Add permissions to autofillcallback

2026-05-13 07:11:10 -05:00 · 2025-11-25 11:54:39 -05:00
411 changed files with 4630 additions and 11766 deletions
--- a/.claude/prompts/review-code.md
+++ b/.claude/prompts/review-code.md
@@ -1,3 +1,27 @@
 Use the `reviewing-changes` skill to review this pull request.

 The PR branch is already checked out in the current working directory.
+
+## CRITICAL OUTPUT REQUIREMENTS
+
+**Summary Format (REQUIRED):**
+- **Clean PRs (no issues)**: 2-3 lines MAXIMUM
+  - Format: `**Overall Assessment:** APPROVE\n[One sentence]`
+  - Example: "Clean refactoring following established patterns"
+
+- **PRs with issues**: Verdict + critical issues list (5-10 lines MAX)
+  - Format: `**Overall Assessment:** APPROVE/REQUEST CHANGES\n**Critical Issues:**\n- issue 1\nSee inline comments`
+  - All details go in inline comments with `<details>` tags, NOT in summary
+
+**NEVER create:**
+- ❌ Praise sections ("Strengths", "Good Practices", "Excellent X")
+- ❌ Verbose analysis sections (Architecture Assessment, Technical Review, Code Quality, etc.)
+- ❌ Tables, statistics, or detailed breakdowns in summary
+- ❌ Multiple summary sections
+- ❌ Checkmarks listing everything done correctly
+
+**Inline Comments:**
+- Create separate inline comment for each specific issue/recommendation
+- Use collapsible `<details>` sections for code examples and explanations
+- Only severity + one-line description visible; all other content collapsed
+- Track status of previously identified issues if this is a subsequent review
--- a/.claude/skills/reviewing-changes/SKILL.md
+++ b/.claude/skills/reviewing-changes/SKILL.md
@@ -1,34 +1,56 @@
 ---
 name: reviewing-changes
-version: 3.0.0
-description: Android-specific code review workflow additions for Bitwarden Android. Provides change type refinements, checklist loading, and reference material organization. Complements bitwarden-code-reviewer agent's base review standards.
+version: 2.0.0
+description: Comprehensive code reviews for Bitwarden Android. Detects change type (dependency update, bug fix, feature, UI, refactoring, infrastructure) and applies appropriate review depth. Validates MVVM patterns, Hilt DI, security requirements, and test coverage per project standards. Use when reviewing pull requests, checking commits, analyzing code changes, or evaluating architectural compliance.
 ---

-# Reviewing Changes - Android Additions
-
-This skill provides Android-specific workflow additions that complement the base `bitwarden-code-reviewer` agent standards.
+# Reviewing Changes

 ## Instructions

-**IMPORTANT**: Use structured thinking throughout your review process. Plan your analysis in `<thinking>` tags before providing final feedback.
+**IMPORTANT**: Use structured thinking throughout your review process. Plan your analysis in `<thinking>` tags before providing final feedback. This improves accuracy by 40% according to research.

-### Step 1: Retrieve Additional Details
+### Step 1: Check for Existing Review Threads
+
+Always check for existing comment threads to avoid duplicate comments:

 <thinking>
-Determine if more context is available for the changes:
-1. Are there JIRA tickets or GitHub Issues mentioned in the PR title or body?
-2. Are there other GitHub pull requests mentioned in the PR title or body?
+Before creating any comments:
+1. Is this a fresh review or re-review of the same PR?
+2. What existing discussion might already exist?
+3. Which findings should update existing threads vs create new?
 </thinking>

-Retrieve any additional information linked to the pull request using available tools (JIRA MCP, GitHub API).
+**Thread Detection Procedure:**

-If pull request title and message do not provide enough context, request additional details from the reviewer:
- Link a JIRA ticket
- Associate a GitHub issue
- Link to another pull request
- Add more detail to the PR title or body
+1. **Fetch existing comment count:**
+   ```bash
+   gh pr view <pr-number> --json comments --jq '.comments | length'
+   ```

-### Step 2: Detect Change Type with Android Refinements
+2. **If count = 0:** No existing threads. Skip to Step 2 (all comments will be new).
+
+3. **If count > 0:** Fetch full comment data to check for existing threads.
+   ```bash
+   gh pr view <pr-number> --json comments --jq '.comments[] | {id, path, line, body}' > pr_comments.json
+   ```
+
+4. **Parse existing threads:** Extract file paths, line numbers, and issue summaries from previous review comments.
+   - Build map: `{file:line → {comment_id, issue_summary, resolved}}`
+   - Note which issues already have active discussions
+
+5. **Matching Strategy (Hybrid Approach):**
+   When you identify an issue to comment on:
+   - **Exact match:** Same file + same line number → existing thread found
+   - **Nearby match:** Same file + line within ±5 → existing thread found
+   - **No match:** Create new inline comment
+
+6. **Handling Evolved Issues:**
+   - **Issue persists unchanged:** Respond in existing thread with update
+   - **Issue resolved:** Note resolution in thread response (can mark as resolved if supported)
+   - **Issue changed significantly:** Resolve/close old thread, create new comment explaining evolution
+
+### Step 2: Detect Change Type

 <thinking>
 Analyze the changeset systematically:
@@ -38,13 +60,17 @@ Analyze the changeset systematically:
 4. What's the risk level of these changes?
 </thinking>

-Use the base change type detection from the agent, with Android-specific refinements:
+Analyze the changeset to determine the primary change type:

-**Android-specific patterns:**
- **Feature Addition**: New `ViewModel`, new `Repository`, new `@Composable` functions, new `*Screen.kt` files
- **UI Refinement**: Changes only in `*Screen.kt`, `*Composable.kt`, `ui/` package files
- **Infrastructure**: Changes to `.github/workflows/`, `gradle/`, `build.gradle.kts`, `libs.versions.toml`
- **Dependency Update**: Changes only to `libs.versions.toml` or `build.gradle.kts` with version bumps
+**Detection Rules:**
+- **Dependency Update**: Only gradle files changed (`libs.versions.toml`, `build.gradle.kts`) with version number modifications
+- **Bug Fix**: PR/commit title contains "fix", "bug", or issue ID; addresses existing broken behavior
+- **Feature Addition**: New files, new ViewModels, significant new functionality
+- **UI Refinement**: Only UI/Compose files changed, layout/styling focus
+- **Refactoring**: Code restructuring without behavior change, pattern improvements
+- **Infrastructure**: CI/CD files, Gradle config, build scripts, tooling changes
+
+If changeset spans multiple types, use the most complex type's checklist.

 ### Step 3: Load Appropriate Checklist

@@ -63,7 +89,7 @@ The checklist provides:
 - What to check and what to skip
 - Structured thinking guidance

-### Step 4: Execute Review Following Checklist
+### Step 4: Execute Review with Structured Thinking

 <thinking>
 Before diving into details:
@@ -76,7 +102,7 @@ Before diving into details:

 Follow the checklist's multi-pass strategy, thinking through each pass systematically.

-### Step 5: Consult Android Reference Materials As Needed
+### Step 5: Consult Reference Materials As Needed

 Load reference files only when needed for specific questions:

@@ -89,10 +115,206 @@ Load reference files only when needed for specific questions:
 - **UI questions** → `reference/ui-patterns.md` (Compose patterns, theming)
 - **Style questions** → `docs/STYLE_AND_BEST_PRACTICES.md`

+### Step 6: Document Findings
+
+## 🛑 STOP: Determine Output Format FIRST
+
+<thinking>
+Before writing ANY output, answer this critical question:
+1. Did I find ANY issues (Critical, Important, Suggested, or Questions)?
+2. If NO issues found → This is a CLEAN PR → Use 2-3 line minimal format and STOP
+3. If issues found → Use verdict + critical issues list + inline comments format
+4. NEVER create praise sections or elaborate on correct implementations
+</thinking>
+
+**Decision Tree:**
+
+```
+Do you have ANY issues to report (Critical/Important/Suggested/Questions)?
+│
+├─ NO → CLEAN PR
+│   └─ Use 2-3 line format:
+│       "**Overall Assessment:** APPROVE
+│        [One sentence describing what PR does well]"
+│   └─ STOP. Do not proceed to detailed format guidance.
+│
+└─ YES → PR WITH ISSUES
+    └─ Use minimal summary + inline comments:
+        "**Overall Assessment:** APPROVE / REQUEST CHANGES
+         **Critical Issues:**
+         - [issue with file:line]
+         See inline comments for details."
+```
+
+## Special Case: Clean PRs with No Issues
+
+When you find NO critical, important, or suggested issues:
+
+**Minimal Approval Format (REQUIRED):**
+```
+**Overall Assessment:** APPROVE
+
+[One sentence describing what the PR does well]
+```
+
+**Examples:**
+- "Clean refactoring following established patterns"
+- "Solid bug fix with comprehensive test coverage"
+- "Well-structured feature implementation meeting all standards"
+
+**NEVER do this for clean PRs:**
+- ❌ Multiple sections (Key Strengths, Changes, Code Quality, etc.)
+- ❌ Listing everything that was done correctly
+- ❌ Checkmarks for each file or pattern followed
+- ❌ Elaborate praise or detailed positive analysis
+- ❌ Tables, statistics, or detailed breakdowns
+
+**Why brevity matters:**
+- Respects developer time (quick approval = move forward faster)
+- Reduces noise in PR conversations
+- Saves tokens and processing time
+- Focuses attention on PRs that actually need discussion
+
+**If you're tempted to write more than 3 lines for a clean PR, STOP. You're doing it wrong.**
+
+---
+
+<thinking>
+Before writing each comment:
+1. Is this issue Critical, Important, Suggested, or just Acknowledgment?
+2. Should I ask a question or provide direction?
+3. What's the rationale I need to explain?
+4. What code example would make this actionable?
+5. Is there a documentation reference to include?
+</thinking>
+
+**CRITICAL**: Use summary comment + inline comments approach.
+
+**Review Comment Structure**:
+- Create ONE summary comment with overall verdict + critical issues list
+- Create separate inline comment for EACH specific issue on the exact line with full details
+- Summary directs readers to inline comments ("See inline comments for details")
+- Do NOT duplicate issue details between summary and inline comments
+
+### CRITICAL: No Praise-Only Comments
+
+❌ **NEVER** create inline comments solely for positive feedback
+❌ **NEVER** create summary sections like "Strengths", "Good Practices", "What Went Well"
+❌ **NEVER** use inline comments to elaborate on correct implementations
+
+Focus exclusively on actionable feedback. Reserve comments for issues requiring attention.
+
+**Inline Comment Format** (REQUIRED: Use `<details>` Tags):
+
+**MUST use `<details>` tags for ALL inline comments.** Only severity + one-line description should be visible; all other content must be collapsed.
+
+```
+[emoji] **[SEVERITY]**: [One-line issue description]
+
+<details>
+<summary>Details and fix</summary>
+
+[Code example or specific fix]
+
+[Rationale explaining why]
+
+Reference: [docs link if applicable]
+</details>
+```
+
+**Visibility Rule:**
+- **Visible:** Severity prefix (emoji + text) + one-line description
+- **Collapsed in `<details>`:** Code examples, rationale, explanations, references
+
+**Example inline comment**:
+```
+⚠️ **CRITICAL**: Exposes mutable state
+
+<details>
+<summary>Details and fix</summary>
+
+Change `MutableStateFlow<State>` to `StateFlow<State>`:
+
+\```kotlin
+private val _state = MutableStateFlow<State>()
+val state: StateFlow<State> = _state.asStateFlow()
+\```
+
+Exposing MutableStateFlow allows external mutation, violating MVVM unidirectional data flow.
+
+Reference: docs/ARCHITECTURE.md#mvvm-pattern
+</details>
+```
+
+**Summary Comment Format (REQUIRED - No Exceptions):**
+
+When you have issues to report, use this format ONLY:
+
+```
+**Overall Assessment:** APPROVE / REQUEST CHANGES
+
+**Critical Issues** (if any):
+- [One-line summary with file:line reference]
+
+See inline comments for all details.
+```
+
+**Maximum Length**: 5-10 lines total, regardless of PR size or complexity.
+
+**No exceptions for**:
+- ❌ Large PRs (10+ files)
+- ❌ Multiple issue domains
+- ❌ High-severity issues
+- ❌ Complex changes
+
+All details belong in inline comments with `<details>` tags, NOT in the summary.
+
+**Output Format Rules**:
+
+**What to Include:**
+- **Inline comments**: Create separate comment for EACH specific issue with full details in `<details>` tag
+- **Summary comment**: Overall assessment (APPROVE/REQUEST CHANGES) + list of CRITICAL issues only
+- **Severity levels** (hybrid emoji + text format):
+  - ⚠️ **CRITICAL** (blocking)
+  - 📋 **IMPORTANT** (should fix)
+  - 💡 **SUGGESTED** (nice to have)
+  - ❓ **QUESTION** (seeking clarification)
+
+**What to Exclude:**
+- **No duplication**: Never repeat inline comment details in the summary
+- **No Important/Suggested in summary**: Only CRITICAL blocking issues belong in summary
+- **No "Good Practices"/"Strengths" sections**: Never include positive commentary sections
+- **No "Action Items" section**: This duplicates inline comments - avoid entirely
+- **No verbose analysis**: Keep detailed analysis (compilation status, security review, rollback plans) in inline comments only
+
+### ❌ Common Anti-Patterns to Avoid
+
+**DO NOT:**
+- Create multiple summary sections (Strengths, Recommendations, Test Coverage Status, Architecture Compliance)
+- Duplicate critical issues in both summary and inline comments
+- Write elaborate descriptions in summary (details belong in inline comments)
+- Exceed 5-10 lines for simple PRs
+- Create inline comments that only provide praise
+
+**DO:**
+- Put verdict + critical issue list ONLY in summary
+- Put ALL details (explanations, code, rationale) in inline comments with `<details>` collapse
+- Keep summary to 5-10 lines maximum, regardless of PR size or your analysis depth
+- Focus comments exclusively on actionable issues
+
+**Visibility Guidelines:**
+- **Inline comments visible**: Severity + one-line description only
+- **Inline comments collapsed**: Code examples, rationale, references in `<details>` tag
+- **Summary visible**: Verdict + critical issues list only
+
+See `examples/review-outputs.md` for complete examples.
+
 ## Core Principles

+- **Minimal reviews for clean PRs**: 2-3 lines when no issues found (see Step 6 format guidance)
+- **Issues-focused feedback**: Only comment when there's something actionable; acknowledge good work briefly without elaboration (see priority-framework.md:145-166)
 - **Appropriate depth**: Match review rigor to change complexity and risk
 - **Specific references**: Always use `file:line_number` format for precise location
 - **Actionable feedback**: Say what to do and why, not just what's wrong
- **Efficient reviews**: Use multi-pass strategy, skip what's not relevant
- **Android patterns**: Validate MVVM, Hilt DI, Compose conventions, Kotlin idioms
+- **Constructive tone**: Ask questions for design decisions, explain rationale, focus on code not people
+- **Efficient reviews**: Use multi-pass strategy, time-box reviews, skip what's not relevant
--- a/.claude/skills/reviewing-changes/examples/review-outputs.md
+++ b/.claude/skills/reviewing-changes/examples/review-outputs.md
@@ -2,27 +2,6 @@

 Well-structured code reviews demonstrating appropriate depth, tone, and formatting for different change types.

-## Table of Contents
-
-**Format Reference:**
- [Quick Format Reference](#quick-format-reference)
-  - [Inline Comment Format](#inline-comment-format-required)
-  - [Summary Comment Format](#summary-comment-format)
-
-**Examples:**
- [Example 1: Clean PR (No Issues)](#example-1-clean-pr-no-issues)
- [Example 2: Dependency Update with Breaking Changes](#example-2-dependency-update-with-breaking-changes)
- [Example 3: Feature Addition with Critical Issues](#example-3-feature-addition-with-critical-issues)
-
-**Anti-Patterns:**
- [❌ Anti-Patterns to Avoid](#-anti-patterns-to-avoid)
-  - [Problem: Verbose Summary with Multiple Sections](#problem-verbose-summary-with-multiple-sections)
-  - [Problem: Praise-Only Inline Comments](#problem-praise-only-inline-comments)
-  - [Problem: Missing `<details>` Tags](#problem-missing-details-tags)
-
-**Summary:**
- [Summary](#summary)
-
 ---

 ## Quick Format Reference
@@ -46,11 +25,10 @@ Reference: [docs link if applicable]
 ```

 **Severity Levels:**
- ❌ **CRITICAL** - Blocking, must fix (security, crashes, architecture violations)
- ⚠️ **IMPORTANT** - Should fix (missing tests, quality issues)
- ♻️ **DEBT** - Technical debt (duplication, convention violations, future rework needed)
- 🎨 **SUGGESTED** - Nice to have (refactoring, improvements)
- 💭 **QUESTION** - Seeking clarification (requirements, design decisions)
+- ⚠️ **CRITICAL** - Blocking, must fix
+- 📋 **IMPORTANT** - Should fix
+- 💡 **SUGGESTED** - Nice to have
+- ❓ **QUESTION** - Seeking clarification

 ### Summary Comment Format

@@ -103,7 +81,7 @@ See inline comments for migration details.

 **Inline Comment 1** (on `network/api/BitwardenApiService.kt:34`):
 ```markdown
-❌ **CRITICAL**: API migration required for Retrofit 3.0
+⚠️ **CRITICAL**: API migration required for Retrofit 3.0

 <details>
 <summary>Details and fix</summary>
@@ -158,7 +136,7 @@ See inline comments for all issues and suggestions.

