7ec049b2377c..69864d3ca00a4 100644
--- a/packages/editor-ui/src/plugins/telemetry/index.ts
+++ b/packages/editor-ui/src/plugins/telemetry/index.ts
@@ -9,9 +9,11 @@ import { useRootStore } from '@/stores/n8nRoot.store';
 import { useTelemetryStore } from '@/stores/telemetry.store';
 import { SLACK_NODE_TYPE } from '@/constants';
 import { usePostHog } from '@/stores/posthog.store';
+import { useNDVStore } from '@/stores';
 
 export class Telemetry {
 	private pageEventQueue: Array<{ route: RouteLocation }>;
+
 	private previousPath: string;
 
 	private get rudderStack() {
@@ -109,17 +111,12 @@ export class Telemetry {
 
 			const pageName = route.name;
 			let properties: { [key: string]: string } = {};
-			if (
-				route.meta &&
-				route.meta.telemetry &&
-				typeof route.meta.telemetry.getProperties === 'function'
-			) {
+			if (route.meta?.telemetry && typeof route.meta.telemetry.getProperties === 'function') {
 				properties = route.meta.telemetry.getProperties(route);
 			}
 
-			const category =
-				(route.meta && route.meta.telemetry && route.meta.telemetry.pageCategory) || 'Editor';
-			this.rudderStack.page(category, pageName!, properties);
+			const category = route.meta?.telemetry?.pageCategory || 'Editor';
+			this.rudderStack.page(category, pageName, properties);
 		} else {
 			this.pageEventQueue.push({
 				route,
@@ -138,11 +135,11 @@ export class Telemetry {
 	trackAskAI(event: string, properties: IDataObject = {}) {
 		if (this.rudderStack) {
 			properties.session_id = useRootStore().sessionId;
+			properties.ndv_session_id = useNDVStore().sessionId;
+
 			switch (event) {
 				case 'askAi.generationFinished':
 					this.track('Ai code generation finished', properties, { withPostHog: true });
-				case 'ask.generationClicked':
-					this.track('User clicked on generate code button', properties);
 				default:
 					break;
 			}
@@ -228,7 +225,14 @@ export class Telemetry {
 			switch (nodeType) {
 				case SLACK_NODE_TYPE:
 					if (change.name === 'parameters.otherOptions.includeLinkToWorkflow') {
-						this.track('User toggled n8n reference option');
+						this.track(
+							'User toggled n8n reference option',
+							{
+								node: nodeType,
+								toValue: change.value,
+							},
+							{ withPostHog: true },
+						);
 					}
 					break;
 
diff --git a/packages/editor-ui/src/router.ts b/packages/editor-ui/src/router.ts
index b8403a1d2a396..03b6994d13040 100644
--- a/packages/editor-ui/src/router.ts
+++ b/packages/editor-ui/src/router.ts
@@ -38,8 +38,9 @@ import SettingsSso from './views/SettingsSso.vue';
 import SignoutView from '@/views/SignoutView.vue';
 import SamlOnboarding from '@/views/SamlOnboarding.vue';
 import SettingsSourceControl from './views/SettingsSourceControl.vue';
+import SettingsExternalSecrets from './views/SettingsExternalSecrets.vue';
 import SettingsAuditLogs from './views/SettingsAuditLogs.vue';
-import { VIEWS } from '@/constants';
+import { EnterpriseEditionFeature, VIEWS } from '@/constants';
 
 interface IRouteConfig {
 	meta: {
@@ -207,10 +208,6 @@ export const routes = [
 			},
 		},
 	},
-	{
-		path: '/workflow',
-		redirect: '/workflow/new',
-	},
 	{
 		path: '/workflows',
 		name: VIEWS.WORKFLOWS,
@@ -227,8 +224,8 @@ export const routes = [
 		},
 	},
 	{
-		path: '/workflow/new',
-		name: VIEWS.NEW_WORKFLOW,
+		path: '/workflow/:name/debug/:executionId',
+		name: VIEWS.EXECUTION_DEBUG,
 		components: {
 			default: NodeView,
 			header: MainHeader,
@@ -240,22 +237,9 @@ export const routes = [
 				allow: {
 					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
-			},
-		},
-	},
-	{
-		path: '/workflow/:name',
-		name: VIEWS.WORKFLOW,
-		components: {
-			default: NodeView,
-			header: MainHeader,
-			sidebar: MainSidebar,
-		},
-		meta: {
-			nodeView: true,
-			permissions: {
-				allow: {
-					loginStatus: [LOGIN_STATUS.LoggedIn],
+				deny: {
+					shouldDeny: () =>
+						!useSettingsStore().isEnterpriseFeatureEnabled(EnterpriseEditionFeature.DebugInEditor),
 				},
 			},
 		},
@@ -309,6 +293,41 @@ export const routes = [
 			},
 		],
 	},
+	{
+		path: '/workflows/templates/:id',
+		name: VIEWS.TEMPLATE_IMPORT,
+		components: {
+			default: NodeView,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			templatesEnabled: true,
+			getRedirect: getTemplatesRedirect,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
+				},
+			},
+		},
+	},
+	{
+		path: '/workflow/new',
+		name: VIEWS.NEW_WORKFLOW,
+		components: {
+			default: NodeView,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			nodeView: true,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
+				},
+			},
+		},
+	},
 	{
 		path: '/workflows/demo',
 		name: VIEWS.DEMO,
@@ -324,16 +343,15 @@ export const routes = [
 		},
 	},
 	{
-		path: '/workflows/templates/:id',
-		name: VIEWS.TEMPLATE_IMPORT,
+		path: '/workflow/:name',
+		name: VIEWS.WORKFLOW,
 		components: {
 			default: NodeView,
 			header: MainHeader,
 			sidebar: MainSidebar,
 		},
 		meta: {
-			templatesEnabled: true,
-			getRedirect: getTemplatesRedirect,
+			nodeView: true,
 			permissions: {
 				allow: {
 					loginStatus: [LOGIN_STATUS.LoggedIn],
@@ -341,6 +359,10 @@ export const routes = [
 			},
 		},
 	},
+	{
+		path: '/workflow',
+		redirect: '/workflow/new',
+	},
 	{
 		path: '/signin',
 		name: VIEWS.SIGNIN,
@@ -576,6 +598,28 @@ export const routes = [
 					},
 				},
 			},
+			{
+				path: 'external-secrets',
+				name: VIEWS.EXTERNAL_SECRETS_SETTINGS,
+				components: {
+					settingsView: SettingsExternalSecrets,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'external-secrets',
+							};
+						},
+					},
+					permissions: {
+						allow: {
+							role: [ROLE.Owner],
+						},
+					},
+				},
+			},
 			{
 				path: 'sso',
 				name: VIEWS.SSO_SETTINGS,
diff --git a/packages/editor-ui/src/stores/externalSecrets.ee.store.ts b/packages/editor-ui/src/stores/externalSecrets.ee.store.ts
new file mode 100644
index 0000000000000..66d7349d9e81e
--- /dev/null
+++ b/packages/editor-ui/src/stores/externalSecrets.ee.store.ts
@@ -0,0 +1,164 @@
+import { computed, reactive } from 'vue';
+import { defineStore } from 'pinia';
+import { EnterpriseEditionFeature } from '@/constants';
+import { useRootStore } from '@/stores/n8nRoot.store';
+import { useSettingsStore } from '@/stores/settings.store';
+import * as externalSecretsApi from '@/api/externalSecrets.ee';
+import { connectProvider } from '@/api/externalSecrets.ee';
+import { useUsersStore } from '@/stores/users.store';
+import type { ExternalSecretsProvider } from '@/Interface';
+
+export const useExternalSecretsStore = defineStore('externalSecrets', () => {
+	const rootStore = useRootStore();
+	const settingsStore = useSettingsStore();
+	const usersStore = useUsersStore();
+
+	const state = reactive({
+		providers: [] as ExternalSecretsProvider[],
+		secrets: {} as Record<string, string[]>,
+		connectionState: {} as Record<string, ExternalSecretsProvider['state']>,
+	});
+
+	const isEnterpriseExternalSecretsEnabled = computed(() =>
+		settingsStore.isEnterpriseFeatureEnabled(EnterpriseEditionFeature.ExternalSecrets),
+	);
+
+	const secrets = computed(() => state.secrets);
+	const providers = computed(() => state.providers);
+	const connectionState = computed(() => state.connectionState);
+
+	const secretsAsObject = computed(() => {
+		return Object.keys(secrets.value).reduce<Record<string, Record<string, object | string>>>(
+			(providerAcc, provider) => {
+				providerAcc[provider] = secrets.value[provider]?.reduce<Record<string, object | string>>(
+					(secretAcc, secret) => {
+						const splitSecret = secret.split('.');
+						if (splitSecret.length === 1) {
+							secretAcc[secret] = '*********';
+							return secretAcc;
+						}
+						const obj = (secretAcc[splitSecret[0]] ?? {}) as object;
+						let acc: any = obj;
+						for (let i = 1; i < splitSecret.length; i++) {
+							const key = splitSecret[i];
+							// Actual value key
+							if (i === splitSecret.length - 1) {
+								acc[key] = '*********';
+								continue;
+							}
+							if (!(key in acc)) {
+								acc[key] = {};
+							}
+							acc = acc[key];
+						}
+						secretAcc[splitSecret[0]] = obj;
+						return secretAcc;
+					},
+					{},
+				);
+
+				return providerAcc;
+			},
+			{},
+		);
+	});
+
+	async function fetchAllSecrets() {
+		if (usersStore.isInstanceOwner) {
+			try {
+				state.secrets = await externalSecretsApi.getExternalSecrets(rootStore.getRestApiContext);
+			} catch (error) {
+				state.secrets = {};
+			}
+		}
+	}
+
+	async function reloadProvider(id: string) {
+		const { updated } = await externalSecretsApi.reloadProvider(rootStore.getRestApiContext, id);
+		if (updated) {
+			await fetchAllSecrets();
+		}
+
+		return updated;
+	}
+
+	async function getProviders() {
+		state.providers = await externalSecretsApi.getExternalSecretsProviders(
+			rootStore.getRestApiContext,
+		);
+	}
+
+	async function testProviderConnection(id: string, data: ExternalSecretsProvider['data']) {
+		return externalSecretsApi.testExternalSecretsProviderConnection(
+			rootStore.getRestApiContext,
+			id,
+			data,
+		);
+	}
+
+	async function getProvider(id: string) {
+		const provider = await externalSecretsApi.getExternalSecretsProvider(
+			rootStore.getRestApiContext,
+			id,
+		);
+
+		const existingProviderIndex = state.providers.findIndex((p) => p.name === id);
+		if (existingProviderIndex !== -1) {
+			state.providers.splice(existingProviderIndex, 1, provider);
+		} else {
+			state.providers.push(provider);
+		}
+
+		return provider;
+	}
+
+	function updateStoredProvider(id: string, data: Partial<ExternalSecretsProvider>) {
+		const providerIndex = state.providers.findIndex((p) => p.name === id);
+		state.providers = [
+			...state.providers.slice(0, providerIndex),
+			{
+				...state.providers[providerIndex],
+				...data,
+				data: {
+					...state.providers[providerIndex].data,
+					...data.data,
+				},
+			},
+			...state.providers.slice(providerIndex + 1),
+		];
+	}
+
+	async function updateProviderConnected(id: string, value: boolean) {
+		await connectProvider(rootStore.getRestApiContext, id, value);
+		await fetchAllSecrets();
+		updateStoredProvider(id, { connected: value, state: value ? 'connected' : 'initializing' });
+	}
+
+	async function updateProvider(id: string, { data }: Partial<ExternalSecretsProvider>) {
+		await externalSecretsApi.updateProvider(rootStore.getRestApiContext, id, data);
+		await fetchAllSecrets();
+		updateStoredProvider(id, { data });
+	}
+
+	function setConnectionState(id: string, connectionState: ExternalSecretsProvider['state']) {
+		state.connectionState[id] = connectionState;
+	}
+
+	return {
+		state,
+		providers,
+		secrets,
+		connectionState,
+		secretsAsObject,
+		isEnterpriseExternalSecretsEnabled,
+		fetchAllSecrets,
+		getProvider,
+		getProviders,
+		testProviderConnection,
+		updateProvider,
+		updateStoredProvider,
+		updateProviderConnected,
+		reloadProvider,
+		setConnectionState,
+	};
+});
diff --git a/packages/editor-ui/src/stores/index.ts b/packages/editor-ui/src/stores/index.ts
index 61ceae6448090..0c2396997098b 100644
--- a/packages/editor-ui/src/stores/index.ts
+++ b/packages/editor-ui/src/stores/index.ts
@@ -2,6 +2,7 @@ export * from './canvas.store';
 export * from './communityNodes.store';
 export * from './credentials.store';
 export * from './environments.ee.store';
+export * from './externalSecrets.ee.store';
 export * from './history.store';
 export * from './logStreaming.store';
 export * from './n8nRoot.store';
diff --git a/packages/editor-ui/src/stores/ndv.store.ts b/packages/editor-ui/src/stores/ndv.store.ts
index 7b884219fd9a7..d27b4afb2916c 100644
--- a/packages/editor-ui/src/stores/ndv.store.ts
+++ b/packages/editor-ui/src/stores/ndv.store.ts
@@ -9,6 +9,7 @@ import type {
 } from '@/Interface';
 import type { INodeIssues, IRunData } from 'n8n-workflow';
 import { defineStore } from 'pinia';
+import { v4 as uuid } from 'uuid';
 import { useWorkflowsStore } from './workflows.store';
 
 export const useNDVStore = defineStore(STORES.NDV, {
@@ -163,7 +164,7 @@ export const useNDVStore = defineStore(STORES.NDV, {
 			};
 		},
 		setNDVSessionId(): void {
-			this.sessionId = `ndv-${Math.random().toString(36).slice(-8)}`;
+			this.sessionId = `ndv-${uuid()}`;
 		},
 		resetNDVSessionId(): void {
 			this.sessionId = '';
diff --git a/packages/editor-ui/src/stores/settings.store.ts b/packages/editor-ui/src/stores/settings.store.ts
index 9b8dcd758031b..5f25ca38fe41f 100644
--- a/packages/editor-ui/src/stores/settings.store.ts
+++ b/packages/editor-ui/src/stores/settings.store.ts
@@ -60,6 +60,9 @@ export const useSettingsStore = defineStore(STORES.SETTINGS, {
 			loginLabel: '',
 			loginEnabled: false,
 		},
+		mfa: {
+			enabled: false,
+		},
 		onboardingCallPromptEnabled: false,
 		saveDataErrorExecution: 'all',
 		saveDataSuccessExecution: 'all',
@@ -133,6 +136,9 @@ export const useSettingsStore = defineStore(STORES.SETTINGS, {
 		isTelemetryEnabled(): boolean {
 			return this.settings.telemetry && this.settings.telemetry.enabled;
 		},
+		isMfaFeatureEnabled(): boolean {
+			return this.settings?.mfa?.enabled;
+		},
 		areTagsEnabled(): boolean {
 			return this.settings.workflowTagsDisabled !== undefined
 				? !this.settings.workflowTagsDisabled
@@ -354,3 +360,5 @@ export const useSettingsStore = defineStore(STORES.SETTINGS, {
 		},
 	},
 });
+
+export { useUsersStore };
diff --git a/packages/editor-ui/src/stores/ui.store.ts b/packages/editor-ui/src/stores/ui.store.ts
index f3fe6c6b4a85b..8fb69aa968a51 100644
--- a/packages/editor-ui/src/stores/ui.store.ts
+++ b/packages/editor-ui/src/stores/ui.store.ts
@@ -18,6 +18,7 @@ import {
 	IMPORT_CURL_MODAL_KEY,
 	INVITE_USER_MODAL_KEY,
 	LOG_STREAM_MODAL_KEY,
+	MFA_SETUP_MODAL_KEY,
 	ONBOARDING_CALL_SIGNUP_MODAL_KEY,
 	PERSONALIZATION_MODAL_KEY,
 	STORES,
@@ -28,8 +29,10 @@ import {
 	WORKFLOW_ACTIVE_MODAL_KEY,
 	WORKFLOW_SETTINGS_MODAL_KEY,
 	WORKFLOW_SHARE_MODAL_KEY,
+	EXTERNAL_SECRETS_PROVIDER_MODAL_KEY,
 	SOURCE_CONTROL_PUSH_MODAL_KEY,
 	SOURCE_CONTROL_PULL_MODAL_KEY,
+	DEBUG_PAYWALL_MODAL_KEY,
 } from '@/constants';
 import type {
 	CloudUpdateLinkSourceType,
@@ -122,6 +125,9 @@ export const useUIStore = defineStore(STORES.UI, {
 				curlCommand: '',
 				httpNodeParameters: '',
 			},
+			[MFA_SETUP_MODAL_KEY]: {
+				open: false,
+			},
 			[LOG_STREAM_MODAL_KEY]: {
 				open: false,
 				data: undefined,
@@ -138,6 +144,12 @@ export const useUIStore = defineStore(STORES.UI, {
 			[SOURCE_CONTROL_PULL_MODAL_KEY]: {
 				open: false,
 			},
+			[EXTERNAL_SECRETS_PROVIDER_MODAL_KEY]: {
+				open: false,
+			},
+			[DEBUG_PAYWALL_MODAL_KEY]: {
+				open: false,
+			},
 		},
 		modalStack: [],
 		sidebarMenuCollapsed: true,
@@ -194,6 +206,11 @@ export const useUIStore = defineStore(STORES.UI, {
 
 			return {
 				upgradeLinkUrl: `contextual.upgradeLinkUrl${contextKey}`,
+				feature: {
+					unavailable: {
+						title: `contextual.feature.unavailable.title${contextKey}`,
+					},
+				},
 				credentials: {
 					sharing: {
 						unavailable: {
@@ -280,7 +297,9 @@ export const useUIStore = defineStore(STORES.UI, {
 				this.fakeDoorFeatures.find((fakeDoor) => fakeDoor.id.toString() === id);
 		},
 		isReadOnlyView(): boolean {
-			return ![VIEWS.WORKFLOW, VIEWS.NEW_WORKFLOW].includes(this.currentView as VIEWS);
+			return ![VIEWS.WORKFLOW, VIEWS.NEW_WORKFLOW, VIEWS.EXECUTION_DEBUG].includes(
+				this.currentView as VIEWS,
+			);
 		},
 		isNodeView(): boolean {
 			return [
diff --git a/packages/editor-ui/src/stores/users.store.ts b/packages/editor-ui/src/stores/users.store.ts
index 6b9d551e79531..7844e712882a9 100644
--- a/packages/editor-ui/src/stores/users.store.ts
+++ b/packages/editor-ui/src/stores/users.store.ts
@@ -38,6 +38,7 @@ import { usePostHog } from './posthog.store';
 import { useSettingsStore } from './settings.store';
 import { useUIStore } from './ui.store';
 import { useCloudPlanStore } from './cloudPlan.store';
+import { disableMfa, enableMfa, getMfaQR, verifyMfaToken } from '@/api/mfa';
 
 const isDefaultUser = (user: IUserResponse | null) =>
 	Boolean(user && user.isPending && user.globalRole && user.globalRole.name === ROLE.Owner);
@@ -68,6 +69,9 @@ export const useUsersStore = defineStore(STORES.USERS, {
 		isInstanceOwner(): boolean {
 			return isInstanceOwner(this.currentUser);
 		},
+		mfaEnabled(): boolean {
+			return this.currentUser?.mfaEnabled ?? false;
+		},
 		getUserById(state) {
 			return (userId: string): IUser | null => state.users[userId];
 		},
@@ -167,7 +171,12 @@ export const useUsersStore = defineStore(STORES.USERS, {
 
 			usePostHog().init(user.featureFlags);
 		},
-		async loginWithCreds(params: { email: string; password: string }): Promise<void> {
+		async loginWithCreds(params: {
+			email: string;
+			password: string;
+			mfaToken?: string;
+			mfaRecoveryCode?: string;
+		}): Promise<void> {
 			const rootStore = useRootStore();
 			const user = await login(rootStore.getRestApiContext, params);
 			if (!user) {
@@ -233,7 +242,11 @@ export const useUsersStore = defineStore(STORES.USERS, {
 			const rootStore = useRootStore();
 			await validatePasswordToken(rootStore.getRestApiContext, params);
 		},
-		async changePassword(params: { token: string; password: string }): Promise<void> {
+		async changePassword(params: {
+			token: string;
+			password: string;
+			mfaToken?: string;
+		}): Promise<void> {
 			const rootStore = useRootStore();
 			await changePassword(rootStore.getRestApiContext, params);
 		},
@@ -326,5 +339,31 @@ export const useUsersStore = defineStore(STORES.USERS, {
 				uiStore.openModal(PERSONALIZATION_MODAL_KEY);
 			}
 		},
+		async getMfaQR(): Promise<{ qrCode: string; secret: string; recoveryCodes: string[] }> {
+			const rootStore = useRootStore();
+			return getMfaQR(rootStore.getRestApiContext);
+		},
+		async verifyMfaToken(data: { token: string }): Promise<void> {
+			const rootStore = useRootStore();
+			return verifyMfaToken(rootStore.getRestApiContext, data);
+		},
+		async enableMfa(data: { token: string }) {
+			const rootStore = useRootStore();
+			const usersStore = useUsersStore();
+			await enableMfa(rootStore.getRestApiContext, data);
+			const currentUser = usersStore.currentUser;
+			if (currentUser) {
+				currentUser.mfaEnabled = true;
+			}
+		},
+		async disabledMfa() {
+			const rootStore = useRootStore();
+			const usersStore = useUsersStore();
+			await disableMfa(rootStore.getRestApiContext);
+			const currentUser = usersStore.currentUser;
+			if (currentUser) {
+				currentUser.mfaEnabled = false;
+			}
+		},
 	},
 });
diff --git a/packages/editor-ui/src/stores/workflows.store.ts b/packages/editor-ui/src/stores/workflows.store.ts
index 8a79f18342b7b..811535ace04a8 100644
--- a/packages/editor-ui/src/stores/workflows.store.ts
+++ b/packages/editor-ui/src/stores/workflows.store.ts
@@ -128,6 +128,7 @@ export const useWorkflowsStore = defineStore(STORES.WORKFLOWS, {
 		executingNode: null,
 		executionWaitingForWebhook: false,
 		nodeMetadata: {},
+		isInDebugMode: false,
 	}),
 	getters: {
 		// Workflow getters
diff --git a/packages/editor-ui/src/utils/expressions.ts b/packages/editor-ui/src/utils/expressions.ts
new file mode 100644
index 0000000000000..2350cef3ded0f
--- /dev/null
+++ b/packages/editor-ui/src/utils/expressions.ts
@@ -0,0 +1,12 @@
+import { ExpressionParser } from 'n8n-workflow';
+
+export const isExpression = (expr: string) => expr.startsWith('=');
+
+export const isTestableExpression = (expr: string) => {
+	return ExpressionParser.splitExpression(expr).every((c) => {
+		if (c.type === 'text') {
+			return true;
+		}
+		return /\$secrets(\.[a-zA-Z0-9_]+)+$/.test(c.text.trim());
+	});
+};
diff --git a/packages/editor-ui/src/utils/index.ts b/packages/editor-ui/src/utils/index.ts
index fa3064c815cba..168b54ee2435c 100644
--- a/packages/editor-ui/src/utils/index.ts
+++ b/packages/editor-ui/src/utils/index.ts
@@ -9,3 +9,4 @@ export * from './typeGuards';
 export * from './typesUtils';
 export * from './userUtils';
 export * from './sourceControlUtils';
+export * from './expressions';
diff --git a/packages/editor-ui/src/views/ChangePasswordView.vue b/packages/editor-ui/src/views/ChangePasswordView.vue
index 6ce3fb640920c..8b22ba2f39723 100644
--- a/packages/editor-ui/src/views/ChangePasswordView.vue
+++ b/packages/editor-ui/src/views/ChangePasswordView.vue
@@ -14,7 +14,7 @@ import { useToast } from '@/composables';
 
 import { defineComponent } from 'vue';
 import type { IFormBoxConfig } from '@/Interface';
-import { VIEWS } from '@/constants';
+import { MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH, VIEWS } from '@/constants';
 import { mapStores } from 'pinia';
 import { useUsersStore } from '@/stores/users.store';
 
@@ -39,7 +39,7 @@ export default defineComponent({
 		...mapStores(useUsersStore),
 	},
 	async mounted() {
-		this.config = {
+		const form: IFormBoxConfig = {
 			title: this.$locale.baseText('auth.changePassword'),
 			buttonText: this.$locale.baseText('auth.changePassword'),
 			redirectText: this.$locale.baseText('auth.signin'),
@@ -77,6 +77,24 @@ export default defineComponent({
 		};
 
 		const token = this.getResetToken();
+		const mfaEnabled = this.getMfaEnabled();
+
+		if (mfaEnabled) {
+			form.inputs.push({
+				name: 'mfaToken',
+				initialValue: '',
+				properties: {
+					required: true,
+					label: this.$locale.baseText('mfa.code.input.label'),
+					placeholder: this.$locale.baseText('mfa.code.input.placeholder'),
+					maxlength: MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH,
+					capitalize: true,
+					validateOnBlur: true,
+				},
+			});
+		}
+
+		this.config = form;
 
 		try {
 			if (!token) {
@@ -110,18 +128,28 @@ export default defineComponent({
 				this.password = e.value;
 			}
 		},
-		getResetToken(): string | null {
+		getResetToken() {
 			return !this.$route.query.token || typeof this.$route.query.token !== 'string'
 				? null
 				: this.$route.query.token;
 		},
-		async onSubmit() {
+		getMfaEnabled() {
+			if (!this.$route.query.mfaEnabled) return null;
+			return this.$route.query.mfaEnabled === 'true' ? true : false;
+		},
+		async onSubmit(values: { mfaToken: string }) {
 			try {
 				this.loading = true;
 				const token = this.getResetToken();
 
 				if (token) {
-					await this.usersStore.changePassword({ token, password: this.password });
+					const changePasswordParameters = {
+						token,
+						password: this.password,
+						...(values.mfaToken && { mfaToken: values.mfaToken }),
+					};
+
+					await this.usersStore.changePassword(changePasswordParameters);
 
 					this.showMessage({
 						type: 'success',
diff --git a/packages/editor-ui/src/views/CredentialsView.vue b/packages/editor-ui/src/views/CredentialsView.vue
index f194740812f08..80d57af398efb 100644
--- a/packages/editor-ui/src/views/CredentialsView.vue
+++ b/packages/editor-ui/src/views/CredentialsView.vue
@@ -56,6 +56,7 @@ import { useUIStore } from '@/stores/ui.store';
 import { useUsersStore } from '@/stores/users.store';
 import { useNodeTypesStore } from '@/stores/nodeTypes.store';
 import { useCredentialsStore } from '@/stores/credentials.store';
+import { useExternalSecretsStore } from '@/stores';
 import { useSourceControlStore } from '@/stores/sourceControl.store';
 
 type IResourcesListLayoutInstance = InstanceType<typeof ResourcesListLayout>;
@@ -84,6 +85,7 @@ export default defineComponent({
 			useUIStore,
 			useUsersStore,
 			useSourceControlStore,
+			useExternalSecretsStore,
 		),
 		allCredentials(): ICredentialsResponse[] {
 			return this.credentialsStore.allCredentials;
@@ -107,6 +109,7 @@ export default defineComponent({
 			const loadPromises = [
 				this.credentialsStore.fetchAllCredentials(),
 				this.credentialsStore.fetchCredentialTypes(false),
+				this.externalSecretsStore.fetchAllSecrets(),
 			];
 
