fix(api): use Bitbucket user workspaces endpoint for listing

… verification

- Introduced a new column `enableSsl` in the IdentityKubernetesAuth table to control TLS verification.
- Updated schemas and API documentation to reflect the new `enableSsl` parameter.
- Enhanced validation logic to require a CA certificate when SSL verification is enabled.
- Modified frontend forms to include a toggle for enabling SSL verification.

…r TLS verification

- Added a new migration to introduce the `verifyTlsCertificate` column in the IdentityKubernetesAuth table.
- Updated schemas, API documentation, and frontend forms to reflect the change from `enableSsl` to `verifyTlsCertificate`.
- Enhanced validation logic to require a CA certificate when TLS verification is enabled.
- Adjusted related service and validation logic to utilize the new `verifyTlsCertificate` parameter.

chore: disable Telemetry in CI

- Updated API documentation to clarify the behavior of `caCert` and `verifyTlsCertificate`.
- Added validation to prevent disabling TLS verification when a CA certificate is provided.
- Adjusted service logic to enforce the new validation rules.
- Modified frontend forms to reflect the updated verification requirements and improve user experience.

Matches the behavior of the View Failed Rotations button so empty cards consistently render badge-only with no disabled button stub.

…ult-for-kubernetes-auth

fix(kubernetes-auth): configurable TLS verification for identity Kubernetes auth

feat: add custom CRL distribution points in PKI CAs

fix: add missing ECDSA_P521 in the UI

The pie chart was switched to render resourceCount only, so accountCount was no longer surfaced anywhere on the frontend. Remove the dead aggregation along with its DAL helper and route schema field instead of patching the merge logic.

…alues

- Introduced a new utility function to resolve effective TLS certificate verification based on CA certificate presence.
- Updated service logic to utilize the new function for determining `rejectUnauthorized` settings.
- Adjusted frontend form to set `verifyTlsCertificate` default to false, enhancing user experience and aligning with backend logic.

* fix(pam): default access duration to policy max in request modal

The Request Account Access modal hardcoded the access duration to "4h",
which fails when the matching policy's max is smaller (e.g., "10m").
Fetch the matched policy's accessDuration.max via /check-policy-match,
default the field to it, and reject above-max values client-side.

Also adds .orderBy("id", "asc") to findByProjectId so matchPolicy is
deterministic across the modal-open and submit calls. This is a behavior
change for cert-request matching too (overlapping cert policies now
resolve to the lowest-id policy instead of arbitrary order).

* fix(pam): reject access duration below 30s in request modal

The backend already enforces a 30s floor via DurationSchema, but the
client only checked max — so values like "10s" slipped past the modal
and surfaced as a generic toast on submit. Mirror the floor client-side
so it shows as an inline field error.

* refactor(pam): extract check-policy-match response schemas

Move the inline response schemas in approval-policy-routers/index.ts
into named exports that follow the existing Base* / PamAccess* pattern
used by sibling schemas.

…ll-instead-of-encrypt-in-kubernetes-auth

fix(k8s-auth): align TLS verification with CA presence and empty CA storage

…-template

chore: update bug report issue template

feat: pam insights dashboard

chore: update bundled infisical cli

feature(platfor-313): add upgrade impact tooling