 **Inline Comment 1** (on `app/vault/unlock/UnlockViewModel.kt:78`):
 ```markdown
-❌ **CRITICAL**: Exposes mutable state
+⚠️ **CRITICAL**: Exposes mutable state

 <details>
 <summary>Details and fix</summary>
@@ -182,7 +160,7 @@ Reference: docs/ARCHITECTURE.md#mvvm-pattern

 **Inline Comment 2** (on `data/vault/UnlockRepository.kt:145`):
 ```markdown
-❌ **CRITICAL**: PIN stored without encryption - SECURITY ISSUE
+⚠️ **CRITICAL**: PIN stored without encryption - SECURITY ISSUE

 <details>
 <summary>Details and fix</summary>
@@ -210,7 +188,7 @@ Reference: docs/ARCHITECTURE.md#security

 **Inline Comment 3** (on `app/vault/unlock/UnlockViewModel.kt:92`):
 ```markdown
-⚠️ **IMPORTANT**: Missing error handling test
+📋 **IMPORTANT**: Missing error handling test

 <details>
 <summary>Details and fix</summary>
@@ -236,7 +214,7 @@ Ensures error flow remains robust across refactorings.

 **Inline Comment 4** (on `app/vault/unlock/UnlockViewModel.kt:105`):
 ```markdown
-🎨 **SUGGESTED**: Consider rate limiting for PIN attempts
+💡 **SUGGESTED**: Consider rate limiting for PIN attempts

 <details>
 <summary>Details and fix</summary>
@@ -268,7 +246,7 @@ Would add security layer against brute force. Consider discussing threat model w

 **Inline Comment 5** (on `app/vault/unlock/UnlockScreen.kt:134`):
 ```markdown
-💭 **QUESTION**: Can we use BitwardenTextField?
+❓ **QUESTION**: Can we use BitwardenTextField?

 <details>
 <summary>Details</summary>
@@ -378,7 +356,7 @@ This is exactly the right approach for fail-safe security.
 **What NOT to do:**

 ```markdown
-❌ **CRITICAL**: Missing test coverage for security-critical code
+⚠️ **CRITICAL**: Missing test coverage for security-critical code

 The `@OmitFromCoverage` annotation excludes this entire class from test coverage.

@@ -404,7 +382,7 @@ Security-critical code should have the highest test coverage, not be omitted.

 **Correct approach:**
 ```markdown
-❌ **CRITICAL**: Missing test coverage for security-critical code
+⚠️ **CRITICAL**: Missing test coverage for security-critical code

 <details>
 <summary>Details and fix</summary>
@@ -444,3 +422,5 @@ Security-critical code should have the highest test coverage, not be omitted.
 - Praise-only inline comments
 - Duplication between summary and inline comments
 - Verbose analysis in summary (belongs in inline comments)
+
+See `SKILL.md` for complete review guidelines.
--- a/.claude/skills/reviewing-changes/reference/architectural-patterns.md
+++ b/.claude/skills/reviewing-changes/reference/architectural-patterns.md
@@ -2,23 +2,6 @@

 Quick reference for Bitwarden Android architectural patterns during code reviews. For comprehensive details, read `docs/ARCHITECTURE.md` and `docs/STYLE_AND_BEST_PRACTICES.md`.

-## Table of Contents
-
-**Core Patterns:**
- [MVVM + UDF Pattern](#mvvm--udf-pattern)
-  - [ViewModel Structure](#viewmodel-structure)
-  - [UI Layer (Compose)](#ui-layer-compose)
- [Hilt Dependency Injection](#hilt-dependency-injection)
-  - [ViewModels](#viewmodels)
-  - [Repositories and Managers](#repositories-and-managers)
-  - [Clock/Time Handling](#clocktime-handling)
- [Module Organization](#module-organization)
- [Error Handling](#error-handling)
-  - [Use Result Types, Not Exceptions](#use-result-types-not-exceptions)
- [Quick Checklist](#quick-checklist)
-
---
-
 ## MVVM + UDF Pattern

 ### ViewModel Structure
@@ -211,43 +194,6 @@ abstract class DataModule {

 ---

-### Clock/Time Handling
-
-Time-dependent code must use injected `Clock` rather than direct `Instant.now()` or `DateTime.now()` calls. This follows the same DI principle as other dependencies.
-
-**✅ GOOD - Injected Clock**:
-```kotlin
-// ViewModel with Clock injection
-class MyViewModel @Inject constructor(
-    private val clock: Clock,
-) {
-    fun save() {
-        val timestamp = clock.instant()
-    }
-}
-
-// Extension function with Clock parameter
-fun State.getTimestamp(clock: Clock): Instant =
-    existingTime ?: clock.instant()
-```
-
-**❌ BAD - Static/direct calls**:
-```kotlin
-// Hidden dependency, non-testable
-val timestamp = Instant.now()
-val dateTime = DateTime.now()
-```
-
-**Key Rules**:
- Inject `Clock` via Hilt constructor (like other dependencies)
- Pass `Clock` as parameter to extension functions
- `Clock` is provided via `CoreModule` as singleton
- Enables deterministic testing with `Clock.fixed(...)`
-
-Reference: `docs/STYLE_AND_BEST_PRACTICES.md#best-practices--time-and-clock-handling`
-
---
-
 ## Module Organization

 ```
@@ -337,7 +283,6 @@ Reference: `docs/ARCHITECTURE.md#error-handling`
 - [ ] Business logic in Repository, not ViewModel?
 - [ ] Using Hilt DI (@HiltViewModel, @Inject constructor)?
 - [ ] Injecting interfaces, not implementations?
- [ ] Time-dependent code uses injected `Clock` (not `Instant.now()`)?
 - [ ] Correct module placement?

 ### Error Handling
--- a/.claude/skills/reviewing-changes/reference/priority-framework.md
+++ b/.claude/skills/reviewing-changes/reference/priority-framework.md
@@ -1,28 +1,8 @@
-# Finding Priority Framework
+# Issue Priority Framework

 Use this framework to classify findings during code review. Clear prioritization helps authors triage and address issues effectively.

-## Table of Contents
-
-**Severity Categories:**
- [❌ CRITICAL (Blocker - Must Fix Before Merge)](#critical-blocker---must-fix-before-merge)
- [⚠️ IMPORTANT (Should Fix)](#important-should-fix)
- [♻️ DEBT (Technical Debt)](#debt-technical-debt)
- [🎨 SUGGESTED (Nice to Have)](#suggested-nice-to-have)
- [💭 QUESTION (Seeking Clarification)](#question-seeking-clarification)
- [Optional (Acknowledge But Don't Require)](#optional-acknowledge-but-dont-require)
-
-**Guidelines:**
- [Classification Guidelines](#classification-guidelines)
-  - [When Something is Between Categories](#when-something-is-between-categories)
-  - [Context Matters](#context-matters)
- [Examples by Change Type](#examples-by-change-type)
- [Special Cases](#special-cases)
- [Summary](#summary)
-
---
-
-## ❌ **CRITICAL** (Blocker - Must Fix Before Merge)
+## Critical (Blocker - Must Fix Before Merge)

 These issues **must** be addressed before the PR can be merged. They pose immediate risks to security, stability, or architecture integrity.

@@ -69,7 +49,7 @@ This violates MVVM encapsulation pattern.

 ---

-## ⚠️ **IMPORTANT** (Should Fix)
+## Important (Should Fix)

 These issues should be addressed but don't block merge if there's a compelling reason. They improve code quality, maintainability, or robustness.

@@ -122,53 +102,7 @@ Fetching items one-by-one in loop. Consider batch fetch to reduce database queri

 ---

-## ♻️ **DEBT** (Technical Debt)
-
-Code that duplicates existing patterns, violates established conventions, or will require rework within 6 months. Introduces technical debt that should be tracked for future cleanup.
-
-### Duplication
- Copy-pasted code blocks across files
- Repeated validation or business logic
- Multiple implementations of same pattern
- Data transformation duplicated in multiple places
-
-**Example**:
-```
-**app/vault/VaultListViewModel.kt:156** - DEBT: Duplicates encryption logic
-Same encryption pattern exists in VaultRepository.kt:234 and SyncManager.kt:89.
-Extract to shared EncryptionUtil to reduce maintenance burden.
-```
-
-### Convention Violations
- Inconsistent error handling approaches within same module
- Mixing architectural patterns (MVVM + MVC)
- Not following established DI patterns
- Deviating from project code style significantly
-
-**Example**:
-```
-**data/auth/AuthRepository.kt:78** - DEBT: Exception-based error handling
-Project standard is Result<T> for error handling. This uses try-catch with throws.
-Creates inconsistency and makes testing harder.
-Reference: docs/ARCHITECTURE.md#error-handling
-```
-
-### Future Rework Required
- Hardcoded values that should be configurable
- Temporary workarounds without TODO/FIXME
- Code that will need changes when planned features arrive
- Tight coupling that prevents future extensibility
-
-**Example**:
-```
-**app/settings/SettingsViewModel.kt:45** - DEBT: Hardcoded feature flags
-Feature flags should come from remote config for A/B testing.
-Will require rework when experimentation framework launches.
-```
-
---
-
-## 🎨 **SUGGESTED** (Nice to Have)
+## Suggested (Nice to Have)

 These are improvement opportunities but not required. Consider the effort vs. benefit before requesting changes.

@@ -208,80 +142,6 @@ Could be extracted to separate validator class for reusability and testing.

 ---

-## 💭 **QUESTION** (Seeking Clarification)
-
-Questions about requirements, unclear intent, or potential conflicts that require human knowledge to answer. Open inquiries that cannot be resolved through code inspection alone.
-
-### Requirements Clarification
- Ambiguous acceptance criteria
- Multiple valid implementation approaches
- Unclear business rules or edge case handling
- Conflicting requirements between specs and implementation
-
-**Example**:
-```
-**app/vault/ItemListViewModel.kt:67** - QUESTION: Expected sort behavior for equal timestamps?
-When items have identical timestamps, should secondary sort be by:
- Name (alphabetical)
- Creation order
- Item type priority
-
-Spec doesn't specify tie-breaking logic.
-```
-
-### Design Decisions
- Architecture choices that could go multiple ways
- Trade-offs between approaches without clear winner
- Feature flag strategy or rollout approach
- API design with multiple valid patterns
-
-**Example**:
-```
-**data/sync/SyncManager.kt:134** - QUESTION: Should sync failures retry automatically?
-Current implementation fails immediately. Options:
- Exponential backoff (3 retries)
- User-triggered retry only
- Background retry on network restore
-
-What's the expected UX?
-```
-
-### System Integration
- Unclear contracts with external systems
- Potential conflicts with other features/modules
- Assumptions about third-party API behavior
- Cross-team coordination needs
-
-**Example**:
-```
-**app/auth/BiometricPrompt.kt:89** - QUESTION: Compatibility with pending device credentials PR?
-PR #1234 is refactoring device credentials. Should this:
- Merge first and adapt later
- Wait for #1234 to land
- Coordinate with that author
-
-Timing unclear.
-```
-
-### Testing Strategy
- Uncertainty about test scope or approach
- Questions about mocking external dependencies
- Edge cases that need product input
- Performance testing requirements
-
-**Example**:
-```
-**data/vault/EncryptionTest.kt:45** - QUESTION: Should we test against real Keystore?
-Currently using mocked Keystore. Real Keystore testing would:
-+ Catch hardware-specific issues
- Slow down CI significantly
- Require API 23+ emulators
-
-What's the priority?
-```
-
---
-
 ## Optional (Acknowledge But Don't Require)

 Note good practices to reinforce positive patterns. Keep these **brief** - list only, no elaboration.
@@ -315,26 +175,11 @@ Note good practices to reinforce positive patterns. Keep these **brief** - list
 - If yes → Critical
 - If no → Important

-**If unsure between Important and Debt**:
- Ask: "Is this a bug/defect or just duplication/inconsistency?"
- If bug/defect → Important
- If duplication/inconsistency → Debt
-
 **If unsure between Important and Suggested**:
 - Ask: "Would I block merge over this?"
 - If yes → Important
 - If no → Suggested

-**If unsure between Debt and Suggested**:
- Ask: "Will this require rework within 6 months?"
- If yes → Debt
- If no → Suggested
-
-**If unsure between Suggested and Question**:
- Ask: "Am I requesting a change or asking for clarification?"
- If requesting change → Suggested
- If seeking clarification → Question
-
 **If unsure between Suggested and Optional**:
 - Ask: "Is this actionable feedback or just acknowledgment?"
 - If actionable → Suggested
@@ -425,7 +270,5 @@ Missing tests for refactored helper → SUGGESTED

 **Critical**: Block merge, must fix (security, stability, architecture)
 **Important**: Should fix before merge (testing, quality, performance)
-**Debt**: Technical debt introduced, track for future cleanup
 **Suggested**: Nice to have, consider effort vs benefit
-**Question**: Seeking clarification on requirements or design
 **Optional**: Acknowledge good practices, keep brief
--- a/.claude/skills/reviewing-changes/reference/review-psychology.md
+++ b/.claude/skills/reviewing-changes/reference/review-psychology.md
@@ -2,20 +2,6 @@

 Effective code review feedback is clear, actionable, and constructive. This guide provides phrasing patterns for inline comments.

-## Table of Contents
-
-**Guidelines:**
- [Core Directives](#core-directives)
- [Phrasing Templates](#phrasing-templates)
-  - [Critical Issues (Prescriptive)](#critical-issues-prescriptive)
-  - [Suggested Improvements (Exploratory)](#suggested-improvements-exploratory)
-  - [Questions (Collaborative)](#questions-collaborative)
-  - [Test Suggestions](#test-suggestions)
- [When to Be Prescriptive vs Ask Questions](#when-to-be-prescriptive-vs-ask-questions)
- [Special Cases](#special-cases)
-
---
-
 ## Core Directives

 - **Keep positive feedback minimal**: For clean PRs with no issues, use 2-3 line approval only. When acknowledging good practices in PRs with issues, use single bullet list with no elaboration. Never create elaborate sections praising correct implementations.
--- a/.github/actions/setup-android-build/action.yml
+++ b/.github/actions/setup-android-build/action.yml
@@ -12,7 +12,7 @@ runs:
      uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

    - name: Cache Gradle files
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
      with:
        path: |
          ~/.gradle/caches
@@ -22,7 +22,7 @@ runs:
          ${{ runner.os }}-gradle-v2-

    - name: Cache build output
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
      with:
        path: |
          ${{ github.workspace }}/build-cache
@@ -44,5 +44,6 @@ runs:
    - name: Install Fastlane
      shell: bash
      run: |
+        gem install bundler:2.2.27
        bundle config path vendor/bundle
        bundle install --jobs 4 --retry 3
--- a/.github/label-pr.json
+++ b/.github/label-pr.json
@@ -23,16 +23,11 @@
    ],
    "app:password-manager": [
      "app/",
-      "cxf/",
-      "testharness/"
+      "cxf/"
    ],
    "app:authenticator": [
      "authenticator/"
    ],
-    "t:enhancement": [
-      "app/src/main/assets/fido2_privileged_community.json",
-      "app/src/main/assets/fido2_privileged_google.json"
-    ],
    "t:ci": [
      ".github/",
      "scripts/",
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -1,33 +0,0 @@
-changelog:
-  exclude:
-    labels:
-      - ignore-for-release
-  categories:
-    - title: '✨ Community Highlight'
-      labels:
-        - community-pr
-    - title: '🚀 New Features & Enhancements'
-      labels:
-        - t:feature-app
-        - t:new-feature
-        - t:enhancement
-    - title: ':shipit: Tools'
-      labels:
-        - t:feature-tool
-    - title: '❗ Breaking Changes'
-      labels:
-        - t:breaking-change
-    - title: '🐛 Bug fixes'
-      labels:
-        - t:bug
-    - title: '⚙️ Maintenance'
-      labels:
-        - t:tech-debt
-        - t:ci
-        - t:docs
-        - t:misc
-        - '*'
-    - title: '📦 Dependency Updates'
-      labels:
-        - dependencies
-        - t:deps
--- a/.github/scripts/jira-get-release-notes/README.md
+++ b/.github/scripts/jira-get-release-notes/README.md
@@ -40,7 +40,7 @@ Single line of release notes text

 ```json
 ...
-"customfield_9999": {
+"customfield_10335": {
    "type": "doc",
    "version": 1,
    "content": [
@@ -62,7 +62,7 @@ Single line of release notes text

 ```json
 ...
-"customfield_9999": {
+"customfield_10335": {
    "type": "doc",
    "version": 1,
    "content": [
--- a/.github/scripts/jira-get-release-notes/jira_release_notes.py
+++ b/.github/scripts/jira-get-release-notes/jira_release_notes.py
@@ -5,8 +5,6 @@ import base64
 import json
 import requests

-SCRIPT_NAME = "jira_release_notes.py"
-
 def extract_text_from_content(content):
    if isinstance(content, list):
        texts = [extract_text_from_content(item) for item in content]
@@ -25,42 +23,19 @@ def extract_text_from_content(content):

    return ''

-def log_customfields_with_content(fields):
-    """Log all customfield_* fields that have a 'content' key to help troubleshoot structure changes."""
-    print(f"[{SCRIPT_NAME}] Available customfield_* fields with 'content':", file=sys.stderr)
-    found = False
-    for key, value in fields.items():
-        if key.startswith('customfield_') and isinstance(value, dict) and 'content' in value:
-            found = True
-            print(f"[{SCRIPT_NAME}]   {key}: {json.dumps(value, indent=2)}", file=sys.stderr)
-    if not found:
-        print(f"[{SCRIPT_NAME}]   None found", file=sys.stderr)
-
 def parse_release_notes(response_json):
-    release_notes_field_name = 'customfield_10309'
    try:
-        fields = response_json.get('fields')
-        if not fields:
-            print(f"[{SCRIPT_NAME}] 'fields' is empty or missing in response", file=sys.stderr)
+        fields = response_json.get('fields', {})
+        release_notes_field = fields.get('customfield_10335', {})
+
+        if not release_notes_field or not release_notes_field.get('content'):
            return ''

-        release_notes_field = fields.get(release_notes_field_name)
-        if not release_notes_field:
-            print(f"[{SCRIPT_NAME}] Release notes field is empty or missing. Field name: {release_notes_field_name}", file=sys.stderr)
-            log_customfields_with_content(fields)
-            return ''
-
-        content = release_notes_field.get('content', [])
-        if not content:
-            print(f"[{SCRIPT_NAME}] Release notes field was found but 'content' is empty or missing in {release_notes_field_name}", file=sys.stderr)
-            log_customfields_with_content(fields)
-            return ''
-
-        release_notes = extract_text_from_content(content)
+        release_notes = extract_text_from_content(release_notes_field.get('content', []))
        return release_notes

    except Exception as e:
-        print(f"[{SCRIPT_NAME}] Error parsing release notes: {str(e)}", file=sys.stderr)
+        print(f"Error parsing release notes: {str(e)}", file=sys.stderr)
        return ''

 def main():
@@ -85,7 +60,7 @@ def main():
    )

    if response.status_code != 200:
-        print(f"[{SCRIPT_NAME}] Error fetching Jira issue ({jira_issue_id}). Status code: {response.status_code}. Msg: {response.text}", file=sys.stderr)
+        print(f"Error fetching Jira issue: {response.status_code}", file=sys.stderr)
        sys.exit(1)

    release_notes = parse_release_notes(response.json())
--- a/.github/scripts/label-pr.py
+++ b/.github/scripts/label-pr.py
@@ -131,7 +131,7 @@ def label_filepaths(changed_files: list[str], path_patterns: dict) -> list[str]:
        labels_to_apply.remove("app:shared")

    if not labels_to_apply:
-        print("::notice::No matching file paths found.")
+        print("::warning::No matching file paths found, no labels applied.")