 			if (this.nodeTypesStore.allNodeTypes.length === 0) {
diff --git a/packages/editor-ui/src/views/MfaView.vue b/packages/editor-ui/src/views/MfaView.vue
new file mode 100644
index 0000000000000..5aa8b2985413b
--- /dev/null
+++ b/packages/editor-ui/src/views/MfaView.vue
@@ -0,0 +1,249 @@
+<template>
+	<div :class="$style.container">
+		<div :class="$style.logoContainer">
+			<Logo />
+		</div>
+		<n8n-card>
+			<div :class="$style.headerContainer">
+				<n8n-heading size="xlarge" color="text-dark">{{
+					showRecoveryCodeForm
+						? $locale.baseText('mfa.recovery.modal.title')
+						: $locale.baseText('mfa.code.modal.title')
+				}}</n8n-heading>
+			</div>
+			<div :class="[$style.formContainer, reportError ? $style.formError : '']">
+				<n8n-form-inputs
+					data-test-id="mfa-login-form"
+					v-if="formInputs"
+					:inputs="formInputs"
+					:eventBus="formBus"
+					@input="onInput"
+					@submit="onSubmit"
+				/>
+				<div :class="$style.infoBox">
+					<n8n-text
+						size="small"
+						color="text-base"
+						:bold="false"
+						v-if="!showRecoveryCodeForm && !reportError"
+						>{{ $locale.baseText('mfa.code.input.info') }}
+						<a data-test-id="mfa-enter-recovery-code-button" @click="onRecoveryCodeClick">{{
+							$locale.baseText('mfa.code.input.info.action')
+						}}</a></n8n-text
+					>
+					<n8n-text color="danger" v-if="reportError" size="small"
+						>{{ formError }}
+						<a
+							v-if="!showRecoveryCodeForm"
+							@click="onRecoveryCodeClick"
+							:class="$style.recoveryCodeLink"
+						>
+							{{ $locale.baseText('mfa.recovery.input.info.action') }}</a
+						>
+					</n8n-text>
+				</div>
+			</div>
+			<div>
+				<n8n-button
+					float="right"
+					:loading="verifyingMfaToken"
+					:label="
+						showRecoveryCodeForm
+							? $locale.baseText('mfa.recovery.button.verify')
+							: $locale.baseText('mfa.code.button.continue')
+					"
+					size="large"
+					:disabled="!hasAnyChanges"
+					@click="onSaveClick"
+				/>
+				<n8n-button
+					float="left"
+					:label="$locale.baseText('mfa.button.back')"
+					size="large"
+					type="tertiary"
+					@click="onBackClick"
+				/>
+			</div>
+		</n8n-card>
+	</div>
+</template>
+
+<script lang="ts">
+import { genericHelpers } from '@/mixins/genericHelpers';
+import type { IFormInputs } from '@/Interface';
+import Logo from '../components/Logo.vue';
+import {
+	MFA_AUTHENTICATION_RECOVERY_CODE_INPUT_MAX_LENGTH,
+	MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH,
+} from '@/constants';
+import { useUsersStore } from '@/stores/users.store';
+import { mapStores } from 'pinia';
+import { mfaEventBus } from '@/event-bus';
+import { defineComponent } from 'vue';
+import { useToast } from '@/composables/useToast';
+
+export const FORM = {
+	MFA_TOKEN: 'MFA_TOKEN',
+	MFA_RECOVERY_CODE: 'MFA_RECOVERY_CODE',
+} as const;
+
+export default defineComponent({
+	name: 'MfaView',
+	mixins: [genericHelpers],
+	components: {
+		Logo,
+	},
+	props: {
+		reportError: Boolean,
+	},
+	async mounted() {
+		this.formInputs = [this.mfaTokenFieldWithDefaults()];
+	},
+	setup() {
+		return {
+			...useToast(),
+		};
+	},
+	data() {
+		return {
+			hasAnyChanges: false,
+			formBus: mfaEventBus,
+			formInputs: null as null | IFormInputs,
+			showRecoveryCodeForm: false,
+			verifyingMfaToken: false,
+			formError: '',
+		};
+	},
+	computed: {
+		...mapStores(useUsersStore),
+	},
+	methods: {
+		onRecoveryCodeClick() {
+			this.formError = '';
+			this.showRecoveryCodeForm = true;
+			this.hasAnyChanges = false;
+			this.formInputs = [this.mfaRecoveryCodeFieldWithDefaults()];
+			this.$emit('onFormChanged', FORM.MFA_RECOVERY_CODE);
+		},
+		onBackClick() {
+			if (!this.showRecoveryCodeForm) {
+				this.$emit('onBackClick', FORM.MFA_TOKEN);
+				return;
+			}
+
+			this.showRecoveryCodeForm = false;
+			this.hasAnyChanges = true;
+			this.formInputs = [this.mfaTokenFieldWithDefaults()];
+			this.$emit('onBackClick', FORM.MFA_RECOVERY_CODE);
+		},
+		onInput({ target: { value, name } }: { target: { value: string; name: string } }) {
+			const isSubmittingMfaToken = name === 'token';
+			const inputValidLength = isSubmittingMfaToken
+				? MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH
+				: MFA_AUTHENTICATION_RECOVERY_CODE_INPUT_MAX_LENGTH;
+
+			if (value.length !== inputValidLength) {
+				this.hasAnyChanges = false;
+				return;
+			}
+
+			this.verifyingMfaToken = true;
+			this.hasAnyChanges = true;
+
+			this.onSubmit({ token: value, recoveryCode: value })
+				.catch(() => {})
+				.finally(() => (this.verifyingMfaToken = false));
+		},
+		async onSubmit(form: { token: string; recoveryCode: string }) {
+			this.formError = !this.showRecoveryCodeForm
+				? this.$locale.baseText('mfa.code.invalid')
+				: this.$locale.baseText('mfa.recovery.invalid');
+			this.$emit('submit', form);
+		},
+		onSaveClick() {
+			this.formBus.emit('submit');
+		},
+		mfaTokenFieldWithDefaults() {
+			return this.formField(
+				'token',
+				this.$locale.baseText('mfa.code.input.label'),
+				this.$locale.baseText('mfa.code.input.placeholder'),
+				MFA_AUTHENTICATION_TOKEN_INPUT_MAX_LENGTH,
+			);
+		},
+		mfaRecoveryCodeFieldWithDefaults() {
+			return this.formField(
+				'recoveryCode',
+				this.$locale.baseText('mfa.recovery.input.label'),
+				this.$locale.baseText('mfa.recovery.input.placeholder'),
+				MFA_AUTHENTICATION_RECOVERY_CODE_INPUT_MAX_LENGTH,
+			);
+		},
+		formField(name: string, label: string, placeholder: string, maxlength: number) {
+			return {
+				name,
+				initialValue: '',
+				properties: {
+					label,
+					placeholder,
+					maxlength,
+					capitalize: true,
+					validateOnBlur: false,
+				},
+			};
+		},
+	},
+});
+</script>
+
+<style lang="scss" module>
+body {
+	background-color: var(--color-background-light);
+}
+
+.container {
+	display: flex;
+	align-items: center;
+	flex-direction: column;
+	padding-top: var(--spacing-2xl);
+
+	> * {
+		margin-bottom: var(--spacing-l);
+		width: 352px;
+	}
+}
+
+.logoContainer {
+	display: flex;
+	justify-content: center;
+}
+
+.textContainer {
+	text-align: center;
+}
+
+.formContainer {
+	padding-bottom: var(--spacing-xl);
+}
+
+.qrContainer {
+	text-align: center;
+}
+
+.headerContainer {
+	text-align: center;
+	margin-bottom: var(--spacing-xl);
+}
+
+.formError input {
+	border-color: var(--color-danger);
+}
+
+.recoveryCodeLink {
+	text-decoration: underline;
+}
+
+.infoBox {
+	padding-top: var(--spacing-4xs);
+}
+</style>
diff --git a/packages/editor-ui/src/views/NodeView.vue b/packages/editor-ui/src/views/NodeView.vue
index 497faabc42e6f..14a2139df13ac 100644
--- a/packages/editor-ui/src/views/NodeView.vue
+++ b/packages/editor-ui/src/views/NodeView.vue
@@ -218,6 +218,7 @@ import {
 	useMessage,
 	useToast,
 	useTitleChange,
+	useExecutionDebugging,
 } from '@/composables';
 import { useUniqueNodeName } from '@/composables/useUniqueNodeName';
 import { useI18n } from '@/composables/useI18n';
@@ -287,6 +288,7 @@ import {
 	useSettingsStore,
 	useUIStore,
 	useHistoryStore,
+	useExternalSecretsStore,
 } from '@/stores';
 import * as NodeViewUtils from '@/utils/nodeViewUtils';
 import { getAccountAge, getConnectionInfo, getNodeViewTab } from '@/utils';
@@ -355,6 +357,7 @@ export default defineComponent({
 			...useToast(),
 			...useMessage(),
 			...useUniqueNodeName(),
+			...useExecutionDebugging(),
 			// eslint-disable-next-line @typescript-eslint/no-misused-promises
 			...workflowRun.setup?.(props),
 		};
@@ -365,7 +368,7 @@ export default defineComponent({
 	},
 	watch: {
 		// Listen to route changes and load the workflow accordingly
-		$route(to: Route, from: Route) {
+		async $route(to: Route, from: Route) {
 			this.readOnlyEnvRouteCheck();
 
 			const currentTab = getNodeViewTab(to);
@@ -388,14 +391,13 @@ export default defineComponent({
 						this.resetWorkspace();
 						this.uiStore.stateIsDirty = previousDirtyState;
 					}
-					void this.loadCredentials();
-					void this.initView().then(() => {
-						this.stopLoading();
-						if (this.blankRedirect) {
-							this.blankRedirect = false;
-						}
-					});
+					await Promise.all([this.loadCredentials(), this.initView()]);
+					this.stopLoading();
+					if (this.blankRedirect) {
+						this.blankRedirect = false;
+					}
 				}
+				await this.checkAndInitDebugMode();
 			}
 			// Also, when landing on executions tab, check if workflow data is changed
 			if (currentTab === MAIN_HEADER_TABS.EXECUTIONS) {
@@ -495,6 +497,7 @@ export default defineComponent({
 			useEnvironmentsStore,
 			useWorkflowsEEStore,
 			useHistoryStore,
+			useExternalSecretsStore,
 		),
 		nativelyNumberSuffixedDefaults(): string[] {
 			return this.nodeTypesStore.nativelyNumberSuffixedDefaults;
@@ -561,7 +564,7 @@ export default defineComponent({
 		workflowClasses() {
 			const returnClasses = [];
 			if (this.ctrlKeyPressed || this.moveCanvasKeyPressed) {
-				if (this.uiStore.nodeViewMoveInProgress === true) {
+				if (this.uiStore.nodeViewMoveInProgress) {
 					returnClasses.push('move-in-process');
 				} else {
 					returnClasses.push('move-active');
@@ -677,6 +680,7 @@ export default defineComponent({
 				node_type: node ? node.type : null,
 				workflow_id: this.workflowsStore.workflowId,
 				source: 'canvas',
+				session_id: this.ndvStore.sessionId,
 			};
 			this.$telemetry.track('User clicked execute node button', telemetryPayload);
 			void this.$externalHooks().run('nodeView.onRunNode', telemetryPayload);
@@ -1084,7 +1088,7 @@ export default defineComponent({
 						lastSelectedNode.name,
 					);
 				}
-			} else if (e.key === 'a' && this.isCtrlKeyPressed(e) === true) {
+			} else if (e.key === 'a' && this.isCtrlKeyPressed(e)) {
 				// Select all nodes
 				e.stopPropagation();
 				e.preventDefault();
@@ -1504,7 +1508,7 @@ export default defineComponent({
 			const currentTab = getNodeViewTab(this.$route);
 			if (currentTab === MAIN_HEADER_TABS.WORKFLOW) {
 				let workflowData: IWorkflowDataUpdate | undefined;
-				if (this.editAllowedCheck() === false) {
+				if (!this.editAllowedCheck()) {
 					return;
 				}
 				// Check if it is an URL which could contain workflow data
@@ -1779,11 +1783,9 @@ export default defineComponent({
 				parameters: {},
 			};
 
-			const credentialPerType =
-				nodeTypeData.credentials &&
-				nodeTypeData.credentials
-					.map((type) => this.credentialsStore.getUsableCredentialByType(type.name))
-					.flat();
+			const credentialPerType = nodeTypeData.credentials
+				?.map((type) => this.credentialsStore.getUsableCredentialByType(type.name))
+				.flat();
 
 			if (credentialPerType && credentialPerType.length === 1) {
 				const defaultCredential = credentialPerType[0];
@@ -1820,10 +1822,7 @@ export default defineComponent({
 						return newNodeData;
 					}
 
-					if (
-						Object.keys(authDisplayOptions).length === 1 &&
-						authDisplayOptions['authentication']
-					) {
+					if (Object.keys(authDisplayOptions).length === 1 && authDisplayOptions.authentication) {
 						// ignore complex case when there's multiple dependencies
 						newNodeData.credentials = credentials;
 
@@ -1957,7 +1956,7 @@ export default defineComponent({
 
 			newNodeData.name = this.uniqueNodeName(localizedName);
 
-			if (nodeTypeData.webhooks && nodeTypeData.webhooks.length) {
+			if (nodeTypeData.webhooks?.length) {
 				newNodeData.webhookId = uuid();
 			}
 
@@ -2007,9 +2006,8 @@ export default defineComponent({
 			targetNodeName: string,
 			targetNodeOuputIndex: number,
 		): IConnection | undefined {
-			const nodeConnections = (
-				this.workflowsStore.outgoingConnectionsByNodeName(sourceNodeName) as INodeConnections
-			).main;
+			const nodeConnections =
+				this.workflowsStore.outgoingConnectionsByNodeName(sourceNodeName).main;
 			if (nodeConnections) {
 				const connections: IConnection[] | null = nodeConnections[sourceNodeOutputIndex];
 
@@ -2091,7 +2089,7 @@ export default defineComponent({
 			if (lastSelectedNode) {
 				await this.$nextTick();
 
-				if (lastSelectedConnection && lastSelectedConnection.__meta) {
+				if (lastSelectedConnection?.__meta) {
 					this.__deleteJSPlumbConnection(lastSelectedConnection, trackHistory);
 
 					const targetNodeName = lastSelectedConnection.__meta.targetNodeName;
@@ -2432,8 +2430,8 @@ export default defineComponent({
 						const { top, left, right, bottom } = element.getBoundingClientRect();
 						const [x, y] = NodeViewUtils.getMousePosition(e);
 						if (top <= y && bottom >= y && left - inputMargin <= x && right >= x) {
-							const nodeName = (element as HTMLElement).dataset['name'] as string;
-							const node = this.workflowsStore.getNodeByName(nodeName) as INodeUi | null;
+							const nodeName = (element as HTMLElement).dataset.name as string;
+							const node = this.workflowsStore.getNodeByName(nodeName);
 							if (node) {
 								const nodeType = this.nodeTypesStore.getNodeType(node.type, node.typeVersion);
 								if (nodeType && nodeType.inputs && nodeType.inputs.length === 1) {
@@ -2482,7 +2480,7 @@ export default defineComponent({
 				.forEach((endpoint) => setTimeout(() => endpoint.instance.revalidate(endpoint.element), 0));
 		},
 		onPlusEndpointClick(endpoint: Endpoint) {
-			if (endpoint && endpoint.__meta) {
+			if (endpoint?.__meta) {
 				this.insertNodeAfterSelected({
 					sourceId: endpoint.__meta.nodeId,
 					index: endpoint.__meta.index,
@@ -2576,7 +2574,6 @@ export default defineComponent({
 			this.stopLoading();
 		},
 		async tryToAddWelcomeSticky(): Promise<void> {
-			const newWorkflow = this.workflowData;
 			this.canvasStore.zoomToFit();
 		},
 		async initView(): Promise<void> {
@@ -2633,8 +2630,8 @@ export default defineComponent({
 
 					if (workflow) {
 						this.titleSet(workflow.name, 'IDLE');
-						// Open existing workflow
 						await this.openWorkflow(workflow);
+						await this.checkAndInitDebugMode();
 					}
 				} else if (this.$route.meta?.nodeView === true) {
 					// Create new workflow
@@ -2758,8 +2755,7 @@ export default defineComponent({
 				const nodeTypeData = this.nodeTypesStore.getNodeType(node.type, node.typeVersion);
 
 				if (
-					nodeTypeData &&
-					nodeTypeData.maxNodes !== undefined &&
+					nodeTypeData?.maxNodes !== undefined &&
 					this.getNodeTypeCount(node.type) >= nodeTypeData.maxNodes
 				) {
 					this.showMaxNodeTypeError(nodeTypeData);
@@ -2914,7 +2910,7 @@ export default defineComponent({
 		}) {
 			const pinData = this.workflowsStore.getPinData;
 
-			if (pinData && pinData[name]) return;
+			if (pinData?.[name]) return;
 
 			const sourceNodeName = name;
 			const sourceNode = this.workflowsStore.getNodeByName(sourceNodeName);
@@ -2959,7 +2955,7 @@ export default defineComponent({
 
 									if (output.isArtificialRecoveredEventItem) {
 										NodeViewUtils.recoveredConnection(connection);
-									} else if ((!output || !output.total) && !output.isArtificialRecoveredEventItem) {
+									} else if (!output?.total && !output.isArtificialRecoveredEventItem) {
 										NodeViewUtils.resetConnection(connection);
 									} else {
 										NodeViewUtils.addConnectionOutputSuccess(connection, output);
@@ -2971,7 +2967,7 @@ export default defineComponent({
 								sourceNodeName,
 								parseInt(sourceOutputIndex, 10),
 							);
-							if (endpoint && endpoint.endpoint) {
+							if (endpoint?.endpoint) {
 								const output = outputMap[sourceOutputIndex][NODE_OUTPUT_DEFAULT_KEY][0];
 
 								if (output && output.total > 0) {
@@ -3261,7 +3257,7 @@ export default defineComponent({
 			);
 		},
 		async addNodes(nodes: INodeUi[], connections?: IConnections, trackHistory = false) {
-			if (!nodes || !nodes.length) {
+			if (!nodes?.length) {
 				return;
 			}
 
@@ -3610,6 +3606,9 @@ export default defineComponent({
 		async loadVariables(): Promise<void> {
 			await this.environmentsStore.fetchAllVariables();
 		},
+		async loadSecrets(): Promise<void> {
+			await this.externalSecretsStore.fetchAllSecrets();
+		},
 		async loadNodesProperties(nodeInfos: INodeTypeNameVersion[]): Promise<void> {
 			const allNodes: INodeTypeDescription[] = this.nodeTypesStore.allNodeTypes;
 
@@ -3751,7 +3750,7 @@ export default defineComponent({
 			const mode =
 				this.nodeCreatorStore.selectedView === TRIGGER_NODE_CREATOR_VIEW ? 'trigger' : 'regular';
 
-			if (createNodeActive === true) this.nodeCreatorStore.setOpenSource(source);
+			if (createNodeActive) this.nodeCreatorStore.setOpenSource(source);
 			void this.$externalHooks().run('nodeView.createNodeActiveChanged', {
 				source,
 				mode,
@@ -3872,6 +3871,15 @@ export default defineComponent({
 				});
 			}
 		},
+		async checkAndInitDebugMode() {
+			if (this.$route.name === VIEWS.EXECUTION_DEBUG) {
+				this.titleSet(this.workflowName, 'DEBUG');
+				if (!this.workflowsStore.isInDebugMode) {
+					await this.applyExecutionData(this.$route.params.executionId as string);
+					this.workflowsStore.isInDebugMode = true;
+				}
+			}
+		},
 	},
 	async onSourceControlPull() {
 		let workflowId = null as string | null;
@@ -3907,6 +3915,7 @@ export default defineComponent({
 			this.loadCredentials(),
 			this.loadCredentialTypes(),
 			this.loadVariables(),
+			this.loadSecrets(),
 		];
 
 		if (this.nodeTypesStore.allNodeTypes.length === 0) {
diff --git a/packages/editor-ui/src/views/SettingsCommunityNodesView.vue b/packages/editor-ui/src/views/SettingsCommunityNodesView.vue
index ea94c52bb96db..e11ca282ee692 100644
--- a/packages/editor-ui/src/views/SettingsCommunityNodesView.vue
+++ b/packages/editor-ui/src/views/SettingsCommunityNodesView.vue
@@ -55,6 +55,7 @@
 import {
 	COMMUNITY_PACKAGE_INSTALL_MODAL_KEY,
 	COMMUNITY_NODES_INSTALLATION_DOCS_URL,
+	COMMUNITY_NODES_MANUAL_INSTALLATION_DOCS_URL,
 	COMMUNITY_NODES_NPM_INSTALLATION_URL,
 } from '@/constants';
 import CommunityPackageCard from '@/components/CommunityPackageCard.vue';
@@ -190,7 +191,7 @@ export default defineComponent({
 			if (this.settingsStore.isQueueModeEnabled) {
 				return {
 					calloutText: this.$locale.baseText('settings.communityNodes.queueMode.warning', {
-						interpolate: { docURL: COMMUNITY_NODES_INSTALLATION_DOCS_URL },
+						interpolate: { docURL: COMMUNITY_NODES_MANUAL_INSTALLATION_DOCS_URL },
 					}),
 					calloutTheme: 'warning',
 					hideButton: true,
diff --git a/packages/editor-ui/src/views/SettingsExternalSecrets.vue b/packages/editor-ui/src/views/SettingsExternalSecrets.vue
new file mode 100644
index 0000000000000..cdd949c93fd34
--- /dev/null
+++ b/packages/editor-ui/src/views/SettingsExternalSecrets.vue
@@ -0,0 +1,75 @@
+<script lang="ts" setup>
+import { useUIStore } from '@/stores/ui.store';
+import { useI18n, useMessage, useToast } from '@/composables';
+import { useExternalSecretsStore } from '@/stores';
+import { computed, onMounted } from 'vue';
+import ExternalSecretsProviderCard from '@/components/ExternalSecretsProviderCard.ee.vue';
+import type { ExternalSecretsProvider } from '@/Interface';
+
+const i18n = useI18n();
+const uiStore = useUIStore();
+const externalSecretsStore = useExternalSecretsStore();
+const message = useMessage();
+const toast = useToast();
+
+const sortedProviders = computed(() => {
+	return ([...externalSecretsStore.providers] as ExternalSecretsProvider[]).sort((a, b) => {
+		return b.name.localeCompare(a.name);
+	});
+});
+
+onMounted(() => {
+	try {
+		void externalSecretsStore.fetchAllSecrets();
+		void externalSecretsStore.getProviders();
+	} catch (error) {
+		toast.showError(error, i18n.baseText('error'));
+	}
+});
+
+function goToUpgrade() {
+	uiStore.goToUpgrade('external-secrets', 'upgrade-external-secrets');
+}
+</script>
+
+<template>
+	<div class="pb-3xl">
+		<n8n-heading size="2xlarge">{{ i18n.baseText('settings.externalSecrets.title') }}</n8n-heading>
+		<div
+			v-if="externalSecretsStore.isEnterpriseExternalSecretsEnabled"
+			data-test-id="external-secrets-content-licensed"
+		>
+			<n8n-callout theme="secondary" class="mt-2xl mb-l">
+				{{ i18n.baseText('settings.externalSecrets.info') }}
+				<a :href="i18n.baseText('settings.externalSecrets.docs')" target="_blank">
+					{{ i18n.baseText('settings.externalSecrets.info.link') }}
+				</a>
+			</n8n-callout>
+			<ExternalSecretsProviderCard
+				v-for="provider in sortedProviders"
+				:key="provider.name"
+				:provider="provider"
+			/>
+		</div>
+		<n8n-action-box
+			v-else
+			class="mt-2xl mb-l"
+			data-test-id="external-secrets-content-unlicensed"
+			:buttonText="i18n.baseText('settings.externalSecrets.actionBox.buttonText')"
+			@click="goToUpgrade"
+		>
+			<template #heading>
+				<span>{{ i18n.baseText('settings.externalSecrets.actionBox.title') }}</span>
+			</template>
+			<template #description>
+				<i18n-t keypath="settings.externalSecrets.actionBox.description">
+					<template #link>
+						<a :href="i18n.baseText('settings.externalSecrets.docs')" target="_blank">
+							{{ i18n.baseText('settings.externalSecrets.actionBox.description.link') }}
+						</a>
+					</template>
+				</i18n-t>
+			</template>
+		</n8n-action-box>
+	</div>
+</template>
diff --git a/packages/editor-ui/src/views/SettingsPersonalView.vue b/packages/editor-ui/src/views/SettingsPersonalView.vue
index 950c609ddcdaf..90bf36a1aa865 100644
--- a/packages/editor-ui/src/views/SettingsPersonalView.vue
+++ b/packages/editor-ui/src/views/SettingsPersonalView.vue
@@ -43,6 +43,42 @@
 					}}</n8n-link>
 				</n8n-input-label>
 			</div>
+			<div v-if="isMfaFeatureEnabled">
+				<div :class="$style.mfaSection">
+					<n8n-input-label :label="$locale.baseText('settings.personal.mfa.section.title')">
+					</n8n-input-label>
+					<n8n-text :bold="false" :class="$style.infoText">
+						{{
+							mfaDisabled
+								? $locale.baseText('settings.personal.mfa.button.disabled.infobox')
+								: $locale.baseText('settings.personal.mfa.button.enabled.infobox')
+						}}
+						<n8n-link :to="mfaDocsUrl" size="small" :bold="true">
+							{{ $locale.baseText('generic.learnMore') }}
+						</n8n-link>
+					</n8n-text>
+				</div>
+				<div :class="$style.mfaButtonContainer" v-if="mfaDisabled">
+					<n8n-button
+						:class="$style.button"
+						float="left"
+						type="tertiary"
+						:label="$locale.baseText('settings.personal.mfa.button.enabled')"
+						data-test-id="enable-mfa-button"
+						@click="onMfaEnableClick"
+					/>
+				</div>
+				<div v-else>
+					<n8n-button
+						:class="$style.disableMfaButton"
+						float="left"
+						type="tertiary"
+						:label="$locale.baseText('settings.personal.mfa.button.disabled')"
+						data-test-id="disable-mfa-button"
+						@click="onMfaDisableClick"
+					/>
+				</div>
+			</div>
 		</div>
 		<div>
 			<n8n-button
@@ -59,8 +95,8 @@
 
 <script lang="ts">
 import { useI18n, useToast } from '@/composables';
-import { CHANGE_PASSWORD_MODAL_KEY } from '@/constants';
 import type { IFormInputs, IUser } from '@/Interface';
+import { CHANGE_PASSWORD_MODAL_KEY, MFA_DOCS_URL, MFA_SETUP_MODAL_KEY } from '@/constants';
 import { useUIStore } from '@/stores/ui.store';
 import { useUsersStore } from '@/stores/users.store';
 import { useSettingsStore } from '@/stores/settings.store';
@@ -84,6 +120,7 @@ export default defineComponent({
 			formInputs: null as null | IFormInputs,
 			formBus: createEventBus(),
 			readyToSubmit: false,
+			mfaDocsUrl: MFA_DOCS_URL,
 		};
 	},
 	mounted() {
@@ -143,6 +180,12 @@ export default defineComponent({
 				this.settingsStore.isSamlLoginEnabled && this.settingsStore.isDefaultAuthenticationSaml
 			);
 		},
+		mfaDisabled(): boolean {
+			return !this.usersStore.mfaEnabled;
+		},
+		isMfaFeatureEnabled(): boolean {
+			return this.settingsStore.isMfaFeatureEnabled;
+		},
 	},
 	methods: {
 		onInput() {
@@ -178,6 +221,25 @@ export default defineComponent({
 		openPasswordModal() {
 			this.uiStore.openModal(CHANGE_PASSWORD_MODAL_KEY);
 		},
+		onMfaEnableClick() {
+			this.uiStore.openModal(MFA_SETUP_MODAL_KEY);
+		},
+		async onMfaDisableClick() {
+			try {
+				await this.usersStore.disabledMfa();
+				this.showToast({
+					title: this.$locale.baseText('settings.personal.mfa.toast.disabledMfa.title'),
+					message: this.$locale.baseText('settings.personal.mfa.toast.disabledMfa.message'),
+					type: 'success',
+					duration: 0,
+				});
+			} catch (e) {
+				this.showError(
+					e,
+					this.$locale.baseText('settings.personal.mfa.toast.disabledMfa.error.message'),
+				);
+			}
+		},
 	},
 });
 </script>
@@ -194,7 +256,6 @@ export default defineComponent({
 	display: flex;
 	align-items: center;
 	white-space: nowrap;
-
 	*:first-child {
 		flex-grow: 1;
 	}
@@ -220,7 +281,36 @@ export default defineComponent({
 	}
 }
 
+.disableMfaButton {
+	--button-color: var(--color-danger);
+	margin-top: var(--spacing-2xs);
+	> span {
+		font-weight: var(--font-weight-bold);
+	}
+}
+
+.button {
+	font-size: var(--spacing-xs);
+	> span {
+		font-weight: var(--font-weight-bold);
+	}
+}
+
+.mfaSection {
+	margin-top: var(--spacing-l);
+}
+
+.infoText {
+	font-size: var(--font-size-2xs);
+	color: var(--color-text-light);
+}
+
 .sectionHeader {
+	margin-top: var(--spacing-2xl);
 	margin-bottom: var(--spacing-s);
 }
+
+.mfaButtonContainer {
+	margin-top: var(--spacing-2xs);
+}
 </style>
diff --git a/packages/editor-ui/src/views/SigninView.vue b/packages/editor-ui/src/views/SigninView.vue
index 4071a6c486658..e1df9a6025da1 100644
--- a/packages/editor-ui/src/views/SigninView.vue
+++ b/packages/editor-ui/src/views/SigninView.vue
@@ -1,29 +1,43 @@
 <template>
-	<AuthView
-		:form="FORM_CONFIG"
-		:formLoading="loading"
-		:with-sso="true"
-		data-test-id="signin-form"
-		@submit="onSubmit"
-	/>
+	<div>
+		<AuthView
+			v-if="!showMfaView"
+			:form="FORM_CONFIG"
+			:formLoading="loading"
+			:with-sso="true"
+			data-test-id="signin-form"
+			@submit="onEmailPasswordSubmitted"
+		/>
+		<MfaView
+			v-if="showMfaView"
+			@submit="onMFASubmitted"
+			@onBackClick="onBackClick"
+			@onFormChanged="onFormChanged"
+			:reportError="reportError"
+		/>
+	</div>
 </template>
 
 <script lang="ts">
 import { defineComponent } from 'vue';
 import AuthView from './AuthView.vue';
+import MfaView from './MfaView.vue';
 import { useToast } from '@/composables';
-
 import type { IFormBoxConfig } from '@/Interface';
-import { VIEWS } from '@/constants';
+import { MFA_AUTHENTICATION_REQUIRED_ERROR_CODE, VIEWS } from '@/constants';
 import { mapStores } from 'pinia';
 import { useUsersStore } from '@/stores/users.store';
 import { useSettingsStore } from '@/stores/settings.store';
 import { useCloudPlanStore, useUIStore } from '@/stores';
+import { genericHelpers } from '@/mixins/genericHelpers';
+import { FORM } from './MfaView.vue';
 
 export default defineComponent({
 	name: 'SigninView',
+	mixins: [genericHelpers],
 	components: {
 		AuthView,
+		MfaView,
 	},
 	setup() {
 		return {
@@ -34,10 +48,17 @@ export default defineComponent({
 		return {
 			FORM_CONFIG: {} as IFormBoxConfig,
 			loading: false,
+			showMfaView: false,
+			email: '',
+			password: '',
+			reportError: false,
 		};
 	},
 	computed: {
 		...mapStores(useUsersStore, useSettingsStore, useUIStore, useCloudPlanStore),
+		userHasMfaEnabled() {
+			return !!this.usersStore.currentUser?.mfaEnabled;
+		},
 	},
 	mounted() {
 		let emailLabel = this.$locale.baseText('auth.email');
@@ -84,31 +105,94 @@ export default defineComponent({
 		}
 	},
 	methods: {
-		async onSubmit(values: { [key: string]: string }) {
+		async onMFASubmitted(form: { token?: string; recoveryCode?: string }) {
+			await this.login({
+				email: this.email,
+				password: this.password,
+				token: form.token,
+				recoveryCode: form.recoveryCode,
+			});
+		},
+		async onEmailPasswordSubmitted(form: { email: string; password: string }) {
+			await this.login(form);
+		},
+		async login(form: { email: string; password: string; token?: string; recoveryCode?: string }) {
 			try {
 				this.loading = true;
-				await this.usersStore.loginWithCreds(values as { email: string; password: string });
+				await this.usersStore.loginWithCreds({
+					email: form.email,
+					password: form.password,
+					mfaToken: form.token,
+					mfaRecoveryCode: form.recoveryCode,
+				});
+				this.loading = false;
 				await this.cloudPlanStore.checkForCloudPlanData();
 				await this.uiStore.initBanners();
 				this.clearAllStickyNotifications();
-				this.loading = false;
+				this.checkRecoveryCodesLeft();
 