    return list(labels_to_apply)

@@ -151,7 +151,7 @@ def label_title(pr_title: str, title_patterns: dict) -> list[str]:
                break

    if not labels_to_apply:
-        print("::notice::No matching title patterns found.")
+        print("::warning::No matching title patterns found, no labels applied.")

    return list(labels_to_apply)

@@ -222,15 +222,15 @@ def main():
    if all_labels:
        labels_str = ', '.join(sorted(all_labels))
        if mode == "add":
-            print(f"::notice::🏷️ Adding labels: {labels_str}")
+            print(f"🏷️  Adding labels: {labels_str}")
            if not args.dry_run:
                gh_add_labels(pr_number, list(all_labels))
        else:
-            print(f"::notice::🏷️ Replacing labels with: {labels_str}")
+            print(f"🏷️  Replacing labels with: {labels_str}")
            if not args.dry_run:
                gh_replace_labels(pr_number, list(all_labels))
    else:
-        print("::warning::No matching patterns found, no labels applied.")
+        print("ℹ️  No matching patterns found, no labels applied.")

    print("✅ Done")

--- a/.github/workflows/_version.yml
+++ b/.github/workflows/_version.yml
@@ -79,7 +79,7 @@ jobs:

      - name: Check out repository
        if: ${{ !inputs.skip_checkout || false }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -167,7 +167,7 @@ jobs:
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - name: Upload version info artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: version-info
          path: version_info.json
--- a/.github/workflows/build-authenticator.yml
+++ b/.github/workflows/build-authenticator.yml
@@ -59,7 +59,7 @@ jobs:
          inputs: "${{ toJson(inputs) }}"

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -67,7 +67,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -77,7 +77,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -98,6 +98,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -122,7 +123,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -133,6 +134,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -205,7 +207,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -215,7 +217,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -283,7 +285,7 @@ jobs:

      - name: Upload release Play Store .aab artifact
        if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.bitwarden.authenticator.aab
          path: authenticator/build/outputs/bundle/release/com.bitwarden.authenticator.aab
@@ -291,7 +293,7 @@ jobs:

      - name: Upload release .apk artifact
        if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.bitwarden.authenticator.apk
          path: authenticator/build/outputs/apk/release/com.bitwarden.authenticator.apk
@@ -311,7 +313,7 @@ jobs:

      - name: Upload .apk SHA file for release
        if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: authenticator-android-apk-sha256.txt
          path: ./authenticator-android-apk-sha256.txt
@@ -319,7 +321,7 @@ jobs:

      - name: Upload .aab SHA file for release
        if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: authenticator-android-aab-sha256.txt
          path: ./authenticator-android-aab-sha256.txt
--- a/.github/workflows/build-testharness.yml
+++ b/.github/workflows/build-testharness.yml
@@ -1,134 +0,0 @@
-name: Build Test Harness
-
-on:
-  push:
-    paths:
-      - testharness/**
-  workflow_dispatch:
-    inputs:
-      version-name:
-        description: "Optional. Version string to use, in X.Y.Z format. Overrides default in the project."
-        required: false
-        type: string
-      version-code:
-        description: "Optional. Build number to use. Overrides default of GitHub run number."
-        required: false
-        type: number
-      patch_version:
-        description: "Order 999 - Overrides Patch version"
-        type: boolean
-
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  JAVA_VERSION: 21
-
-permissions:
-  contents: read
-  packages: read
-
-jobs:
-  version:
-    name: Calculate Version Name and Number
-    uses: bitwarden/android/.github/workflows/_version.yml@main
-    with:
-      app_codename: "bwpm"
-      base_version_number: 0
-      version_name: ${{ inputs.version-name }}
-      version_number: ${{ inputs.version-code }}
-      patch_version: ${{ inputs.patch_version && '999' || '' }}
-
-  build:
-    name: Build Test Harness
-    runs-on: ubuntu-24.04
-    needs: version
-
-    steps:
-      - name: Log inputs to job summary
-        uses: bitwarden/android/.github/actions/log-inputs@main
-        with:
-          inputs: "${{ toJson(inputs) }}"
-
-      - name: Check out repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-
-      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: |
-            ~/.gradle/caches
-            ~/.gradle/wrapper
-          key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
-          restore-keys: |
-            ${{ runner.os }}-gradle-v2-
-
-      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: |
-            ${{ github.workspace }}/build-cache
-          key: ${{ runner.os }}-build-cache-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-build-
-
-      - name: Configure JDK
-        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-        with:
-          distribution: "temurin"
-          java-version: ${{ env.JAVA_VERSION }}
-
-      - name: Configure Ruby
-        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
-        with:
-          bundler-cache: true
-
-      - name: Install Fastlane
-        run: |
-          gem install bundler:2.2.27
-          bundle config path vendor/bundle
-          bundle install --jobs 4 --retry 3
-
-      - name: Increment version
-        env:
-          DEFAULT_VERSION_CODE: ${{ github.run_number }}
-          INPUT_VERSION_CODE: "${{ needs.version.outputs.version_number }}"
-          INPUT_VERSION_NAME: ${{ needs.version.outputs.version_name }}
-        run: |
-          VERSION_CODE="${INPUT_VERSION_CODE:-$DEFAULT_VERSION_CODE}"
-          VERSION_NAME_INPUT="${INPUT_VERSION_NAME:-}"
-          bundle exec fastlane setBuildVersionInfo \
-          versionCode:"$VERSION_CODE" \
-          versionName:"$VERSION_NAME_INPUT"
-
-          regex='appVersionName = "(.+)"'
-          if [[ "$(cat gradle/libs.versions.toml)" =~ $regex ]]; then
-            VERSION_NAME="${BASH_REMATCH[1]}"
-          fi
-          echo "Version Name: ${VERSION_NAME}" >> "$GITHUB_STEP_SUMMARY"
-          echo "Version Number: $VERSION_CODE" >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Build Test Harness Debug APK
-        run: ./gradlew :testharness:assembleDebug
-
-      - name: Upload Test Harness APK
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        with:
-          name: com.bitwarden.testharness.dev-debug.apk
-          path: testharness/build/outputs/apk/debug/com.bitwarden.testharness.dev.apk
-          if-no-files-found: error
-
-      - name: Create checksum for Test Harness APK
-        run: |
-          sha256sum "testharness/build/outputs/apk/debug/com.bitwarden.testharness.dev.apk" \
-            > ./com.bitwarden.testharness.dev.apk-sha256.txt
-
-      - name: Upload Test Harness SHA file
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        with:
-          name: com.bitwarden.testharness.dev.apk-sha256.txt
-          path: ./com.bitwarden.testharness.dev.apk-sha256.txt
-          if-no-files-found: error
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,7 +61,7 @@ jobs:
          inputs: "${{ toJson(inputs) }}"

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -69,7 +69,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -79,7 +79,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -100,6 +100,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -110,7 +111,7 @@ jobs:
        run: bundle exec fastlane assembleDebugApks

      - name: Upload test reports on failure
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: failure()
        with:
          name: test-reports
@@ -131,7 +132,7 @@ jobs:
        artifact: ["apk", "aab"]
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -142,6 +143,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -201,7 +203,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -211,7 +213,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -297,7 +299,7 @@ jobs:

      - name: Upload release Play Store .aab artifact
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.aab
          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab
@@ -305,7 +307,7 @@ jobs:

      - name: Upload beta Play Store .aab artifact
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta.aab
          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab
@@ -313,7 +315,7 @@ jobs:

      - name: Upload release .apk artifact
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.apk
          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk
@@ -321,7 +323,7 @@ jobs:

      - name: Upload beta .apk artifact
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta.apk
          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk
@@ -330,7 +332,7 @@ jobs:
      # When building variants other than 'prod'
      - name: Upload debug .apk artifact
        if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk
          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk
@@ -368,7 +370,7 @@ jobs:

      - name: Upload .apk SHA file for release
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.apk-sha256.txt
          path: ./com.x8bit.bitwarden.apk-sha256.txt
@@ -376,7 +378,7 @@ jobs:

      - name: Upload .apk SHA file for beta
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta.apk-sha256.txt
          path: ./com.x8bit.bitwarden.beta.apk-sha256.txt
@@ -384,7 +386,7 @@ jobs:

      - name: Upload .aab SHA file for release
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.aab-sha256.txt
          path: ./com.x8bit.bitwarden.aab-sha256.txt
@@ -392,7 +394,7 @@ jobs:

      - name: Upload .aab SHA file for beta
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta.aab-sha256.txt
          path: ./com.x8bit.bitwarden.beta.aab-sha256.txt
@@ -400,7 +402,7 @@ jobs:

      - name: Upload .apk SHA file for debug
        if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
          path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
@@ -449,7 +451,7 @@ jobs:
      id-token: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -460,6 +462,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -505,7 +508,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -515,7 +518,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -576,7 +579,7 @@ jobs:
          keyPassword:$FDROID_BETA_KEY_PASSWORD

      - name: Upload F-Droid .apk artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden-fdroid.apk
          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk
@@ -588,14 +591,14 @@ jobs:
          > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt

      - name: Upload F-Droid SHA file
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden-fdroid.apk-sha256.txt
          path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
          if-no-files-found: error

      - name: Upload F-Droid Beta .apk artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta-fdroid.apk
          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk
@@ -607,7 +610,7 @@ jobs:
          > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt

      - name: Upload F-Droid Beta SHA file
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
          path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
--- a/.github/workflows/cron-sync-google-priviledged-browsers.yml
+++ b/.github/workflows/cron-sync-google-priviledged-browsers.yml
@@ -2,8 +2,8 @@ name: Cron / Sync Google Privileged Browsers List

 on:
  schedule:
-    # Run weekly on Sunday at 00:00 UTC
-    - cron: '0 0 * * 0'
+    # Run weekly on Monday at 00:00 UTC
+    - cron: "0 0 * * 1"
  workflow_dispatch:

 env:
@@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: true

@@ -96,4 +96,4 @@ jobs:
            --base main \
            --head "$BRANCH_NAME" \
            --label "automated-pr" \
-            --label "t:deps"
+            --label "t:ci"
--- a/.github/workflows/crowdin-pull.yml
+++ b/.github/workflows/crowdin-pull.yml
@@ -4,21 +4,19 @@ run-name: Crowdin Pull - ${{ github.event_name == 'workflow_dispatch' && 'Manual
 on:
  workflow_dispatch:
  schedule:
-    # Run weekly on Sunday at 00:00 UTC
-    - cron: '0 0 * * 0'
-    
-permissions: {}
+    - cron: "0 0 * * 5"

 jobs:
  crowdin-sync:
    name: Crowdin Pull - ${{ github.event_name }}
    runs-on: ubuntu-24.04
    permissions:
-      contents: read
+      contents: write
+      pull-requests: write
      id-token: write
    steps:
      - name: Checkout repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -52,8 +50,6 @@ jobs:
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
-          permission-contents: write      # for creating and pushing a new branch
-          permission-pull-requests: write # for creating pull request

      - name: Download translations
        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
@@ -73,6 +69,5 @@ jobs:
          create_pull_request: true
          pull_request_title: "Crowdin Pull"
          pull_request_body: ":inbox_tray: New translations received!"
-          pull_request_labels: "automated-pr, t:misc"
          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
          gpg_passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
--- a/.github/workflows/crowdin-push.yml
+++ b/.github/workflows/crowdin-push.yml
@@ -16,7 +16,7 @@ jobs:
      id-token: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: true
@@ -183,15 +183,11 @@ jobs:
          _JIRA_API_EMAIL: ${{ steps.get-kv-secrets.outputs.JIRA-API-EMAIL }}
          _JIRA_API_TOKEN: ${{ steps.get-kv-secrets.outputs.JIRA-API-TOKEN }}
        run: |
-          echo "Getting product release notes..."
-          # capture output and exit code so this step continues even if we can't retrieve release notes.
-          script_exit_code=0
-          product_release_notes=$(python .github/scripts/jira-get-release-notes/jira_release_notes.py "$_RELEASE_TICKET_ID" "$_JIRA_API_EMAIL" "$_JIRA_API_TOKEN") || script_exit_code=$?
-          echo "--------------------------------"
+          echo "Getting product release notes"
+          product_release_notes=$(python3 .github/scripts/jira-get-release-notes/jira_release_notes.py "$_RELEASE_TICKET_ID" "$_JIRA_API_EMAIL" "$_JIRA_API_TOKEN")

-          if [[ $script_exit_code -ne 0 || -z "$product_release_notes" ]]; then
-            echo "Script Output: $product_release_notes"
-            echo "::warning::Failed to fetch release notes from Jira. Check script logs for more details."
+          if [[ -z "$product_release_notes" || $product_release_notes == "Error checking"* ]]; then
+            echo "::warning::Failed to fetch release notes from Jira. Output: $product_release_notes"
            product_release_notes="<insert product release notes here>"
          else
            echo "✅ Product release notes:"
@@ -289,5 +285,5 @@ jobs:
            echo " * :ocean: Previous tag set in the description \"Full Changelog\" link: \`$_LAST_RELEASE_TAG\`"
            echo " * :white_check_mark: Description has automated release notes and they match the commits in the release branch"
            echo "> [!NOTE]"
-            echo "> Commits directly pushed to branches without a Pull Request won't appear in the automated release notes."
+            echo "> Commits directly pushed to branches without a Pull Request won't appear in the automated release notes." 
          } >> "$GITHUB_STEP_SUMMARY"
--- a/.github/workflows/publish-store.yml
+++ b/.github/workflows/publish-store.yml
@@ -73,7 +73,7 @@ jobs:
          inputs: "${{ toJson(inputs) }}"

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Configure Ruby
@@ -83,6 +83,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -22,7 +22,7 @@ jobs:
      actions: write
    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/review-code.yml
+++ b/.github/workflows/review-code.yml
@@ -2,7 +2,7 @@ name: Code Review

 on:
  pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, ready_for_review]

 permissions: {}

--- a/.github/workflows/sdlc-label-pr.yml
+++ b/.github/workflows/sdlc-label-pr.yml
@@ -1,8 +1,6 @@
 name: SDLC / Label PR by Files

 on:
-  pull_request:
-    types: [opened, synchronize]
  workflow_dispatch:
    inputs:
      pr-number:
@@ -21,9 +19,6 @@ on:
        type: boolean
        default: false

-env:
-  _PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr-number }}
-
 jobs:
  label-pr:
    name: Label PR by Changed Files
@@ -34,7 +29,7 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -42,6 +37,7 @@ jobs:
        id: label-mode
        env:
          GH_TOKEN: ${{ github.token }}
+          _PR_NUMBER: ${{ inputs.pr-number }}
          _PR_USER: ${{ github.event.pull_request.user.login }}
          _IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
        run: |
@@ -75,6 +71,7 @@ jobs:
      - name: Label PR based on changed files
        env:
          GH_TOKEN: ${{ github.token }}
+          _PR_NUMBER: ${{ inputs.pr-number || github.event.pull_request.number }}
          _LABEL_MODE: ${{ inputs.mode && format('--{0}', inputs.mode) || steps.label-mode.outputs.label_mode }}
          _DRY_RUN: ${{ inputs.dry-run == true && '--dry-run' || '' }}
        run: |
--- a/.github/workflows/sdlc-sdk-update.yml
+++ b/.github/workflows/sdlc-sdk-update.yml
@@ -63,7 +63,7 @@ jobs:
          permission-contents: write

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0
@@ -190,7 +190,7 @@ jobs:
              --base main \
              --head "$_BRANCH_NAME" \
              --label "automated-pr" \
-              --label "t:deps")
+              --label "t:ci")
            echo "## 🚀 Created PR: $PR_URL" >> "$GITHUB_STEP_SUMMARY"
          fi

@@ -204,7 +204,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -34,7 +34,7 @@ jobs:
        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0

      - name: Cache Gradle files
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.gradle/caches
@@ -44,7 +44,7 @@ jobs:
            ${{ runner.os }}-gradle-v2-

      - name: Cache build output
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ${{ github.workspace }}/build-cache
@@ -65,6 +65,7 @@ jobs:

      - name: Install Fastlane
        run: |
+          gem install bundler:2.2.27
          bundle config path vendor/bundle
          bundle install --jobs 4 --retry 3

@@ -75,7 +76,7 @@ jobs:
          bundle exec fastlane check

      - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: always()
        with:
          name: test-reports
--- a/3
+++ b/3
@@ -14,8 +14,5 @@ gem 'logger'
 gem 'mutex_m'
 gem 'csv'

-# Since ruby 3.4.1 these are not included in the standard library
-gem 'nkf'
-
 # Starting with Ruby 3.5.0, these are not included in the standard library
 gem 'ostruct'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,15 +1,18 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    CFPropertyList (3.0.8)
+    CFPropertyList (3.0.7)
+      base64
+      nkf
+      rexml
    abbrev (0.1.2)
-    addressable (2.8.8)
-      public_suffix (>= 2.0.2, < 8.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    artifactory (3.0.17)
    atomos (0.1.3)
    aws-eventstream (1.4.0)
-    aws-partitions (1.1200.0)
-    aws-sdk-core (3.240.0)
+    aws-partitions (1.1181.0)
+    aws-sdk-core (3.236.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.992.0)
      aws-sigv4 (~> 1.9)
@@ -17,10 +20,10 @@ GEM
      bigdecimal
      jmespath (~> 1, >= 1.6.1)
      logger
-    aws-sdk-kms (1.118.0)
-      aws-sdk-core (~> 3, >= 3.239.1)
+    aws-sdk-kms (1.117.0)
+      aws-sdk-core (~> 3, >= 3.234.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.209.0)
+    aws-sdk-s3 (1.203.0)
      aws-sdk-core (~> 3, >= 3.234.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
@@ -28,14 +31,14 @@ GEM
      aws-eventstream (~> 1, >= 1.0.2)
    babosa (1.0.4)
    base64 (0.3.0)
-    bigdecimal (4.0.1)
+    bigdecimal (3.3.1)
    claide (1.1.0)
    colored (1.2)
    colored2 (3.1.2)
    commander (4.6.0)
      highline (~> 2.0.0)
    csv (3.3.5)
-    date (3.5.1)
+    date (3.5.0)
    declarative (0.0.20)
    digest-crc (0.7.0)
      rake (>= 12.0.0, < 14.0.0)
@@ -55,14 +58,14 @@ GEM
      faraday-rack (~> 1.0)
      faraday-retry (~> 1.0)
      ruby2_keywords (>= 0.0.4)
-    faraday-cookie_jar (0.0.8)
+    faraday-cookie_jar (0.0.7)
      faraday (>= 0.8.0)
-      http-cookie (>= 1.0.0)
+      http-cookie (~> 1.0.0)
    faraday-em_http (1.0.0)
    faraday-em_synchrony (1.0.1)
    faraday-excon (1.1.0)
    faraday-httpclient (1.0.1)
-    faraday-multipart (1.2.0)
+    faraday-multipart (1.1.1)
      multipart-post (~> 2.0)
    faraday-net_http (1.0.2)
    faraday-net_http_persistent (1.2.0)
@@ -72,9 +75,8 @@ GEM
    faraday_middleware (1.2.1)
      faraday (~> 1.0)
    fastimage (2.4.0)
-    fastlane (2.229.0)
+    fastlane (2.228.0)
      CFPropertyList (>= 2.3, < 4.0.0)
-      abbrev (~> 0.1.2)
      addressable (>= 2.8, < 3.0.0)
      artifactory (~> 3.0)
      aws-sdk-s3 (~> 1.0)
@@ -82,7 +84,6 @@ GEM
      bundler (>= 1.12.0, < 3.0.0)
      colored (~> 1.2)
      commander (~> 4.6)
-      csv (~> 3.3)
      dotenv (>= 2.1.1, < 3.0.0)
      emoji_regex (>= 0.1, < 4.0)
      excon (>= 0.71.0, < 1.0.0)
@@ -102,7 +103,6 @@ GEM
      jwt (>= 2.1.0, < 3)
      mini_magick (>= 4.9.4, < 5.0.0)
      multipart-post (>= 2.0.0, < 3.0.0)
-      mutex_m (~> 0.3.0)
      naturally (~> 2.2)
      optparse (>= 0.1.1, < 1.0.0)
      plist (>= 3.1.0, < 4.0.0)
@@ -169,23 +169,23 @@ GEM
    httpclient (2.9.0)
      mutex_m
    jmespath (1.6.2)
-    json (2.18.0)
+    json (2.16.0)
    jwt (2.10.2)
      base64
    logger (1.7.0)
    mini_magick (4.13.2)
    mini_mime (1.1.5)
-    multi_json (1.19.1)
+    multi_json (1.17.0)
    multipart-post (2.4.1)
    mutex_m (0.3.0)
    nanaimo (0.4.0)
    naturally (2.3.0)
    nkf (0.2.0)
-    optparse (0.8.1)
+    optparse (0.8.0)
    os (1.1.4)
    ostruct (0.6.3)
    plist (3.7.2)
-    public_suffix (7.0.2)
+    public_suffix (6.0.2)
    rake (13.3.1)
    representable (3.2.0)
      declarative (< 0.1.0)
@@ -209,7 +209,7 @@ GEM
    terminal-notifier (2.0.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    time (0.4.2)
+    time (0.4.1)
      date
    trailblazer-option (0.1.2)
    tty-cursor (0.7.1)
@@ -241,7 +241,6 @@ DEPENDENCIES
  fastlane-plugin-firebase_app_distribution
  logger
  mutex_m
-  nkf
  ostruct
  time

@@ -249,4 +248,4 @@ RUBY VERSION
   ruby 3.4.2p28

 BUNDLED WITH
-   2.6.2
+   2.6.9
--- a/app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/9.json
+++ b/app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/9.json
@@ -1,279 +0,0 @@
-{
-  "formatVersion": 1,
-  "database": {
-    "version": 9,
-    "identityHash": "61353072161e3101ade140e2c4b65495",
-    "entities": [
-      {
-        "tableName": "ciphers",
-        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `has_totp` INTEGER NOT NULL DEFAULT 1, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, `organization_id` TEXT, PRIMARY KEY(`id`))",
-        "fields": [
-          {
-            "fieldPath": "id",
-            "columnName": "id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "userId",
-            "columnName": "user_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "hasTotp",
-            "columnName": "has_totp",
-            "affinity": "INTEGER",
-            "notNull": true,
-            "defaultValue": "1"
-          },
-          {
-            "fieldPath": "cipherType",
-            "columnName": "cipher_type",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "cipherJson",
-            "columnName": "cipher_json",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "organizationId",
-            "columnName": "organization_id",
-            "affinity": "TEXT"
-          }
-        ],
-        "primaryKey": {
-          "autoGenerate": false,
-          "columnNames": [
-            "id"
-          ]
-        },
-        "indices": [
-          {
-            "name": "index_ciphers_user_id",
-            "unique": false,
-            "columnNames": [
-              "user_id"
-            ],
-            "orders": [],
-            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
-          },
-          {
-            "name": "index_ciphers_user_id_organization_id",
-            "unique": false,
-            "columnNames": [
-              "user_id",
-              "organization_id"
-            ],
-            "orders": [],
-            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id_organization_id` ON `${TABLE_NAME}` (`user_id`, `organization_id`)"
-          }
-        ]
-      },
-      {
-        "tableName": "collections",
-        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER, `default_user_collection_email` TEXT, `type` TEXT NOT NULL DEFAULT '0', PRIMARY KEY(`id`))",
-        "fields": [
-          {
-            "fieldPath": "id",
-            "columnName": "id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "userId",
-            "columnName": "user_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "organizationId",
-            "columnName": "organization_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "shouldHidePasswords",
-            "columnName": "should_hide_passwords",
-            "affinity": "INTEGER",
-            "notNull": true
-          },
-          {
-            "fieldPath": "name",
-            "columnName": "name",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "externalId",
-            "columnName": "external_id",
-            "affinity": "TEXT"
-          },
-          {
-            "fieldPath": "isReadOnly",
-            "columnName": "read_only",
-            "affinity": "INTEGER",
-            "notNull": true
-          },
-          {
-            "fieldPath": "canManage",
-            "columnName": "manage",
-            "affinity": "INTEGER"
-          },
-          {
-            "fieldPath": "defaultUserCollectionEmail",
-            "columnName": "default_user_collection_email",
-            "affinity": "TEXT"
-          },
-          {
-            "fieldPath": "type",
-            "columnName": "type",
-            "affinity": "TEXT",
-            "notNull": true,
-            "defaultValue": "'0'"
-          }
-        ],
-        "primaryKey": {
-          "autoGenerate": false,
-          "columnNames": [
-            "id"
-          ]
-        },
-        "indices": [
-          {
-            "name": "index_collections_user_id",
-            "unique": false,
-            "columnNames": [
-              "user_id"
-            ],
-            "orders": [],
-            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
-          }
-        ]
-      },
-      {
-        "tableName": "domains",
-        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
-        "fields": [
-          {
-            "fieldPath": "userId",
-            "columnName": "user_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "domainsJson",
-            "columnName": "domains_json",
-            "affinity": "TEXT"
-          }
-        ],
-        "primaryKey": {
-          "autoGenerate": false,
-          "columnNames": [
-            "user_id"
-          ]
-        }
-      },
-      {
-        "tableName": "folders",
-        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
-        "fields": [
-          {
-            "fieldPath": "id",
-            "columnName": "id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "userId",
-            "columnName": "user_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "name",
-            "columnName": "name",
-            "affinity": "TEXT"
-          },
-          {
-            "fieldPath": "revisionDate",
-            "columnName": "revision_date",
-            "affinity": "INTEGER",
-            "notNull": true
-          }
-        ],
-        "primaryKey": {
-          "autoGenerate": false,
-          "columnNames": [
-            "id"
-          ]
-        },
-        "indices": [
-          {
-            "name": "index_folders_user_id",
-            "unique": false,
-            "columnNames": [
-              "user_id"
-            ],
-            "orders": [],
-            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
-          }
-        ]
-      },
-      {
-        "tableName": "sends",
-        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
-        "fields": [
-          {
-            "fieldPath": "id",
-            "columnName": "id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "userId",
-            "columnName": "user_id",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "sendType",
-            "columnName": "send_type",
-            "affinity": "TEXT",
-            "notNull": true
-          },
-          {
-            "fieldPath": "sendJson",
-            "columnName": "send_json",
-            "affinity": "TEXT",
-            "notNull": true
-          }
-        ],
-        "primaryKey": {
-          "autoGenerate": false,
-          "columnNames": [
-            "id"
-          ]
-        },
-        "indices": [
-          {
-            "name": "index_sends_user_id",
-            "unique": false,
-            "columnNames": [
-              "user_id"
-            ],
-            "orders": [],
-            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
-          }
-        ]
-      }
-    ],
-    "setupQueries": [
-      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
-      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, '61353072161e3101ade140e2c4b65495')"
-    ]
-  }
-}
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -13,7 +13,6 @@
    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
    <uses-permission android:name="android.permission.NFC" />
    <uses-permission android:name="android.permission.CAMERA" />
-    <uses-permission android:name="horizons.permission.HEADSET_CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
    <uses-permission android:name="android.permission.READ_USER_DICTIONARY" />
@@ -31,6 +30,10 @@
        android:protectionLevel="signature|knownSigner"
        tools:targetApi="s" />

+    <permission
+        android:name="${applicationId}.permission.AUTOFILL_CALLBACK"
+        android:protectionLevel="signature" />
+
    <application
        android:name=".BitwardenApplication"
        android:allowBackup="false"
@@ -132,7 +135,8 @@
            android:exported="true"
            android:launchMode="singleTop"
            android:noHistory="true"
-            android:theme="@style/AutofillCallbackTheme" />
+            android:theme="@style/AutofillCallbackTheme"
+            android:permission="${applicationId}.permission.AUTOFILL_CALLBACK" />

        <activity
            android:name=".AuthCallbackActivity"
@@ -140,19 +144,6 @@
            android:launchMode="singleTop"
            android:noHistory="true"
            android:theme="@android:style/Theme.NoDisplay">
-            <intent-filter android:autoVerify="true">
-                <action android:name="android.intent.action.VIEW" />
-
-                <category android:name="android.intent.category.DEFAULT" />
-                <category android:name="android.intent.category.BROWSABLE" />
-
-                <data android:scheme="https" />
-                <data android:host="bitwarden.com" />
-                <data android:host="bitwarden.eu" />
-                <data android:pathPattern="/duo-callback" />
-                <data android:pathPattern="/sso-callback" />
-                <data android:pathPattern="/webauthn-callback" />
-            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

@@ -275,7 +266,7 @@
            android:name="com.x8bit.bitwarden.AutofillTileService"
            android:exported="true"
            android:icon="@drawable/ic_notification"
-            android:label="@string/autofill_verb"
+            android:label="@string/autofill_title"
            android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
            tools:ignore="MissingClass">
            <intent-filter>
--- a/app/src/main/assets/fido2_privileged_community.json
+++ b/app/src/main/assets/fido2_privileged_community.json
@@ -1,21 +1,5 @@
 {
  "apps": [
-    {
-      "type": "android",
-      "info": {
-        "package_name": "eu.weblibre.gecko",
-        "signatures": [
-          {
-            "build": "release",
-            "cert_fingerprint_sha256": "BB:2A:97:F5:61:53:35:C9:E5:7C:86:6F:1C:30:ED:4F:D7:D7:BD:DC:BC:BC:06:68:FE:93:A5:79:17:3D:3D:2D"
-          },
-          {
-            "build": "release",
-            "cert_fingerprint_sha256": "8F:52:6E:1E:53:D6:BD:4D:FB:F4:F4:B9:3C:2A:91:EC:B5:CB:8D:A5:E1:4A:D9:4C:25:70:E1:E3:C7:13:52:7F"
-          },
-        ]
-      }
-    },
    {
      "type": "android",
      "info": {
@@ -28,6 +12,18 @@
        ]
      }
    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.chromium.chrome",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "A8:56:48:50:79:BC:B3:57:BF:BE:69:BA:19:A9:BA:43:CD:0A:D9:AB:22:67:52:C7:80:B6:88:8A:FD:48:21:6B"
+          }
+        ]
+      }
+    },
    {
      "type": "android",
      "info": {
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
@@ -159,11 +159,11 @@ class AuthDiskSourceImpl(
        storeAuthenticatorSyncUnlockKey(userId = userId, authenticatorSyncUnlockKey = null)
        storeShowImportLogins(userId = userId, showImportLogins = null)
        storeLastLockTimestamp(userId = userId, lastLockTimestamp = null)
-        storeEncryptedPin(userId = userId, encryptedPin = null)
-        storePinProtectedUserKey(userId = userId, pinProtectedUserKey = null)
-        storePinProtectedUserKeyEnvelope(userId = userId, pinProtectedUserKeyEnvelope = null)

        // Certain values are never removed as required by the feature requirements:
+        // * EncryptedPin
+        // * PinProtectedUserKey
+        // * PinProtectedUserKeyEnvelope
        // * DeviceKey
        // * PendingAuthRequest
        // * OnboardingStatus
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceImpl.kt
@@ -30,7 +30,7 @@ class AuthSdkSourceImpl(
        getClient()
            .auth()
            .newAuthRequest(
-                email = email.lowercase(),
+                email = email,
            )
    }

@@ -42,7 +42,7 @@ class AuthSdkSourceImpl(
            .platform()
            .fingerprint(
                req = FingerprintRequest(
-                    fingerprintMaterial = email.lowercase(),
+                    fingerprintMaterial = email,
                    publicKey = publicKey,
                ),
            )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/AuthRequestManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/AuthRequestManagerImpl.kt
@@ -28,6 +28,7 @@ import kotlinx.coroutines.flow.flow
 import kotlinx.coroutines.isActive
 import java.time.Clock
 import javax.inject.Singleton
+import kotlin.coroutines.coroutineContext

 private const val PASSWORDLESS_NOTIFICATION_TIMEOUT_MILLIS: Long = 15L * 60L * 1_000L
 private const val PASSWORDLESS_NOTIFICATION_RETRY_INTERVAL_MILLIS: Long = 4L * 1_000L
@@ -162,7 +163,7 @@ class AuthRequestManagerImpl(
        emit(result)
        if (result is AuthRequestUpdatesResult.Error) return@flow
        var isComplete = false
-        while (currentCoroutineContext().isActive && !isComplete) {
+        while (coroutineContext.isActive && !isComplete) {
            delay(PASSWORDLESS_APPROVER_INTERVAL_MILLIS)
            val updateResult = result as AuthRequestUpdatesResult.Update
            authRequestsService
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserLogoutManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserLogoutManagerImpl.kt
@@ -49,14 +49,14 @@ class UserLogoutManagerImpl(
    override fun logout(userId: String, reason: LogoutReason) {
        authDiskSource.userState ?: return
        Timber.d("logout reason=$reason")
-        val isSecurityStamp = reason == LogoutReason.SecurityStamp
-        if (isSecurityStamp) {
+        val isExpired = reason == LogoutReason.SecurityStamp
+        if (isExpired) {
            showToast(message = BitwardenString.login_expired)
        }

        val ableToSwitchToNewAccount = switchUserIfAvailable(
            currentUserId = userId,
-            isSecurityStamp = isSecurityStamp,
+            isExpired = isExpired,
            removeCurrentUserFromAccounts = true,
        )

@@ -73,24 +73,19 @@ class UserLogoutManagerImpl(

    override fun softLogout(userId: String, reason: LogoutReason) {
        Timber.d("softLogout reason=$reason")
-        val isSecurityStamp = reason == LogoutReason.SecurityStamp
-        if (isSecurityStamp) {
+        val isExpired = reason == LogoutReason.SecurityStamp
+        if (isExpired) {
            showToast(message = BitwardenString.login_expired)
        }

-        // Save any data that will still need to be retained after otherwise clearing all data
+        // Save any data that will still need to be retained after otherwise clearing all dat
        val vaultTimeoutInMinutes = settingsDiskSource.getVaultTimeoutInMinutes(userId = userId)
        val vaultTimeoutAction = settingsDiskSource.getVaultTimeoutAction(userId = userId)
-        val encryptedPin = authDiskSource.getEncryptedPin(userId = userId)
-        val pinProtectedUserKey = authDiskSource.getPinProtectedUserKey(userId = userId)
-        val pinProtectedUserKeyEnvelope = authDiskSource.getPinProtectedUserKeyEnvelope(
-            userId = userId,
-        )

        switchUserIfAvailable(
            currentUserId = userId,
            removeCurrentUserFromAccounts = false,
-            isSecurityStamp = isSecurityStamp,
+            isExpired = isExpired,
        )

        clearData(userId = userId)
@@ -107,14 +102,6 @@ class UserLogoutManagerImpl(
                vaultTimeoutAction = vaultTimeoutAction,
            )
        }
-        authDiskSource.apply {
-            storeEncryptedPin(userId = userId, encryptedPin = encryptedPin)
-            storePinProtectedUserKey(userId = userId, pinProtectedUserKey = pinProtectedUserKey)
-            storePinProtectedUserKeyEnvelope(
-                userId = userId,
-                pinProtectedUserKeyEnvelope = pinProtectedUserKeyEnvelope,
-            )
-        }
    }

    private fun clearData(userId: String) {
@@ -136,7 +123,7 @@ class UserLogoutManagerImpl(
    private fun switchUserIfAvailable(
        currentUserId: String,
        removeCurrentUserFromAccounts: Boolean,
-        isSecurityStamp: Boolean,
+        isExpired: Boolean = false,
    ): Boolean {
        val currentUserState = authDiskSource.userState ?: return false

@@ -148,7 +135,7 @@ class UserLogoutManagerImpl(

        // Check if there is a new active user
        return if (updatedAccounts.isNotEmpty()) {
-            if (currentUserId == currentUserState.activeUserId && !isSecurityStamp) {
+            if (currentUserId == currentUserState.activeUserId && !isExpired) {
                showToast(message = BitwardenString.account_switched_automatically)
            }