-				if (typeof this.$route.query.redirect === 'string') {
-					const redirect = decodeURIComponent(this.$route.query.redirect);
-					if (redirect.startsWith('/')) {
-						// protect against phishing
-						void this.$router.push(redirect);
+				this.$telemetry.track('User attempted to login', {
+					result: this.showMfaView ? 'mfa_success' : 'success',
+				});
 
-						return;
-					}
+				if (this.isRedirectSafe()) {
+					const redirect = this.getRedirectQueryParameter();
+					void this.$router.push(redirect);
+					return;
 				}
 
 				await this.$router.push({ name: VIEWS.HOMEPAGE });
 			} catch (error) {
-				this.showError(error, this.$locale.baseText('auth.signin.error'));
+				if (error.errorCode === MFA_AUTHENTICATION_REQUIRED_ERROR_CODE) {
+					this.showMfaView = true;
+					this.cacheCredentials(form);
+					return;
+				}
+
+				this.$telemetry.track('User attempted to login', {
+					result: this.showMfaView ? 'mfa_token_rejected' : 'credentials_error',
+				});
+
+				if (!this.showMfaView) {
+					this.showError(error, this.$locale.baseText('auth.signin.error'));
+					this.loading = false;
+					return;
+				}
+
+				this.reportError = true;
+			}
+		},
+		onBackClick(fromForm: string) {
+			this.reportError = false;
+			if (fromForm === FORM.MFA_TOKEN) {
+				this.showMfaView = false;
 				this.loading = false;
 			}
 		},
+		onFormChanged(toForm: string) {
+			if (toForm === FORM.MFA_RECOVERY_CODE) {
+				this.reportError = false;
+			}
+		},
+		cacheCredentials(form: { email: string; password: string }) {
+			this.email = form.email;
+			this.password = form.password;
+		},
+		checkRecoveryCodesLeft() {
+			if (this.usersStore.currentUser) {
+				const { hasRecoveryCodesLeft, mfaEnabled } = this.usersStore.currentUser;
+
+				if (mfaEnabled && !hasRecoveryCodesLeft) {
+					this.showToast({
+						title: this.$locale.baseText('settings.mfa.toast.noRecoveryCodeLeft.title'),
+						message: this.$locale.baseText('settings.mfa.toast.noRecoveryCodeLeft.message'),
+						type: 'info',
+						duration: 0,
+						dangerouslyUseHTMLString: true,
+					});
+				}
+			}
+		},
 	},
 });
 </script>
diff --git a/packages/editor-ui/src/views/__tests__/SettingsExternalSecrets.test.ts b/packages/editor-ui/src/views/__tests__/SettingsExternalSecrets.test.ts
new file mode 100644
index 0000000000000..d6969d526131d
--- /dev/null
+++ b/packages/editor-ui/src/views/__tests__/SettingsExternalSecrets.test.ts
@@ -0,0 +1,60 @@
+import { createTestingPinia } from '@pinia/testing';
+import { merge } from 'lodash-es';
+import { EnterpriseEditionFeature, STORES } from '@/constants';
+import { SETTINGS_STORE_DEFAULT_STATE } from '@/__tests__/utils';
+import SettingsExternalSecrets from '@/views/SettingsExternalSecrets.vue';
+import { useExternalSecretsStore } from '@/stores/externalSecrets.ee.store';
+import { createComponentRenderer } from '@/__tests__/render';
+import { useSettingsStore } from '@/stores';
+import { setupServer } from '@/__tests__/server';
+
+let pinia: ReturnType<typeof createTestingPinia>;
+let externalSecretsStore: ReturnType<typeof useExternalSecretsStore>;
+let settingsStore: ReturnType<typeof useSettingsStore>;
+let server: ReturnType<typeof setupServer>;
+
+const renderComponent = createComponentRenderer(SettingsExternalSecrets);
+
+describe('SettingsExternalSecrets', () => {
+	beforeAll(() => {
+		server = setupServer();
+	});
+
+	beforeEach(async () => {
+		pinia = createTestingPinia({
+			initialState: {
+				[STORES.SETTINGS]: {
+					settings: merge({}, SETTINGS_STORE_DEFAULT_STATE.settings),
+				},
+			},
+		});
+		externalSecretsStore = useExternalSecretsStore(pinia);
+		settingsStore = useSettingsStore();
+
+		await settingsStore.getSettings();
+	});
+
+	afterEach(() => {
+		vi.clearAllMocks();
+	});
+
+	afterAll(() => {
+		server.shutdown();
+	});
+
+	it('should render paywall state when there is no license', () => {
+		const { getByTestId, queryByTestId } = renderComponent({ pinia });
+
+		expect(queryByTestId('external-secrets-content-licensed')).not.toBeInTheDocument();
+		expect(getByTestId('external-secrets-content-unlicensed')).toBeInTheDocument();
+	});
+
+	it('should render licensed content', () => {
+		settingsStore.settings.enterprise[EnterpriseEditionFeature.ExternalSecrets] = true;
+
+		const { getByTestId, queryByTestId } = renderComponent({ pinia });
+
+		expect(getByTestId('external-secrets-content-licensed')).toBeInTheDocument();
+		expect(queryByTestId('external-secrets-content-unlicensed')).not.toBeInTheDocument();
+	});
+});
diff --git a/packages/node-dev/package.json b/packages/node-dev/package.json
index 601d891535577..cc3f17e28736c 100644
--- a/packages/node-dev/package.json
+++ b/packages/node-dev/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-node-dev",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "CLI to simplify n8n credentials/node development",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
diff --git a/packages/nodes-base/nodes/AgileCrm/AgileCrm.node.ts b/packages/nodes-base/nodes/AgileCrm/AgileCrm.node.ts
index 51d32d3d662ae..27fc4689f17e2 100644
--- a/packages/nodes-base/nodes/AgileCrm/AgileCrm.node.ts
+++ b/packages/nodes-base/nodes/AgileCrm/AgileCrm.node.ts
@@ -298,12 +298,16 @@ export class AgileCrm implements INodeType {
 								} as IDataObject);
 							}
 
-							if (additionalFields.address) {
-								properties.push({
-									type: 'SYSTEM',
-									name: 'address',
-									value: additionalFields.address as string,
-								} as IDataObject);
+							if (additionalFields.addressOptions) {
+								//@ts-ignore
+								additionalFields.addressOptions.addressProperties.map((property) => {
+									properties.push({
+										type: 'SYSTEM',
+										subtype: property.subtype as string,
+										name: 'address',
+										value: property.address as string,
+									} as IDataObject);
+								});
 							}
 
 							if (additionalFields.phone) {
@@ -313,6 +317,14 @@ export class AgileCrm implements INodeType {
 									value: additionalFields.phone as string,
 								} as IDataObject);
 							}
+
+							if (additionalFields.name) {
+								properties.push({
+									type: 'SYSTEM',
+									name: 'name',
+									value: additionalFields.name as string,
+								} as IDataObject);
+							}
 						}
 
 						if (additionalFields.websiteOptions) {
@@ -321,7 +333,7 @@ export class AgileCrm implements INodeType {
 								properties.push({
 									type: 'SYSTEM',
 									subtype: property.subtype as string,
-									name: 'webiste',
+									name: 'website',
 									value: property.url as string,
 								} as IDataObject);
 							});
@@ -450,12 +462,16 @@ export class AgileCrm implements INodeType {
 								} as IDataObject);
 							}
 
-							if (additionalFields.address) {
-								properties.push({
-									type: 'SYSTEM',
-									name: 'address',
-									value: additionalFields.address as string,
-								} as IDataObject);
+							if (additionalFields.addressOptions) {
+								//@ts-ignore
+								additionalFields.addressOptions.addressProperties.map((property) => {
+									properties.push({
+										type: 'SYSTEM',
+										subtype: property.subtype as string,
+										name: 'address',
+										value: property.address as string,
+									} as IDataObject);
+								});
 							}
 
 							if (additionalFields.phone) {
@@ -473,11 +489,18 @@ export class AgileCrm implements INodeType {
 								properties.push({
 									type: 'SYSTEM',
 									subtype: property.subtype as string,
-									name: 'webiste',
+									name: 'website',
 									value: property.url as string,
 								} as IDataObject);
 							});
 						}
+						if (additionalFields.name) {
+							properties.push({
+								type: 'SYSTEM',
+								name: 'name',
+								value: additionalFields.name as string,
+							} as IDataObject);
+						}
 						if (additionalFields.customProperties) {
 							//@ts-ignore
 							additionalFields.customProperties.customProperty.map((property) => {
diff --git a/packages/nodes-base/nodes/AgileCrm/CompanyDescription.ts b/packages/nodes-base/nodes/AgileCrm/CompanyDescription.ts
index dc30e3e00d8c5..97ac7aa72ae76 100644
--- a/packages/nodes-base/nodes/AgileCrm/CompanyDescription.ts
+++ b/packages/nodes-base/nodes/AgileCrm/CompanyDescription.ts
@@ -379,11 +379,47 @@ export const companyFields: INodeProperties[] = [
 		options: [
 			{
 				displayName: 'Address',
-				name: 'email',
-				type: 'string',
-				placeholder: 'name@email.com',
-				default: '',
+				name: 'addressOptions',
+				type: 'fixedCollection',
+				default: {},
 				description: 'Company address',
+				typeOptions: {
+					multipleValues: true,
+				},
+				options: [
+					{
+						displayName: 'Address Properties',
+						name: 'addressProperties',
+						values: [
+							{
+								displayName: 'Type',
+								name: 'subtype',
+								type: 'options',
+								required: true,
+								default: '',
+								description: 'Type of address',
+								options: [
+									{
+										name: 'Postal',
+										value: 'postal',
+									},
+									{
+										name: 'Office',
+										value: 'office',
+									},
+								],
+							},
+							{
+								displayName: 'Address',
+								name: 'address',
+								type: 'string',
+								required: true,
+								default: '',
+								description: 'Full address',
+							},
+						],
+					},
+				],
 			},
 			{
 				displayName: 'Email',
@@ -655,11 +691,47 @@ export const companyFields: INodeProperties[] = [
 		options: [
 			{
 				displayName: 'Address',
-				name: 'email',
-				type: 'string',
-				placeholder: 'name@email.com',
-				default: '',
+				name: 'addressOptions',
+				type: 'fixedCollection',
+				default: {},
 				description: 'Company address',
+				typeOptions: {
+					multipleValues: true,
+				},
+				options: [
+					{
+						displayName: 'Address Properties',
+						name: 'addressProperties',
+						values: [
+							{
+								displayName: 'Type',
+								name: 'subtype',
+								type: 'options',
+								required: true,
+								default: '',
+								description: 'Type of address',
+								options: [
+									{
+										name: 'Postal',
+										value: 'postal',
+									},
+									{
+										name: 'Office',
+										value: 'office',
+									},
+								],
+							},
+							{
+								displayName: 'Address',
+								name: 'address',
+								type: 'string',
+								required: true,
+								default: '',
+								description: 'Full address',
+							},
+						],
+					},
+				],
 			},
 			{
 				displayName: 'Email',
diff --git a/packages/nodes-base/nodes/Code/Code.node.ts b/packages/nodes-base/nodes/Code/Code.node.ts
index 0b772ddda1ae3..753cce116be2f 100644
--- a/packages/nodes-base/nodes/Code/Code.node.ts
+++ b/packages/nodes-base/nodes/Code/Code.node.ts
@@ -13,6 +13,8 @@ import { PythonSandbox } from './PythonSandbox';
 import { getSandboxContext } from './Sandbox';
 import { standardizeOutput } from './utils';
 
+const { CODE_ENABLE_STDOUT } = process.env;
+
 export class Code implements INodeType {
 	description: INodeTypeDescription = {
 		displayName: 'Code',
@@ -114,8 +116,10 @@ export class Code implements INodeType {
 				'output',
 				workflowMode === 'manual'
 					? this.sendMessageToUI
-					: (...args) =>
-							console.log(`[Workflow "${this.getWorkflow().id}"][Node "${node.name}"]`, ...args),
+					: CODE_ENABLE_STDOUT === 'true'
+					? (...args) =>
+							console.log(`[Workflow "${this.getWorkflow().id}"][Node "${node.name}"]`, ...args)
+					: () => {},
 			);
 			return sandbox;
 		};
diff --git a/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts b/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
index ce52de42324d8..e15a37b73ae6a 100644
--- a/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
+++ b/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
@@ -1,4 +1,4 @@
-import { NodeVM, makeResolverFromLegacyOptions } from 'vm2';
+import { NodeVM, makeResolverFromLegacyOptions } from '@n8n/vm2';
 import type { IExecuteFunctions, INodeExecutionData } from 'n8n-workflow';
 
 import { ValidationError } from './ValidationError';
diff --git a/packages/nodes-base/nodes/Code/test/Code.node.test.ts b/packages/nodes-base/nodes/Code/test/Code.node.test.ts
index 04318b056ef76..7c47a0a5632f0 100644
--- a/packages/nodes-base/nodes/Code/test/Code.node.test.ts
+++ b/packages/nodes-base/nodes/Code/test/Code.node.test.ts
@@ -1,5 +1,5 @@
 import { anyNumber, mock } from 'jest-mock-extended';
-import { NodeVM } from 'vm2';
+import { NodeVM } from '@n8n/vm2';
 import type { IExecuteFunctions, IWorkflowDataProxyData } from 'n8n-workflow';
 import { NodeHelpers } from 'n8n-workflow';
 import { normalizeItems } from 'n8n-core';
diff --git a/packages/nodes-base/nodes/DateTime/V2/DateTimeV2.node.ts b/packages/nodes-base/nodes/DateTime/V2/DateTimeV2.node.ts
index 0f680fe521472..fd36d4623fdfa 100644
--- a/packages/nodes-base/nodes/DateTime/V2/DateTimeV2.node.ts
+++ b/packages/nodes-base/nodes/DateTime/V2/DateTimeV2.node.ts
@@ -134,18 +134,24 @@ export class DateTimeV2 implements INodeType {
 				const outputFieldName = this.getNodeParameter('outputFieldName', i) as string;
 				const { timezone } = this.getNodeParameter('options', i) as { timezone: boolean };
 
-				const dateLuxon = timezone
-					? parseDate.call(this, date, workflowTimezone)
-					: parseDate.call(this, date);
-				if (format === 'custom') {
-					const customFormat = this.getNodeParameter('customFormat', i) as string;
+				if (date === null || date === undefined) {
 					responseData.push({
-						[outputFieldName]: dateLuxon.toFormat(customFormat),
+						[outputFieldName]: date,
 					});
 				} else {
-					responseData.push({
-						[outputFieldName]: dateLuxon.toFormat(format),
-					});
+					const dateLuxon = timezone
+						? parseDate.call(this, date, workflowTimezone)
+						: parseDate.call(this, date);
+					if (format === 'custom') {
+						const customFormat = this.getNodeParameter('customFormat', i) as string;
+						responseData.push({
+							[outputFieldName]: dateLuxon.toFormat(customFormat),
+						});
+					} else {
+						responseData.push({
+							[outputFieldName]: dateLuxon.toFormat(format),
+						});
+					}
 				}
 			} else if (operation === 'roundDate') {
 				const date = this.getNodeParameter('date', i) as string;
diff --git a/packages/nodes-base/nodes/DateTime/test/node/workflow.nullDate_v2.json b/packages/nodes-base/nodes/DateTime/test/node/workflow.nullDate_v2.json
new file mode 100644
index 0000000000000..a1c3a440ca902
--- /dev/null
+++ b/packages/nodes-base/nodes/DateTime/test/node/workflow.nullDate_v2.json
@@ -0,0 +1,93 @@
+{
+    "name": "Null Date",
+    "nodes": [
+      {
+        "parameters": {},
+        "id": "62bb450c-f2e3-41c9-9894-a954d2c5e115",
+        "name": "When clicking \"Execute Workflow\"",
+        "type": "n8n-nodes-base.manualTrigger",
+        "typeVersion": 1,
+        "position": [
+          1600,
+          740
+        ]
+      },
+      {
+        "parameters": {
+          "jsCode": "return {date: null}"
+        },
+        "id": "47e4ce5b-2365-4987-a058-ae21964d135d",
+        "name": "Code",
+        "type": "n8n-nodes-base.code",
+        "typeVersion": 2,
+        "position": [
+          1820,
+          740
+        ]
+      },
+      {
+        "parameters": {
+          "operation": "formatDate",
+          "date": "={{ $json.date }}",
+          "options": {}
+        },
+        "id": "9af21b91-9db6-40cd-98ee-ee969eb0a348",
+        "name": "Date & Time",
+        "type": "n8n-nodes-base.dateTime",
+        "typeVersion": 2,
+        "position": [
+          2040,
+          740
+        ]
+      }
+    ],
+    "pinData": {
+      "Date & Time": [
+        {
+          "json": {
+            "formattedDate": null
+          }
+        }
+      ],
+      "Code": [
+        {
+          "json": {
+            "date": null
+          }
+        }
+      ]
+    },
+    "connections": {
+      "When clicking \"Execute Workflow\"": {
+        "main": [
+          [
+            {
+              "node": "Code",
+              "type": "main",
+              "index": 0
+            }
+          ]
+        ]
+      },
+      "Code": {
+        "main": [
+          [
+            {
+              "node": "Date & Time",
+              "type": "main",
+              "index": 0
+            }
+          ]
+        ]
+      }
+    },
+    "active": false,
+    "settings": {
+      "executionOrder": "v1"
+    },
+    "versionId": "",
+    "meta": {
+      "instanceId": "78577815012af39cf16dad7a787b0898c42fb7514b8a7f99b2136862c2af502c"
+    },
+    "tags": []
+  }
diff --git a/packages/nodes-base/nodes/Function/Function.node.ts b/packages/nodes-base/nodes/Function/Function.node.ts
index e823ba1763b94..769c12fcec5ab 100644
--- a/packages/nodes-base/nodes/Function/Function.node.ts
+++ b/packages/nodes-base/nodes/Function/Function.node.ts
@@ -1,5 +1,5 @@
-import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
+import type { NodeVMOptions } from '@n8n/vm2';
+import { NodeVM } from '@n8n/vm2';
 import type {
 	IExecuteFunctions,
 	IBinaryKeyData,
diff --git a/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts b/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
index eee5035456dcb..6733a2b36d637 100644
--- a/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
+++ b/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
@@ -1,6 +1,6 @@
 /* eslint-disable @typescript-eslint/no-loop-func */
-import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
+import type { NodeVMOptions } from '@n8n/vm2';
+import { NodeVM } from '@n8n/vm2';
 import type {
 	IExecuteFunctions,
 	IBinaryKeyData,
diff --git a/packages/nodes-base/nodes/ItemLists/V1/ItemListsV1.node.ts b/packages/nodes-base/nodes/ItemLists/V1/ItemListsV1.node.ts
index 1684b71642785..1630756e2bda3 100644
--- a/packages/nodes-base/nodes/ItemLists/V1/ItemListsV1.node.ts
+++ b/packages/nodes-base/nodes/ItemLists/V1/ItemListsV1.node.ts
@@ -1,6 +1,3 @@
-import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
-
 import type {
 	IDataObject,
 	IExecuteFunctions,
@@ -61,6 +58,7 @@ const shuffleArray = (array: any[]) => {
 };
 
 import * as summarize from './summarize.operation';
+import { sortByCode } from '../V3/helpers/utils';
 
 export class ItemListsV1 implements INodeType {
 	description: INodeTypeDescription;
@@ -1369,36 +1367,7 @@ return 0;`,
 						return result;
 					});
 				} else {
-					const code = this.getNodeParameter('code', 0) as string;
-					const regexCheck = /\breturn\b/g.exec(code);
-
-					if (regexCheck?.length) {
-						const sandbox = {
-							newItems,
-						};
-						const mode = this.getMode();
-						const options = {
-							console: mode === 'manual' ? 'redirect' : 'inherit',
-							sandbox,
-						};
-						const vm = new NodeVM(options as unknown as NodeVMOptions);
-
-						newItems = await vm.run(
-							`
-						module.exports = async function() {
-							newItems.sort( (a,b) => {
-								${code}
-							})
-							return newItems;
-						}()`,
-							__dirname,
-						);
-					} else {
-						throw new NodeOperationError(
-							this.getNode(),
-							"Sort code doesn't return. Please add a 'return' statement to your code",
-						);
-					}
+					newItems = sortByCode.call(this, newItems);
 				}
 				return this.prepareOutputData(newItems);
 			} else if (operation === 'limit') {
diff --git a/packages/nodes-base/nodes/ItemLists/V2/ItemListsV2.node.ts b/packages/nodes-base/nodes/ItemLists/V2/ItemListsV2.node.ts
index d2d952218f768..23c14a156f668 100644
--- a/packages/nodes-base/nodes/ItemLists/V2/ItemListsV2.node.ts
+++ b/packages/nodes-base/nodes/ItemLists/V2/ItemListsV2.node.ts
@@ -1,6 +1,3 @@
-import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
-
 import type {
 	IDataObject,
 	IExecuteFunctions,
@@ -61,6 +58,7 @@ const shuffleArray = (array: any[]) => {
 };
 
 import * as summarize from './summarize.operation';
+import { sortByCode } from '../V3/helpers/utils';
 
 export class ItemListsV2 implements INodeType {
 	description: INodeTypeDescription;
@@ -1409,36 +1407,7 @@ return 0;`,
 						return result;
 					});
 				} else {
-					const code = this.getNodeParameter('code', 0) as string;
-					const regexCheck = /\breturn\b/g.exec(code);
-
-					if (regexCheck?.length) {
-						const sandbox = {
-							newItems,
-						};
-						const mode = this.getMode();
-						const options = {
-							console: mode === 'manual' ? 'redirect' : 'inherit',
-							sandbox,
-						};
-						const vm = new NodeVM(options as unknown as NodeVMOptions);
-
-						newItems = await vm.run(
-							`
-						module.exports = async function() {
-							newItems.sort( (a,b) => {
-								${code}
-							})
-							return newItems;
-						}()`,
-							__dirname,
-						);
-					} else {
-						throw new NodeOperationError(
-							this.getNode(),
-							"Sort code doesn't return. Please add a 'return' statement to your code",
-						);
-					}
+					newItems = sortByCode.call(this, newItems);
 				}
 				return this.prepareOutputData(newItems);
 			} else if (operation === 'limit') {
diff --git a/packages/nodes-base/nodes/ItemLists/V3/actions/itemList/sort.operation.ts b/packages/nodes-base/nodes/ItemLists/V3/actions/itemList/sort.operation.ts
index 6d497253d8fc1..fc67372aa302e 100644
--- a/packages/nodes-base/nodes/ItemLists/V3/actions/itemList/sort.operation.ts
+++ b/packages/nodes-base/nodes/ItemLists/V3/actions/itemList/sort.operation.ts
@@ -7,15 +7,12 @@ import type {
 import { NodeOperationError } from 'n8n-workflow';
 import { updateDisplayOptions } from '@utils/utilities';
 
-import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
-
 import get from 'lodash/get';
 
 import isEqual from 'lodash/isEqual';
 import lt from 'lodash/lt';
 
-import { shuffleArray } from '../../helpers/utils';
+import { shuffleArray, sortByCode } from '../../helpers/utils';
 import { disableDotNotationBoolean } from '../common.descriptions';
 
 const properties: INodeProperties[] = [
@@ -272,36 +269,7 @@ export async function execute(
 			return result;
 		});
 	} else {
-		const code = this.getNodeParameter('code', 0) as string;
-		const regexCheck = /\breturn\b/g.exec(code);
-
-		if (regexCheck?.length) {
-			const sandbox = {
-				newItems: returnData,
-			};
-			const mode = this.getMode();
-			const options = {
-				console: mode === 'manual' ? 'redirect' : 'inherit',
-				sandbox,
-			};
-			const vm = new NodeVM(options as unknown as NodeVMOptions);
-
-			returnData = await vm.run(
-				`
-			module.exports = async function() {
-				newItems.sort( (a,b) => {
-					${code}
-				})
-				return newItems;
-			}()`,
-				__dirname,
-			);
-		} else {
-			throw new NodeOperationError(
-				this.getNode(),
-				"Sort code doesn't return. Please add a 'return' statement to your code",
-			);
-		}
+		returnData = sortByCode.call(this, returnData);
 	}
 	return returnData;
 }
diff --git a/packages/nodes-base/nodes/ItemLists/V3/helpers/utils.ts b/packages/nodes-base/nodes/ItemLists/V3/helpers/utils.ts
index 60600eb8d638b..94ba6a2db8695 100644
--- a/packages/nodes-base/nodes/ItemLists/V3/helpers/utils.ts
+++ b/packages/nodes-base/nodes/ItemLists/V3/helpers/utils.ts
@@ -1,4 +1,11 @@
-import type { IDataObject, INode, INodeExecutionData } from 'n8n-workflow';
+import { NodeVM } from '@n8n/vm2';
+import {
+	NodeOperationError,
+	type IDataObject,
+	type IExecuteFunctions,
+	type INode,
+	type INodeExecutionData,
+} from 'n8n-workflow';
 
 import get from 'lodash/get';
 import isEqual from 'lodash/isEqual';
@@ -57,3 +64,26 @@ export const prepareFieldsArray = (fields: string | string[], fieldName = 'Field
 		`The \'${fieldName}\' parameter must be a string of fields separated by commas or an array of strings.`,
 	);
 };
+
+const returnRegExp = /\breturn\b/g;
+
+export function sortByCode(
+	this: IExecuteFunctions,
+	items: INodeExecutionData[],
+): INodeExecutionData[] {
+	const code = this.getNodeParameter('code', 0) as string;
+	if (!returnRegExp.test(code)) {
+		throw new NodeOperationError(
+			this.getNode(),
+			"Sort code doesn't return. Please add a 'return' statement to your code",
+		);
+	}
+
+	const mode = this.getMode();
+	const vm = new NodeVM({
+		console: mode === 'manual' ? 'redirect' : 'inherit',
+		sandbox: { items },
+	});
+
+	return vm.run(`module.exports = items.sort((a, b) => { ${code} })`);
+}
diff --git a/packages/nodes-base/nodes/Microsoft/Excel/v2/methods/listSearch.ts b/packages/nodes-base/nodes/Microsoft/Excel/v2/methods/listSearch.ts
index 031c3e07d5596..b47d49c3c241c 100644
--- a/packages/nodes-base/nodes/Microsoft/Excel/v2/methods/listSearch.ts
+++ b/packages/nodes-base/nodes/Microsoft/Excel/v2/methods/listSearch.ts
@@ -11,7 +11,10 @@ export async function searchWorkbooks(
 	filter?: string,
 	paginationToken?: string,
 ): Promise<INodeListSearchResult> {
-	const q = filter ? encodeURI(`.xlsx AND ${filter}`) : '.xlsx';
+	const fileExtensions = ['.xlsx', '.xlsm', '.xlst'];
+	const extensionFilter = fileExtensions.join(' OR ');
+
+	const q = filter || extensionFilter;
 
 	let response: IDataObject = {};
 
@@ -37,10 +40,22 @@ export async function searchWorkbooks(
 		);
 	}
 
+	if (response.value && filter) {
+		response.value = (response.value as IDataObject[]).filter((workbook: IDataObject) => {
+			return fileExtensions.some((extension) => (workbook.name as string).includes(extension));
+		});
+	}
+
 	return {
 		results: (response.value as IDataObject[]).map((workbook: IDataObject) => {
+			for (const extension of fileExtensions) {
+				if ((workbook.name as string).includes(extension)) {
+					workbook.name = (workbook.name as string).replace(extension, '');
+					break;
+				}
+			}
 			return {
-				name: (workbook.name as string).replace('.xlsx', ''),
+				name: workbook.name as string,
 				value: workbook.id as string,
 				url: workbook.webUrl as string,
 			};
diff --git a/packages/nodes-base/nodes/MongoDb/GenericFunctions.ts b/packages/nodes-base/nodes/MongoDb/GenericFunctions.ts
index 2d485c2fea2da..1be13325373ad 100644
--- a/packages/nodes-base/nodes/MongoDb/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/MongoDb/GenericFunctions.ts
@@ -6,15 +6,15 @@ import type {
 } from 'n8n-workflow';
 import { NodeOperationError } from 'n8n-workflow';
 
+import get from 'lodash/get';
+import set from 'lodash/set';
+import { ObjectId } from 'mongodb';
 import type {
 	IMongoCredentials,
 	IMongoCredentialsType,
 	IMongoParametricCredentials,
 } from './mongoDb.types';
 
-import get from 'lodash/get';
-import set from 'lodash/set';
-
 /**
  * Standard way of building the MongoDB connection string, unless overridden with a provided string
  *
@@ -129,3 +129,14 @@ export function prepareFields(fields: string) {
 		.map((field) => field.trim())
 		.filter((field) => !!field);
 }
+
+export function stringifyObjectIDs(items: IDataObject[]) {
+	items.forEach((item) => {
+		if (item._id instanceof ObjectId) {
+			item._id = item._id.toString();
+		}
+		if (item.id instanceof ObjectId) {
+			item.id = item.id.toString();
+		}
+	});
+}
diff --git a/packages/nodes-base/nodes/MongoDb/MongoDb.node.ts b/packages/nodes-base/nodes/MongoDb/MongoDb.node.ts
index 5bf7c723d2b7a..cd7b72798bc30 100644
--- a/packages/nodes-base/nodes/MongoDb/MongoDb.node.ts
+++ b/packages/nodes-base/nodes/MongoDb/MongoDb.node.ts
@@ -11,15 +11,6 @@ import type {
 } from 'n8n-workflow';
 import { NodeOperationError } from 'n8n-workflow';
 
-import { nodeDescription } from './MongoDbDescription';
-
-import {
-	buildParameterizedConnString,
-	prepareFields,
-	prepareItems,
-	validateAndResolveMongoCredentials,
-} from './GenericFunctions';
-
 import type {
 	FindOneAndReplaceOptions,
 	FindOneAndUpdateOptions,
@@ -27,11 +18,40 @@ import type {
 	Sort,
 } from 'mongodb';
 import { MongoClient, ObjectId } from 'mongodb';
+import { nodeProperties } from './MongoDbProperties';
+
+import {
+	buildParameterizedConnString,
+	prepareFields,
+	prepareItems,
+	stringifyObjectIDs,
+	validateAndResolveMongoCredentials,
+} from './GenericFunctions';
 
 import type { IMongoParametricCredentials } from './mongoDb.types';
 
 export class MongoDb implements INodeType {
-	description: INodeTypeDescription = nodeDescription;
+	description: INodeTypeDescription = {
+		displayName: 'MongoDB',
+		name: 'mongoDb',
+		icon: 'file:mongodb.svg',
+		group: ['input'],
+		version: 1,
+		description: 'Find, insert and update documents in MongoDB',
+		defaults: {
+			name: 'MongoDB',
+		},
+		inputs: ['main'],
+		outputs: ['main'],
+		credentials: [
+			{
+				name: 'mongoDb',
+				required: true,
+				testedBy: 'mongoDbCredentialTest',
+			},
+		],
+		properties: nodeProperties,
+	};
 
 	methods = {
 		credentialTest: {
@@ -65,7 +85,7 @@ export class MongoDb implements INodeType {
 				} catch (error) {
 					return {
 						status: 'Error',
-						message: error.message,
+						message: (error as Error).message,
 					};
 				}
 				return {
@@ -98,15 +118,17 @@ export class MongoDb implements INodeType {
 			// ----------------------------------
 
 			try {
-				const queryParameter = JSON.parse(this.getNodeParameter('query', 0) as string);
+				const queryParameter = JSON.parse(
+					this.getNodeParameter('query', 0) as string,
+				) as IDataObject;
 
 				if (queryParameter._id && typeof queryParameter._id === 'string') {
-					queryParameter._id = new ObjectId(queryParameter._id as string);
+					queryParameter._id = new ObjectId(queryParameter._id);
 				}
 
 				const query = mdb
 					.collection(this.getNodeParameter('collection', 0) as string)
-					.aggregate(queryParameter as Document[]);
+					.aggregate(queryParameter as unknown as Document[]);
 
 				responseData = await query.toArray();
 			} catch (error) {
@@ -140,20 +162,22 @@ export class MongoDb implements INodeType {
 			// ----------------------------------
 
 			try {
-				const queryParameter = JSON.parse(this.getNodeParameter('query', 0) as string);
+				const queryParameter = JSON.parse(
+					this.getNodeParameter('query', 0) as string,
+				) as IDataObject;
 
 				if (queryParameter._id && typeof queryParameter._id === 'string') {
-					queryParameter._id = new ObjectId(queryParameter._id as string);
+					queryParameter._id = new ObjectId(queryParameter._id);
 				}
 
 				let query = mdb
 					.collection(this.getNodeParameter('collection', 0) as string)
-					.find(queryParameter as Document);
+					.find(queryParameter as unknown as Document);
 
 				const options = this.getNodeParameter('options', 0);
 				const limit = options.limit as number;
 				const skip = options.skip as number;
-				const sort: Sort = options.sort && JSON.parse(options.sort as string);
+				const sort = options.sort && (JSON.parse(options.sort as string) as Sort);
 				if (skip > 0) {
 					query = query.skip(skip);
 				}
@@ -339,6 +363,8 @@ export class MongoDb implements INodeType {
 
 		await client.close();
 
+		stringifyObjectIDs(responseData);
+
 		const executionData = this.helpers.constructExecutionMetaData(
 			this.helpers.returnJsonArray(responseData),
 			{ itemData: { item: 0 } },
diff --git a/packages/nodes-base/nodes/MongoDb/MongoDbDescription.ts b/packages/nodes-base/nodes/MongoDb/MongoDbDescription.ts
deleted file mode 100644
index c113f702e3961..0000000000000
--- a/packages/nodes-base/nodes/MongoDb/MongoDbDescription.ts
+++ /dev/null
@@ -1,286 +0,0 @@
-/* eslint-disable n8n-nodes-base/node-filename-against-convention */
-import type { INodeTypeDescription } from 'n8n-workflow';
-
-/**
- * Options to be displayed
- */
-export const nodeDescription: INodeTypeDescription = {
-	displayName: 'MongoDB',
-	name: 'mongoDb',
-	icon: 'file:mongodb.svg',
-	group: ['input'],
-	version: 1,
-	description: 'Find, insert and update documents in MongoDB',
-	defaults: {
-		name: 'MongoDB',
-	},
-	inputs: ['main'],
-	outputs: ['main'],
-	credentials: [
-		{
-			name: 'mongoDb',
-			required: true,
-			testedBy: 'mongoDbCredentialTest',
-		},
-	],
-	properties: [
-		{
-			displayName: 'Operation',
-			name: 'operation',
-			type: 'options',
-			noDataExpression: true,
-			options: [
-				{
-					name: 'Aggregate',
-					value: 'aggregate',
-					description: 'Aggregate documents',
-					action: 'Aggregate documents',
-				},
-				{
-					name: 'Delete',
-					value: 'delete',
-					description: 'Delete documents',
-					action: 'Delete documents',
-				},
-				{
-					name: 'Find',
-					value: 'find',
-					description: 'Find documents',
-					action: 'Find documents',
-				},
-				{
-					name: 'Find And Replace',
-					value: 'findOneAndReplace',
-					description: 'Find and replace documents',
-					action: 'Find and replace documents',
-				},
-				{
-					name: 'Find And Update',
-					value: 'findOneAndUpdate',
-					description: 'Find and update documents',
-					action: 'Find and update documents',
-				},
-				{
-					name: 'Insert',
-					value: 'insert',
-					description: 'Insert documents',
-					action: 'Insert documents',
-				},
-				{
-					name: 'Update',
-					value: 'update',
-					description: 'Update documents',
-					action: 'Update documents',
-				},
-			],
-			default: 'find',
-		},
-
-		{
-			displayName: 'Collection',
-			name: 'collection',
-			type: 'string',
-			required: true,
-			default: '',
-			description: 'MongoDB Collection',
-		},
-
-		// ----------------------------------
-		//         aggregate
-		// ----------------------------------
-		{
-			displayName: 'Query',
-			name: 'query',
-			type: 'json',
-			typeOptions: {
-				alwaysOpenEditWindow: true,
-			},
-			displayOptions: {
-				show: {
-					operation: ['aggregate'],
-				},
-			},
-			default: '',
-			placeholder: '[{ "$match": { "$gt": "1950-01-01" }, ... }]',
-			hint: 'Learn more about aggregation pipeline <a href="https://docs.mongodb.com/manual/core/aggregation-pipeline/">here</a>',
-			required: true,
-			description: 'MongoDB aggregation pipeline query in JSON format',
-		},
-
-		// ----------------------------------
-		//         delete
-		// ----------------------------------
-		{
-			displayName: 'Delete Query (JSON Format)',
-			name: 'query',
-			type: 'json',
-			typeOptions: {
-				rows: 5,
-			},
-			displayOptions: {
-				show: {
-					operation: ['delete'],
-				},
-			},
-			default: '{}',
-			placeholder: '{ "birth": { "$gt": "1950-01-01" } }',
-			required: true,
-			description: 'MongoDB Delete query',
-		},
-
-		// ----------------------------------
-		//         find
-		// ----------------------------------
-		{
-			displayName: 'Options',
-			name: 'options',
-			type: 'collection',
-			displayOptions: {
-				show: {
-					operation: ['find'],
-				},
-			},
-			default: {},
-			placeholder: 'Add options',
-			description: 'Add query options',
-			options: [
-				{
-					displayName: 'Limit',
-					name: 'limit',
-					type: 'number',
-					typeOptions: {
-						minValue: 1,
-					},
-					default: 0,
-					// eslint-disable-next-line n8n-nodes-base/node-param-description-wrong-for-limit
-					description:
-						'Use limit to specify the maximum number of documents or 0 for unlimited documents',
-				},
-				{
-					displayName: 'Skip',
-					name: 'skip',
-					type: 'number',
-					default: 0,
-					description: 'The number of documents to skip in the results set',
-				},
-				{
-					displayName: 'Sort (JSON Format)',
-					name: 'sort',
-					type: 'json',
-					typeOptions: {
-						rows: 2,
-					},
-					default: '{}',
-					placeholder: '{ "field": -1 }',
-					description: 'A JSON that defines the sort order of the result set',
-				},
-			],
-		},
-		{
-			displayName: 'Query (JSON Format)',
-			name: 'query',
-			type: 'json',
-			typeOptions: {
-				rows: 5,
-			},
-			displayOptions: {
-				show: {
-					operation: ['find'],
-				},
-			},
-			default: '{}',
-			placeholder: '{ "birth": { "$gt": "1950-01-01" } }',
-			required: true,
-			description: 'MongoDB Find query',
-		},
-
-		// ----------------------------------
-		//         insert
-		// ----------------------------------
-		{
-			displayName: 'Fields',
-			name: 'fields',
-			type: 'string',
-			displayOptions: {
-				show: {
-					operation: ['insert'],
-				},
-			},
-			default: '',
-			placeholder: 'name,description',
-			description: 'Comma-separated list of the fields to be included into the new document',
-		},
-
-		// ----------------------------------
-		//         update
-		// ----------------------------------
-		{
-			displayName: 'Update Key',
-			name: 'updateKey',
-			type: 'string',
-			displayOptions: {
-				show: {
-					operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
-				},
-			},
-			default: 'id',
-			required: true,
-			// eslint-disable-next-line n8n-nodes-base/node-param-description-miscased-id
-			description:
-				'Name of the property which decides which rows in the database should be updated. Normally that would be "id".',
-		},
-		{
-			displayName: 'Fields',
-			name: 'fields',
-			type: 'string',
-			displayOptions: {
-				show: {
-					operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
-				},
-			},
-			default: '',
-			placeholder: 'name,description',
-			description: 'Comma-separated list of the fields to be included into the new document',
-		},
-		{
-			displayName: 'Upsert',
-			name: 'upsert',
-			type: 'boolean',
-			displayOptions: {
-				show: {
-					operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
-				},
-			},
-			default: false,
-			description: 'Whether to perform an insert if no documents match the update key',
-		},
-		{
-			displayName: 'Options',
-			name: 'options',
-			type: 'collection',
-			displayOptions: {
-				show: {
-					operation: ['update', 'insert', 'findOneAndReplace', 'findOneAndUpdate'],
-				},
-			},
-			placeholder: 'Add Option',
-			default: {},
-			options: [
-				{
-					displayName: 'Date Fields',
-					name: 'dateFields',
-					type: 'string',
-					default: '',
-					description: 'Comma separeted list of fields that will be parse as Mongo Date type',
-				},
-				{
-					displayName: 'Use Dot Notation',
-					name: 'useDotNotation',
-					type: 'boolean',
-					default: false,
-					description: 'Whether to use dot notation to access date fields',
-				},
-			],
-		},
-	],
-};
diff --git a/packages/nodes-base/nodes/MongoDb/MongoDbProperties.ts b/packages/nodes-base/nodes/MongoDb/MongoDbProperties.ts
new file mode 100644
index 0000000000000..467f019e03024
--- /dev/null
+++ b/packages/nodes-base/nodes/MongoDb/MongoDbProperties.ts
@@ -0,0 +1,262 @@
+import type { INodeProperties } from 'n8n-workflow';
+
+export const nodeProperties: INodeProperties[] = [
+	{
+		displayName: 'Operation',
+		name: 'operation',
+		type: 'options',
+		noDataExpression: true,
+		options: [
+			{
+				name: 'Aggregate',
+				value: 'aggregate',
+				description: 'Aggregate documents',
+				action: 'Aggregate documents',
+			},
+			{
+				name: 'Delete',
+				value: 'delete',
+				description: 'Delete documents',
+				action: 'Delete documents',
+			},
+			{
+				name: 'Find',
+				value: 'find',
+				description: 'Find documents',
+				action: 'Find documents',
+			},
+			{
+				name: 'Find And Replace',
+				value: 'findOneAndReplace',
+				description: 'Find and replace documents',
+				action: 'Find and replace documents',
+			},
+			{
+				name: 'Find And Update',
+				value: 'findOneAndUpdate',
+				description: 'Find and update documents',
+				action: 'Find and update documents',
+			},
+			{
+				name: 'Insert',
+				value: 'insert',
+				description: 'Insert documents',
+				action: 'Insert documents',
+			},
+			{
+				name: 'Update',
+				value: 'update',
+				description: 'Update documents',
+				action: 'Update documents',
+			},
+		],
+		default: 'find',
+	},
+
+	{
+		displayName: 'Collection',
+		name: 'collection',
+		type: 'string',
+		required: true,
+		default: '',
+		description: 'MongoDB Collection',
+	},
+
+	// ----------------------------------
+	//         aggregate
+	// ----------------------------------
+	{
+		displayName: 'Query',
+		name: 'query',
+		type: 'json',
+		typeOptions: {
+			alwaysOpenEditWindow: true,
+		},
+		displayOptions: {
+			show: {
+				operation: ['aggregate'],
+			},
+		},
+		default: '',
+		placeholder: '[{ "$match": { "$gt": "1950-01-01" }, ... }]',
+		hint: 'Learn more about aggregation pipeline <a href="https://docs.mongodb.com/manual/core/aggregation-pipeline/">here</a>',
+		required: true,
+		description: 'MongoDB aggregation pipeline query in JSON format',
+	},
+
+	// ----------------------------------
+	//         delete
+	// ----------------------------------
+	{
+		displayName: 'Delete Query (JSON Format)',
+		name: 'query',
+		type: 'json',
+		typeOptions: {
+			rows: 5,
+		},
+		displayOptions: {
+			show: {
+				operation: ['delete'],
+			},
+		},
+		default: '{}',
+		placeholder: '{ "birth": { "$gt": "1950-01-01" } }',
+		required: true,
+		description: 'MongoDB Delete query',
+	},
+
+	// ----------------------------------
+	//         find
+	// ----------------------------------
+	{
+		displayName: 'Options',
+		name: 'options',
+		type: 'collection',
+		displayOptions: {
+			show: {
+				operation: ['find'],
+			},
+		},
+		default: {},
+		placeholder: 'Add options',
+		description: 'Add query options',
+		options: [
+			{
+				displayName: 'Limit',
+				name: 'limit',
+				type: 'number',
+				typeOptions: {
+					minValue: 1,
+				},
+				default: 0,
+				// eslint-disable-next-line n8n-nodes-base/node-param-description-wrong-for-limit
+				description:
+					'Use limit to specify the maximum number of documents or 0 for unlimited documents',
+			},
+			{
+				displayName: 'Skip',
+				name: 'skip',
+				type: 'number',
+				default: 0,
+				description: 'The number of documents to skip in the results set',
+			},
+			{
+				displayName: 'Sort (JSON Format)',
+				name: 'sort',
+				type: 'json',
+				typeOptions: {
+					rows: 2,
+				},
+				default: '{}',
+				placeholder: '{ "field": -1 }',
+				description: 'A JSON that defines the sort order of the result set',
+			},
+		],
+	},
+	{
+		displayName: 'Query (JSON Format)',
+		name: 'query',
+		type: 'json',
+		typeOptions: {
+			rows: 5,
+		},
+		displayOptions: {
+			show: {
+				operation: ['find'],
+			},
+		},
+		default: '{}',
+		placeholder: '{ "birth": { "$gt": "1950-01-01" } }',
+		required: true,
+		description: 'MongoDB Find query',
+	},
+
+	// ----------------------------------
+	//         insert
+	// ----------------------------------
+	{
+		displayName: 'Fields',
+		name: 'fields',
+		type: 'string',
+		displayOptions: {
+			show: {
+				operation: ['insert'],
+			},
+		},
+		default: '',
+		placeholder: 'name,description',
+		description: 'Comma-separated list of the fields to be included into the new document',
+	},
+
+	// ----------------------------------
+	//         update
+	// ----------------------------------
+	{
+		displayName: 'Update Key',
+		name: 'updateKey',
+		type: 'string',
+		displayOptions: {
+			show: {
+				operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
+			},
+		},
+		default: 'id',
+		required: true,
+		// eslint-disable-next-line n8n-nodes-base/node-param-description-miscased-id
+		description:
+			'Name of the property which decides which rows in the database should be updated. Normally that would be "id".',
+	},
+	{
+		displayName: 'Fields',
+		name: 'fields',
+		type: 'string',
+		displayOptions: {
+			show: {
+				operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
+			},
+		},
+		default: '',
+		placeholder: 'name,description',
+		description: 'Comma-separated list of the fields to be included into the new document',
+	},
+	{
+		displayName: 'Upsert',
+		name: 'upsert',
+		type: 'boolean',
+		displayOptions: {
+			show: {
+				operation: ['update', 'findOneAndReplace', 'findOneAndUpdate'],
+			},
+		},
+		default: false,
+		description: 'Whether to perform an insert if no documents match the update key',
+	},
+	{
+		displayName: 'Options',
+		name: 'options',
+		type: 'collection',
+		displayOptions: {
+			show: {
+				operation: ['update', 'insert', 'findOneAndReplace', 'findOneAndUpdate'],
+			},
+		},
+		placeholder: 'Add Option',
+		default: {},
+		options: [
+			{
+				displayName: 'Date Fields',
+				name: 'dateFields',
+				type: 'string',
+				default: '',
+				description: 'Comma separeted list of fields that will be parse as Mongo Date type',
+			},
+			{
+				displayName: 'Use Dot Notation',
+				name: 'useDotNotation',
+				type: 'boolean',
+				default: false,
+				description: 'Whether to use dot notation to access date fields',
+			},
+		],
+	},
+];
diff --git a/packages/nodes-base/nodes/MySql/MySql.node.ts b/packages/nodes-base/nodes/MySql/MySql.node.ts
index db80bf1ae8188..80b8e8ba3d511 100644
--- a/packages/nodes-base/nodes/MySql/MySql.node.ts
+++ b/packages/nodes-base/nodes/MySql/MySql.node.ts
@@ -11,7 +11,7 @@ export class MySql extends VersionedNodeType {
 			name: 'mySql',
 			icon: 'file:mysql.svg',
 			group: ['input'],
-			defaultVersion: 2.1,
+			defaultVersion: 2.2,
 			description: 'Get, add and update data in MySQL',
 		};
 
@@ -19,6 +19,7 @@ export class MySql extends VersionedNodeType {
 			1: new MySqlV1(baseDescription),
 			2: new MySqlV2(baseDescription),
 			2.1: new MySqlV2(baseDescription),
+			2.2: new MySqlV2(baseDescription),
 		};
 
 		super(nodeVersions, baseDescription);
diff --git a/packages/nodes-base/nodes/MySql/test/v2/operations.test.ts b/packages/nodes-base/nodes/MySql/test/v2/operations.test.ts
index d79432ac2ec36..58e011a73168c 100644
--- a/packages/nodes-base/nodes/MySql/test/v2/operations.test.ts
+++ b/packages/nodes-base/nodes/MySql/test/v2/operations.test.ts
@@ -305,7 +305,7 @@ describe('Test MySql V2, operations', () => {
 
 		const runQueries: QueryRunner = configureQueryRunner.call(
 			fakeExecuteFunction,
-			nodeOptions,
+			{ ...nodeOptions, nodeVersion: 2 },
 			pool,
 		);
 
diff --git a/packages/nodes-base/nodes/MySql/test/v2/runQueries.test.ts b/packages/nodes-base/nodes/MySql/test/v2/runQueries.test.ts
index 94481afa919fe..fb3304dbcb957 100644
--- a/packages/nodes-base/nodes/MySql/test/v2/runQueries.test.ts
+++ b/packages/nodes-base/nodes/MySql/test/v2/runQueries.test.ts
@@ -45,7 +45,7 @@ describe('Test MySql V2, runQueries', () => {
 	});
 
 	it('should execute in "Single" mode, should return success true', async () => {
-		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.SINGLE };
+		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.SINGLE, nodeVersion: 2 };
 
 		const pool = createFakePool(fakeConnection);
 		const fakeExecuteFunction = createMockExecuteFunction({}, mySqlMockNode);
@@ -81,7 +81,7 @@ describe('Test MySql V2, runQueries', () => {
 	});
 
 	it('should execute in "independently" mode, should return success true', async () => {
-		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.INDEPENDENTLY };
+		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.INDEPENDENTLY, nodeVersion: 2 };
 
 		const pool = createFakePool(fakeConnection);
 
@@ -126,7 +126,7 @@ describe('Test MySql V2, runQueries', () => {
 	});
 
 	it('should execute in "transaction" mode, should return success true', async () => {
-		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.TRANSACTION };
+		const nodeOptions: IDataObject = { queryBatching: BATCH_MODE.TRANSACTION, nodeVersion: 2 };
 
 		const pool = createFakePool(fakeConnection);
 
diff --git a/packages/nodes-base/nodes/MySql/v2/actions/versionDescription.ts b/packages/nodes-base/nodes/MySql/v2/actions/versionDescription.ts
index 32cd487c7e639..366e8fcaa8c8f 100644
--- a/packages/nodes-base/nodes/MySql/v2/actions/versionDescription.ts
+++ b/packages/nodes-base/nodes/MySql/v2/actions/versionDescription.ts
@@ -8,7 +8,7 @@ export const versionDescription: INodeTypeDescription = {
 	name: 'mySql',
 	icon: 'file:mysql.svg',
 	group: ['input'],
-	version: [2, 2.1],
+	version: [2, 2.1, 2.2],
 	subtitle: '={{ $parameter["operation"] }}',
 	description: 'Get, add and update data in MySQL',
 	defaults: {
diff --git a/packages/nodes-base/nodes/MySql/v2/helpers/utils.ts b/packages/nodes-base/nodes/MySql/v2/helpers/utils.ts
index 7c72e47332d8d..e2b5e5fbdef96 100644
--- a/packages/nodes-base/nodes/MySql/v2/helpers/utils.ts
+++ b/packages/nodes-base/nodes/MySql/v2/helpers/utils.ts
@@ -167,7 +167,23 @@ export function prepareOutput(
 	}
 
 	if (!returnData.length) {
-		returnData.push({ json: { success: true } });
+		if ((options?.nodeVersion as number) < 2.2) {
+			returnData.push({ json: { success: true } });
+		} else {
+			const isSelectQuery = statements
+				.filter((statement) => !statement.startsWith('--'))
+				.every((statement) =>
+					statement
+						.replace(/\/\*.*?\*\//g, '') // remove multiline comments
+						.replace(/\n/g, '')
+						.toLowerCase()
+						.startsWith('select'),
+				);
+
+			if (!isSelectQuery) {
+				returnData.push({ json: { success: true } });
+			}
+		}
 	}
 
 	return returnData;
diff --git a/packages/nodes-base/nodes/Postgres/Postgres.node.ts b/packages/nodes-base/nodes/Postgres/Postgres.node.ts
index d2a06fd89096b..fae684f450642 100644
--- a/packages/nodes-base/nodes/Postgres/Postgres.node.ts
+++ b/packages/nodes-base/nodes/Postgres/Postgres.node.ts
@@ -11,7 +11,7 @@ export class Postgres extends VersionedNodeType {
 			name: 'postgres',
 			icon: 'file:postgres.svg',
 			group: ['input'],
-			defaultVersion: 2.2,
+			defaultVersion: 2.3,
 			description: 'Get, add and update data in Postgres',
 		};
 
@@ -20,6 +20,7 @@ export class Postgres extends VersionedNodeType {
 			2: new PostgresV2(baseDescription),
 			2.1: new PostgresV2(baseDescription),
 			2.2: new PostgresV2(baseDescription),
+			2.3: new PostgresV2(baseDescription),
 		};
 
 		super(nodeVersions, baseDescription);
diff --git a/packages/nodes-base/nodes/Postgres/test/v2/runQueries.test.ts b/packages/nodes-base/nodes/Postgres/test/v2/runQueries.test.ts
index 769569ac57cbf..4297924fe957d 100644
--- a/packages/nodes-base/nodes/Postgres/test/v2/runQueries.test.ts
+++ b/packages/nodes-base/nodes/Postgres/test/v2/runQueries.test.ts
@@ -44,7 +44,9 @@ describe('Test PostgresV2, runQueries', () => {
 		const thisArg = mock<IExecuteFunctions>();
 		const runQueries = configureQueryRunner.call(thisArg, node, false, pgp, db);
 
-		const result = await runQueries([{ query: 'SELECT * FROM table', values: [] }], [], {});
+		const result = await runQueries([{ query: 'SELECT * FROM table', values: [] }], [], {
+			nodeVersion: 2.2,
+		});
 
 		expect(result).toBeDefined();
 		expect(result).toHaveLength(1);
diff --git a/packages/nodes-base/nodes/Postgres/v2/actions/versionDescription.ts b/packages/nodes-base/nodes/Postgres/v2/actions/versionDescription.ts
index dc200de53cba6..722473f43a6d4 100644
--- a/packages/nodes-base/nodes/Postgres/v2/actions/versionDescription.ts
+++ b/packages/nodes-base/nodes/Postgres/v2/actions/versionDescription.ts
@@ -8,7 +8,7 @@ export const versionDescription: INodeTypeDescription = {
 	name: 'postgres',
 	icon: 'file:postgres.svg',
 	group: ['input'],
-	version: [2, 2.1, 2.2],
+	version: [2, 2.1, 2.2, 2.3],
 	subtitle: '={{ $parameter["operation"] }}',
 	description: 'Get, add and update data in Postgres',
 	defaults: {
diff --git a/packages/nodes-base/nodes/Postgres/v2/helpers/utils.ts b/packages/nodes-base/nodes/Postgres/v2/helpers/utils.ts
index 86a5cda18ebc5..a800ee044b60e 100644
--- a/packages/nodes-base/nodes/Postgres/v2/helpers/utils.ts
+++ b/packages/nodes-base/nodes/Postgres/v2/helpers/utils.ts
@@ -199,6 +199,15 @@ export function addReturning(
 	return [`${query} RETURNING $${replacementIndex}:name`, [...replacements, outputColumns]];
 }
 
+const isSelectQuery = (query: string) => {
+	return query
+		.replace(/\/\*.*?\*\//g, '') // remove multiline comments
+		.replace(/\n/g, '')
+		.split(';')
+		.filter((statement) => statement && !statement.startsWith('--')) // remove comments and empty statements
+		.every((statement) => statement.trim().toLowerCase().startsWith('select'));
+};
+
 export function configureQueryRunner(
 	this: IExecuteFunctions,
 	node: INode,
@@ -221,7 +230,16 @@ export function configureQueryRunner(
 						});
 					})
 					.flat();
-				returnData = returnData.length ? returnData : emptyReturnData;
+
+				if (!returnData.length) {
+					if ((options?.nodeVersion as number) < 2.3) {
+						returnData = emptyReturnData;
+					} else {
+						returnData = queries.every((query) => isSelectQuery(query.query))
+							? []
+							: [{ json: { success: true } }];
+					}
+				}
 			} catch (err) {
 				const error = parsePostgresError(node, err, queries);
 				if (!continueOnFail) throw error;
@@ -242,13 +260,26 @@ export function configureQueryRunner(
 				const result: INodeExecutionData[] = [];
 				for (let i = 0; i < queries.length; i++) {
 					try {
-						const transactionResult: IDataObject[] = await transaction.any(
-							queries[i].query,
-							queries[i].values,
-						);
+						const query = queries[i].query;
+						const values = queries[i].values;
+
+						let transactionResults;
+						if ((options?.nodeVersion as number) < 2.3) {
+							transactionResults = await transaction.any(query, values);
+						} else {
+							transactionResults = (await transaction.multi(query, values)).flat();
+						}
+
+						if (!transactionResults.length) {
+							if ((options?.nodeVersion as number) < 2.3) {
+								transactionResults = emptyReturnData;
+							} else {
+								transactionResults = isSelectQuery(query) ? [] : [{ success: true }];
+							}
+						}
 
 						const executionData = this.helpers.constructExecutionMetaData(
-							wrapData(transactionResult.length ? transactionResult : emptyReturnData),
+							wrapData(transactionResults),
 							{ itemData: { item: i } },
 						);
 