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt
@@ -38,7 +38,6 @@ import com.x8bit.bitwarden.data.auth.repository.util.SsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.WebAuthResult
 import com.x8bit.bitwarden.data.auth.util.YubiKeyResult
 import com.x8bit.bitwarden.data.platform.datasource.network.authenticator.AuthenticatorProvider
-import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.StateFlow

@@ -49,7 +48,6 @@ import kotlinx.coroutines.flow.StateFlow
 interface AuthRepository :
    AuthenticatorProvider,
    AuthRequestManager,
-    BiometricsEncryptionManager,
    KdfManager,
    UserStateManager {
    /**
@@ -359,14 +357,14 @@ interface AuthRepository :
    suspend fun getPasswordStrength(email: String? = null, password: String): PasswordStrengthResult

    /**
-     * Validates the master password for the current logged-in user.
+     * Validates the master password for the current logged in user.
     */
    suspend fun validatePassword(password: String): ValidatePasswordResult

    /**
-     * Validates the PIN for the current logged-in user.
+     * Validates the PIN for the current logged in user.
     */
-    suspend fun validatePinUserKey(pin: String): ValidatePinResult
+    suspend fun validatePin(pin: String): ValidatePinResult

    /**
     * Validates the given [password] against the master password
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt
@@ -2,10 +2,7 @@ package com.x8bit.bitwarden.data.auth.repository

 import com.bitwarden.core.AuthRequestMethod
 import com.bitwarden.core.InitUserCryptoMethod
-import com.bitwarden.core.RegisterTdeKeyResponse
-import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.core.data.repository.error.MissingPropertyException
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
 import com.bitwarden.core.data.util.asFailure
 import com.bitwarden.core.data.util.asSuccess
@@ -15,7 +12,6 @@ import com.bitwarden.crypto.Kdf
 import com.bitwarden.data.datasource.disk.ConfigDiskSource
 import com.bitwarden.data.repository.util.toEnvironmentUrls
 import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
-import com.bitwarden.network.model.CreateAccountKeysResponseJson
 import com.bitwarden.network.model.DeleteAccountResponseJson
 import com.bitwarden.network.model.GetTokenResponseJson
 import com.bitwarden.network.model.IdentityTokenAuthModel
@@ -104,8 +100,8 @@ import com.x8bit.bitwarden.data.auth.util.KdfParamsConstants.DEFAULT_PBKDF2_ITER
 import com.x8bit.bitwarden.data.auth.util.YubiKeyResult
 import com.x8bit.bitwarden.data.auth.util.toSdkParams
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
+import com.x8bit.bitwarden.data.platform.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
-import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
@@ -116,7 +112,6 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockError
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
-import com.x8bit.bitwarden.data.vault.repository.util.createWrappedAccountCryptographicState
 import com.x8bit.bitwarden.data.vault.repository.util.toSdkMasterPasswordUnlock
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
@@ -162,7 +157,6 @@ class AuthRepositoryImpl(
    private val settingsRepository: SettingsRepository,
    private val vaultRepository: VaultRepository,
    private val authRequestManager: AuthRequestManager,
-    private val biometricsEncryptionManager: BiometricsEncryptionManager,
    private val keyConnectorManager: KeyConnectorManager,
    private val trustedDeviceManager: TrustedDeviceManager,
    private val userLogoutManager: UserLogoutManager,
@@ -174,7 +168,6 @@ class AuthRepositoryImpl(
    dispatcherManager: DispatcherManager,
 ) : AuthRepository,
    AuthRequestManager by authRequestManager,
-    BiometricsEncryptionManager by biometricsEncryptionManager,
    KdfManager by kdfManager,
    UserStateManager by userStateManager {
    /**
@@ -461,32 +454,42 @@ class AuthRepositoryImpl(
                                .getShouldTrustDevice(userId = userId) == true,
                        )
                    }
-                    .flatMap { registerTdeKeyResponse ->
+                    .flatMap { keys ->
                        accountsService
                            .createAccountKeys(
-                                publicKey = registerTdeKeyResponse.publicKey,
-                                encryptedPrivateKey = registerTdeKeyResponse.privateKey,
+                                publicKey = keys.publicKey,
+                                encryptedPrivateKey = keys.privateKey,
                            )
-                            .map { createAccountKeysResponse ->
-                                registerTdeKeyResponse to createAccountKeysResponse
-                            }
+                            .map { keys }
                    }
-                    .flatMap { (registerTdeKeyResponse, createAccountKeysResponse) ->
+                    .flatMap { keys ->
                        organizationService
                            .organizationResetPasswordEnroll(
                                organizationId = orgAutoEnrollStatus.organizationId,
                                userId = userId,
                                passwordHash = null,
-                                resetPasswordKey = registerTdeKeyResponse.adminReset,
+                                resetPasswordKey = keys.adminReset,
                            )
-                            .map { registerTdeKeyResponse to createAccountKeysResponse }
+                            .map { keys }
                    }
-                    .onSuccess { (registerTdeKeyResponse, createAccountKeysResponse) ->
-                        createNewSsoUserSuccess(
+                    .onSuccess { keys ->
+                        // TDE and SSO user creation still uses crypto-v1. These users are not
+                        // expected to have the AEAD keys so we only store the private key for now.
+                        // See https://github.com/bitwarden/android/pull/5682#discussion_r2273940332
+                        // for more details.
+                        authDiskSource.storePrivateKey(
                            userId = userId,
-                            createAccountKeysResponse = createAccountKeysResponse,
-                            registerTdeKeyResponse = registerTdeKeyResponse,
+                            privateKey = keys.privateKey,
                        )
+                        // Order matters here, we need to make sure that the vault is unlocked
+                        // before we trust the device, to avoid state-base navigation issues.
+                        vaultRepository.syncVaultState(userId = userId)
+                        keys.deviceKey?.let { trustDeviceResponse ->
+                            trustedDeviceManager.trustThisDevice(
+                                userId = userId,
+                                trustDeviceResponse = trustDeviceResponse,
+                            )
+                        }
                    }
            }
            .fold(
@@ -495,37 +498,6 @@ class AuthRepositoryImpl(
            )
    }

-    /**
-     * Stores all the relevant data from a successful creation of an SSO user. The data is stored
-     * while in an [UserStateManager.userStateTransaction] to ensure the `UserState` is only
-     * updated once after data stored.
-     */
-    private suspend fun createNewSsoUserSuccess(
-        userId: String,
-        createAccountKeysResponse: CreateAccountKeysResponseJson,
-        registerTdeKeyResponse: RegisterTdeKeyResponse,
-    ): Unit = userStateManager.userStateTransaction {
-        authDiskSource.storeAccountKeys(
-            userId = userId,
-            accountKeys = createAccountKeysResponse.accountKeys,
-        )
-        // TDE and SSO user creation still uses crypto-v1. These users are not
-        // expected to have the AEAD keys so we only store the private key for now.
-        // See https://github.com/bitwarden/android/pull/5682#discussion_r2273940332
-        // for more details.
-        authDiskSource.storePrivateKey(
-            userId = userId,
-            privateKey = registerTdeKeyResponse.privateKey,
-        )
-        vaultRepository.syncVaultState(userId = userId)
-        registerTdeKeyResponse.deviceKey?.let { trustDeviceResponse ->
-            trustedDeviceManager.trustThisDevice(
-                userId = userId,
-                trustDeviceResponse = trustDeviceResponse,
-            )
-        }
-    }
-
    override suspend fun completeTdeLogin(
        requestPrivateKey: String,
        asymmetricalKey: String,
@@ -542,7 +514,6 @@ class AuthRepositoryImpl(
            )
        val signingKey = accountKeys?.signatureKeyPair?.wrappedSigningKey
        val securityState = accountKeys?.securityState?.securityState
-        val signedPublicKey = accountKeys?.publicKeyEncryptionKeyPair?.signedPublicKey

        checkForVaultUnlockError(
            onVaultUnlockError = { error ->
@@ -550,13 +521,10 @@ class AuthRepositoryImpl(
            },
        ) {
            unlockVault(
-                accountCryptographicState = createWrappedAccountCryptographicState(
-                    privateKey = privateKey,
-                    securityState = securityState,
-                    signingKey = signingKey,
-                    signedPublicKey = signedPublicKey,
-                ),
                accountProfile = profile,
+                privateKey = privateKey,
+                signingKey = signingKey,
+                securityState = securityState,
                initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                    requestPrivateKey = requestPrivateKey,
                    method = AuthRequestMethod.UserKey(protectedUserKey = asymmetricalKey),
@@ -1319,7 +1287,7 @@ class AuthRepositoryImpl(
            }
    }

-    override suspend fun validatePinUserKey(pin: String): ValidatePinResult {
+    override suspend fun validatePin(pin: String): ValidatePinResult {
        val activeAccount = authDiskSource
            .userState
            ?.activeAccount
@@ -1328,13 +1296,13 @@ class AuthRepositoryImpl(
        val pinProtectedUserKeyEnvelope = authDiskSource
            .getPinProtectedUserKeyEnvelope(userId = activeAccount.userId)
            ?: return ValidatePinResult.Error(
-                error = MissingPropertyException("Pin Protected User Key Envelope"),
+                error = MissingPropertyException("Pin Protected User Key"),
            )
        return vaultSdkSource
-            .validatePinUserKey(
+            .validatePin(
                userId = activeAccount.userId,
                pin = pin,
-                pinProtectedUserKeyEnvelope = pinProtectedUserKeyEnvelope,
+                pinProtectedUserKey = pinProtectedUserKeyEnvelope,
            )
            .fold(
                onSuccess = { ValidatePinResult.Success(isValid = it) },
@@ -1388,10 +1356,10 @@ class AuthRepositoryImpl(
            )
            .fold(
                onSuccess = {
-                    when (it) {
+                    when (val json = it) {
                        VerifyEmailTokenResponseJson.Valid -> EmailTokenResult.Success
                        is VerifyEmailTokenResponseJson.Invalid -> {
-                            EmailTokenResult.Error(message = it.message, error = null)
+                            EmailTokenResult.Error(message = json.message, error = null)
                        }

                        VerifyEmailTokenResponseJson.TokenExpired -> EmailTokenResult.Expired
@@ -1838,23 +1806,14 @@ class AuthRepositoryImpl(
                )
                .map {
                    unlockVault(
-                        accountCryptographicState = createWrappedAccountCryptographicState(
-                            privateKey = privateKey,
-                            securityState = loginResponse.accountKeys
-                                ?.securityState
-                                ?.securityState,
-                            signingKey = loginResponse.accountKeys
-                                ?.signatureKeyPair
-                                ?.wrappedSigningKey,
-                            signedPublicKey = loginResponse.accountKeys
-                                ?.publicKeyEncryptionKeyPair
-                                ?.signedPublicKey,
-                        ),
                        accountProfile = profile,
+                        privateKey = privateKey,
                        initUserCryptoMethod = InitUserCryptoMethod.KeyConnector(
                            masterKey = it.masterKey,
                            userKey = key,
                        ),
+                        securityState = loginResponse.accountKeys?.securityState?.securityState,
+                        signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                    )
                }
                .fold(
@@ -1875,21 +1834,11 @@ class AuthRepositoryImpl(
                    organizationIdentifier = orgIdentifier,
                )
                .map { keyConnectorResponse ->
-                    val accountKeys = loginResponse.accountKeys
                    val result = unlockVault(
-                        accountCryptographicState = createWrappedAccountCryptographicState(
-                            privateKey = keyConnectorResponse.keys.private,
-                            securityState = accountKeys
-                                ?.securityState
-                                ?.securityState,
-                            signingKey = accountKeys
-                                ?.signatureKeyPair
-                                ?.wrappedSigningKey,
-                            signedPublicKey = accountKeys
-                                ?.publicKeyEncryptionKeyPair
-                                ?.signedPublicKey,
-                        ),
                        accountProfile = profile,
+                        privateKey = keyConnectorResponse.keys.private,
+                        securityState = loginResponse.accountKeys?.securityState?.securityState,
+                        signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                        initUserCryptoMethod = InitUserCryptoMethod.KeyConnector(
                            masterKey = keyConnectorResponse.masterKey,
                            userKey = keyConnectorResponse.encryptedUserKey,
@@ -1934,30 +1883,27 @@ class AuthRepositoryImpl(
        // Attempt to unlock the vault with password if possible.
        val masterPassword = password ?: return null
        val privateKey = loginResponse.privateKeyOrNull() ?: return null
+        val key = loginResponse.key ?: return null

-        val masterPasswordUnlock = loginResponse
+        val initUserCryptoMethod = loginResponse
            .userDecryptionOptions
            ?.masterPasswordUnlock
-            ?: return null
-        val initUserCryptoMethod = InitUserCryptoMethod.MasterPasswordUnlock(
-            password = masterPassword,
-            masterPasswordUnlock = masterPasswordUnlock.toSdkMasterPasswordUnlock(),
-        )
+            ?.let { masterPasswordUnlock ->
+                InitUserCryptoMethod.MasterPasswordUnlock(
+                    password = masterPassword,
+                    masterPasswordUnlock = masterPasswordUnlock.toSdkMasterPasswordUnlock(),
+                )
+            }
+            ?: InitUserCryptoMethod.Password(
+                password = masterPassword,
+                userKey = key,
+            )

        return unlockVault(
-            accountCryptographicState = createWrappedAccountCryptographicState(
-                privateKey = privateKey,
-                securityState = loginResponse.accountKeys
-                    ?.securityState
-                    ?.securityState,
-                signingKey = loginResponse.accountKeys
-                    ?.signatureKeyPair
-                    ?.wrappedSigningKey,
-                signedPublicKey = loginResponse.accountKeys
-                    ?.publicKeyEncryptionKeyPair
-                    ?.signedPublicKey,
-            ),
            accountProfile = profile,
+            privateKey = privateKey,
+            securityState = loginResponse.accountKeys?.securityState?.securityState,
+            signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
            initUserCryptoMethod = initUserCryptoMethod,
        )
    }
@@ -1965,7 +1911,6 @@ class AuthRepositoryImpl(
    /**
     * Attempt to unlock the current user's vault with trusted device specific data.
     */
-    @Suppress("LongMethod")
    private suspend fun unlockVaultWithTdeOnLoginSuccess(
        loginResponse: GetTokenResponseJson.Success,
        profile: AccountJson.Profile,
@@ -1978,19 +1923,10 @@ class AuthRepositoryImpl(
        if (privateKey != null && key != null) {
            deviceData?.let { model ->
                return unlockVault(
-                    accountCryptographicState = createWrappedAccountCryptographicState(
-                        privateKey = privateKey,
-                        securityState = loginResponse.accountKeys
-                            ?.securityState
-                            ?.securityState,
-                        signingKey = loginResponse.accountKeys
-                            ?.signatureKeyPair
-                            ?.wrappedSigningKey,
-                        signedPublicKey = loginResponse.accountKeys
-                            ?.publicKeyEncryptionKeyPair
-                            ?.signedPublicKey,
-                    ),
                    accountProfile = profile,
+                    privateKey = privateKey,
+                    securityState = loginResponse.accountKeys?.securityState?.securityState,
+                    signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                    initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                        requestPrivateKey = model.privateKey,
                        method = model
@@ -2020,18 +1956,9 @@ class AuthRepositoryImpl(
                        unlockVaultWithTrustedDeviceUserDecryptionOptionsAndStoreKeys(
                            options = options,
                            profile = profile,
-                            privateKey = accountKeys
-                                .publicKeyEncryptionKeyPair
-                                .wrappedPrivateKey,
-                            securityState = accountKeys
-                                .securityState
-                                ?.securityState,
-                            signedPublicKey = accountKeys
-                                .publicKeyEncryptionKeyPair
-                                .signedPublicKey,
-                            signingKey = accountKeys
-                                .signatureKeyPair
-                                ?.wrappedSigningKey,
+                            privateKey = accountKeys.publicKeyEncryptionKeyPair.wrappedPrivateKey,
+                            securityState = accountKeys.securityState?.securityState,
+                            signingKey = accountKeys.signatureKeyPair?.wrappedSigningKey,
                        )
                    }
                    ?: loginResponse.privateKey
@@ -2041,7 +1968,6 @@ class AuthRepositoryImpl(
                                profile = profile,
                                privateKey = privateKey,
                                securityState = null,
-                                signedPublicKey = null,
                                signingKey = null,
                            )
                        }
@@ -2057,7 +1983,6 @@ class AuthRepositoryImpl(
        profile: AccountJson.Profile,
        privateKey: String,
        securityState: String?,
-        signedPublicKey: String?,
        signingKey: String?,
    ): VaultUnlockResult? {
        var vaultUnlockResult: VaultUnlockResult? = null
@@ -2075,13 +2000,10 @@ class AuthRepositoryImpl(
                    // For approved requests the key will always be present.
                    val userKey = requireNotNull(request.key)
                    vaultUnlockResult = unlockVault(
-                        accountCryptographicState = createWrappedAccountCryptographicState(
-                            privateKey = privateKey,
-                            securityState = securityState,
-                            signingKey = signingKey,
-                            signedPublicKey = signedPublicKey,
-                        ),
                        accountProfile = profile,
+                        privateKey = privateKey,
+                        signingKey = signingKey,
+                        securityState = securityState,
                        initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                            requestPrivateKey = pendingRequest.requestPrivateKey,
                            method = AuthRequestMethod.UserKey(protectedUserKey = userKey),
@@ -2107,13 +2029,10 @@ class AuthRepositoryImpl(
        }

        vaultUnlockResult = unlockVault(
-            accountCryptographicState = createWrappedAccountCryptographicState(
-                privateKey = privateKey,
-                securityState = securityState,
-                signingKey = signingKey,
-                signedPublicKey = signedPublicKey,
-            ),
            accountProfile = profile,
+            privateKey = privateKey,
+            securityState = securityState,
+            signingKey = signingKey,
            initUserCryptoMethod = InitUserCryptoMethod.DeviceKey(
                deviceKey = deviceKey,
                protectedDevicePrivateKey = encryptedPrivateKey,
@@ -2131,16 +2050,20 @@ class AuthRepositoryImpl(
     * A helper function to unlock the vault for the user associated with the [accountProfile].
     */
    private suspend fun unlockVault(
-        accountCryptographicState: WrappedAccountCryptographicState,
        accountProfile: AccountJson.Profile,
+        privateKey: String,
+        securityState: String?,
+        signingKey: String?,
        initUserCryptoMethod: InitUserCryptoMethod,
    ): VaultUnlockResult {
        val userId = accountProfile.userId
        return vaultRepository.unlockVault(
-            accountCryptographicState = accountCryptographicState,
            userId = userId,
            email = accountProfile.email,
            kdf = accountProfile.toSdkParams(),
+            privateKey = privateKey,
+            signingKey = signingKey,
+            securityState = securityState,
            initUserCryptoMethod = initUserCryptoMethod,
            // The value for the organization keys here will typically be null. We can separately
            // unlock the vault for organization data after receiving the sync response if this
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/di/AuthRepositoryModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/di/AuthRepositoryModule.kt
@@ -19,7 +19,6 @@ import com.x8bit.bitwarden.data.auth.manager.UserStateManagerImpl
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.AuthRepositoryImpl
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
-import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
@@ -61,7 +60,6 @@ object AuthRepositoryModule {
        environmentRepository: EnvironmentRepository,
        settingsRepository: SettingsRepository,
        vaultRepository: VaultRepository,
-        biometricsEncryptionManager: BiometricsEncryptionManager,
        keyConnectorManager: KeyConnectorManager,
        authRequestManager: AuthRequestManager,
        trustedDeviceManager: TrustedDeviceManager,
@@ -87,7 +85,6 @@ object AuthRepositoryModule {
        environmentRepository = environmentRepository,
        settingsRepository = settingsRepository,
        vaultRepository = vaultRepository,
-        biometricsEncryptionManager = biometricsEncryptionManager,
        keyConnectorManager = keyConnectorManager,
        authRequestManager = authRequestManager,
        trustedDeviceManager = trustedDeviceManager,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LeaveOrganizationResult.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LeaveOrganizationResult.kt
@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.auth.repository.model