@@ -265,17 +296,30 @@ export function configureQueryRunner(
 		}
 
 		if (queryBatching === 'independently') {
-			returnData = await db.task(async (t) => {
+			returnData = await db.task(async (task) => {
 				const result: INodeExecutionData[] = [];
 				for (let i = 0; i < queries.length; i++) {
 					try {
-						const transactionResult: IDataObject[] = await t.any(
-							queries[i].query,
-							queries[i].values,
-						);
+						const query = queries[i].query;
+						const values = queries[i].values;
+
+						let transactionResults;
+						if ((options?.nodeVersion as number) < 2.3) {
+							transactionResults = await task.any(query, values);
+						} else {
+							transactionResults = (await task.multi(query, values)).flat();
+						}
+
+						if (!transactionResults.length) {
+							if ((options?.nodeVersion as number) < 2.3) {
+								transactionResults = emptyReturnData;
+							} else {
+								transactionResults = isSelectQuery(query) ? [] : [{ success: true }];
+							}
+						}
 
 						const executionData = this.helpers.constructExecutionMetaData(
-							wrapData(transactionResult.length ? transactionResult : emptyReturnData),
+							wrapData(transactionResults),
 							{ itemData: { item: i } },
 						);
 
diff --git a/packages/nodes-base/nodes/RssFeedRead/RssFeedRead.node.ts b/packages/nodes-base/nodes/RssFeedRead/RssFeedRead.node.ts
index 6397340036987..af4b2621a9dc4 100644
--- a/packages/nodes-base/nodes/RssFeedRead/RssFeedRead.node.ts
+++ b/packages/nodes-base/nodes/RssFeedRead/RssFeedRead.node.ts
@@ -44,12 +44,30 @@ export class RssFeedRead implements INodeType {
 				required: true,
 				description: 'URL of the RSS feed',
 			},
+			{
+				displayName: 'Options',
+				name: 'options',
+				type: 'collection',
+				placeholder: 'Add Option',
+				default: {},
+				options: [
+					{
+						displayName: 'Ignore SSL Issues',
+						name: 'ignoreSSL',
+						type: 'boolean',
+						default: false,
+						description: 'Whether to ignore SSL/TLS certificate issues or not',
+					},
+				],
+			},
 		],
 	};
 
 	async execute(this: IExecuteFunctions): Promise<INodeExecutionData[][]> {
 		try {
 			const url = this.getNodeParameter('url', 0) as string;
+			const options = this.getNodeParameter('options', 0);
+			const ignoreSSL = Boolean(options.ignoreSSL);
 
 			if (!url) {
 				throw new NodeOperationError(this.getNode(), 'The parameter "URL" has to be set!');
@@ -59,7 +77,11 @@ export class RssFeedRead implements INodeType {
 				throw new NodeOperationError(this.getNode(), 'The provided "URL" is not valid!');
 			}
 
-			const parser = new Parser();
+			const parser = new Parser({
+				requestOptions: {
+					rejectUnauthorized: !ignoreSSL,
+				},
+			});
 
 			let feed: Parser.Output<IDataObject>;
 			try {
diff --git a/packages/nodes-base/nodes/Webhook/Webhook.node.ts b/packages/nodes-base/nodes/Webhook/Webhook.node.ts
index 281cf06287844..fb870c71695db 100644
--- a/packages/nodes-base/nodes/Webhook/Webhook.node.ts
+++ b/packages/nodes-base/nodes/Webhook/Webhook.node.ts
@@ -127,7 +127,7 @@ export class Webhook extends Node {
 		const response: INodeExecutionData = {
 			json: {
 				headers: req.headers,
-				params: {},
+				params: req.params,
 				query: req.query,
 				body: req.body,
 			},
@@ -207,7 +207,7 @@ export class Webhook extends Node {
 			binary: {},
 			json: {
 				headers: req.headers,
-				params: {},
+				params: req.params,
 				query: req.query,
 				body: data,
 			},
@@ -263,7 +263,7 @@ export class Webhook extends Node {
 				binary: {},
 				json: {
 					headers: req.headers,
-					params: {},
+					params: req.params,
 					query: req.query,
 					body: {},
 				},
diff --git a/packages/nodes-base/package.json b/packages/nodes-base/package.json
index 10bfcc287fb1b..5b88b7fc3a1d6 100644
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-nodes-base",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Base nodes of n8n",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
@@ -809,6 +809,7 @@
   },
   "dependencies": {
     "@kafkajs/confluent-schema-registry": "1.0.6",
+    "@n8n/vm2": "^3.9.19",
     "amqplib": "^0.10.3",
     "aws4": "^1.8.0",
     "basic-auth": "^2.0.1",
@@ -838,7 +839,7 @@
     "minifaker": "^1.34.1",
     "moment": "~2.29.2",
     "moment-timezone": "^0.5.28",
-    "mongodb": "^4.9.1",
+    "mongodb": "^4.17.1",
     "mqtt": "^5.0.2",
     "mssql": "^8.1.2",
     "mysql2": "~2.3.0",
@@ -861,11 +862,10 @@
     "semver": "^7.5.4",
     "showdown": "^2.0.3",
     "simple-git": "^3.17.0",
-    "snowflake-sdk": "^1.6.23",
+    "snowflake-sdk": "^1.8.0",
     "ssh2-sftp-client": "^7.0.0",
     "tmp-promise": "^3.0.2",
     "uuid": "^8.3.2",
-    "vm2": "^3.9.19",
     "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz",
     "xml2js": "^0.5.0"
   }
diff --git a/packages/nodes-base/test/nodes/Helpers.ts b/packages/nodes-base/test/nodes/Helpers.ts
index c038f7621d031..5e3e4a0c7b60a 100644
--- a/packages/nodes-base/test/nodes/Helpers.ts
+++ b/packages/nodes-base/test/nodes/Helpers.ts
@@ -123,6 +123,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 	}
 
 	async getDecrypted(
+		additionalData: IWorkflowExecuteAdditionalData,
 		nodeCredentials: INodeCredentialsDetails,
 		type: string,
 	): Promise<ICredentialDataDecryptedObject> {
diff --git a/packages/workflow/package.json b/packages/workflow/package.json
index 7035df32821e0..826d3db50ba60 100644
--- a/packages/workflow/package.json
+++ b/packages/workflow/package.json
@@ -1,6 +1,6 @@
 {
   "name": "n8n-workflow",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Workflow base code of n8n",
   "license": "SEE LICENSE IN LICENSE.md",
   "homepage": "https://n8n.io",
diff --git a/packages/workflow/src/Expression.ts b/packages/workflow/src/Expression.ts
index a99040b000589..6d1ab313c94d2 100644
--- a/packages/workflow/src/Expression.ts
+++ b/packages/workflow/src/Expression.ts
@@ -2,6 +2,7 @@ import * as tmpl from '@n8n_io/riot-tmpl';
 import { DateTime, Duration, Interval } from 'luxon';
 
 import type {
+	IDataObject,
 	IExecuteData,
 	INode,
 	INodeExecutionData,
@@ -66,8 +67,8 @@ export class Expression {
 		this.workflow = workflow;
 	}
 
-	static resolveWithoutWorkflow(expression: string) {
-		return tmpl.tmpl(expression, {});
+	static resolveWithoutWorkflow(expression: string, data: IDataObject = {}) {
+		return tmpl.tmpl(expression, data);
 	}
 
 	/**
diff --git a/packages/workflow/src/Interfaces.ts b/packages/workflow/src/Interfaces.ts
index a1a403ff0595b..84f142fa051bd 100644
--- a/packages/workflow/src/Interfaces.ts
+++ b/packages/workflow/src/Interfaces.ts
@@ -225,6 +225,7 @@ export abstract class ICredentialsHelper {
 	): Promise<ICredentials>;
 
 	abstract getDecrypted(
+		additionalData: IWorkflowExecuteAdditionalData,
 		nodeCredentials: INodeCredentialsDetails,
 		type: string,
 		mode: WorkflowExecuteMode,
@@ -1775,6 +1776,7 @@ export interface IWorkflowExecuteAdditionalData {
 	executionTimeoutTimestamp?: number;
 	userId: string;
 	variables: IDataObject;
+	secretsHelpers: SecretsHelpersBase;
 }
 
 export type WorkflowExecuteMode =
@@ -2185,6 +2187,7 @@ export interface IN8nUISettings {
 		variables: boolean;
 		sourceControl: boolean;
 		auditLogs: boolean;
+		externalSecrets: boolean;
 		showNonProdBanner: boolean;
 		debugInEditor: boolean;
 	};
@@ -2195,6 +2198,9 @@ export interface IN8nUISettings {
 	variables: {
 		limit: number;
 	};
+	mfa: {
+		enabled: boolean;
+	};
 	banners: {
 		dismissed: string[];
 	};
@@ -2203,4 +2209,15 @@ export interface IN8nUISettings {
 	};
 }
 
+export interface SecretsHelpersBase {
+	update(): Promise<void>;
+	waitForInit(): Promise<void>;
+
+	getSecret(provider: string, name: string): IDataObject | undefined;
+	hasSecret(provider: string, name: string): boolean;
+	hasProvider(provider: string): boolean;
+	listProviders(): string[];
+	listSecrets(provider: string): string[];
+}
+
 export type BannerName = 'V1' | 'TRIAL_OVER' | 'TRIAL' | 'NON_PRODUCTION_LICENSE';
diff --git a/packages/workflow/src/index.ts b/packages/workflow/src/index.ts
index f2a6ac66e6dd2..7fe6de45dd5f8 100644
--- a/packages/workflow/src/index.ts
+++ b/packages/workflow/src/index.ts
@@ -44,6 +44,7 @@ export {
 } from './type-guards';
 
 export { ExpressionExtensions } from './Extensions';
+export * as ExpressionParser from './Extensions/ExpressionParser';
 export { NativeMethods } from './NativeMethods';
 
 export type { DocMetadata, NativeDoc } from './Extensions';
diff --git a/packages/workflow/test/Helpers.ts b/packages/workflow/test/Helpers.ts
index ad2b8c64b723e..fededf3777cb4 100644
--- a/packages/workflow/test/Helpers.ts
+++ b/packages/workflow/test/Helpers.ts
@@ -125,6 +125,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 	}
 
 	async getDecrypted(
+		additionalData: IWorkflowExecuteAdditionalData,
 		nodeCredentials: INodeCredentialsDetails,
 		type: string,
 	): Promise<ICredentialDataDecryptedObject> {
diff --git a/patches/@types__ws@8.5.4.patch b/patches/@types__ws@8.5.4.patch
new file mode 100644
index 0000000000000..b489d1e61843a
--- /dev/null
+++ b/patches/@types__ws@8.5.4.patch
@@ -0,0 +1,14 @@
+diff --git a/index.d.ts b/index.d.ts
+index 7a8182a94289524851cb08a3b24897f2b6bce747..f5bfb61bdacbae81ca274cc4b5a61e6e7322b7cd 100755
+--- a/index.d.ts
++++ b/index.d.ts
+@@ -72,6 +72,9 @@ declare class WebSocket extends EventEmitter {
+         | typeof WebSocket.CLOSED;
+     readonly url: string;
+ 
++    /** Indicates if the connection has replied to the last PING */
++    isAlive: boolean;
++
+     /** The connection is not yet open. */
+     readonly CONNECTING: 0;
+     /** The connection is open and ready to communicate. */
\ No newline at end of file
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9ce5811f5d1c2..f47bb65a00aa0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -17,7 +17,7 @@ overrides:
   tslib: ^2.6.1
   tsconfig-paths: ^4.2.0
   ts-node: ^10.9.1
-  typescript: ^5.1.6
+  typescript: ^5.2.2
   xml2js: ^0.5.0
   cpy@8>globby: ^11.1.0
   qqjs>globby: ^11.1.0
@@ -26,6 +26,9 @@ patchedDependencies:
   '@sentry/cli@2.17.0':
     hash: nchnoezkq6p37qaiku3vrpwraq
     path: patches/@sentry__cli@2.17.0.patch
+  '@types/ws@8.5.4':
+    hash: nbzuqaoyqbrfwipijj5qriqqju
+    path: patches/@types__ws@8.5.4.patch
   pkce-challenge@3.0.0:
     hash: dypouzb3lve7vncq25i5fuanki
     path: patches/pkce-challenge@3.0.0.patch
@@ -65,6 +68,9 @@ importers:
       cypress:
         specifier: ^12.17.2
         version: 12.17.2
+      cypress-otp:
+        specifier: ^1.0.3
+        version: 1.0.3
       cypress-real-events:
         specifier: ^1.9.1
         version: 1.9.1(cypress@12.17.2)
@@ -82,7 +88,7 @@ importers:
         version: 29.6.2
       jest-mock-extended:
         specifier: ^3.0.4
-        version: 3.0.4(jest@29.6.2)(typescript@5.1.6)
+        version: 3.0.4(jest@29.6.2)(typescript@5.2.2)
       nock:
         specifier: ^13.3.2
         version: 13.3.2
@@ -106,19 +112,19 @@ importers:
         version: 6.3.3
       ts-jest:
         specifier: ^29.1.1
-        version: 29.1.1(@babel/core@7.22.9)(jest@29.6.2)(typescript@5.1.6)
+        version: 29.1.1(@babel/core@7.22.9)(jest@29.6.2)(typescript@5.2.2)
       tsc-alias:
         specifier: ^1.8.7
         version: 1.8.7
       tsc-watch:
         specifier: ^6.0.4
-        version: 6.0.4(typescript@5.1.6)
+        version: 6.0.4(typescript@5.2.2)
       turbo:
         specifier: 1.10.12
         version: 1.10.12
       typescript:
-        specifier: ^5.1.6
-        version: 5.1.6
+        specifier: ^5.2.2
+        version: 5.2.2
       vite:
         specifier: ^4.4.7
         version: 4.4.7(less@4.1.3)(sass@1.64.1)
@@ -127,7 +133,7 @@ importers:
         version: 0.33.0
       vue-tsc:
         specifier: ^1.8.8
-        version: 1.8.8(typescript@5.1.6)
+        version: 1.8.8(typescript@5.2.2)
 
   packages/@n8n/client-oauth2:
     dependencies:
@@ -142,13 +148,13 @@ importers:
         version: 8.44.1
       '@typescript-eslint/eslint-plugin':
         specifier: ^6.2.0
-        version: 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.1.6)
+        version: 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.2.2)
       '@typescript-eslint/parser':
         specifier: ^6.2.0
-        version: 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+        version: 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       '@vue/eslint-config-typescript':
         specifier: ^11.0.3
-        version: 11.0.3(eslint-plugin-vue@9.15.1)(eslint@8.45.0)(typescript@5.1.6)
+        version: 11.0.3(eslint-plugin-vue@9.15.1)(eslint@8.45.0)(typescript@5.2.2)
       eslint:
         specifier: ^8.45.0
         version: 8.45.0
@@ -302,6 +308,9 @@ importers:
       handlebars:
         specifier: 4.7.7
         version: 4.7.7
+      infisical-node:
+        specifier: ^1.3.0
+        version: 1.3.0
       inquirer:
         specifier: ^7.0.1
         version: 7.3.3
@@ -362,6 +371,9 @@ importers:
       openapi-types:
         specifier: ^10.0.0
         version: 10.0.0
+      otpauth:
+        specifier: ^9.1.1
+        version: 9.1.1
       p-cancelable:
         specifier: ^2.0.0
         version: 2.1.1
@@ -545,7 +557,7 @@ importers:
         version: 13.7.7
       '@types/ws':
         specifier: ^8.5.4
-        version: 8.5.4
+        version: 8.5.4(patch_hash=nbzuqaoyqbrfwipijj5qriqqju)
       '@types/xml2js':
         specifier: ^0.4.11
         version: 0.4.11
@@ -563,7 +575,7 @@ importers:
         version: 8.8.1(@types/ioredis-mock@8.2.2)(ioredis@5.2.4)
       ts-essentials:
         specifier: ^7.0.3
-        version: 7.0.3(typescript@5.1.6)
+        version: 7.0.3(typescript@5.2.2)
 
   packages/core:
     dependencies:
@@ -709,7 +721,7 @@ importers:
         version: 7.1.1(@vue/compiler-core@3.3.4)(vue@3.3.4)
       '@storybook/vue3-vite':
         specifier: ^7.1.1
-        version: 7.1.1(@vue/compiler-core@3.3.4)(react-dom@18.2.0)(react@17.0.2)(typescript@5.1.6)(vite@4.4.7)(vue@3.3.4)
+        version: 7.1.1(@vue/compiler-core@3.3.4)(react-dom@18.2.0)(react@17.0.2)(typescript@5.2.2)(vite@4.4.7)(vue@3.3.4)
       '@testing-library/jest-dom':
         specifier: ^5.17.0
         version: 5.17.0
@@ -880,10 +892,13 @@ importers:
         version: 1.0.1
       pinia:
         specifier: ^2.1.6
-        version: 2.1.6(typescript@5.1.6)(vue@3.3.4)
+        version: 2.1.6(typescript@5.2.2)(vue@3.3.4)
       prettier:
         specifier: ^3.0.0
         version: 3.0.0
+      qrcode.vue:
+        specifier: ^3.3.4
+        version: 3.3.4(vue@3.3.4)
       stream-browserify:
         specifier: ^3.0.0
         version: 3.0.0
@@ -994,6 +1009,9 @@ importers:
       '@kafkajs/confluent-schema-registry':
         specifier: 1.0.6
         version: 1.0.6
+      '@n8n/vm2':
+        specifier: ^3.9.19
+        version: 3.9.19
       amqplib:
         specifier: ^0.10.3
         version: 0.10.3
@@ -1082,8 +1100,8 @@ importers:
         specifier: ^0.5.28
         version: 0.5.37
       mongodb:
-        specifier: ^4.9.1
-        version: 4.10.0
+        specifier: ^4.17.1
+        version: 4.17.1
       mqtt:
         specifier: ^5.0.2
         version: 5.0.2
@@ -1151,8 +1169,8 @@ importers:
         specifier: ^3.17.0
         version: 3.17.0
       snowflake-sdk:
-        specifier: ^1.6.23
-        version: 1.6.23(asn1.js@5.4.1)
+        specifier: ^1.8.0
+        version: 1.8.0(asn1.js@5.4.1)
       ssh2-sftp-client:
         specifier: ^7.0.0
         version: 7.2.3
@@ -1162,9 +1180,6 @@ importers:
       uuid:
         specifier: ^8.3.2
         version: 8.3.2
-      vm2:
-        specifier: ^3.9.19
-        version: 3.9.19
       xlsx:
         specifier: https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz
         version: '@cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz'
@@ -1258,7 +1273,7 @@ importers:
         version: 0.4.11
       eslint-plugin-n8n-nodes-base:
         specifier: ^1.16.0
-        version: 1.16.0(eslint@8.45.0)(typescript@5.1.6)
+        version: 1.16.0(eslint@8.45.0)(typescript@5.2.2)
       gulp:
         specifier: ^4.0.0
         version: 4.0.2
@@ -1428,6 +1443,493 @@ packages:
       default-browser-id: 3.0.0
     dev: true
 
+  /@aws-crypto/crc32@3.0.0:
+    resolution: {integrity: sha512-IzSgsrxUcsrejQbPVilIKy16kAT52EwB6zSaI+M3xxIhKh5+aldEyvI+z6erM7TCLB2BJsFrtHjp6/4/sr+3dA==}
+    dependencies:
+      '@aws-crypto/util': 3.0.0
+      '@aws-sdk/types': 3.398.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-crypto/ie11-detection@3.0.0:
+    resolution: {integrity: sha512-341lBBkiY1DfDNKai/wXM3aujNBkXR7tq1URPQDL9wi3AUbI80NR74uF1TXHMm7po1AcnFk8iu2S2IeU/+/A+Q==}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-crypto/sha256-browser@3.0.0:
+    resolution: {integrity: sha512-8VLmW2B+gjFbU5uMeqtQM6Nj0/F1bro80xQXCW6CQBWgosFWXTx77aeOF5CAIAmbOK64SdMBJdNr6J41yP5mvQ==}
+    dependencies:
+      '@aws-crypto/ie11-detection': 3.0.0
+      '@aws-crypto/sha256-js': 3.0.0
+      '@aws-crypto/supports-web-crypto': 3.0.0
+      '@aws-crypto/util': 3.0.0
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-locate-window': 3.310.0
+      '@aws-sdk/util-utf8-browser': 3.259.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-crypto/sha256-js@3.0.0:
+    resolution: {integrity: sha512-PnNN7os0+yd1XvXAy23CFOmTbMaDxgxXtTKHybrJ39Y8kGzBATgBFibWJKH6BhytLI/Zyszs87xCOBNyBig6vQ==}
+    dependencies:
+      '@aws-crypto/util': 3.0.0
+      '@aws-sdk/types': 3.398.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-crypto/supports-web-crypto@3.0.0:
+    resolution: {integrity: sha512-06hBdMwUAb2WFTuGG73LSC0wfPu93xWwo5vL2et9eymgmu3Id5vFAHBbajVWiGhPO37qcsdCap/FqXvJGJWPIg==}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-crypto/util@3.0.0:
+    resolution: {integrity: sha512-2OJlpeJpCR48CC8r+uKVChzs9Iungj9wkZrl8Z041DWEWvyIHILYKCPNzJghKsivj+S3mLo6BVc7mBNzdxA46w==}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-utf8-browser': 3.259.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/client-cognito-identity@3.398.0:
+    resolution: {integrity: sha512-Pr/S1f8R2FsJ8DwBC6g0CSdtZNNV5dMHhlIi+t8YAmCJvP4KT+UhzFjbvQRINlBRLFuGUuP7p5vRcGVELD3+wA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-crypto/sha256-browser': 3.0.0
+      '@aws-crypto/sha256-js': 3.0.0
+      '@aws-sdk/client-sts': 3.398.0
+      '@aws-sdk/credential-provider-node': 3.398.0
+      '@aws-sdk/middleware-host-header': 3.398.0
+      '@aws-sdk/middleware-logger': 3.398.0
+      '@aws-sdk/middleware-recursion-detection': 3.398.0
+      '@aws-sdk/middleware-signing': 3.398.0
+      '@aws-sdk/middleware-user-agent': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-endpoints': 3.398.0
+      '@aws-sdk/util-user-agent-browser': 3.398.0
+      '@aws-sdk/util-user-agent-node': 3.398.0
+      '@smithy/config-resolver': 2.0.5
+      '@smithy/fetch-http-handler': 2.0.5
+      '@smithy/hash-node': 2.0.5
+      '@smithy/invalid-dependency': 2.0.5
+      '@smithy/middleware-content-length': 2.0.5
+      '@smithy/middleware-endpoint': 2.0.5
+      '@smithy/middleware-retry': 2.0.5
+      '@smithy/middleware-serde': 2.0.5
+      '@smithy/middleware-stack': 2.0.0
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/node-http-handler': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/smithy-client': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      '@smithy/util-base64': 2.0.0
+      '@smithy/util-body-length-browser': 2.0.0
+      '@smithy/util-body-length-node': 2.1.0
+      '@smithy/util-defaults-mode-browser': 2.0.5
+      '@smithy/util-defaults-mode-node': 2.0.5
+      '@smithy/util-retry': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/client-sso@3.398.0:
+    resolution: {integrity: sha512-CygL0jhfibw4kmWXG/3sfZMFNjcXo66XUuPC4BqZBk8Rj5vFoxp1vZeMkDLzTIk97Nvo5J5Bh+QnXKhub6AckQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-crypto/sha256-browser': 3.0.0
+      '@aws-crypto/sha256-js': 3.0.0
+      '@aws-sdk/middleware-host-header': 3.398.0
+      '@aws-sdk/middleware-logger': 3.398.0
+      '@aws-sdk/middleware-recursion-detection': 3.398.0
+      '@aws-sdk/middleware-user-agent': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-endpoints': 3.398.0
+      '@aws-sdk/util-user-agent-browser': 3.398.0
+      '@aws-sdk/util-user-agent-node': 3.398.0
+      '@smithy/config-resolver': 2.0.5
+      '@smithy/fetch-http-handler': 2.0.5
+      '@smithy/hash-node': 2.0.5
+      '@smithy/invalid-dependency': 2.0.5
+      '@smithy/middleware-content-length': 2.0.5
+      '@smithy/middleware-endpoint': 2.0.5
+      '@smithy/middleware-retry': 2.0.5
+      '@smithy/middleware-serde': 2.0.5
+      '@smithy/middleware-stack': 2.0.0
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/node-http-handler': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/smithy-client': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      '@smithy/util-base64': 2.0.0
+      '@smithy/util-body-length-browser': 2.0.0
+      '@smithy/util-body-length-node': 2.1.0
+      '@smithy/util-defaults-mode-browser': 2.0.5
+      '@smithy/util-defaults-mode-node': 2.0.5
+      '@smithy/util-retry': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/client-sts@3.398.0:
+    resolution: {integrity: sha512-/3Pa9wLMvBZipKraq3AtbmTfXW6q9kyvhwOno64f1Fz7kFb8ijQFMGoATS70B2pGEZTlxkUqJFWDiisT6Q6dFg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-crypto/sha256-browser': 3.0.0
+      '@aws-crypto/sha256-js': 3.0.0
+      '@aws-sdk/credential-provider-node': 3.398.0
+      '@aws-sdk/middleware-host-header': 3.398.0
+      '@aws-sdk/middleware-logger': 3.398.0
+      '@aws-sdk/middleware-recursion-detection': 3.398.0
+      '@aws-sdk/middleware-sdk-sts': 3.398.0
+      '@aws-sdk/middleware-signing': 3.398.0
+      '@aws-sdk/middleware-user-agent': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-endpoints': 3.398.0
+      '@aws-sdk/util-user-agent-browser': 3.398.0
+      '@aws-sdk/util-user-agent-node': 3.398.0
+      '@smithy/config-resolver': 2.0.5
+      '@smithy/fetch-http-handler': 2.0.5
+      '@smithy/hash-node': 2.0.5
+      '@smithy/invalid-dependency': 2.0.5
+      '@smithy/middleware-content-length': 2.0.5
+      '@smithy/middleware-endpoint': 2.0.5
+      '@smithy/middleware-retry': 2.0.5
+      '@smithy/middleware-serde': 2.0.5
+      '@smithy/middleware-stack': 2.0.0
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/node-http-handler': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/smithy-client': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      '@smithy/util-base64': 2.0.0
+      '@smithy/util-body-length-browser': 2.0.0
+      '@smithy/util-body-length-node': 2.1.0
+      '@smithy/util-defaults-mode-browser': 2.0.5
+      '@smithy/util-defaults-mode-node': 2.0.5
+      '@smithy/util-retry': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      fast-xml-parser: 4.2.5
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-cognito-identity@3.398.0:
+    resolution: {integrity: sha512-MFUhy1YayHg5ypRTk4OTfDumQRP+OJBagaGv14kA8DzhKH1sNrU4HV7A7y2J4SvkN5hG/KnLJqxpakCtB2/O2g==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/client-cognito-identity': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-env@3.398.0:
+    resolution: {integrity: sha512-Z8Yj5z7FroAsR6UVML+XUdlpoqEe9Dnle8c2h8/xWwIC2feTfIBhjLhRVxfbpbM1pLgBSNEcZ7U8fwq5l7ESVQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-ini@3.398.0:
+    resolution: {integrity: sha512-AsK1lStK3nB9Cn6S6ODb1ktGh7SRejsNVQVKX3t5d3tgOaX+aX1Iwy8FzM/ZEN8uCloeRifUGIY9uQFygg5mSw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/credential-provider-env': 3.398.0
+      '@aws-sdk/credential-provider-process': 3.398.0
+      '@aws-sdk/credential-provider-sso': 3.398.0
+      '@aws-sdk/credential-provider-web-identity': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/credential-provider-imds': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-node@3.398.0:
+    resolution: {integrity: sha512-odmI/DSKfuWUYeDnGTCEHBbC8/MwnF6yEq874zl6+owoVv0ZsYP8qBHfiJkYqrwg7wQ7Pi40sSAPC1rhesGwzg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/credential-provider-env': 3.398.0
+      '@aws-sdk/credential-provider-ini': 3.398.0
+      '@aws-sdk/credential-provider-process': 3.398.0
+      '@aws-sdk/credential-provider-sso': 3.398.0
+      '@aws-sdk/credential-provider-web-identity': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/credential-provider-imds': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-process@3.398.0:
+    resolution: {integrity: sha512-WrkBL1W7TXN508PA9wRXPFtzmGpVSW98gDaHEaa8GolAPHMPa5t2QcC/z/cFpglzrcVv8SA277zu9Z8tELdZhg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-sso@3.398.0:
+    resolution: {integrity: sha512-2Dl35587xbnzR/GGZqA2MnFs8+kS4wbHQO9BioU0okA+8NRueohNMdrdQmQDdSNK4BfIpFspiZmFkXFNyEAfgw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/client-sso': 3.398.0
+      '@aws-sdk/token-providers': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-provider-web-identity@3.398.0:
+    resolution: {integrity: sha512-iG3905Alv9pINbQ8/MIsshgqYMbWx+NDQWpxbIW3W0MkSH3iAqdVpSCteYidYX9G/jv2Um1nW3y360ib20bvNg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/credential-providers@3.398.0:
+    resolution: {integrity: sha512-355vXmImn2e85mIWSYDVb101AF2lIVHKNCaH6sV1U/8i0ZOXh2cJYNdkRYrxNt1ezDB0k97lSKvuDx7RDvJyRg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/client-cognito-identity': 3.398.0
+      '@aws-sdk/client-sso': 3.398.0
+      '@aws-sdk/client-sts': 3.398.0
+      '@aws-sdk/credential-provider-cognito-identity': 3.398.0
+      '@aws-sdk/credential-provider-env': 3.398.0
+      '@aws-sdk/credential-provider-ini': 3.398.0
+      '@aws-sdk/credential-provider-node': 3.398.0
+      '@aws-sdk/credential-provider-process': 3.398.0
+      '@aws-sdk/credential-provider-sso': 3.398.0
+      '@aws-sdk/credential-provider-web-identity': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/credential-provider-imds': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-host-header@3.398.0:
+    resolution: {integrity: sha512-m+5laWdBaxIZK2ko0OwcCHJZJ5V1MgEIt8QVQ3k4/kOkN9ICjevOYmba751pHoTnbOYB7zQd6D2OT3EYEEsUcA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-logger@3.398.0:
+    resolution: {integrity: sha512-CiJjW+FL12elS6Pn7/UVjVK8HWHhXMfvHZvOwx/Qkpy340sIhkuzOO6fZEruECDTZhl2Wqn81XdJ1ZQ4pRKpCg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-recursion-detection@3.398.0:
+    resolution: {integrity: sha512-7QpOqPQAZNXDXv6vsRex4R8dLniL0E/80OPK4PPFsrCh9btEyhN9Begh4i1T+5lL28hmYkztLOkTQ2N5J3hgRQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-sdk-sts@3.398.0:
+    resolution: {integrity: sha512-+JH76XHEgfVihkY+GurohOQ5Z83zVN1nYcQzwCFnCDTh4dG4KwhnZKG+WPw6XJECocY0R+H0ivofeALHvVWJtQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/middleware-signing': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-signing@3.398.0:
+    resolution: {integrity: sha512-O0KqXAix1TcvZBFt1qoFkHMUNJOSgjJTYS7lFTRKSwgsD27bdW2TM2r9R8DAccWFt5Amjkdt+eOwQMIXPGTm8w==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/property-provider': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/signature-v4': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/util-middleware': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/middleware-user-agent@3.398.0:
+    resolution: {integrity: sha512-nF1jg0L+18b5HvTcYzwyFgfZQQMELJINFqI0mi4yRKaX7T5a3aGp5RVLGGju/6tAGTuFbfBoEhkhU3kkxexPYQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-endpoints': 3.398.0
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/token-providers@3.398.0:
+    resolution: {integrity: sha512-nrYgjzavGCKJL/48Vt0EL+OlIc5UZLfNGpgyUW9cv3XZwl+kXV0QB+HH0rHZZLfpbBgZ2RBIJR9uD5ieu/6hpQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-crypto/sha256-browser': 3.0.0
+      '@aws-crypto/sha256-js': 3.0.0
+      '@aws-sdk/middleware-host-header': 3.398.0
+      '@aws-sdk/middleware-logger': 3.398.0
+      '@aws-sdk/middleware-recursion-detection': 3.398.0
+      '@aws-sdk/middleware-user-agent': 3.398.0
+      '@aws-sdk/types': 3.398.0
+      '@aws-sdk/util-endpoints': 3.398.0
+      '@aws-sdk/util-user-agent-browser': 3.398.0
+      '@aws-sdk/util-user-agent-node': 3.398.0
+      '@smithy/config-resolver': 2.0.5
+      '@smithy/fetch-http-handler': 2.0.5
+      '@smithy/hash-node': 2.0.5
+      '@smithy/invalid-dependency': 2.0.5
+      '@smithy/middleware-content-length': 2.0.5
+      '@smithy/middleware-endpoint': 2.0.5
+      '@smithy/middleware-retry': 2.0.5
+      '@smithy/middleware-serde': 2.0.5
+      '@smithy/middleware-stack': 2.0.0
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/node-http-handler': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/smithy-client': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      '@smithy/util-base64': 2.0.0
+      '@smithy/util-body-length-browser': 2.0.0
+      '@smithy/util-body-length-node': 2.1.0
+      '@smithy/util-defaults-mode-browser': 2.0.5
+      '@smithy/util-defaults-mode-node': 2.0.5
+      '@smithy/util-retry': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    transitivePeerDependencies:
+      - aws-crt
+    dev: false
+    optional: true
+
+  /@aws-sdk/types@3.398.0:
+    resolution: {integrity: sha512-r44fkS+vsEgKCuEuTV+TIk0t0m5ZlXHNjSDYEUvzLStbbfUFiNus/YG4UCa0wOk9R7VuQI67badsvvPeVPCGDQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/util-endpoints@3.398.0:
+    resolution: {integrity: sha512-Fy0gLYAei/Rd6BrXG4baspCnWTUSd0NdokU1pZh4KlfEAEN1i8SPPgfiO5hLk7+2inqtCmqxVJlfqbMVe9k4bw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/util-locate-window@3.310.0:
+    resolution: {integrity: sha512-qo2t/vBTnoXpjKxlsC2e1gBrRm80M3bId27r0BRB2VniSSe7bL1mmzM+/HFtujm0iAxtPM+aLEflLJlJeDPg0w==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/util-user-agent-browser@3.398.0:
+    resolution: {integrity: sha512-A3Tzx1tkDHlBT+IgxmsMCHbV8LM7SwwCozq2ZjJRx0nqw3MCrrcxQFXldHeX/gdUMO+0Oocb7HGSnVODTq+0EA==}
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/types': 2.2.2
+      bowser: 2.11.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/util-user-agent-node@3.398.0:
+    resolution: {integrity: sha512-RTVQofdj961ej4//fEkppFf4KXqKGMTCqJYghx3G0C/MYXbg7MGl7LjfNGtJcboRE8pfHHQ/TUWBDA7RIAPPlQ==}
+    engines: {node: '>=14.0.0'}
+    peerDependencies:
+      aws-crt: '>=1.0.0'
+    peerDependenciesMeta:
+      aws-crt:
+        optional: true
+    dependencies:
+      '@aws-sdk/types': 3.398.0
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@aws-sdk/util-utf8-browser@3.259.0:
+    resolution: {integrity: sha512-UvFa/vR+e19XookZF8RzFZBrw2EUkQWxiBW0yYQAhvk3C+QVGl0H3ouca8LDBlBfQKXwmW3huo/59H8rwb1wJw==}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
   /@azure/abort-controller@1.1.0:
     resolution: {integrity: sha512-TrRLIoSQVzfAJX9H1JeFjzAoDGcoK1IYX1UImfceTZpsyYfWr09Ss1aHW1y5TrrR3iq6RZLBwJ3E24uwPhwahw==}
     engines: {node: '>=12.0.0'}
@@ -4077,6 +4579,13 @@ packages:
     resolution: {integrity: sha512-M/BexG/p05C5lFfMunxo/QcgIJnMT2vDVCd00wNqK2ImZONIlEETZwWJu1QtLxtmYlSHlCFl3JNzp0tLe7OJ5g==}
     dev: true
 
+  /@mongodb-js/saslprep@1.1.0:
+    resolution: {integrity: sha512-Xfijy7HvfzzqiOAhAepF4SGN5e9leLkMvg/OPOF97XemjfVCYN/oWa75wnkc6mltMSTwY+XlbhWgUOJmkFspSw==}
+    dependencies:
+      sparse-bitfield: 3.0.3
+    dev: false
+    optional: true
+
   /@msgpackr-extract/msgpackr-extract-darwin-arm64@2.2.0:
     resolution: {integrity: sha512-Z9LFPzfoJi4mflGWV+rv7o7ZbMU5oAU9VmzCgL240KnqDW65Y2HFCT3MW06/ITJSnbVLacmcEJA8phywK7JinQ==}
     cpu: [arm64]
@@ -4132,6 +4641,15 @@ packages:
       - '@lezer/common'
     dev: false
 
+  /@n8n/vm2@3.9.19:
+    resolution: {integrity: sha512-KmrkVqri7VG+GQ2JbJ2/2gyEmVkysxzoJUF+zdtqBZLU8GN9UDwAnjzUOUgpD0dCRd1SUVLqwM4GpjOeca4XZw==}
+    engines: {node: '>=18.10', pnpm: '>=8.6.12'}
+    hasBin: true
+    dependencies:
+      acorn: 8.10.0
+      acorn-walk: 8.2.0
+    dev: false
+
   /@n8n_io/license-sdk@2.4.0:
     resolution: {integrity: sha512-99kuCVH4NcBi4nyn/WIpd6KSIMLk/pbBks0zr8bC65ALKj0se7/2MwC6N+WwGkG7NqH0kMdGe/7Y5KnJkMTefg==}
     engines: {node: '>=14.0.0', npm: '>=7.10.0'}
@@ -4416,12 +4934,45 @@ packages:
     engines: {node: '>=8.0.0'}
     dev: false
 
+  /@otplib/core@12.0.1:
+    resolution: {integrity: sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA==}
+    dev: true
+
+  /@otplib/plugin-crypto@12.0.1:
+    resolution: {integrity: sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==}
+    dependencies:
+      '@otplib/core': 12.0.1
+    dev: true
+
+  /@otplib/plugin-thirty-two@12.0.1:
+    resolution: {integrity: sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==}
+    dependencies:
+      '@otplib/core': 12.0.1
+      thirty-two: 1.0.2
+    dev: true
+
+  /@otplib/preset-default@12.0.1:
+    resolution: {integrity: sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==}
+    dependencies:
+      '@otplib/core': 12.0.1
+      '@otplib/plugin-crypto': 12.0.1
+      '@otplib/plugin-thirty-two': 12.0.1
+    dev: true
+
+  /@otplib/preset-v11@12.0.1:
+    resolution: {integrity: sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==}
+    dependencies:
+      '@otplib/core': 12.0.1
+      '@otplib/plugin-crypto': 12.0.1
+      '@otplib/plugin-thirty-two': 12.0.1
+    dev: true
+
   /@pinia/testing@0.1.3(pinia@2.1.6)(vue@3.3.4):
     resolution: {integrity: sha512-D2Ds2s69kKFaRf2KCcP1NhNZEg5+we59aRyQalwRm7ygWfLM25nDH66267U3hNvRUOTx8ofL24GzodZkOmB5xw==}
     peerDependencies:
       pinia: '>=2.1.5'
     dependencies:
-      pinia: 2.1.6(typescript@5.1.6)(vue@3.3.4)
+      pinia: 2.1.6(typescript@5.2.2)(vue@3.3.4)
       vue-demi: 0.14.5(vue@3.3.4)
     transitivePeerDependencies:
       - '@vue/composition-api'
@@ -4585,76 +5136,449 @@ packages:
       - supports-color
     dev: true
 
-  /@sentry/types@7.28.1:
-    resolution: {integrity: sha512-DvSplMVrVEmOzR2M161V5+B8Up3vR71xMqJOpWTzE9TqtFJRGPtqT/5OBsNJJw1+/j2ssMcnKwbEo9Q2EGeS6g==}
-    engines: {node: '>=8'}
+  /@sentry/types@7.28.1:
+    resolution: {integrity: sha512-DvSplMVrVEmOzR2M161V5+B8Up3vR71xMqJOpWTzE9TqtFJRGPtqT/5OBsNJJw1+/j2ssMcnKwbEo9Q2EGeS6g==}
+    engines: {node: '>=8'}
+    dev: false
+
+  /@sentry/types@7.60.1:
+    resolution: {integrity: sha512-8lKKSCOhZ953cWxwnfZwoR3ZFFlZG4P3PQFTaFt/u4LxLh/0zYbdtgvtUqXRURjMCi5P6ddeE9Uw9FGnTJCsTw==}
+    engines: {node: '>=8'}
+    dev: true
+
+  /@sentry/utils@7.28.1:
+    resolution: {integrity: sha512-75/jzLUO9HH09iC9TslNimGbxOP3jgn89P+q7uR+rp2fJfRExHVeKJZQdK0Ij4/SmE7TJ3Uh2r154N0INZEx1g==}
+    engines: {node: '>=8'}
+    dependencies:
+      '@sentry/types': 7.28.1
+      tslib: 2.6.1
+    dev: false
+
+  /@sentry/utils@7.60.1:
+    resolution: {integrity: sha512-ik+5sKGBx4DWuvf6UUKPSafaDiASxP+Xvjg3C9ppop2I/JWxP1FfZ5g22n5ZmPmNahD6clTSoTWly8qyDUlUOw==}
+    engines: {node: '>=8'}
+    dependencies:
+      '@sentry/types': 7.60.1
+      tslib: 2.6.1
+    dev: true
+
+  /@sentry/vite-plugin@2.5.0:
+    resolution: {integrity: sha512-u5lfIysy6UVzUGn/adyDcRXfzFyip4mLGThTnKeOeA9rCgmJUVnErH8TD8xhTKdpq/MBiQ+KqrC6xG9pKCa96g==}
+    engines: {node: '>= 14'}
+    dependencies:
+      '@sentry/bundler-plugin-core': 2.5.0
+      unplugin: 1.0.1
+    transitivePeerDependencies:
+      - encoding
+      - supports-color
+    dev: true
+
+  /@sideway/address@4.1.4:
+    resolution: {integrity: sha512-7vwq+rOHVWjyXxVlR76Agnvhy8I9rpzjosTESvmhNeXOXdZZB15Fl+TI9x1SiHZH5Jv2wTGduSxFDIaq0m3DUw==}
+    dependencies:
+      '@hapi/hoek': 9.3.0
+    dev: true
+
+  /@sideway/formula@3.0.0:
+    resolution: {integrity: sha512-vHe7wZ4NOXVfkoRb8T5otiENVlT7a3IAiw7H5M2+GO+9CDgcVUUsX1zalAztCmwyOr2RUTGJdgB+ZvSVqmdHmg==}
+    dev: true
+
+  /@sideway/pinpoint@2.0.0:
+    resolution: {integrity: sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ==}
+    dev: true
+
+  /@sinclair/typebox@0.25.21:
+    resolution: {integrity: sha512-gFukHN4t8K4+wVC+ECqeqwzBDeFeTzBXroBTqE6vcWrQGbEUpHO7LYdG0f4xnvYq4VOEwITSlHlp0JBAIFMS/g==}
+    dev: true
+
+  /@sinclair/typebox@0.27.8:
+    resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==}
+    dev: true
+
+  /@sinonjs/commons@2.0.0:
+    resolution: {integrity: sha512-uLa0j859mMrg2slwQYdO/AkrOfmH+X6LTVmNTS9CqexuE2IvVORIkSpJLqePAbEnKJ77aMmCwr1NUZ57120Xcg==}
+    dependencies:
+      type-detect: 4.0.8
+    dev: true
+
+  /@sinonjs/fake-timers@10.0.2:
+    resolution: {integrity: sha512-SwUDyjWnah1AaNl7kxsa7cfLhlTYoiyhDAIgyh+El30YvXs/o7OLXpYH88Zdhyx9JExKrmHDJ+10bwIcY80Jmw==}
+    dependencies:
+      '@sinonjs/commons': 2.0.0
+    dev: true
+
+  /@smithy/abort-controller@2.0.5:
+    resolution: {integrity: sha512-byVZ2KWLMPYAZGKjRpniAzLcygJO4ruClZKdJTuB0eCB76ONFTdptBHlviHpAZXknRz7skYWPfcgO9v30A1SyA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/config-resolver@2.0.5:
+    resolution: {integrity: sha512-n0c2AXz+kjALY2FQr7Zy9zhYigXzboIh1AuUUVCqFBKFtdEvTwnwPXrTDoEehLiRTUHNL+4yzZ3s+D0kKYSLSg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      '@smithy/util-config-provider': 2.0.0
+      '@smithy/util-middleware': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/credential-provider-imds@2.0.5:
+    resolution: {integrity: sha512-KFcf/e0meFkQNyteJ65f1G19sgUEY1e5zL7hyAEUPz2SEfBmC9B37WyRq87G3MEEsvmAWwCRu7nFFYUKtR3svQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/eventstream-codec@2.0.5:
+    resolution: {integrity: sha512-iqR6OuOV3zbQK8uVs9o+9AxhVk8kW9NAxA71nugwUB+kTY9C35pUd0A5/m4PRT0Y0oIW7W4kgnSR3fdYXQjECw==}
+    dependencies:
+      '@aws-crypto/crc32': 3.0.0
+      '@smithy/types': 2.2.2
+      '@smithy/util-hex-encoding': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/fetch-http-handler@2.0.5:
+    resolution: {integrity: sha512-EzFoMowdBNy1VqtvkiXgPFEdosIAt4/4bgZ8uiDiUyfhmNXq/3bV+CagPFFBsgFOR/X2XK4zFZHRsoa7PNHVVg==}
+    dependencies:
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/querystring-builder': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/util-base64': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/hash-node@2.0.5:
+    resolution: {integrity: sha512-mk551hIywBITT+kXruRNXk7f8Fy7DTzBjZJSr/V6nolYKmUHIG3w5QU6nO9qPYEQGKc/yEPtkpdS28ndeG93lA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      '@smithy/util-buffer-from': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/invalid-dependency@2.0.5:
+    resolution: {integrity: sha512-0wEi+JT0hM+UUwrJVYbqjuGFhy5agY/zXyiN7BNAJ1XoCDjU5uaNSj8ekPWsXd/d4yM6NSe8UbPd8cOc1+3oBQ==}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/is-array-buffer@2.0.0:
+    resolution: {integrity: sha512-z3PjFjMyZNI98JFRJi/U0nGoLWMSJlDjAW4QUX2WNZLas5C0CmVV6LJ01JI0k90l7FvpmixjWxPFmENSClQ7ug==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/middleware-content-length@2.0.5:
+    resolution: {integrity: sha512-E7VwV5H02fgZIUGRli4GevBCAPvkyEI/fgl9SU47nPPi3DAAX3nEtUb8xfGbXjOcJ5BdSUoWWZn42tEd/blOqA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/middleware-endpoint@2.0.5:
+    resolution: {integrity: sha512-tyzDuoNTbsMQCq5Xkc4QOt6e2GACUllQIV8SQ5fc59FtOIV9/vbf58/GxVjZm2o8+MMbdDBANjTDZe/ijZKfyA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/middleware-serde': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/url-parser': 2.0.5
+      '@smithy/util-middleware': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/middleware-retry@2.0.5:
+    resolution: {integrity: sha512-ulIfbFyzQTVnJbLjUl1CTSi0etg6tej/ekwaLp0Gn8ybUkDkKYa+uB6CF/m2J5B6meRwyJlsryR+DjaOVyiicg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/service-error-classification': 2.0.0
+      '@smithy/types': 2.2.2
+      '@smithy/util-middleware': 2.0.0
+      '@smithy/util-retry': 2.0.0
+      tslib: 2.6.1
+      uuid: 8.3.2
+    dev: false
+    optional: true
+
+  /@smithy/middleware-serde@2.0.5:
+    resolution: {integrity: sha512-in0AA5sous74dOfTGU9rMJBXJ0bDVNxwdXtEt5lh3FVd2sEyjhI+rqpLLRF1E4ixbw3RSEf80hfRpcPdjg4vvQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/middleware-stack@2.0.0:
+    resolution: {integrity: sha512-31XC1xNF65nlbc16yuh3wwTudmqs6qy4EseQUGF8A/p2m/5wdd/cnXJqpniy/XvXVwkHPz/GwV36HqzHtIKATQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/node-config-provider@2.0.5:
+    resolution: {integrity: sha512-LRtjV9WkhONe2lVy+ipB/l1GX60ybzBmFyeRUoLUXWKdnZ3o81jsnbKzMK8hKq8eFSWPk+Lmyx6ZzCQabGeLxg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/property-provider': 2.0.5
+      '@smithy/shared-ini-file-loader': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/node-http-handler@2.0.5:
+    resolution: {integrity: sha512-lZm5DZf4b3V0saUw9WTC4/du887P6cy2fUyQgQQKRRV6OseButyD5yTzeMmXE53CaXJBMBsUvvIQ0hRVxIq56w==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/abort-controller': 2.0.5
+      '@smithy/protocol-http': 2.0.5
+      '@smithy/querystring-builder': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/property-provider@2.0.5:
+    resolution: {integrity: sha512-cAFSUhX6aiHcmpWfrCLKvwBtgN1F6A0N8qY/8yeSi0LRLmhGqsY1/YTxFE185MCVzYbqBGXVr9TBv4RUcIV4rA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/protocol-http@2.0.5:
+    resolution: {integrity: sha512-d2hhHj34mA2V86doiDfrsy2fNTnUOowGaf9hKb0hIPHqvcnShU4/OSc4Uf1FwHkAdYF3cFXTrj5VGUYbEuvMdw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/querystring-builder@2.0.5:
+    resolution: {integrity: sha512-4DCX9krxLzATj+HdFPC3i8pb7XTAWzzKqSw8aTZMjXjtQY+vhe4azMAqIvbb6g7JKwIkmkRAjK6EXO3YWSnJVQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      '@smithy/util-uri-escape': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/querystring-parser@2.0.5:
+    resolution: {integrity: sha512-C2stCULH0r54KBksv3AWcN8CLS3u9+WsEW8nBrvctrJ5rQTNa1waHkffpVaiKvcW2nP0aIMBPCobD/kYf/q9mA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/service-error-classification@2.0.0:
+    resolution: {integrity: sha512-2z5Nafy1O0cTf69wKyNjGW/sNVMiqDnb4jgwfMG8ye8KnFJ5qmJpDccwIbJNhXIfbsxTg9SEec2oe1cexhMJvw==}
+    engines: {node: '>=14.0.0'}
+    dev: false
+    optional: true
+
+  /@smithy/shared-ini-file-loader@2.0.5:
+    resolution: {integrity: sha512-Mvtk6FwMtfbKRC4YuSsIqRYp9WTxsSUJVVo2djgyhcacKGMqicHDWSAmgy3sDrKv+G/G6xTZCPwm6pJARtdxVg==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/signature-v4@2.0.5:
+    resolution: {integrity: sha512-ABIzXmUDXK4n2c9cXjQLELgH2RdtABpYKT+U131e2I6RbCypFZmxIHmIBufJzU2kdMCQ3+thBGDWorAITFW04A==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/eventstream-codec': 2.0.5
+      '@smithy/is-array-buffer': 2.0.0
+      '@smithy/types': 2.2.2
+      '@smithy/util-hex-encoding': 2.0.0
+      '@smithy/util-middleware': 2.0.0
+      '@smithy/util-uri-escape': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/smithy-client@2.0.5:
+    resolution: {integrity: sha512-kCTFr8wfOAWKDzGvfBElc6shHigWtHNhMQ1IbosjC4jOlayFyZMSs2PysKB+Ox/dhQ41KqOzgVjgiQ+PyWqHMQ==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/middleware-stack': 2.0.0
+      '@smithy/types': 2.2.2
+      '@smithy/util-stream': 2.0.5
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/types@2.2.2:
+    resolution: {integrity: sha512-4PS0y1VxDnELGHGgBWlDksB2LJK8TG8lcvlWxIsgR+8vROI7Ms8h1P4FQUx+ftAX2QZv5g1CJCdhdRmQKyonyw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/url-parser@2.0.5:
+    resolution: {integrity: sha512-OdMBvZhpckQSkugCXNJQCvqJ71wE7Ftxce92UOQLQ9pwF6hoS5PLL7wEfpnuEXtStzBqJYkzu1C1ZfjuFGOXAA==}
+    dependencies:
+      '@smithy/querystring-parser': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/util-base64@2.0.0:
+    resolution: {integrity: sha512-Zb1E4xx+m5Lud8bbeYi5FkcMJMnn+1WUnJF3qD7rAdXpaL7UjkFQLdmW5fHadoKbdHpwH9vSR8EyTJFHJs++tA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/util-buffer-from': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
+
+  /@smithy/util-body-length-browser@2.0.0:
+    resolution: {integrity: sha512-JdDuS4ircJt+FDnaQj88TzZY3+njZ6O+D3uakS32f2VNnDo3vyEuNdBOh/oFd8Df1zSZOuH1HEChk2AOYDezZg==}
+    dependencies:
+      tslib: 2.6.1
     dev: false
+    optional: true
 
-  /@sentry/types@7.60.1:
-    resolution: {integrity: sha512-8lKKSCOhZ953cWxwnfZwoR3ZFFlZG4P3PQFTaFt/u4LxLh/0zYbdtgvtUqXRURjMCi5P6ddeE9Uw9FGnTJCsTw==}
-    engines: {node: '>=8'}
-    dev: true
+  /@smithy/util-body-length-node@2.1.0:
+    resolution: {integrity: sha512-/li0/kj/y3fQ3vyzn36NTLGmUwAICb7Jbe/CsWCktW363gh1MOcpEcSO3mJ344Gv2dqz8YJCLQpb6hju/0qOWw==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sentry/utils@7.28.1:
-    resolution: {integrity: sha512-75/jzLUO9HH09iC9TslNimGbxOP3jgn89P+q7uR+rp2fJfRExHVeKJZQdK0Ij4/SmE7TJ3Uh2r154N0INZEx1g==}
-    engines: {node: '>=8'}
+  /@smithy/util-buffer-from@2.0.0:
+    resolution: {integrity: sha512-/YNnLoHsR+4W4Vf2wL5lGv0ksg8Bmk3GEGxn2vEQt52AQaPSCuaO5PM5VM7lP1K9qHRKHwrPGktqVoAHKWHxzw==}
+    engines: {node: '>=14.0.0'}
     dependencies:
-      '@sentry/types': 7.28.1
+      '@smithy/is-array-buffer': 2.0.0
       tslib: 2.6.1
     dev: false
+    optional: true
 
-  /@sentry/utils@7.60.1:
-    resolution: {integrity: sha512-ik+5sKGBx4DWuvf6UUKPSafaDiASxP+Xvjg3C9ppop2I/JWxP1FfZ5g22n5ZmPmNahD6clTSoTWly8qyDUlUOw==}
-    engines: {node: '>=8'}
+  /@smithy/util-config-provider@2.0.0:
+    resolution: {integrity: sha512-xCQ6UapcIWKxXHEU4Mcs2s7LcFQRiU3XEluM2WcCjjBtQkUN71Tb+ydGmJFPxMUrW/GWMgQEEGipLym4XG0jZg==}
+    engines: {node: '>=14.0.0'}
     dependencies:
-      '@sentry/types': 7.60.1
       tslib: 2.6.1
-    dev: true
+    dev: false
+    optional: true
 
-  /@sentry/vite-plugin@2.5.0:
-    resolution: {integrity: sha512-u5lfIysy6UVzUGn/adyDcRXfzFyip4mLGThTnKeOeA9rCgmJUVnErH8TD8xhTKdpq/MBiQ+KqrC6xG9pKCa96g==}
-    engines: {node: '>= 14'}
+  /@smithy/util-defaults-mode-browser@2.0.5:
+    resolution: {integrity: sha512-yciP6TPttLsj731aHTvekgyuCGXQrEAJibEwEWAh3kzaDsfGAVCuZSBlyvC2Dl3TZmHKCOQwHV8mIE7KQCTPuQ==}
+    engines: {node: '>= 10.0.0'}
     dependencies:
-      '@sentry/bundler-plugin-core': 2.5.0
-      unplugin: 1.0.1
-    transitivePeerDependencies:
-      - encoding
-      - supports-color
-    dev: true
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      bowser: 2.11.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sideway/address@4.1.4:
-    resolution: {integrity: sha512-7vwq+rOHVWjyXxVlR76Agnvhy8I9rpzjosTESvmhNeXOXdZZB15Fl+TI9x1SiHZH5Jv2wTGduSxFDIaq0m3DUw==}
+  /@smithy/util-defaults-mode-node@2.0.5:
+    resolution: {integrity: sha512-M07t99rWasXt+IaDZDyP3BkcoEm/mgIE1RIMASrE49LKSNxaVN7PVcgGc77+4uu2kzBAyqJKy79pgtezuknyjQ==}
+    engines: {node: '>= 10.0.0'}
     dependencies:
-      '@hapi/hoek': 9.3.0
-    dev: true
+      '@smithy/config-resolver': 2.0.5
+      '@smithy/credential-provider-imds': 2.0.5
+      '@smithy/node-config-provider': 2.0.5
+      '@smithy/property-provider': 2.0.5
+      '@smithy/types': 2.2.2
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sideway/formula@3.0.0:
-    resolution: {integrity: sha512-vHe7wZ4NOXVfkoRb8T5otiENVlT7a3IAiw7H5M2+GO+9CDgcVUUsX1zalAztCmwyOr2RUTGJdgB+ZvSVqmdHmg==}
-    dev: true
+  /@smithy/util-hex-encoding@2.0.0:
+    resolution: {integrity: sha512-c5xY+NUnFqG6d7HFh1IFfrm3mGl29lC+vF+geHv4ToiuJCBmIfzx6IeHLg+OgRdPFKDXIw6pvi+p3CsscaMcMA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sideway/pinpoint@2.0.0:
-    resolution: {integrity: sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ==}
-    dev: true
+  /@smithy/util-middleware@2.0.0:
+    resolution: {integrity: sha512-eCWX4ECuDHn1wuyyDdGdUWnT4OGyIzV0LN1xRttBFMPI9Ff/4heSHVxneyiMtOB//zpXWCha1/SWHJOZstG7kA==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sinclair/typebox@0.25.21:
-    resolution: {integrity: sha512-gFukHN4t8K4+wVC+ECqeqwzBDeFeTzBXroBTqE6vcWrQGbEUpHO7LYdG0f4xnvYq4VOEwITSlHlp0JBAIFMS/g==}
-    dev: true
+  /@smithy/util-retry@2.0.0:
+    resolution: {integrity: sha512-/dvJ8afrElasuiiIttRJeoS2sy8YXpksQwiM/TcepqdRVp7u4ejd9C4IQURHNjlfPUT7Y6lCDSa2zQJbdHhVTg==}
+    engines: {node: '>= 14.0.0'}
+    dependencies:
+      '@smithy/service-error-classification': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sinclair/typebox@0.27.8:
-    resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==}
-    dev: true
+  /@smithy/util-stream@2.0.5:
+    resolution: {integrity: sha512-ylx27GwI05xLpYQ4hDIfS15vm+wYjNN0Sc2P0FxuzgRe8v0BOLHppGIQ+Bezcynk8C9nUzsUue3TmtRhjut43g==}
+    engines: {node: '>=14.0.0'}
+    dependencies:
+      '@smithy/fetch-http-handler': 2.0.5
+      '@smithy/node-http-handler': 2.0.5
+      '@smithy/types': 2.2.2
+      '@smithy/util-base64': 2.0.0
+      '@smithy/util-buffer-from': 2.0.0
+      '@smithy/util-hex-encoding': 2.0.0
+      '@smithy/util-utf8': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sinonjs/commons@2.0.0:
-    resolution: {integrity: sha512-uLa0j859mMrg2slwQYdO/AkrOfmH+X6LTVmNTS9CqexuE2IvVORIkSpJLqePAbEnKJ77aMmCwr1NUZ57120Xcg==}
+  /@smithy/util-uri-escape@2.0.0:
+    resolution: {integrity: sha512-ebkxsqinSdEooQduuk9CbKcI+wheijxEb3utGXkCoYQkJnwTnLbH1JXGimJtUkQwNQbsbuYwG2+aFVyZf5TLaw==}
+    engines: {node: '>=14.0.0'}
     dependencies:
-      type-detect: 4.0.8
-    dev: true
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
-  /@sinonjs/fake-timers@10.0.2:
-    resolution: {integrity: sha512-SwUDyjWnah1AaNl7kxsa7cfLhlTYoiyhDAIgyh+El30YvXs/o7OLXpYH88Zdhyx9JExKrmHDJ+10bwIcY80Jmw==}
+  /@smithy/util-utf8@2.0.0:
+    resolution: {integrity: sha512-rctU1VkziY84n5OXe3bPNpKR001ZCME2JCaBBFgtiM2hfKbHFudc/BkMuPab8hRbLd0j3vbnBTTZ1igBf0wgiQ==}
+    engines: {node: '>=14.0.0'}
     dependencies:
-      '@sinonjs/commons': 2.0.0
-    dev: true
+      '@smithy/util-buffer-from': 2.0.0
+      tslib: 2.6.1
+    dev: false
+    optional: true
 