 /**
- * Models result of leaving an organization.
+ * Models result of deleting an account.
 */
 sealed class LeaveOrganizationResult {
    /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DuoUtils.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DuoUtils.kt
@@ -5,11 +5,7 @@ import android.net.Uri
 import androidx.browser.auth.AuthTabIntent
 import com.bitwarden.annotation.OmitFromCoverage

-private const val BITWARDEN_EU_HOST: String = "bitwarden.eu"
-private const val BITWARDEN_US_HOST: String = "bitwarden.com"
-private const val APP_LINK_SCHEME: String = "https"
-private const val DEEPLINK_SCHEME: String = "bitwarden"
-private const val CALLBACK: String = "duo-callback"
+private const val DUO_HOST: String = "duo-callback"

 /**
 * Retrieves a [DuoCallbackTokenResult] from an Intent. There are three possible cases.
@@ -22,28 +18,11 @@ private const val CALLBACK: String = "duo-callback"
 * - [DuoCallbackTokenResult.Success]: Intent is the Duo callback, and it has a token.
 */
 fun Intent.getDuoCallbackTokenResult(): DuoCallbackTokenResult? {
-    if (action != Intent.ACTION_VIEW) return null
-    val localData = data ?: return null
-    return when (localData.scheme) {
-        DEEPLINK_SCHEME -> {
-            if (localData.host == CALLBACK) {
-                localData.getDuoCallbackTokenResult()
-            } else {
-                null
-            }
-        }
-
-        APP_LINK_SCHEME -> {
-            if ((localData.host == BITWARDEN_US_HOST || localData.host == BITWARDEN_EU_HOST) &&
-                localData.path == "/$CALLBACK"
-            ) {
-                localData.getDuoCallbackTokenResult()
-            } else {
-                null
-            }
-        }
-
-        else -> null
+    val localData = data
+    return if (action == Intent.ACTION_VIEW && localData != null && localData.host == DUO_HOST) {
+        localData.getDuoCallbackTokenResult()
+    } else {
+        null
    }
 }

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/SsoUtils.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/SsoUtils.kt
@@ -4,20 +4,14 @@ import android.content.Intent
 import android.net.Uri
 import android.os.Parcelable
 import androidx.browser.auth.AuthTabIntent
-import androidx.core.net.toUri
 import com.bitwarden.annotation.OmitFromCoverage
 import kotlinx.parcelize.Parcelize
 import java.net.URLEncoder
 import java.security.MessageDigest
 import java.util.Base64

-private const val BITWARDEN_EU_HOST: String = "bitwarden.eu"
-private const val BITWARDEN_US_HOST: String = "bitwarden.com"
-private const val APP_LINK_SCHEME: String = "https"
-private const val DEEPLINK_SCHEME: String = "bitwarden"
-private const val CALLBACK: String = "sso-callback"
-
-const val SSO_URI: String = "bitwarden://$CALLBACK"
+private const val SSO_HOST: String = "sso-callback"
+const val SSO_URI: String = "bitwarden://$SSO_HOST"

 /**
 * Generates a URI for the SSO custom tab.
@@ -34,7 +28,7 @@ fun generateUriForSso(
    token: String,
    state: String,
    codeVerifier: String,
-): Uri {
+): String {
    val redirectUri = URLEncoder.encode(SSO_URI, "UTF-8")
    val encodedOrganizationIdentifier = URLEncoder.encode(organizationIdentifier, "UTF-8")
    val encodedToken = URLEncoder.encode(token, "UTF-8")
@@ -45,7 +39,7 @@ fun generateUriForSso(
            .digest(codeVerifier.toByteArray()),
    )

-    val uri = "$identityBaseUrl/connect/authorize" +
+    return "$identityBaseUrl/connect/authorize" +
        "?client_id=mobile" +
        "&redirect_uri=$redirectUri" +
        "&response_type=code" +
@@ -56,7 +50,6 @@ fun generateUriForSso(
        "&response_mode=query" +
        "&domain_hint=$encodedOrganizationIdentifier" +
        "&ssoToken=$encodedToken"
-    return uri.toUri()
 }

 /**
@@ -69,28 +62,11 @@ fun generateUriForSso(
 * - [SsoCallbackResult.Success]: Intent is the SSO callback with required data.
 */
 fun Intent.getSsoCallbackResult(): SsoCallbackResult? {
-    if (action != Intent.ACTION_VIEW) return null
-    val localData = data ?: return null
-    return when (localData.scheme) {
-        DEEPLINK_SCHEME -> {
-            if (localData.host == CALLBACK) {
-                localData.getSsoCallbackResult()
-            } else {
-                null
-            }
-        }
-
-        APP_LINK_SCHEME -> {
-            if ((localData.host == BITWARDEN_US_HOST || localData.host == BITWARDEN_EU_HOST) &&
-                localData.path == "/$CALLBACK"
-            ) {
-                localData.getSsoCallbackResult()
-            } else {
-                null
-            }
-        }
-
-        else -> null
+    val localData = data
+    return if (action == Intent.ACTION_VIEW && localData?.host == SSO_HOST) {
+        localData.getSsoCallbackResult()
+    } else {
+        null
    }
 }

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/WebAuthUtils.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/WebAuthUtils.kt
@@ -11,13 +11,8 @@ import kotlinx.serialization.json.put
 import java.net.URLEncoder
 import java.util.Base64

-private const val BITWARDEN_EU_HOST: String = "bitwarden.eu"
-private const val BITWARDEN_US_HOST: String = "bitwarden.com"
-private const val APP_LINK_SCHEME: String = "https"
-private const val DEEPLINK_SCHEME: String = "bitwarden"
-private const val CALLBACK: String = "webauthn-callback"
-
-private const val CALLBACK_URI = "bitwarden://$CALLBACK"
+private const val WEB_AUTH_HOST: String = "webauthn-callback"
+private const val CALLBACK_URI = "bitwarden://$WEB_AUTH_HOST"

 /**
 * Retrieves an [WebAuthResult] from an [Intent]. There are three possible cases.
@@ -27,28 +22,14 @@ private const val CALLBACK_URI = "bitwarden://$CALLBACK"
 * - [WebAuthResult.Failure]: Intent is the web auth key callback with incorrect data.
 */
 fun Intent.getWebAuthResultOrNull(): WebAuthResult? {
-    if (action != Intent.ACTION_VIEW) return null
-    val localData = data ?: return null
-    return when (localData.scheme) {
-        DEEPLINK_SCHEME -> {
-            if (localData.host == CALLBACK) {
-                localData.getWebAuthResult()
-            } else {
-                null
-            }
-        }
-
-        APP_LINK_SCHEME -> {
-            if ((localData.host == BITWARDEN_US_HOST || localData.host == BITWARDEN_EU_HOST) &&
-                localData.path == "/$CALLBACK"
-            ) {
-                localData.getWebAuthResult()
-            } else {
-                null
-            }
-        }
-
-        else -> null
+    val localData = data
+    return if (action == Intent.ACTION_VIEW &&
+        localData != null &&
+        localData.host == WEB_AUTH_HOST
+    ) {
+        localData.getWebAuthResult()
+    } else {
+        null
    }
 }

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/util/CompleteRegistrationDataUtils.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/util/CompleteRegistrationDataUtils.kt
@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.auth.util

 import android.content.Intent
-import androidx.core.net.toUri
+import android.net.Uri
 import com.x8bit.bitwarden.data.platform.manager.model.CompleteRegistrationData

 /**
@@ -14,7 +14,7 @@ fun Intent.getCompleteRegistrationDataIntentOrNull(): CompleteRegistrationData?
        newValue = "/",
        ignoreCase = true,
    )
-    val uri = runCatching { sanitizedUriString.toUri() }.getOrNull() ?: return null
+    val uri = runCatching { Uri.parse(sanitizedUriString) }.getOrNull() ?: return null
    uri.host ?: return null
    if (uri.path != "/finish-signup") return null
    val email = uri.getQueryParameter("email") ?: return null
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/util/UriExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/util/UriExtensions.kt
@@ -1,7 +1,6 @@
 package com.x8bit.bitwarden.data.autofill.accessibility.util

 import android.net.Uri
-import androidx.core.net.toUri
 import com.bitwarden.annotation.OmitFromCoverage
 import java.net.URISyntaxException

@@ -11,7 +10,7 @@ import java.net.URISyntaxException
@OmitFromCoverage
 fun String.toUriOrNull(): Uri? =
    try {
-        this.toUri()
-    } catch (_: URISyntaxException) {
+        Uri.parse(this)
+    } catch (e: URISyntaxException) {
        null
    }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/builder/CredentialEntryBuilderImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/builder/CredentialEntryBuilderImpl.kt
@@ -11,10 +11,10 @@ import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.ui.platform.resource.BitwardenDrawable
 import com.bitwarden.ui.platform.resource.BitwardenString
 import com.bitwarden.vault.CipherListView
-import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.util.login
 import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManager
 import com.x8bit.bitwarden.data.credentials.util.setBiometricPromptDataIfSupported
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager

 /**
 * Primary implementation of [CredentialEntryBuilder].
@@ -22,7 +22,7 @@ import com.x8bit.bitwarden.data.credentials.util.setBiometricPromptDataIfSupport
 class CredentialEntryBuilderImpl(
    private val context: Context,
    private val pendingIntentManager: CredentialManagerPendingIntentManager,
-    private val authRepository: AuthRepository,
+    private val biometricsEncryptionManager: BiometricsEncryptionManager,
 ) : CredentialEntryBuilder {

    override fun buildPublicKeyCredentialEntries(
@@ -82,7 +82,7 @@ class CredentialEntryBuilderImpl(
                .also { builder ->
                    if (!isUserVerified) {
                        builder.setBiometricPromptDataIfSupported(
-                            cipher = authRepository.getOrCreateCipher(userId),
+                            cipher = biometricsEncryptionManager.getOrCreateCipher(userId),
                        )
                    }
                }
@@ -113,7 +113,8 @@ class CredentialEntryBuilderImpl(
                .apply {
                    if (!isUserVerified) {
                        setBiometricPromptDataIfSupported(
-                            cipher = authRepository.getOrCreateCipher(userId),
+                            cipher = biometricsEncryptionManager
+                                .getOrCreateCipher(userId),
                        )
                    }
                }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/di/CredentialProviderModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/di/CredentialProviderModule.kt
@@ -25,6 +25,7 @@ import com.x8bit.bitwarden.data.credentials.repository.PrivilegedAppRepositoryIm
 import com.x8bit.bitwarden.data.credentials.sanitizer.PasskeyAttestationOptionsSanitizer
 import com.x8bit.bitwarden.data.credentials.sanitizer.PasskeyAttestationOptionsSanitizerImpl
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.ciphermatching.CipherMatchingManager
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
@@ -53,6 +54,7 @@ object CredentialProviderModule {
        bitwardenCredentialManager: BitwardenCredentialManager,
        dispatcherManager: DispatcherManager,
        pendingIntentManager: CredentialManagerPendingIntentManager,
+        biometricsEncryptionManager: BiometricsEncryptionManager,
        clock: Clock,
    ): CredentialProviderProcessor =
        CredentialProviderProcessorImpl(
@@ -61,6 +63,7 @@ object CredentialProviderModule {
            bitwardenCredentialManager = bitwardenCredentialManager,
            pendingIntentManager = pendingIntentManager,
            clock = clock,
+            biometricsEncryptionManager = biometricsEncryptionManager,
            dispatcherManager = dispatcherManager,
        )

@@ -105,11 +108,11 @@ object CredentialProviderModule {
    fun provideCredentialEntryBuilder(
        @ApplicationContext context: Context,
        pendingIntentManager: CredentialManagerPendingIntentManager,
-        authRepository: AuthRepository,
+        biometricsEncryptionManager: BiometricsEncryptionManager,
    ): CredentialEntryBuilder = CredentialEntryBuilderImpl(
        context = context,
        pendingIntentManager = pendingIntentManager,
-        authRepository = authRepository,
+        biometricsEncryptionManager = biometricsEncryptionManager,
    )

    @Provides
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt
@@ -258,7 +258,6 @@ class BitwardenCredentialManagerImpl(
                        userId = userId,
                        fido2CredentialStore = fido2CredentialStore,
                        relyingPartyId = relyingPartyId,
-                        userHandle = null,
                    )
                    .fold(
                        onSuccess = { it },
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/OriginManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/OriginManagerImpl.kt
@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.credentials.manager
 import androidx.credentials.provider.CallingAppInfo
 import com.bitwarden.network.service.DigitalAssetLinkService
 import com.bitwarden.ui.platform.base.util.prefixHttpsIfNecessary
+import com.bitwarden.ui.platform.base.util.prefixWwwIfNecessary
 import com.x8bit.bitwarden.data.credentials.model.ValidateOriginResult
 import com.x8bit.bitwarden.data.credentials.repository.PrivilegedAppRepository
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
@@ -40,7 +41,13 @@ class OriginManagerImpl(
    ): ValidateOriginResult {
        return digitalAssetLinkService
            .checkDigitalAssetLinksRelations(
-                sourceWebSite = relyingPartyId.prefixHttpsIfNecessary(),
+                sourceWebSite = relyingPartyId
+                    // The DAL API does not allow redirects, so we add `www.` to prevent redirects
+                    // when it is absent from the `relyingPartyId`. This ensures that relying
+                    // parties storing their `assetlinks.json` at the `www.` subdomain do not fail
+                    // verification checks.
+                    .prefixWwwIfNecessary()
+                    .prefixHttpsIfNecessary(),
                targetPackageName = callingAppInfo.packageName,
                targetCertificateFingerprint = callingAppInfo
                    .getSignatureFingerprintAsHexString()
@@ -49,7 +56,6 @@ class OriginManagerImpl(
            )
            .fold(
                onSuccess = {
-                    Timber.d("Digital asset link validation result: linked = ${it.linked}")
                    if (it.linked) {
                        ValidateOriginResult.Success(null)
                    } else {
@@ -57,7 +63,6 @@ class OriginManagerImpl(
                    }
                },
                onFailure = {
-                    Timber.e("Failed to validate origin for calling app")
                    ValidateOriginResult.Error.AssetLinkNotFound
                },
            )
@@ -107,7 +112,7 @@ class OriginManagerImpl(
            .fold(
                onSuccess = { it },
                onFailure = {
-                    Timber.e(it, "Failed to validate calling app is privileged.")
+                    Timber.e(it, "Failed to validate privileged app: ${callingAppInfo.packageName}")
                    ValidateOriginResult.Error.Unknown
                },
            )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/processor/CredentialProviderProcessorImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/processor/CredentialProviderProcessorImpl.kt
@@ -34,9 +34,9 @@ import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
 import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManager
 import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
-import timber.log.Timber
 import java.time.Clock
 import javax.crypto.Cipher

@@ -52,6 +52,7 @@ class CredentialProviderProcessorImpl(
    private val bitwardenCredentialManager: BitwardenCredentialManager,
    private val pendingIntentManager: CredentialManagerPendingIntentManager,
    private val clock: Clock,
+    private val biometricsEncryptionManager: BiometricsEncryptionManager,
    dispatcherManager: DispatcherManager,
 ) : CredentialProviderProcessor {

@@ -62,10 +63,8 @@ class CredentialProviderProcessorImpl(
        cancellationSignal: CancellationSignal,
        callback: OutcomeReceiver<BeginCreateCredentialResponse, CreateCredentialException>,
    ) {
-        Timber.d("Create credential request received.")
        val userId = authRepository.activeUserId
        if (userId == null) {
-            Timber.w("No active user. Cannot create credential.")
            callback.onError(CreateCredentialUnknownException("Active user is required."))
            return
        }
@@ -73,16 +72,12 @@ class CredentialProviderProcessorImpl(
        val createCredentialJob = ioScope.launch {
            (handleCreatePasskeyQuery(request) ?: handleCreatePasswordQuery(request))
                ?.let { callback.onResult(it) }
-                ?: run {
-                    Timber.w("Unknown create credential request.")
-                    callback.onError(CreateCredentialUnknownException())
-                }
+                ?: callback.onError(CreateCredentialUnknownException())
        }
        cancellationSignal.setOnCancelListener {
            if (createCredentialJob.isActive) {
                createCredentialJob.cancel()
            }
-            Timber.d("Create credential request cancelled by system.")
            callback.onError(CreateCredentialCancellationException())
        }
    }
@@ -92,18 +87,15 @@ class CredentialProviderProcessorImpl(
        cancellationSignal: CancellationSignal,
        callback: OutcomeReceiver<BeginGetCredentialResponse, GetCredentialException>,
    ) {
-        Timber.d("Get credential request received.")
        // If the user is not logged in, return an error.
        val userState = authRepository.userStateFlow.value
        if (userState == null) {
-            Timber.w("No active user. Cannot get credentials.")
            callback.onError(GetCredentialUnknownException("Active user is required."))
            return
        }