   /@sqltools/formatter@1.2.5:
     resolution: {integrity: sha512-Uy0+khmZqUrUGm5dmMqVlnvufZRSK0FbYzVgp0UMstm+F5+W2/jnEEQyc9vo1ZR/E5ZI/B1WjjoTqBqwJL6Krw==}
@@ -5159,11 +6083,11 @@ packages:
       - supports-color
     dev: true
 
-  /@storybook/builder-vite@7.1.1(typescript@5.1.6)(vite@4.4.7):
+  /@storybook/builder-vite@7.1.1(typescript@5.2.2)(vite@4.4.7):
     resolution: {integrity: sha512-OIQv8V7r6fqBqAXQT9mqgu1aqP+wlFGDRACyS2iym5y5B3e6fhCOUS/31pBp3vmgNRK6LAfEI0FXI71aOp82MQ==}
     peerDependencies:
       '@preact/preset-vite': '*'
-      typescript: '>= 4.3.x'
+      typescript: ^5.2.2
       vite: ^3.0.0 || ^4.0.0
       vite-plugin-glimmerx: '*'
     peerDependenciesMeta:
@@ -5193,7 +6117,7 @@ packages:
       remark-external-links: 8.0.0
       remark-slug: 6.1.0
       rollup: 3.26.3
-      typescript: 5.1.6
+      typescript: 5.2.2
       vite: 4.4.7(less@4.1.3)(sass@1.64.1)
     transitivePeerDependencies:
       - encoding
@@ -5786,7 +6710,7 @@ packages:
       file-system-cache: 2.3.0
     dev: true
 
-  /@storybook/vue3-vite@7.1.1(@vue/compiler-core@3.3.4)(react-dom@18.2.0)(react@17.0.2)(typescript@5.1.6)(vite@4.4.7)(vue@3.3.4):
+  /@storybook/vue3-vite@7.1.1(@vue/compiler-core@3.3.4)(react-dom@18.2.0)(react@17.0.2)(typescript@5.2.2)(vite@4.4.7)(vue@3.3.4):
     resolution: {integrity: sha512-BHBDbxz8XjXBcVZjeb5JKrS4czNCGJixb2E0cRxM1ZbxrtWozk0ped153PrwJzK73M6y+MynAR5ySchD36MlwA==}
     engines: {node: ^14.18 || >=16}
     peerDependencies:
@@ -5794,7 +6718,7 @@ packages:
       react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0
       vite: ^3.0.0 || ^4.0.0
     dependencies:
-      '@storybook/builder-vite': 7.1.1(typescript@5.1.6)(vite@4.4.7)
+      '@storybook/builder-vite': 7.1.1(typescript@5.2.2)(vite@4.4.7)
       '@storybook/core-server': 7.1.1
       '@storybook/vue3': 7.1.1(@vue/compiler-core@3.3.4)(vue@3.3.4)
       '@vitejs/plugin-vue': 4.2.3(vite@4.4.7)(vue@3.3.4)
@@ -5918,6 +6842,7 @@ packages:
     resolution: {integrity: sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==}
     engines: {node: '>= 6'}
     dev: false
+    optional: true
 
   /@tootallnate/once@2.0.0:
     resolution: {integrity: sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==}
@@ -6674,11 +7599,12 @@ packages:
       '@types/webidl-conversions': 7.0.0
     dev: false
 
-  /@types/ws@8.5.4:
+  /@types/ws@8.5.4(patch_hash=nbzuqaoyqbrfwipijj5qriqqju):
     resolution: {integrity: sha512-zdQDHKUgcX/zBc4GrwsE/7dVdAD8JR4EuiAXiiUhhfyIJXXb2+PrGshFyeXWQPMmmZ2XxgaqclgpIC7eTXc1mg==}
     dependencies:
       '@types/node': 18.16.16
     dev: true
+    patched: true
 
   /@types/xml2js@0.4.11:
     resolution: {integrity: sha512-JdigeAKmCyoJUiQljjr7tQG3if9NkqGUgwEUqBvV0N7LM4HyQk7UXCnusRa1lnvXAEYJ8mw8GtZWioagNztOwA==}
@@ -6707,7 +7633,7 @@ packages:
     dev: true
     optional: true
 
-  /@typescript-eslint/eslint-plugin@5.59.5(@typescript-eslint/parser@5.59.5)(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/eslint-plugin@5.59.5(@typescript-eslint/parser@5.59.5)(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-feA9xbVRWJZor+AnLNAr7A8JRWeZqHUf4T9tlP+TN04b05pFVhO5eN7/O93Y/1OUlLMHKbnJisgDURs/qvtqdg==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
@@ -6719,23 +7645,23 @@ packages:
         optional: true
     dependencies:
       '@eslint-community/regexpp': 4.6.2
-      '@typescript-eslint/parser': 5.59.5(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/parser': 5.59.5(eslint@8.45.0)(typescript@5.2.2)
       '@typescript-eslint/scope-manager': 5.59.5
-      '@typescript-eslint/type-utils': 5.59.5(eslint@8.45.0)(typescript@5.1.6)
-      '@typescript-eslint/utils': 5.59.5(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/type-utils': 5.59.5(eslint@8.45.0)(typescript@5.2.2)
+      '@typescript-eslint/utils': 5.59.5(eslint@8.45.0)(typescript@5.2.2)
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
       grapheme-splitter: 1.0.4
       ignore: 5.2.4
       natural-compare-lite: 1.4.0
       semver: 7.5.4
-      tsutils: 3.21.0(typescript@5.1.6)
-      typescript: 5.1.6
+      tsutils: 3.21.0(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/eslint-plugin@6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/eslint-plugin@6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-rClGrMuyS/3j0ETa1Ui7s6GkLhfZGKZL3ZrChLeAiACBE/tRc1wq8SNZESUuluxhLj9FkUefRs2l6bCIArWBiQ==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6747,10 +7673,10 @@ packages:
         optional: true
     dependencies:
       '@eslint-community/regexpp': 4.6.2
-      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       '@typescript-eslint/scope-manager': 6.2.0
-      '@typescript-eslint/type-utils': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
-      '@typescript-eslint/utils': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/type-utils': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
+      '@typescript-eslint/utils': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       '@typescript-eslint/visitor-keys': 6.2.0
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
@@ -6759,13 +7685,13 @@ packages:
       natural-compare: 1.4.0
       natural-compare-lite: 1.4.0
       semver: 7.5.4
-      ts-api-utils: 1.0.1(typescript@5.1.6)
-      typescript: 5.1.6
+      ts-api-utils: 1.0.1(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/parser@5.59.5(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/parser@5.59.5(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-NJXQC4MRnF9N9yWqQE2/KLRSOLvrrlZb48NGVfBa+RuPMN6B7ZcK5jZOvhuygv4D64fRKnZI4L4p8+M+rfeQuw==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
@@ -6777,15 +7703,15 @@ packages:
     dependencies:
       '@typescript-eslint/scope-manager': 5.59.5
       '@typescript-eslint/types': 5.59.5
-      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.2.2)
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
-      typescript: 5.1.6
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/parser@6.2.0(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/parser@6.2.0(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-igVYOqtiK/UsvKAmmloQAruAdUHihsOCvplJpplPZ+3h4aDkC/UKZZNKgB6h93ayuYLuEymU3h8nF1xMRbh37g==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6797,11 +7723,11 @@ packages:
     dependencies:
       '@typescript-eslint/scope-manager': 6.2.0
       '@typescript-eslint/types': 6.2.0
-      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.2.2)
       '@typescript-eslint/visitor-keys': 6.2.0
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
-      typescript: 5.1.6
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -6830,7 +7756,7 @@ packages:
       '@typescript-eslint/visitor-keys': 6.3.0
     dev: true
 
-  /@typescript-eslint/type-utils@5.59.5(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/type-utils@5.59.5(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-4eyhS7oGym67/pSxA2mmNq7X164oqDYNnZCUayBwJZIRVvKpBCMBzFnFxjeoDeShjtO6RQBHBuwybuX3POnDqg==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
@@ -6840,17 +7766,17 @@ packages:
       typescript:
         optional: true
     dependencies:
-      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.1.6)
-      '@typescript-eslint/utils': 5.59.5(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.2.2)
+      '@typescript-eslint/utils': 5.59.5(eslint@8.45.0)(typescript@5.2.2)
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
-      tsutils: 3.21.0(typescript@5.1.6)
-      typescript: 5.1.6
+      tsutils: 3.21.0(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/type-utils@6.2.0(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/type-utils@6.2.0(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-DnGZuNU2JN3AYwddYIqrVkYW0uUQdv0AY+kz2M25euVNlujcN2u+rJgfJsBFlUEzBB6OQkUqSZPyuTLf2bP5mw==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6860,12 +7786,12 @@ packages:
       typescript:
         optional: true
     dependencies:
-      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.1.6)
-      '@typescript-eslint/utils': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.2.2)
+      '@typescript-eslint/utils': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       debug: 4.3.4(supports-color@8.1.1)
       eslint: 8.45.0
-      ts-api-utils: 1.0.1(typescript@5.1.6)
-      typescript: 5.1.6
+      ts-api-utils: 1.0.1(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -6885,7 +7811,7 @@ packages:
     engines: {node: ^16.0.0 || >=18.0.0}
     dev: true
 
-  /@typescript-eslint/typescript-estree@5.59.5(typescript@5.1.6):
+  /@typescript-eslint/typescript-estree@5.59.5(typescript@5.2.2):
     resolution: {integrity: sha512-+XXdLN2CZLZcD/mO7mQtJMvCkzRfmODbeSKuMY/yXbGkzvA9rJyDY5qDYNoiz2kP/dmyAxXquL2BvLQLJFPQIg==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
@@ -6900,13 +7826,13 @@ packages:
       globby: 11.1.0
       is-glob: 4.0.3
       semver: 7.5.4
-      tsutils: 3.21.0(typescript@5.1.6)
-      typescript: 5.1.6
+      tsutils: 3.21.0(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/typescript-estree@6.2.0(typescript@5.1.6):
+  /@typescript-eslint/typescript-estree@6.2.0(typescript@5.2.2):
     resolution: {integrity: sha512-Mts6+3HQMSM+LZCglsc2yMIny37IhUgp1Qe8yJUYVyO6rHP7/vN0vajKu3JvHCBIy8TSiKddJ/Zwu80jhnGj1w==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6921,13 +7847,13 @@ packages:
       globby: 11.1.0
       is-glob: 4.0.3
       semver: 7.5.4
-      ts-api-utils: 1.0.1(typescript@5.1.6)
-      typescript: 5.1.6
+      ts-api-utils: 1.0.1(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/typescript-estree@6.3.0(typescript@5.1.6):
+  /@typescript-eslint/typescript-estree@6.3.0(typescript@5.2.2):
     resolution: {integrity: sha512-Xh4NVDaC4eYKY4O3QGPuQNp5NxBAlEvNQYOqJquR2MePNxO11E5K3t5x4M4Mx53IZvtpW+mBxIT0s274fLUocg==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6942,13 +7868,13 @@ packages:
       globby: 11.1.0
       is-glob: 4.0.3
       semver: 7.5.4
-      ts-api-utils: 1.0.1(typescript@5.1.6)
-      typescript: 5.1.6
+      ts-api-utils: 1.0.1(typescript@5.2.2)
+      typescript: 5.2.2
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@typescript-eslint/utils@5.59.5(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/utils@5.59.5(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-sCEHOiw+RbyTii9c3/qN74hYDPNORb8yWCoPLmB7BIflhplJ65u2PBpdRla12e3SSTJ2erRkPjz7ngLHhUegxA==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
@@ -6959,7 +7885,7 @@ packages:
       '@types/semver': 7.5.0
       '@typescript-eslint/scope-manager': 5.59.5
       '@typescript-eslint/types': 5.59.5
-      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 5.59.5(typescript@5.2.2)
       eslint: 8.45.0
       eslint-scope: 5.1.1
       semver: 7.5.4
@@ -6968,7 +7894,7 @@ packages:
       - typescript
     dev: true
 
-  /@typescript-eslint/utils@6.2.0(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/utils@6.2.0(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-RCFrC1lXiX1qEZN8LmLrxYRhOkElEsPKTVSNout8DMzf8PeWoQG7Rxz2SadpJa3VSh5oYKGwt7j7X/VRg+Y3OQ==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6979,7 +7905,7 @@ packages:
       '@types/semver': 7.5.0
       '@typescript-eslint/scope-manager': 6.2.0
       '@typescript-eslint/types': 6.2.0
-      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 6.2.0(typescript@5.2.2)
       eslint: 8.45.0
       semver: 7.5.4
     transitivePeerDependencies:
@@ -6987,7 +7913,7 @@ packages:
       - typescript
     dev: true
 
-  /@typescript-eslint/utils@6.3.0(eslint@8.45.0)(typescript@5.1.6):
+  /@typescript-eslint/utils@6.3.0(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-hLLg3BZE07XHnpzglNBG8P/IXq/ZVXraEbgY7FM0Cnc1ehM8RMdn9mat3LubJ3KBeYXXPxV1nugWbQPjGeJk6Q==}
     engines: {node: ^16.0.0 || >=18.0.0}
     peerDependencies:
@@ -6998,7 +7924,7 @@ packages:
       '@types/semver': 7.5.0
       '@typescript-eslint/scope-manager': 6.3.0
       '@typescript-eslint/types': 6.3.0
-      '@typescript-eslint/typescript-estree': 6.3.0(typescript@5.1.6)
+      '@typescript-eslint/typescript-estree': 6.3.0(typescript@5.2.2)
       eslint: 8.45.0
       semver: 7.5.4
     transitivePeerDependencies:
@@ -7159,31 +8085,31 @@ packages:
   /@vue/devtools-api@6.5.0:
     resolution: {integrity: sha512-o9KfBeaBmCKl10usN4crU53fYtC1r7jJwdGKjPT24t348rHxgfpZ0xL3Xm/gLUYnc0oTp8LAmrxOeLyu6tbk2Q==}
 
-  /@vue/eslint-config-typescript@11.0.3(eslint-plugin-vue@9.15.1)(eslint@8.45.0)(typescript@5.1.6):
+  /@vue/eslint-config-typescript@11.0.3(eslint-plugin-vue@9.15.1)(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-dkt6W0PX6H/4Xuxg/BlFj5xHvksjpSlVjtkQCpaYJBIEuKj2hOVU7r+TIe+ysCwRYFz/lGqvklntRkCAibsbPw==}
     engines: {node: ^14.17.0 || >=16.0.0}
     peerDependencies:
       eslint: ^6.2.0 || ^7.0.0 || ^8.0.0
       eslint-plugin-vue: ^9.0.0
-      typescript: '*'
+      typescript: ^5.2.2
     peerDependenciesMeta:
       typescript:
         optional: true
     dependencies:
-      '@typescript-eslint/eslint-plugin': 5.59.5(@typescript-eslint/parser@5.59.5)(eslint@8.45.0)(typescript@5.1.6)
-      '@typescript-eslint/parser': 5.59.5(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/eslint-plugin': 5.59.5(@typescript-eslint/parser@5.59.5)(eslint@8.45.0)(typescript@5.2.2)
+      '@typescript-eslint/parser': 5.59.5(eslint@8.45.0)(typescript@5.2.2)
       eslint: 8.45.0
       eslint-plugin-vue: 9.15.1(eslint@8.45.0)
-      typescript: 5.1.6
+      typescript: 5.2.2
       vue-eslint-parser: 9.3.1(eslint@8.45.0)
     transitivePeerDependencies:
       - supports-color
     dev: true
 
-  /@vue/language-core@1.8.8(typescript@5.1.6):
+  /@vue/language-core@1.8.8(typescript@5.2.2):
     resolution: {integrity: sha512-i4KMTuPazf48yMdYoebTkgSOJdFraE4pQf0B+FTOFkbB+6hAfjrSou/UmYWRsWyZV6r4Rc6DDZdI39CJwL0rWw==}
     peerDependencies:
-      typescript: '*'
+      typescript: ^5.2.2
     peerDependenciesMeta:
       typescript:
         optional: true
@@ -7195,7 +8121,7 @@ packages:
       '@vue/shared': 3.3.4
       minimatch: 9.0.1
       muggle-string: 0.3.1
-      typescript: 5.1.6
+      typescript: 5.2.2
       vue-template-compiler: 2.7.14
     dev: true
 
@@ -7252,11 +8178,11 @@ packages:
       vue-component-type-helpers: 1.8.4
     dev: true
 
-  /@vue/typescript@1.8.8(typescript@5.1.6):
+  /@vue/typescript@1.8.8(typescript@5.2.2):
     resolution: {integrity: sha512-jUnmMB6egu5wl342eaUH236v8tdcEPXXkPgj+eI/F6JwW/lb+yAU6U07ZbQ3MVabZRlupIlPESB7ajgAGixhow==}
     dependencies:
       '@volar/typescript': 1.10.0
-      '@vue/language-core': 1.8.8(typescript@5.1.6)
+      '@vue/language-core': 1.8.8(typescript@5.2.2)
     transitivePeerDependencies:
       - typescript
     dev: true
@@ -7529,16 +8455,17 @@ packages:
     resolution: {integrity: sha512-F0SAmZ8iUtS//m8DmCTA0jlh6TDKkHQyK6xc6V4KDTyZKA9dnvX9/3sRTVQrWm79glUAZbnmmNcdYwUIHWVybw==}
     engines: {node: '>=0.4.0'}
     hasBin: true
-    dev: true
 
   /acorn@8.8.1:
     resolution: {integrity: sha512-7zFpHzhnqYKrkYdUjF1HI1bzd0VygEGX8lFk4k5zVMqHEoES+P+7TKI+EvLO9WVMJ8eekdO0aDEK044xTXwPPA==}
     engines: {node: '>=0.4.0'}
     hasBin: true
+    dev: true
 
   /address@1.2.2:
     resolution: {integrity: sha512-4B/qKCfeE/ODUaAUpSwfzazo5x29WD4r3vXiWsB7I2mSDAihwEqKO+g8GELZUQSSAo5e1XTYh3ZVfLyxBc12nA==}
     engines: {node: '>= 10.0.0'}
+    dev: true
 
   /adjust-sourcemap-loader@4.0.0:
     resolution: {integrity: sha512-OXwN5b9pCUXNQHJpwwD2qP40byEmSgzj8B4ydSN0uMNYWiFmJ6x6KwUllMmfk8Rwu/HJDFR7U8ubsWBoN0Xp0A==}
@@ -7988,13 +8915,6 @@ packages:
     engines: {node: '>=0.10.0'}
     dev: true
 
-  /ast-types@0.13.4:
-    resolution: {integrity: sha512-x1FCFnFifvYDDzTaLII71vG5uvDwgtmDTEVWAxrgeiR8VjMONcCXJx7E+USjDtHlwFmt9MysbqgF9b9Vjr6w+w==}
-    engines: {node: '>=4'}
-    dependencies:
-      tslib: 2.6.1
-    dev: false
-
   /ast-types@0.14.2:
     resolution: {integrity: sha512-O0yuUDnZeQDL+ncNGlJ78BiO4jnYI3bvMsD5prT0/nsgijG/LpNBIr63gTjVTNsiGkgQhiyCShTgxt8oXOrklA==}
     engines: {node: '>=4'}
@@ -8176,6 +9096,16 @@ packages:
     transitivePeerDependencies:
       - debug
 
+  /axios@1.4.0:
+    resolution: {integrity: sha512-S4XCWMEmzvo64T9GfvQDOXgYRDJ/wsSZc7Jvdgx5u1sd0JwsuPLqb3SYmusag+edF6ziyMensPVqLTSc1PiSEA==}
+    dependencies:
+      follow-redirects: 1.15.2(debug@4.3.4)
+      form-data: 4.0.0
+      proxy-from-env: 1.1.0
+    transitivePeerDependencies:
+      - debug
+    dev: false
+
   /babel-core@7.0.0-bridge.0(@babel/core@7.22.9):
     resolution: {integrity: sha512-poPX9mZH/5CSanm50Q+1toVci6pv5KSRv/5TWCwtzQS5XEwn40BcCrgIeMFWP9CKKIniKXNxoIOnOq4VVlGXhg==}
     peerDependencies:
@@ -8353,10 +9283,6 @@ packages:
     resolution: {integrity: sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==}
     dev: false
 
-  /better-eval@1.3.0:
-    resolution: {integrity: sha512-rQdKZHTWok2uC3wHyGwoV6mOxhnOyp07iHhyWQlS+U5zkYyhOEOT6Ri4Q0vPThTqCYs6RCbtAfTbPG+lUZkocw==}
-    dev: false
-
   /better-opn@3.0.2:
     resolution: {integrity: sha512-aVNobHnJqLiUelTaHat9DZ1qM2w0C0Eym4LPI/3JxOnSokGVdsl1T1kN7TFvsEAD8G47A6VKQ0TVHqbBnYMJlQ==}
     engines: {node: '>=12.0.0'}
@@ -8450,6 +9376,11 @@ packages:
   /boolbase@1.0.0:
     resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
 
+  /bowser@2.11.0:
+    resolution: {integrity: sha512-AlcaJBi/pqqJBIQ8U9Mcpc9i8Aqxn88Skv5d+xBX006BY5u8N3mGLHa5Lgppa7L/HfwgwLgZ6NYs+Ag6uUmJRA==}
+    dev: false
+    optional: true
+
   /bplist-parser@0.2.0:
     resolution: {integrity: sha512-z0M+byMThzQmD9NILRniCUXYsYpjwnlO8N5uCFaCqIOpqRsJCrQL9NK3JsD67CN5a08nF5oIL2bD6loTdHOuKw==}
     engines: {node: '>= 5.10.0'}
@@ -8531,8 +9462,8 @@ packages:
       node-int64: 0.4.0
     dev: true
 
-  /bson@4.7.0:
-    resolution: {integrity: sha512-VrlEE4vuiO1WTpfof4VmaVolCVYkYTgB9iWgYNOrVlnifpME/06fhFRmONgBhClD5pFC1t9ZWqFUQEQAzY43bA==}
+  /bson@4.7.2:
+    resolution: {integrity: sha512-Ry9wCtIZ5kGqkJoi6aD8KjxFZEx78guTQDnpXWiNthsxzrxAK/i8E6pCHAIZTbaEFWcOCvbecMukfK7XUvyLpQ==}
     engines: {node: '>=6.9.0'}
     dependencies:
       buffer: 5.7.1
@@ -9677,6 +10608,12 @@ packages:
       nub: 0.0.0
     dev: false
 
+  /cypress-otp@1.0.3:
+    resolution: {integrity: sha512-o7LssfI0HRHa+TkaOE5/Aukv6M9vsoZAtYESr9m7Ky2i+HRNb2p/IRelE7Z0wJ/UK2f+nXAGZIfXqraf9EPDqw==}
+    dependencies:
+      otplib: 12.0.1
+    dev: true
+
   /cypress-real-events@1.9.1(cypress@12.17.2):
     resolution: {integrity: sha512-eDYW6NagNs8+68ugyPbB6U1aIsYF0E0WHR6upXo0PbTXZNqBNc2s9Y0u/N+pbU9HpFh+krl6iMhoz/ENlYBdCg==}
     peerDependencies:
@@ -9748,11 +10685,6 @@ packages:
     dependencies:
       assert-plus: 1.0.0
 
-  /data-uri-to-buffer@3.0.1:
-    resolution: {integrity: sha512-WboRycPNsVw3B3TL559F7kuBUM4d8CgMEvk6xEJlOp7OBPjt6G7z8WMWlD2rOFZLk6OYfFIUGsCOWzcQH9K2og==}
-    engines: {node: '>= 6'}
-    dev: false
-
   /data-urls@3.0.2:
     resolution: {integrity: sha512-Jy/tj3ldjZJo63sVAvg6LHt2mHvl4V6AgRAmNDtLdm7faqtsx+aJG42rsyCo9JCoRVKwPFzKlIPx3DIibwSIaQ==}
     engines: {node: '>=12'}
@@ -9981,16 +10913,6 @@ packages:
     resolution: {integrity: sha512-+uO4+qr7msjNNWKYPHqN/3+Dx3NFkmIzayk2L1MyZQlvgZb/J1A0fo410dpKrN2SnqFjt8n4JL8fDJE0wIgjFQ==}
     dev: true
 
-  /degenerator@3.0.2:
-    resolution: {integrity: sha512-c0mef3SNQo56t6urUU6tdQAs+ThoD0o9B9MJ8HEt7NQcGEILCRFqQb7ZbP9JAv+QF1Ky5plydhMR/IrqWDm+TQ==}
-    engines: {node: '>= 6'}
-    dependencies:
-      ast-types: 0.13.4
-      escodegen: 1.14.3
-      esprima: 4.0.1
-      vm2: 3.9.19
-    dev: false
-
   /del@6.1.1:
     resolution: {integrity: sha512-ua8BhapfP0JUJKC/zV9yHHDW/rDoDxP4Zhn3AkA6/xT6gY7jYXJiaeyBZznYVujhZZET+UgcbZiQ7sN3WqcImg==}
     engines: {node: '>=10'}
@@ -10088,11 +11010,9 @@ packages:
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
     dev: true
 
-  /digest-header@0.0.1:
-    resolution: {integrity: sha512-Qi0KOZgRnkQJuvMWbs1ZRRajEnbsMU8xlJI4rHIbPC+skHQ30heO5cIHpUFT4jAvAe+zPtdavLSAxASqoyZ3cg==}
-    engines: {node: '>= 0.10.0'}
-    dependencies:
-      utility: 0.1.11
+  /digest-header@1.1.0:
+    resolution: {integrity: sha512-glXVh42vz40yZb9Cq2oMOt70FIoWiv+vxNvdKdU8CwjLad25qHM3trLxhl9bVjdr6WaslIXhWpn0NO8T/67Qjg==}
+    engines: {node: '>= 8.0.0'}
     dev: false
 
   /dir-glob@3.0.1:
@@ -10711,8 +11631,8 @@ packages:
       eslint: ^7.32.0 || ^8.2.0
       eslint-plugin-import: ^2.25.3
     dependencies:
-      '@typescript-eslint/eslint-plugin': 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.1.6)
-      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/eslint-plugin': 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.2.2)
+      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       eslint: 8.45.0
       eslint-config-airbnb-base: 15.0.0(eslint-plugin-import@2.28.0)(eslint@8.45.0)
       eslint-plugin-import: 2.28.0(@typescript-eslint/parser@6.2.0)(eslint-import-resolver-typescript@3.5.5)(eslint@8.45.0)
@@ -10786,7 +11706,7 @@ packages:
       eslint-import-resolver-webpack:
         optional: true
     dependencies:
-      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       debug: 3.2.7(supports-color@5.5.0)
       eslint: 8.45.0
       eslint-import-resolver-typescript: 3.5.5(@typescript-eslint/parser@6.2.0)(eslint-plugin-import@2.28.0)(eslint@8.45.0)
@@ -10815,7 +11735,7 @@ packages:
       eslint-import-resolver-webpack:
         optional: true
     dependencies:
-      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       debug: 3.2.7(supports-color@5.5.0)
       eslint: 8.45.0
       eslint-import-resolver-node: 0.3.7
@@ -10843,7 +11763,7 @@ packages:
       '@typescript-eslint/parser':
         optional: true
     dependencies:
-      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/parser': 6.2.0(eslint@8.45.0)(typescript@5.2.2)
       array-includes: 3.1.6
       array.prototype.findlastindex: 1.2.2
       array.prototype.flat: 1.3.1
@@ -10873,11 +11793,11 @@ packages:
     resolution: {integrity: sha512-qe6sVFDP1Vj5eXlqZxYZpIjwYvhuqXlI0P8OfPyhiPOhMkFtr0TpFphD8/6WCzkm7LJCvG1eJEzURCtMIsFTAg==}
     dev: true
 
-  /eslint-plugin-n8n-nodes-base@1.16.0(eslint@8.45.0)(typescript@5.1.6):
+  /eslint-plugin-n8n-nodes-base@1.16.0(eslint@8.45.0)(typescript@5.2.2):
     resolution: {integrity: sha512-OEztJRuT/jv/WvwRXbXNirdYYddpAo2KZEJeOsVniK1ZCChuG4rrZJU3sgMRZMK6W9Pr613uWabW2q8tU2eKJg==}
     engines: {node: '>=18.10', pnpm: '>=8.6'}
     dependencies:
-      '@typescript-eslint/utils': 6.3.0(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/utils': 6.3.0(eslint@8.45.0)(typescript@5.2.2)
       camel-case: 4.1.2
       indefinite: 2.4.3
       pascal-case: 3.1.2
@@ -10897,7 +11817,7 @@ packages:
       '@types/eslint': '>=8.0.0'
       eslint: '>=8.0.0'
       eslint-config-prettier: '*'
-      prettier: '>=3.0.0'
+      prettier: ^3.0.0
     peerDependenciesMeta:
       '@types/eslint':
         optional: true
@@ -10946,7 +11866,7 @@ packages:
       '@typescript-eslint/eslint-plugin':
         optional: true
     dependencies:
-      '@typescript-eslint/eslint-plugin': 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.1.6)
+      '@typescript-eslint/eslint-plugin': 6.2.0(@typescript-eslint/parser@6.2.0)(eslint@8.45.0)(typescript@5.2.2)
       eslint: 8.45.0
       eslint-rule-composer: 0.3.0
     dev: true
@@ -11465,8 +12385,16 @@ packages:
     resolution: {integrity: sha512-VhXlQgj9ioXCqGstD37E/HBeqEGV/qOD/kmbVG8h5xKBYvM1L3lR1Zn4555cQ8GkYbJa8aJSipLPndE1k6zK2w==}
     dev: false
 
-  /fast-xml-parser@4.2.4:
-    resolution: {integrity: sha512-fbfMDvgBNIdDJLdLOwacjFAPYt67tr31H9ZhWSm45CDAxvd0I6WTlSOUo7K2P/K5sA5JgMKG64PI3DMcaFdWpQ==}
+  /fast-xml-parser@4.2.5:
+    resolution: {integrity: sha512-B9/wizE4WngqQftFPmdaMYlXoJlJOYxGQOanC77fq9k8+Z0v5dDSVh+3glErdIROP//s/jgb7ZuxKfB8nVyo0g==}
+    hasBin: true
+    dependencies:
+      strnum: 1.0.5
+    dev: false
+    optional: true
+
+  /fast-xml-parser@4.2.7:
+    resolution: {integrity: sha512-J8r6BriSLO1uj2miOk1NW0YVm8AGOOu3Si2HQp/cSmo6EA4m3fcwu2WKjJ4RK9wMLBtg69y1kS8baDiQBR41Ig==}
     hasBin: true
     dependencies:
       strnum: 1.0.5
@@ -11550,11 +12478,6 @@ packages:
       token-types: 4.2.1
     dev: false
 
-  /file-uri-to-path@2.0.0:
-    resolution: {integrity: sha512-hjPFI8oE/2iQPVe4gbrJ73Pp+Xfub2+WI2LlXDbsaJBwT5wuMh35WNWVYYTpnz895shtwfyutMFLFywpQAFdLg==}
-    engines: {node: '>= 6'}
-    dev: false
-
   /filelist@1.0.4:
     resolution: {integrity: sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q==}
     dependencies:
@@ -11928,14 +12851,6 @@ packages:
     os: [darwin]
     optional: true
 
-  /ftp@0.3.10:
-    resolution: {integrity: sha512-faFVML1aBx2UoDStmLwv2Wptt4vw5x03xxX172nhA5Y5HBshW5JweqQ2W4xL4dezQTG8inJsuYcpPHHU3X5OTQ==}
-    engines: {node: '>=0.8.0'}
-    dependencies:
-      readable-stream: 1.1.14
-      xregexp: 2.0.0
-    dev: false
-
   /function-bind@1.1.1:
     resolution: {integrity: sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==}
 
@@ -12092,20 +13007,6 @@ packages:
     resolution: {integrity: sha512-MjhiaIWCJ1sAU4pIQ5i5OfOuHHxVo1oYeNsWTON7jxYkod8pHocXeh+SSbmu5OZZZK73B6cbJ2XADzXehLyovQ==}
     dev: true
 
-  /get-uri@3.0.2:
-    resolution: {integrity: sha512-+5s0SJbGoyiJTZZ2JTpFPLMPSch72KEqGOTvQsBqg0RBWvwhWUSYZFAtz3TPW0GXJuLBJPts1E241iHg+VRfhg==}
-    engines: {node: '>= 6'}
-    dependencies:
-      '@tootallnate/once': 1.1.2
-      data-uri-to-buffer: 3.0.1
-      debug: 4.3.4(supports-color@8.1.1)
-      file-uri-to-path: 2.0.0
-      fs-extra: 8.1.0
-      ftp: 0.3.10
-    transitivePeerDependencies:
-      - supports-color
-    dev: false
-
   /get-value@2.0.6:
     resolution: {integrity: sha512-Ln0UQDlxH1BapMu3GPtf7CuYNwRZf2gwCuPqbyG6pB8WfmFpzqcy4xtAaAMUhnNqjMKTiCPZG2oMT3YSx8U2NA==}
     engines: {node: '>=0.10.0'}
@@ -12683,6 +13584,7 @@ packages:
     transitivePeerDependencies:
       - supports-color
     dev: false
+    optional: true
 
   /http-proxy-agent@5.0.0:
     resolution: {integrity: sha512-n2hY8YdoRE1i7r6M0w9DIw5GgZN0G25P8zLCRQ8rjXtTU3vsNFBI/vWK/UIeE6g5MUUz6avwAPXmL6Fy9D/90w==}
@@ -12870,6 +13772,17 @@ packages:
     dev: false
     optional: true
 
+  /infisical-node@1.3.0:
+    resolution: {integrity: sha512-tTnnExRAO/ZyqiRdnSlBisErNToYWgtunMWh+8opClEt5qjX7l6HC/b4oGo2AuR2Pf41IR+oqo+dzkM1TCvlUA==}
+    dependencies:
+      axios: 1.4.0
+      dotenv: 16.0.3
+      tweetnacl: 1.0.3
+      tweetnacl-util: 0.15.1
+    transitivePeerDependencies:
+      - debug
+    dev: false
+
   /inflected@2.1.0:
     resolution: {integrity: sha512-hAEKNxvHf2Iq3H60oMBHkB4wl5jn3TPF3+fXek/sRwAB5gP9xWs4r7aweSF95f99HFoz69pnZTcu8f0SIHV18w==}
     dev: true
@@ -13622,8 +14535,8 @@ packages:
     resolution: {integrity: sha512-VxwFOC8gkiJbuodG9CPtMRjBUNZEHxwfQXmIudSTzFWxaci3Qub1ddTRbFNQlD/zUeaifLndh/eDccFX4wCMQw==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
     peerDependencies:
-      '@types/node': '*'
-      ts-node: '>=9.0.0'
+      '@types/node': ^18.16.16
+      ts-node: ^10.9.1
     peerDependenciesMeta:
       '@types/node':
         optional: true
@@ -13836,15 +14749,15 @@ packages:
       stack-utils: 2.0.6
     dev: true
 
-  /jest-mock-extended@3.0.4(jest@29.6.2)(typescript@5.1.6):
+  /jest-mock-extended@3.0.4(jest@29.6.2)(typescript@5.2.2):
     resolution: {integrity: sha512-2ynEZ7IEJNrhrgshklDMhrOdnmW4Nt+PhkyRqZxRgpwMo7JjmFWMzyp0+eSyk+H9KK1QjXI5xTZIw6x7cVDcRg==}
     peerDependencies:
       jest: ^24.0.0 || ^25.0.0 || ^26.0.0 || ^27.0.0 || ^28.0.0 || ^29.0.0
-      typescript: ^3.0.0 || ^4.0.0 || ^5.0.0
+      typescript: ^5.2.2
     dependencies:
       jest: 29.6.2
-      ts-essentials: 7.0.3(typescript@5.1.6)
-      typescript: 5.1.6
+      ts-essentials: 7.0.3(typescript@5.2.2)
+      typescript: 5.2.2
     dev: true
 
   /jest-mock@29.6.2:
@@ -15001,6 +15914,7 @@ packages:
     resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==}
     dependencies:
       yallist: 3.1.1
+    dev: true
 
   /lru-cache@6.0.0:
     resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
@@ -15514,23 +16428,25 @@ packages:
   /moment@2.29.4:
     resolution: {integrity: sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==}
 
-  /mongodb-connection-string-url@2.5.4:
-    resolution: {integrity: sha512-SeAxuWs0ez3iI3vvmLk/j2y+zHwigTDKQhtdxTgt5ZCOQQS5+HW4g45/Xw5vzzbn7oQXCNQ24Z40AkJsizEy7w==}
+  /mongodb-connection-string-url@2.6.0:
+    resolution: {integrity: sha512-WvTZlI9ab0QYtTYnuMLgobULWhokRjtC7db9LtcVfJ+Hsnyr5eo6ZtNAt3Ly24XZScGMelOcGtm7lSn0332tPQ==}
     dependencies:
       '@types/whatwg-url': 8.2.2
       whatwg-url: 11.0.0
     dev: false
 
-  /mongodb@4.10.0:
-    resolution: {integrity: sha512-My2QxLTw0Cc1O9gih0mz4mqo145Jq4rLAQx0Glk/Ha9iYBzYpt4I2QFNRIh35uNFNfe8KFQcdwY1/HKxXBkinw==}
+  /mongodb@4.17.1:
+    resolution: {integrity: sha512-MBuyYiPUPRTqfH2dV0ya4dcr2E5N52ocBuZ8Sgg/M030nGF78v855B3Z27mZJnp8PxjnUquEnAtjOsphgMZOlQ==}
     engines: {node: '>=12.9.0'}
     dependencies:
-      bson: 4.7.0
-      denque: 2.1.0
-      mongodb-connection-string-url: 2.5.4
+      bson: 4.7.2
+      mongodb-connection-string-url: 2.6.0
       socks: 2.7.1
     optionalDependencies:
-      saslprep: 1.0.3
+      '@aws-sdk/credential-providers': 3.398.0
+      '@mongodb-js/saslprep': 1.1.0
+    transitivePeerDependencies:
+      - aws-crt
     dev: false
 
   /moo@0.5.2:
@@ -15764,11 +16680,6 @@ packages:
   /neo-async@2.6.2:
     resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
 
-  /netmask@2.0.2:
-    resolution: {integrity: sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg==}
-    engines: {node: '>= 0.4.0'}
-    dev: false
-
   /next-tick@1.1.0:
     resolution: {integrity: sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==}
     dev: true
@@ -16072,7 +16983,7 @@ packages:
     engines: {node: '>= 6.9.0'}
     hasBin: true
     peerDependencies:
-      chokidar: ^3.3.0
+      chokidar: 3.5.2
     peerDependenciesMeta:
       chokidar:
         optional: true
@@ -16360,6 +17271,14 @@ packages:
       jssha: 3.3.0
     dev: false
 
+  /otplib@12.0.1:
+    resolution: {integrity: sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==}
+    dependencies:
+      '@otplib/core': 12.0.1
+      '@otplib/preset-default': 12.0.1
+      '@otplib/preset-v11': 12.0.1
+    dev: true
+
   /p-cancelable@2.1.1:
     resolution: {integrity: sha512-BZOr3nRQHOntUjTrH8+Lh54smKHoHyur8We1V8DSMVrl5A2malOOwuJRnKRDjSnkoeBh4at6BwEnb5I7Jl31wg==}
     engines: {node: '>=8'}
@@ -16438,32 +17357,6 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /pac-proxy-agent@5.0.0:
-    resolution: {integrity: sha512-CcFG3ZtnxO8McDigozwE3AqAw15zDvGH+OjXO4kzf7IkEKkQ4gxQ+3sdF50WmhQ4P/bVusXcqNE2S3XrNURwzQ==}
-    engines: {node: '>= 8'}
-    dependencies:
-      '@tootallnate/once': 1.1.2
-      agent-base: 6.0.2
-      debug: 4.3.4(supports-color@8.1.1)
-      get-uri: 3.0.2
-      http-proxy-agent: 4.0.1
-      https-proxy-agent: 5.0.1
-      pac-resolver: 5.0.1
-      raw-body: 2.5.1
-      socks-proxy-agent: 5.0.1
-    transitivePeerDependencies:
-      - supports-color
-    dev: false
-
-  /pac-resolver@5.0.1:
-    resolution: {integrity: sha512-cy7u00ko2KVgBAjuhevqpPeHIkCIqPe1v24cydhWjmeuzaBfmUWFCZJ1iAh5TuVzVZoUzXIW7K8sMYOZ84uZ9Q==}
-    engines: {node: '>= 8'}
-    dependencies:
-      degenerator: 3.0.2
-      ip: 1.1.8
-      netmask: 2.0.2
-    dev: false
-
   /packet-reader@1.0.0:
     resolution: {integrity: sha512-HAKu/fG3HpHFO0AA8WE8q2g+gBJaZ9MG7fcKk+IJPLTGAD6Psw4443l+9DGRbOIh3/aXr7Phy0TjilYivJo5XQ==}
     dev: false
@@ -16855,11 +17748,11 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /pinia@2.1.6(typescript@5.1.6)(vue@3.3.4):
+  /pinia@2.1.6(typescript@5.2.2)(vue@3.3.4):
     resolution: {integrity: sha512-bIU6QuE5qZviMmct5XwCesXelb5VavdOWKWaB17ggk++NUwQWWbP5YnsONTk3b752QkW9sACiR81rorpeOMSvQ==}
     peerDependencies:
       '@vue/composition-api': ^1.4.0
-      typescript: '>=4.4.4'
+      typescript: ^5.2.2
       vue: ^2.6.14 || ^3.3.0
     peerDependenciesMeta:
       '@vue/composition-api':
@@ -16868,7 +17761,7 @@ packages:
         optional: true
     dependencies:
       '@vue/devtools-api': 6.5.0
-      typescript: 5.1.6
+      typescript: 5.2.2
       vue: 3.3.4
       vue-demi: 0.14.5(vue@3.3.4)
 
@@ -17292,22 +18185,6 @@ packages:
       forwarded: 0.2.0
       ipaddr.js: 1.9.1
 
-  /proxy-agent@5.0.0:
-    resolution: {integrity: sha512-gkH7BkvLVkSfX9Dk27W6TyNOWWZWRilRfk1XxGNWOYJ2TuedAv1yFpCaU9QSBmBe716XOTNpYNOzhysyw8xn7g==}
-    engines: {node: '>= 8'}
-    dependencies:
-      agent-base: 6.0.2
-      debug: 4.3.4(supports-color@8.1.1)
-      http-proxy-agent: 4.0.1
-      https-proxy-agent: 5.0.1
-      lru-cache: 5.1.1
-      pac-proxy-agent: 5.0.0
-      proxy-from-env: 1.1.0
-      socks-proxy-agent: 5.0.1
-    transitivePeerDependencies:
-      - supports-color
-    dev: false
-
   /proxy-from-env@1.0.0:
     resolution: {integrity: sha512-F2JHgJQ1iqwnHDcQjVBsq3n/uoaFL+iPW/eAeL7kVxy/2RrWaN4WroKjjvbsoRtv0ftelNyC01bjRhn/bhcf4A==}
     dev: true
@@ -17522,6 +18399,14 @@ packages:
       - supports-color
     dev: true
 
+  /qrcode.vue@3.3.4(vue@3.3.4):
+    resolution: {integrity: sha512-ZVPmKZUUqM/wZ19mIhecFJs7mO6KXFiZZmBZyU6wiB2aXZfYc/VpolXakQcKw/9aGFEmSHHVKfgNwyxtw/Q2Sw==}
+    peerDependencies:
+      vue: ^3.0.0
+    dependencies:
+      vue: 3.3.4
+    dev: false
+
   /qs@6.10.5:
     resolution: {integrity: sha512-O5RlPh0VFtR78y79rgcgKK4wbAI0C5zGVLztOIdpWX6ep368q5Hv6XRxDvXuZ9q3C6v+e3n8UfZZJw7IIG27eQ==}
     engines: {node: '>=0.6'}
@@ -18304,14 +19189,6 @@ packages:
       postcss: 8.4.21
     dev: false
 
-  /saslprep@1.0.3:
-    resolution: {integrity: sha512-/MY/PEMbk2SuY5sScONwhUDsV2p77Znkb/q3nSVstq/yQzYJOH/Azh29p9oJLsl3LnQwSvZDKagDGBsBwSooag==}
-    engines: {node: '>=6'}
-    dependencies:
-      sparse-bitfield: 3.0.3
-    dev: false
-    optional: true
-
   /sass-loader@13.3.2(sass@1.64.1)(webpack@5.75.0):
     resolution: {integrity: sha512-CQbKl57kdEv+KDLquhC+gE3pXt74LEAzm+tzywcA0/aHZuub8wTErbjAoNI57rPUWRYRNC5WUnNl8eGJNbDdwg==}
     engines: {node: '>= 14.15.0'}
@@ -18691,8 +19568,8 @@ packages:
       - supports-color
     dev: true
 
-  /snowflake-sdk@1.6.23(asn1.js@5.4.1):
-    resolution: {integrity: sha512-meKcFQ2NggyhItmZ019JJ5UAeQiN0n98P7plAhM9DjVvI04JngvprUsmluu7c6Ujo/IYQC6jC8/7+cmgiMC7Bw==}
+  /snowflake-sdk@1.8.0(asn1.js@5.4.1):
+    resolution: {integrity: sha512-zdU1c+ytIZclF4K6D4XPPHa5II6l6cOQdsLdvKP95IwSdTYJz324ESA7fPcg/rwYV7vUKnIZJ9OCjB1mE7D2IQ==}
     dependencies:
       '@azure/storage-blob': 12.11.0
       '@google-cloud/storage': 6.11.0
@@ -18700,10 +19577,8 @@ packages:
       agent-base: 6.0.2
       asn1.js-rfc2560: 5.0.1(asn1.js@5.4.1)
       asn1.js-rfc5280: 3.0.0
-      async: 3.2.4
       aws-sdk: 2.1231.0
       axios: 0.27.2(debug@3.2.7)
-      better-eval: 1.3.0
       big-integer: 1.6.51
       bignumber.js: 2.4.0
       binascii: 0.0.2
@@ -18712,7 +19587,7 @@ packages:
       debug: 3.2.7(supports-color@5.5.0)
       expand-tilde: 2.0.2
       extend: 3.0.2
-      fast-xml-parser: 4.2.4
+      fast-xml-parser: 4.2.7
       generic-pool: 3.9.0
       glob: 7.2.3
       https-proxy-agent: 5.0.1
@@ -18726,23 +19601,13 @@ packages:
       simple-lru-cache: 0.0.2
       string-similarity: 4.0.4
       tmp: 0.2.1
-      urllib: 2.39.1
+      urllib: 2.41.0
       uuid: 3.4.0
       winston: 3.8.2
     transitivePeerDependencies:
       - asn1.js
       - encoding
-      - supports-color
-    dev: false
-
-  /socks-proxy-agent@5.0.1:
-    resolution: {integrity: sha512-vZdmnjb9a2Tz6WEQVIurybSwElwPxMZaIc7PzqbJTrezcKNznv6giT7J7tZDZ1BojVaa1jvO/UiUdhDVB0ACoQ==}
-    engines: {node: '>= 6'}
-    dependencies:
-      agent-base: 6.0.2
-      debug: 4.3.4(supports-color@8.1.1)
-      socks: 2.7.1
-    transitivePeerDependencies:
+      - proxy-agent
       - supports-color
     dev: false
 
@@ -19620,6 +20485,11 @@ packages:
       any-promise: 1.3.0
     dev: false
 
+  /thirty-two@1.0.2:
+    resolution: {integrity: sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==}
+    engines: {node: '>=0.2.6'}
+    dev: true
+
   /throttleit@1.0.0:
     resolution: {integrity: sha512-rkTVqu6IjfQ/6+uNuuc3sZek4CEYxTJom3IktzgdSxcZqdARuebbA/f4QmAxMQIxqq9ZLEUkSYqvuk1I6VKq4g==}
     dev: true
@@ -19834,13 +20704,13 @@ packages:
     resolution: {integrity: sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw==}
     dev: false
 
-  /ts-api-utils@1.0.1(typescript@5.1.6):
+  /ts-api-utils@1.0.1(typescript@5.2.2):
     resolution: {integrity: sha512-lC/RGlPmwdrIBFTX59wwNzqh7aR2otPNPR/5brHZm/XKFYKsfqxihXUe9pU3JI+3vGkl+vyCoNNnPhJn3aLK1A==}
     engines: {node: '>=16.13.0'}
     peerDependencies:
-      typescript: '>=4.2.0'
+      typescript: ^5.2.2
     dependencies:
-      typescript: 5.1.6
+      typescript: 5.2.2
     dev: true
 
   /ts-dedent@2.2.0:
@@ -19848,15 +20718,15 @@ packages:
     engines: {node: '>=6.10'}
     dev: true
 
-  /ts-essentials@7.0.3(typescript@5.1.6):
+  /ts-essentials@7.0.3(typescript@5.2.2):
     resolution: {integrity: sha512-8+gr5+lqO3G84KdiTSMRLtuyJ+nTBVRKuCrK4lidMPdVeEp0uqC875uE5NMcaA7YYMN7XsNiFQuMvasF8HT/xQ==}
     peerDependencies:
-      typescript: '>=3.7.0'
+      typescript: ^5.2.2
     dependencies:
-      typescript: 5.1.6
+      typescript: 5.2.2
     dev: true
 
-  /ts-jest@29.1.1(@babel/core@7.22.9)(jest@29.6.2)(typescript@5.1.6):
+  /ts-jest@29.1.1(@babel/core@7.22.9)(jest@29.6.2)(typescript@5.2.2):
     resolution: {integrity: sha512-D6xjnnbP17cC85nliwGiL+tpoKN0StpgE0TeOjXQTU6MVCfsB4v7aW05CgQ/1OywGb0x/oy9hHFnN+sczTiRaA==}
     engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
     hasBin: true
@@ -19866,7 +20736,7 @@ packages:
       babel-jest: ^29.0.0
       esbuild: '*'
       jest: ^29.0.0
-      typescript: '>=4.3 <6'
+      typescript: ^5.2.2
     peerDependenciesMeta:
       '@babel/core':
         optional: true
@@ -19886,7 +20756,7 @@ packages:
       lodash.memoize: 4.1.2
       make-error: 1.3.6
       semver: 7.5.4
-      typescript: 5.1.6
+      typescript: 5.2.2
       yargs-parser: 21.1.1
     dev: true
 
@@ -19906,18 +20776,18 @@ packages:
       plimit-lit: 1.4.1
     dev: true
 
-  /tsc-watch@6.0.4(typescript@5.1.6):
+  /tsc-watch@6.0.4(typescript@5.2.2):
     resolution: {integrity: sha512-cHvbvhjO86w2aGlaHgSCeQRl+Aqw6X6XN4sQMPZKF88GoP30O+oTuh5lRIJr5pgFWrRpF1AgXnJJ2DoFEIPHyg==}
     engines: {node: '>=12.12.0'}
     hasBin: true
     peerDependencies:
-      typescript: '*'
+      typescript: ^5.2.2
     dependencies:
       cross-spawn: 7.0.3
       node-cleanup: 2.1.2
       ps-tree: 1.2.0
       string-argv: 0.3.1
-      typescript: 5.1.6
+      typescript: 5.2.2
     dev: true
 
   /tsconfig-paths@4.2.0:
@@ -19937,14 +20807,14 @@ packages:
     engines: {node: '>=0.6.x'}
     dev: false
 
-  /tsutils@3.21.0(typescript@5.1.6):
+  /tsutils@3.21.0(typescript@5.2.2):
     resolution: {integrity: sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==}
     engines: {node: '>= 6'}
     peerDependencies:
-      typescript: '>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta'
+      typescript: ^5.2.2
     dependencies:
       tslib: 2.6.1
-      typescript: 5.1.6
+      typescript: 5.2.2
     dev: true
 
   /tunnel-agent@0.6.0:
@@ -20012,9 +20882,17 @@ packages:
       turbo-windows-arm64: 1.10.12
     dev: true
 
+  /tweetnacl-util@0.15.1:
+    resolution: {integrity: sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw==}
+    dev: false
+
   /tweetnacl@0.14.5:
     resolution: {integrity: sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==}
 
+  /tweetnacl@1.0.3:
+    resolution: {integrity: sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw==}
+    dev: false
+
   /type-check@0.3.2:
     resolution: {integrity: sha512-ZCmOJdvOWDBYJlzAoFkC+Q0+bUyEOS1ltgp1MGU03fqHG+dbi9tBFU2Rd9QKiDZFAYrhPh2JUf7rZRIuHRKtOg==}
     engines: {node: '>= 0.8.0'}
@@ -20150,7 +21028,7 @@ packages:
       redis: ^3.1.1 || ^4.0.0
       sql.js: ^1.4.0
       sqlite3: ^5.0.3
-      ts-node: ^10.7.0
+      ts-node: ^10.9.1
       typeorm-aurora-data-api-driver: ^2.0.0
     peerDependenciesMeta:
       '@google-cloud/spanner':
@@ -20213,8 +21091,8 @@ packages:
       - supports-color
     dev: false
 
-  /typescript@5.1.6:
-    resolution: {integrity: sha512-zaWCozRZ6DLEWAWFrVDz1H6FVXzUSfTy5FUMWsQlU8Ym5JP9eO4xkTIROFCQvhQf61z6O/G6ugw3SgAnvvm+HA==}
+  /typescript@5.2.2:
+    resolution: {integrity: sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==}
     engines: {node: '>=14.17'}
     hasBin: true
 
@@ -20472,21 +21350,25 @@ packages:
       querystring: 0.2.0
     dev: false
 
-  /urllib@2.39.1:
-    resolution: {integrity: sha512-c3sLtY8uhc/WoyJt/nNcEwO4fFC9sFYMQmU5NKoUz9OqUYrPSbYFPflocZCA5oCTavky9weK+YA2EHjsva9AwQ==}
+  /urllib@2.41.0:
+    resolution: {integrity: sha512-pNXdxEv52L67jahLT+/7QE+Fup1y2Gc6EdmrAhQ6OpQIC2rl14oWwv9hvk1GXOZqEnJNwRXHABuwgPOs1CtL7g==}
     engines: {node: '>= 0.10.0'}
+    peerDependencies:
+      proxy-agent: ^5.0.0
+    peerDependenciesMeta:
+      proxy-agent:
+        optional: true
     dependencies:
       any-promise: 1.3.0
       content-type: 1.0.4
       debug: 2.6.9
       default-user-agent: 1.0.0
-      digest-header: 0.0.1
+      digest-header: 1.1.0
       ee-first: 1.1.1
       formstream: 1.1.1
       humanize-ms: 1.2.1
       iconv-lite: 0.4.24
       ip: 1.1.8
-      proxy-agent: 5.0.0
       pump: 3.0.0
       qs: 6.11.0
       statuses: 1.5.0
@@ -20543,13 +21425,6 @@ packages:
       is-typed-array: 1.1.10
       which-typed-array: 1.1.11
 
-  /utility@0.1.11:
-    resolution: {integrity: sha512-epFsJ71+/yC7MKMX7CM9azP31QBIQhywkiBUj74i/T3Y2TXtEor26QBkat7lGamrrNTr5CBI1imd/8F0Bmqw4g==}
-    engines: {node: '>= 0.8.0'}
-    dependencies:
-      address: 1.2.2
-    dev: false
-
   /utility@1.17.0:
     resolution: {integrity: sha512-KdVkF9An/0239BJ4+dqOa7NPrPIOeQE9AGfx0XS16O9DBiHNHRJMoeU5nL6pRGAkgJOqdOu8R4gBRcXnAocJKw==}
     engines: {node: '>= 0.12.0'}
@@ -20712,7 +21587,7 @@ packages:
     engines: {node: ^14.18.0 || >=16.0.0}
     hasBin: true
     peerDependencies:
-      '@types/node': '>= 14'
+      '@types/node': ^18.16.16
       less: '*'
       lightningcss: ^1.21.0
       sass: '*'
@@ -20748,7 +21623,7 @@ packages:
     engines: {node: ^14.18.0 || >=16.0.0}
     hasBin: true
     peerDependencies:
-      '@types/node': '>= 14'
+      '@types/node': ^18.16.16
       less: '*'
       lightningcss: ^1.21.0
       sass: '*'
@@ -20845,15 +21720,6 @@ packages:
       - terser
     dev: true
 
-  /vm2@3.9.19:
-    resolution: {integrity: sha512-J637XF0DHDMV57R6JyVsTak7nIL8gy5KH4r1HiwWLf/4GBbb5MKL5y7LpmF4A8E2nR6XmzpmMFQ7V7ppPTmUQg==}
-    engines: {node: '>=6.0'}
-    hasBin: true
-    dependencies:
-      acorn: 8.8.1
-      acorn-walk: 8.2.0
-    dev: false
-
   /void-elements@3.1.0:
     resolution: {integrity: sha512-Dhxzh5HZuiHQhbvTW9AMetFfBHDMYpo23Uo9btPXgdYP+3T5S+p+jgNy7spra+veYhBP2dCSgxR/i2Y02h5/6w==}
     engines: {node: '>=0.10.0'}
@@ -20977,16 +21843,16 @@ packages:
       he: 1.2.0
     dev: true
 
-  /vue-tsc@1.8.8(typescript@5.1.6):
+  /vue-tsc@1.8.8(typescript@5.2.2):
     resolution: {integrity: sha512-bSydNFQsF7AMvwWsRXD7cBIXaNs/KSjvzWLymq/UtKE36697sboX4EccSHFVxvgdBlI1frYPc/VMKJNB7DFeDQ==}
     hasBin: true
     peerDependencies:
-      typescript: '*'
+      typescript: ^5.2.2
     dependencies:
-      '@vue/language-core': 1.8.8(typescript@5.1.6)
-      '@vue/typescript': 1.8.8(typescript@5.1.6)
+      '@vue/language-core': 1.8.8(typescript@5.2.2)
+      '@vue/typescript': 1.8.8(typescript@5.2.2)
       semver: 7.5.4
-      typescript: 5.1.6
+      typescript: 5.2.2
     dev: true
 
   /vue3-touch-events@4.1.3:
@@ -21458,6 +22324,7 @@ packages:
 
   /yallist@3.1.1:
     resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==}
+    dev: true
 
   /yallist@4.0.0:
     resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==}