        // Return an unlock action if the current account is locked.
        if (!userState.activeAccount.isVaultUnlocked) {
-            Timber.d("Vault is locked. Requesting unlock.")
            val authenticationAction = AuthenticationAction(
                title = context.getString(BitwardenString.unlock),
                pendingIntent = pendingIntentManager.createFido2UnlockPendingIntent(
@@ -128,17 +120,10 @@ class CredentialProviderProcessorImpl(
                        BeginGetCredentialRequest.asBundle(request),
                    ),
                )
-                .onSuccess {
-                    Timber.d("Credentials retrieved.")
-                    callback.onResult(BeginGetCredentialResponse(credentialEntries = it))
-                }
-                .onFailure {
-                    Timber.w("Error getting credentials.")
-                    callback.onError(GetCredentialUnknownException(it.message))
-                }
+                .onSuccess { callback.onResult(BeginGetCredentialResponse(credentialEntries = it)) }
+                .onFailure { callback.onError(GetCredentialUnknownException(it.message)) }
        }
        cancellationSignal.setOnCancelListener {
-            Timber.d("Get credential request cancelled by system.")
            callback.onError(GetCredentialCancellationException())
            getCredentialJob.cancel()
        }
@@ -150,7 +135,6 @@ class CredentialProviderProcessorImpl(
        callback: OutcomeReceiver<Void?, ClearCredentialException>,
    ) {
        // no-op: RFU
-        Timber.w("Unsupported clear credential state request received.")
        callback.onError(ClearCredentialUnsupportedException())
    }

@@ -201,7 +185,7 @@ class CredentialProviderProcessorImpl(
            .setAutoSelectAllowed(true)

        if (isVaultUnlocked) {
-            authRepository
+            biometricsEncryptionManager
                .getOrCreateCipher(userId)
                ?.let { entryBuilder.setBiometricPromptDataIfSupported(cipher = it) }
        }
@@ -249,7 +233,7 @@ class CredentialProviderProcessorImpl(
            .setAutoSelectAllowed(true)

        if (isVaultUnlocked) {
-            authRepository
+            biometricsEncryptionManager
                .getOrCreateCipher(userId)
                ?.let { entryBuilder.setBiometricPromptDataIfSupported(cipher = it) }
        }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt
@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.platform.datasource.disk

-import com.bitwarden.data.datasource.disk.FlightRecorderDiskSource
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
 import com.x8bit.bitwarden.data.platform.manager.model.AppResumeScreenData
 import com.x8bit.bitwarden.data.platform.repository.model.UriMatchType
 import com.x8bit.bitwarden.data.platform.repository.model.VaultTimeoutAction
@@ -13,7 +13,7 @@ import java.time.Instant
 * Primary access point for general settings-related disk information.
 */
@Suppress("TooManyFunctions")
-interface SettingsDiskSource : FlightRecorderDiskSource {
+interface SettingsDiskSource {

    /**
     * The currently persisted app language (or `null` if not set).
@@ -95,6 +95,16 @@ interface SettingsDiskSource : FlightRecorderDiskSource {
     */
    val hasUserLoggedInOrCreatedAccountFlow: Flow<Boolean?>

+    /**
+     * The current status of whether the flight recorder is enabled.
+     */
+    var flightRecorderData: FlightRecorderDataSet?
+
+    /**
+     * Emits updates that track [flightRecorderData].
+     */
+    val flightRecorderDataFlow: Flow<FlightRecorderDataSet?>
+
    /**
     * The time at which the browser autofill dialog is allowed to be shown to the user again.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt
@@ -5,8 +5,8 @@ import androidx.core.content.edit
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
 import com.bitwarden.core.data.util.decodeFromStringOrNull
 import com.bitwarden.data.datasource.disk.BaseDiskSource
-import com.bitwarden.data.datasource.disk.FlightRecorderDiskSource
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
 import com.x8bit.bitwarden.data.platform.manager.model.AppResumeScreenData
 import com.x8bit.bitwarden.data.platform.repository.model.UriMatchType
 import com.x8bit.bitwarden.data.platform.repository.model.VaultTimeoutAction
@@ -47,6 +47,7 @@ private const val CREATE_ACTION_COUNT = "createActionCount"
 private const val SHOULD_SHOW_ADD_LOGIN_COACH_MARK = "shouldShowAddLoginCoachMark"
 private const val SHOULD_SHOW_GENERATOR_COACH_MARK = "shouldShowGeneratorCoachMark"
 private const val RESUME_SCREEN = "resumeScreen"
+private const val FLIGHT_RECORDER_KEY = "flightRecorderData"
 private const val IS_DYNAMIC_COLORS_ENABLED = "isDynamicColorsEnabled"
 private const val BROWSER_AUTOFILL_DIALOG_RESHOW_TIME = "browserAutofillDialogReshowTime"

@@ -57,10 +58,8 @@ private const val BROWSER_AUTOFILL_DIALOG_RESHOW_TIME = "browserAutofillDialogRe
 class SettingsDiskSourceImpl(
    private val sharedPreferences: SharedPreferences,
    private val json: Json,
-    flightRecorderDiskSource: FlightRecorderDiskSource,
 ) : BaseDiskSource(sharedPreferences = sharedPreferences),
-    SettingsDiskSource,
-    FlightRecorderDiskSource by flightRecorderDiskSource {
+    SettingsDiskSource {
    private val mutableAppLanguageFlow = bufferedMutableSharedFlow<AppLanguage?>(replay = 1)
    private val mutableAppThemeFlow = bufferedMutableSharedFlow<AppTheme>(replay = 1)

@@ -93,6 +92,8 @@ class SettingsDiskSourceImpl(

    private val mutableHasUserLoggedInOrCreatedAccountFlow = bufferedMutableSharedFlow<Boolean?>()

+    private val mutableFlightRecorderDataFlow = bufferedMutableSharedFlow<FlightRecorderDataSet?>()
+
    private val mutableHasSeenAddLoginCoachMarkFlow = bufferedMutableSharedFlow<Boolean?>()

    private val mutableHasSeenGeneratorCoachMarkFlow = bufferedMutableSharedFlow<Boolean?>()
@@ -213,6 +214,20 @@ class SettingsDiskSourceImpl(
        get() = mutableHasUserLoggedInOrCreatedAccountFlow
            .onSubscription { emit(getBoolean(HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY)) }

+    override var flightRecorderData: FlightRecorderDataSet?
+        get() = getString(key = FLIGHT_RECORDER_KEY)
+            ?.let { json.decodeFromStringOrNull<FlightRecorderDataSet>(it) }
+        set(value) {
+            putString(
+                key = FLIGHT_RECORDER_KEY,
+                value = value?.let { json.encodeToString(it) },
+            )
+            mutableFlightRecorderDataFlow.tryEmit(value)
+        }
+
+    override val flightRecorderDataFlow: Flow<FlightRecorderDataSet?>
+        get() = mutableFlightRecorderDataFlow.onSubscription { emit(flightRecorderData) }
+
    override var browserAutofillDialogReshowTime: Instant?
        get() = getLong(key = BROWSER_AUTOFILL_DIALOG_RESHOW_TIME)?.let { Instant.ofEpochMilli(it) }
        set(value) {
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/di/PlatformDiskModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/di/PlatformDiskModule.kt
@@ -5,7 +5,6 @@ import android.content.Context
 import android.content.SharedPreferences
 import androidx.room.Room
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.data.datasource.disk.FlightRecorderDiskSource
 import com.bitwarden.data.datasource.disk.di.EncryptedPreferences
 import com.bitwarden.data.datasource.disk.di.UnencryptedPreferences
 import com.x8bit.bitwarden.data.platform.datasource.disk.EnvironmentDiskSource
@@ -140,12 +139,10 @@ object PlatformDiskModule {
    fun provideSettingsDiskSource(
        @UnencryptedPreferences sharedPreferences: SharedPreferences,
        json: Json,
-        flightRecorderDiskSource: FlightRecorderDiskSource,
    ): SettingsDiskSource =
        SettingsDiskSourceImpl(
            sharedPreferences = sharedPreferences,
            json = json,
-            flightRecorderDiskSource = flightRecorderDiskSource,
        )

    @Provides
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/model/FlightRecorderDataSet.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/model/FlightRecorderDataSet.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.data.datasource.disk.model
+package com.x8bit.bitwarden.data.platform.datasource.disk.model

 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
--- a/core/src/main/kotlin/com/bitwarden/core/data/repository/error/MissingPropertyException.kt
+++ b/core/src/main/kotlin/com/bitwarden/core/data/repository/error/MissingPropertyException.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.core.data.repository.error
+package com.x8bit.bitwarden.data.platform.error

 /**
 * An exception indicating that a required property was missing.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/BiometricsEncryptionManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/BiometricsEncryptionManager.kt
@@ -32,6 +32,7 @@ interface BiometricsEncryptionManager {
     */
    fun isBiometricIntegrityValid(
        userId: String,
+        cipher: Cipher?,
    ): Boolean

    /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/BiometricsEncryptionManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/BiometricsEncryptionManagerImpl.kt
@@ -90,8 +90,8 @@ class BiometricsEncryptionManagerImpl(
        return cipher?.takeIf { isCipherInitialized }
    }

-    override fun isBiometricIntegrityValid(userId: String): Boolean =
-        isSystemBiometricIntegrityValid(userId) && isAccountBiometricIntegrityValid(userId)
+    override fun isBiometricIntegrityValid(userId: String, cipher: Cipher?): Boolean =
+        isSystemBiometricIntegrityValid(userId, cipher) && isAccountBiometricIntegrityValid(userId)

    override fun isAccountBiometricIntegrityValid(userId: String): Boolean {
        val systemBioIntegrityState = settingsDiskSource
@@ -203,13 +203,11 @@ class BiometricsEncryptionManagerImpl(
        }

    /**
-     * Validates the keystore key and decrypts it, if decryption is successful `true` is returned,
-     * `false` otherwise.
+     * Validates the keystore key and decrypts it using the user-provided [cipher].
     */
-    private fun isSystemBiometricIntegrityValid(userId: String): Boolean {
+    private fun isSystemBiometricIntegrityValid(userId: String, cipher: Cipher?): Boolean {
        // Attempt to get the user scoped key. If that fails, we check to see if a legacy key
        // is available.
-        val cipher = getOrCreateCipher(userId = userId)
        val secretKey = getSecretKeyOrNull(userId = userId) ?: getSecretKeyOrNull(userId = null)
        return if (cipher != null && secretKey != null) {
            cipher.initializeCipher(userId = userId, secretKey = secretKey)
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/CertificateManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/CertificateManagerImpl.kt
@@ -7,9 +7,9 @@ import android.security.KeyChainException
 import androidx.annotation.VisibleForTesting
 import androidx.annotation.WorkerThread
 import androidx.core.net.toUri
-import com.bitwarden.core.data.repository.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsCertificate
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsKeyHost
+import com.x8bit.bitwarden.data.platform.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.manager.model.ImportPrivateKeyResult
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import timber.log.Timber
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManager.kt
@@ -25,10 +25,4 @@ interface PolicyManager {
        userId: String,
        type: PolicyTypeJson,
    ): List<SyncResponseJson.Policy>
-
-    /**
-     * Get the organization id of the personal ownership policy.
-     * If multiple organizations enforce the policy, return the first to set it.
-     */
-    fun getPersonalOwnershipPolicyOrganizationId(): String?
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt
@@ -66,13 +66,6 @@ class PolicyManagerImpl(
            )
            .orEmpty()

-    override fun getPersonalOwnershipPolicyOrganizationId(): String? =
-        this
-            .getActivePolicies(PolicyTypeJson.PERSONAL_OWNERSHIP)
-            .sortedBy { it.revisionDate }
-            .firstOrNull()
-            ?.organizationId
-
    /**
     * A helper method to filter policies.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PushManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PushManagerImpl.kt
@@ -34,8 +34,6 @@ import java.time.Clock
 import java.time.ZoneOffset
 import java.time.ZonedDateTime
 import javax.inject.Inject
-import kotlin.contracts.ExperimentalContracts
-import kotlin.contracts.contract
 import kotlin.time.Duration
 import kotlin.time.Duration.Companion.days
 import kotlin.time.toJavaDuration
@@ -136,6 +134,7 @@ class PushManagerImpl @Inject constructor(
    @Suppress("LongMethod", "CyclomaticComplexMethod")
    private fun onMessageReceived(notification: BitwardenNotification) {
        if (authDiskSource.uniqueAppId == notification.contextId) return
+        val userId = activeUserId ?: return
        Timber.d("Push Notification Received: ${notification.notificationType}")

        when (val type = notification.notificationType) {
@@ -180,13 +179,11 @@ class PushManagerImpl @Inject constructor(
                    .decodeFromString<NotificationPayload.SyncCipherNotification>(
                        string = notification.payload,
                    )
-                    .takeIf {
-                        it.cipherId != null && it.revisionDate != null && isLoggedIn(it.userId)
-                    }
+                    .takeIf { isLoggedIn(userId) && it.userMatchesNotification(userId) }
+                    ?.takeIf { it.cipherId != null && it.revisionDate != null }
                    ?.let {
                        mutableSyncCipherUpsertSharedFlow.tryEmit(
                            SyncCipherUpsertData(
-                                userId = requireNotNull(it.userId),
                                cipherId = requireNotNull(it.cipherId),
                                revisionDate = requireNotNull(it.revisionDate),
                                organizationId = it.organizationId,
@@ -231,13 +228,11 @@ class PushManagerImpl @Inject constructor(
                    .decodeFromString<NotificationPayload.SyncFolderNotification>(
                        string = notification.payload,
                    )
-                    .takeIf {
-                        it.folderId != null && it.revisionDate != null && isLoggedIn(it.userId)
-                    }
+                    .takeIf { isLoggedIn(userId) && it.userMatchesNotification(userId) }
+                    ?.takeIf { it.folderId != null && it.revisionDate != null }
                    ?.let {
                        mutableSyncFolderUpsertSharedFlow.tryEmit(
                            SyncFolderUpsertData(
-                                userId = requireNotNull(it.userId),
                                folderId = requireNotNull(it.folderId),
                                revisionDate = requireNotNull(it.revisionDate),
                                isUpdate = type == NotificationType.SYNC_FOLDER_UPDATE,
@@ -278,13 +273,11 @@ class PushManagerImpl @Inject constructor(
                    .decodeFromString<NotificationPayload.SyncSendNotification>(
                        string = notification.payload,
                    )
-                    .takeIf {
-                        it.sendId != null && it.revisionDate != null && isLoggedIn(it.userId)
-                    }
+                    .takeIf { isLoggedIn(userId) && it.userMatchesNotification(userId) }
+                    ?.takeIf { it.sendId != null && it.revisionDate != null }
                    ?.let {
                        mutableSyncSendUpsertSharedFlow.tryEmit(
                            SyncSendUpsertData(
-                                userId = requireNotNull(it.userId),
                                sendId = requireNotNull(it.sendId),
                                revisionDate = requireNotNull(it.revisionDate),
                                isUpdate = type == NotificationType.SYNC_SEND_UPDATE,
@@ -368,11 +361,11 @@ class PushManagerImpl @Inject constructor(
            )
    }

-    @OptIn(ExperimentalContracts::class)
    private fun isLoggedIn(
-        userId: String?,
-    ): Boolean {
-        contract { returns(true) implies (userId != null) }
-        return userId?.let { authDiskSource.getAccountTokens(it) }?.isLoggedIn == true
-    }
+        userId: String,
+    ): Boolean = authDiskSource.getAccountTokens(userId)?.isLoggedIn == true
+}
+
+private fun NotificationPayload.userMatchesNotification(userId: String): Boolean {
+    return this.userId != null && this.userId == userId
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/di/PlatformManagerModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/di/PlatformManagerModule.kt
@@ -63,6 +63,10 @@ import com.x8bit.bitwarden.data.platform.manager.clipboard.BitwardenClipboardMan
 import com.x8bit.bitwarden.data.platform.manager.clipboard.BitwardenClipboardManagerImpl
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManagerImpl
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderManager
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderManagerImpl
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderWriter
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderWriterImpl
 import com.x8bit.bitwarden.data.platform.manager.garbage.GarbageCollectionManager
 import com.x8bit.bitwarden.data.platform.manager.garbage.GarbageCollectionManagerImpl
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConfigManager
@@ -80,6 +84,7 @@ import com.x8bit.bitwarden.data.platform.repository.DebugMenuRepository
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
+import com.x8bit.bitwarden.data.vault.manager.FileManager
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import dagger.Module
@@ -104,6 +109,34 @@ object PlatformManagerModule {
        application: Application,
    ): AppStateManager = AppStateManagerImpl(application = application)

+    @Provides
+    @Singleton
+    fun provideFlightRecorderWriter(
+        clock: Clock,
+        fileManager: FileManager,
+        dispatcherManager: DispatcherManager,
+    ): FlightRecorderWriter = FlightRecorderWriterImpl(
+        clock = clock,
+        fileManager = fileManager,
+        dispatcherManager = dispatcherManager,
+    )
+
+    @Provides
+    @Singleton
+    fun provideFlightRecorderManager(
+        @ApplicationContext context: Context,
+        clock: Clock,
+        dispatcherManager: DispatcherManager,
+        settingsDiskSource: SettingsDiskSource,
+        flightRecorderWriter: FlightRecorderWriter,
+    ): FlightRecorderManager = FlightRecorderManagerImpl(
+        context = context,
+        clock = clock,
+        dispatcherManager = dispatcherManager,
+        settingsDiskSource = settingsDiskSource,
+        flightRecorderWriter = flightRecorderWriter,
+    )
+
    @Provides
    @Singleton
    fun provideAuthenticatorBridgeProcessor(
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderManager.kt
@@ -1,7 +1,7 @@
-package com.bitwarden.data.manager.flightrecorder
+package com.x8bit.bitwarden.data.platform.manager.flightrecorder

-import com.bitwarden.data.datasource.disk.model.FlightRecorderDataSet
-import com.bitwarden.data.manager.model.FlightRecorderDuration
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
+import com.x8bit.bitwarden.data.platform.repository.model.FlightRecorderDuration
 import kotlinx.coroutines.flow.StateFlow

 /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderManagerImpl.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.data.manager.flightrecorder
+package com.x8bit.bitwarden.data.platform.manager.flightrecorder

 import android.content.BroadcastReceiver
 import android.content.Context
@@ -7,9 +7,9 @@ import android.content.IntentFilter
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.util.concurrentMapOf
 import com.bitwarden.core.data.util.toFormattedPattern
-import com.bitwarden.data.datasource.disk.FlightRecorderDiskSource
-import com.bitwarden.data.datasource.disk.model.FlightRecorderDataSet
-import com.bitwarden.data.manager.model.FlightRecorderDuration
+import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
+import com.x8bit.bitwarden.data.platform.repository.model.FlightRecorderDuration
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.delay
@@ -33,7 +33,7 @@ private const val EXPIRATION_DURATION_DAYS: Long = 30
 internal class FlightRecorderManagerImpl(
    private val context: Context,
    private val clock: Clock,
-    private val flightRecorderDiskSource: FlightRecorderDiskSource,
+    private val settingsDiskSource: SettingsDiskSource,
    private val flightRecorderWriter: FlightRecorderWriter,
    dispatcherManager: DispatcherManager,
 ) : FlightRecorderManager {
@@ -44,12 +44,10 @@ internal class FlightRecorderManagerImpl(
    private val flightRecorderTree = FlightRecorderTree()

    override val flightRecorderData: FlightRecorderDataSet
-        get() = flightRecorderDiskSource
-            .flightRecorderData
-            ?: FlightRecorderDataSet(data = emptySet())
+        get() = settingsDiskSource.flightRecorderData ?: FlightRecorderDataSet(data = emptySet())

    override val flightRecorderDataFlow: StateFlow<FlightRecorderDataSet>
-        get() = flightRecorderDiskSource
+        get() = settingsDiskSource
            .flightRecorderDataFlow
            .map { it ?: FlightRecorderDataSet(data = emptySet()) }
            .stateIn(
@@ -75,7 +73,7 @@ internal class FlightRecorderManagerImpl(

    override fun dismissFlightRecorderBanner() {
        val originalData = flightRecorderData
-        flightRecorderDiskSource.flightRecorderData = originalData.copy(
+        settingsDiskSource.flightRecorderData = originalData.copy(
            data = originalData.data.map { it.copy(isBannerDismissed = true) }.toSet(),
        )
    }
@@ -83,7 +81,7 @@ internal class FlightRecorderManagerImpl(
    override fun startFlightRecorder(duration: FlightRecorderDuration) {
        val startTime = clock.instant()
        val originalData = flightRecorderData
-        flightRecorderDiskSource.flightRecorderData = originalData.copy(
+        settingsDiskSource.flightRecorderData = originalData.copy(
            data = originalData
                .data
                .mapToInactive(clock = clock)
@@ -108,7 +106,7 @@ internal class FlightRecorderManagerImpl(

    override fun endFlightRecorder() {
        val originalData = flightRecorderData
-        flightRecorderDiskSource.flightRecorderData = originalData.copy(
+        settingsDiskSource.flightRecorderData = originalData.copy(
            data = originalData.data.mapToInactive(clock = clock),
        )
    }
@@ -119,7 +117,7 @@ internal class FlightRecorderManagerImpl(
            data = flightRecorderData.data.filterNot { it.isActive }.toSet(),
        )
        // Clear everything but the active log.
-        flightRecorderDiskSource.flightRecorderData = activeLog?.let {
+        settingsDiskSource.flightRecorderData = activeLog?.let {
            FlightRecorderDataSet(data = setOf(it))
        }
        // Clear all logs but the active one.
@@ -129,7 +127,7 @@ internal class FlightRecorderManagerImpl(
    override fun deleteLog(data: FlightRecorderDataSet.FlightRecorderData) {
        if (data.isActive) return
        val originalData = flightRecorderData
-        flightRecorderDiskSource.flightRecorderData = originalData.copy(
+        settingsDiskSource.flightRecorderData = originalData.copy(
            data = originalData.data.filterNot { it == data }.toSet(),
        )
        ioScope.launch { flightRecorderWriter.deleteLog(data = data) }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderWriter.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderWriter.kt
@@ -1,6 +1,6 @@
-package com.bitwarden.data.manager.flightrecorder
+package com.x8bit.bitwarden.data.platform.manager.flightrecorder

-import com.bitwarden.data.datasource.disk.model.FlightRecorderDataSet
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
 import java.io.File

 /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderWriterImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/flightrecorder/FlightRecorderWriterImpl.kt
@@ -1,13 +1,13 @@
-package com.bitwarden.data.manager.flightrecorder
+package com.x8bit.bitwarden.data.platform.manager.flightrecorder

 import android.os.Build
 import android.util.Log
 import com.bitwarden.annotation.OmitFromCoverage
-import com.bitwarden.core.data.manager.BuildInfoManager
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.util.toFormattedPattern
-import com.bitwarden.data.datasource.disk.model.FlightRecorderDataSet
-import com.bitwarden.data.manager.file.FileManager
+import com.x8bit.bitwarden.BuildConfig
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.FlightRecorderDataSet
+import com.x8bit.bitwarden.data.vault.manager.FileManager
 import kotlinx.coroutines.withContext
 import timber.log.Timber
 import java.io.BufferedWriter
@@ -25,11 +25,10 @@ private const val LOG_TIME_PATTERN: String = "yyyy-MM-dd HH:mm:ss:SSS"
 * The default implementation of the [FlightRecorderWriter].
 */
@OmitFromCoverage
-internal class FlightRecorderWriterImpl(
+class FlightRecorderWriterImpl(
    private val clock: Clock,
    private val fileManager: FileManager,
    private val dispatcherManager: DispatcherManager,
-    private val buildInfoManager: BuildInfoManager,
 ) : FlightRecorderWriter {
    override suspend fun deleteLog(data: FlightRecorderDataSet.FlightRecorderData) {
        fileManager.delete(File(File(fileManager.logsDirectory), data.fileName))
@@ -56,18 +55,19 @@ internal class FlightRecorderWriterImpl(
                val startTime = Instant
                    .ofEpochMilli(data.startTimeMs)
                    .toFormattedPattern(pattern = LOG_TIME_PATTERN, clock = clock)
+                val appVersion = "${BuildConfig.VERSION_NAME} (${BuildConfig.VERSION_CODE})"
                val operatingSystem = "${Build.VERSION.RELEASE} (${Build.VERSION.SDK_INT})"
                // Upon creating the new file, we pre-populate it with basic data
                BufferedWriter(FileWriter(logFile, true)).use { bw ->
-                    bw.append("Bitwarden Android - ${buildInfoManager.applicationName}")
+                    bw.append("Bitwarden Android")
                    bw.newLine()
                    bw.append("Log Start Time: $startTime")
                    bw.newLine()
                    bw.append("Log Duration: ${data.durationMs.milliseconds}")
                    bw.newLine()
-                    bw.append("App Version: ${buildInfoManager.versionData}")
+                    bw.append("App Version: $appVersion")
                    bw.newLine()
-                    bw.append("Build: ${buildInfoManager.buildAndFlavor}")
+                    bw.append("Build: ${BuildConfig.BUILD_TYPE}/${BuildConfig.FLAVOR}")
                    bw.newLine()
                    bw.append("Operating System: $operatingSystem")
                    bw.newLine()
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/OrganizationEvent.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/OrganizationEvent.kt
@@ -114,24 +114,4 @@ sealed class OrganizationEvent {
        override val type: OrganizationEventType
            get() = OrganizationEventType.USER_CLIENT_EXPORTED_VAULT
    }
-
-    /**
-     * Tracks when a user's personal ciphers have been migrated to their organization's My Items
-     * folder as required by the organization's personal vault ownership policy.
-     */
-    data object ItemOrganizationAccepted : OrganizationEvent() {
-        override val cipherId: String? = null
-        override val type: OrganizationEventType
-            get() = OrganizationEventType.ORGANIZATION_ITEM_ORGANIZATION_ACCEPTED
-    }
-
-    /**
-     * Tracks when a user chooses to leave an organization instead of migrating their personal
-     * ciphers to their organization's My Items folder.
-     */
-    data object ItemOrganizationDeclined : OrganizationEvent() {
-        override val cipherId: String? = null
-        override val type: OrganizationEventType
-            get() = OrganizationEventType.ORGANIZATION_ITEM_ORGANIZATION_DECLINED
-    }
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncCipherUpsertData.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncCipherUpsertData.kt
@@ -5,14 +5,12 @@ import java.time.ZonedDateTime
 /**
 * Required data for sync cipher upsert operations.
 *
- * @property userId The user ID associated with this update.
 * @property cipherId The cipher ID.
 * @property revisionDate The cipher's revision date. This is used to determine if the local copy of
 * the cipher is out-of-date.
 * @property isUpdate Whether or not this is an update of an existing cipher.
 */
 data class SyncCipherUpsertData(
-    val userId: String,
    val cipherId: String,
    val revisionDate: ZonedDateTime,
    val organizationId: String?,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncFolderUpsertData.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncFolderUpsertData.kt
@@ -5,14 +5,12 @@ import java.time.ZonedDateTime
 /**
 * Required data for sync folder upsert operations.
 *
- * @property userId The user ID associated with this update.
 * @property folderId The folder ID.
 * @property revisionDate The folder's revision date. This is used to determine if the local copy of
 * the folder is out-of-date.
 * @property isUpdate Whether or not this is an update of an existing folder.
 */
 data class SyncFolderUpsertData(
-    val userId: String,
    val folderId: String,
    val revisionDate: ZonedDateTime,
    val isUpdate: Boolean,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncSendUpsertData.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SyncSendUpsertData.kt
@@ -5,14 +5,12 @@ import java.time.ZonedDateTime
 /**
 * Required data for sync send upsert operations.
 *
- * @property userId The user ID associated with this update.
 * @property sendId The send ID.
 * @property revisionDate The send's revision date. This is used to determine if the local copy of
 * the send is out-of-date.
 * @property isUpdate Whether or not this is an update of an existing send.
 */
 data class SyncSendUpsertData(
-    val userId: String,
    val sendId: String,
    val revisionDate: ZonedDateTime,
    val isUpdate: Boolean,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/AuthenticatorBridgeRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/AuthenticatorBridgeRepositoryImpl.kt
@@ -4,19 +4,18 @@ import com.bitwarden.authenticatorbridge.model.SharedAccountData
 import com.bitwarden.core.InitOrgCryptoRequest
 import com.bitwarden.core.InitUserCryptoMethod
 import com.bitwarden.core.InitUserCryptoRequest
-import com.bitwarden.core.data.repository.error.MissingPropertyException
 import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.flatMap
 import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
+import com.x8bit.bitwarden.data.platform.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.repository.util.sanitizeTotpUri
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.ScopedVaultSdkSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.InitializeCryptoResult
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
-import com.x8bit.bitwarden.data.vault.repository.util.createWrappedAccountCryptographicState
 import com.x8bit.bitwarden.data.vault.repository.util.toEncryptedSdkCipher
 import com.x8bit.bitwarden.data.vault.repository.util.toVaultUnlockResult

@@ -138,21 +137,17 @@ class AuthenticatorBridgeRepositoryImpl(
            ?.securityState
            ?.securityState
        val signingKey = accountKeys?.signatureKeyPair?.wrappedSigningKey
-        val signedPublicKey = accountKeys?.publicKeyEncryptionKeyPair?.signedPublicKey

        return scopedVaultSdkSource
            .initializeCrypto(
                userId = userId,
                request = InitUserCryptoRequest(
-                    accountCryptographicState = createWrappedAccountCryptographicState(
-                        privateKey = privateKey,
-                        securityState = securityState,
-                        signingKey = signingKey,
-                        signedPublicKey = signedPublicKey,
-                    ),
                    userId = userId,
                    kdfParams = account.profile.toSdkParams(),
                    email = account.profile.email,
+                    privateKey = privateKey,
+                    securityState = securityState,
+                    signingKey = signingKey,
                    method = InitUserCryptoMethod.DecryptedKey(
                        decryptedUserKey = decryptedUserKey,
                    ),
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepository.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepository.kt
@@ -1,8 +1,8 @@
 package com.x8bit.bitwarden.data.platform.repository

-import com.bitwarden.data.manager.flightrecorder.FlightRecorderManager
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
 import com.x8bit.bitwarden.data.auth.repository.model.UserFingerprintResult
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderManager
 import com.x8bit.bitwarden.data.platform.repository.model.BiometricsKeyResult
 import com.x8bit.bitwarden.data.platform.repository.model.ClearClipboardFrequency
 import com.x8bit.bitwarden.data.platform.repository.model.UriMatchType
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepositoryImpl.kt
@@ -3,7 +3,6 @@ package com.x8bit.bitwarden.data.platform.repository
 import android.view.autofill.AutofillManager
 import com.bitwarden.authenticatorbridge.util.generateSecretKey
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.data.manager.flightrecorder.FlightRecorderManager
 import com.bitwarden.network.model.PolicyTypeJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
@@ -17,6 +16,7 @@ import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManager
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderManager
 import com.x8bit.bitwarden.data.platform.repository.model.BiometricsKeyResult
 import com.x8bit.bitwarden.data.platform.repository.model.ClearClipboardFrequency
 import com.x8bit.bitwarden.data.platform.repository.model.UriMatchType
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/di/PlatformRepositoryModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/di/PlatformRepositoryModule.kt
@@ -2,7 +2,6 @@ package com.x8bit.bitwarden.data.platform.repository.di

 import android.view.autofill.AutofillManager
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.data.manager.flightrecorder.FlightRecorderManager
 import com.bitwarden.data.repository.ServerConfigRepository
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityEnabledManager
@@ -11,6 +10,7 @@ import com.x8bit.bitwarden.data.platform.datasource.disk.EnvironmentDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.FeatureFlagOverrideDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
+import com.x8bit.bitwarden.data.platform.manager.flightrecorder.FlightRecorderManager
 import com.x8bit.bitwarden.data.platform.repository.AuthenticatorBridgeRepository
 import com.x8bit.bitwarden.data.platform.repository.AuthenticatorBridgeRepositoryImpl
 import com.x8bit.bitwarden.data.platform.repository.DebugMenuRepository
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/model/FlightRecorderDuration.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/model/FlightRecorderDuration.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.data.manager.model
+package com.x8bit.bitwarden.data.platform.repository.model

 /**
 * The selectable durations allowed for the flight recorder.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/util/StateFlowExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/util/StateFlowExtensions.kt
@@ -14,36 +14,10 @@ import kotlinx.coroutines.flow.flow
 import kotlinx.coroutines.flow.map

 /**
- * Lazily invokes the [observer] callback with the active user's ID only when this MutableStateFlow
- * has external collectors and a user is logged in. Designed for operations that should only run
- * when UI actively observes the resulting data, but do not require the vault to be unlocked.
- *
- * **Active User Tracking:**
- * This function specifically tracks the active user from [userStateFlow]. When the active user
- * changes (e.g., account switching), the previous observer flow is canceled and a new one is
- * started for the new active user.
- *
- * **Subscription Detection:**
- * Uses [MutableStateFlow.subscriptionCount] to detect external collectors. Only external
- * `.collect()` calls increment subscriptionCount—internal flow operations (map, flatMapLatest,
- * update, etc.) do not affect it.
- *
- * **Common Pattern:**
- * ```kotlin
- * private val _triggerFlow = MutableStateFlow(Unit)
- * val dataFlow = _triggerFlow
- *     .observeWhenSubscribedAndLoggedIn(userFlow) { activeUserId ->
- *         repository.getData(activeUserId)  // Only runs when dataFlow is collected
- *     }
- * // _triggerFlow.update {} does NOT affect subscriptionCount
- * ```
- *
- * **Observer Lifecycle:**
- * - **Invoked** when subscriptionCount > 0 and a user is logged in
- * - **Re-invoked** when the active user changes (account switch)
- * - **Canceled** when subscribers disconnect or user logs out
- *
- * @see observeWhenSubscribedAndUnlocked for variant that also requires vault to be unlocked
+ * Invokes the [observer] callback whenever the user is logged in, the active changes, and there
+ * are subscribers to the [MutableStateFlow]. The flow from all previous calls to the `observer`
+ * is canceled whenever the `observer` is re-invoked, there is no active user (logged-out), or
+ * there are no subscribers to the [MutableStateFlow].
 */
@OptIn(ExperimentalCoroutinesApi::class)
 fun <T, R> MutableStateFlow<T>.observeWhenSubscribedAndLoggedIn(
@@ -61,36 +35,11 @@ fun <T, R> MutableStateFlow<T>.observeWhenSubscribedAndLoggedIn(
        }

 /**
- * Lazily invokes the [observer] callback with the active user's ID only when this MutableStateFlow
- * has external collectors, a user is logged in, and the active user's vault is unlocked. Designed
- * for expensive operations that should only run when UI actively observes the resulting data.
- *
- * **Active User Tracking:**
- * This function specifically tracks the active user from [userStateFlow]. When the active user
- * changes (e.g., account switching), the previous observer flow is canceled and a new one is
- * started for the new active user. The vault unlock state is also tracked per-user.
- *
- * **Subscription Detection:**
- * Uses [MutableStateFlow.subscriptionCount] to detect external collectors. Only external
- * `.collect()` calls increment subscriptionCount—internal flow operations (map, flatMapLatest,
- * update, etc.) do not affect it.
- *
- * **Common Pattern:**
- * ```kotlin
- * private val _triggerFlow = MutableStateFlow(Unit)
- * val dataFlow = _triggerFlow
- *     .observeWhenSubscribedAndUnlocked(userFlow, unlockFlow) { activeUserId ->
- *         repository.getExpensiveData(activeUserId)  // Only runs when dataFlow is collected
- *     }
- * // _triggerFlow.update {} does NOT affect subscriptionCount
- * ```
- *
- * **Observer Lifecycle:**
- * - **Invoked** when subscriptionCount > 0, a user is logged in, and active user's vault unlocked
- * - **Re-invoked** when the active user changes (account switch) or vault state changes
- * - **Canceled** when subscribers disconnect, user logs out, or vault locks
- *
- * @see observeWhenSubscribedAndLoggedIn for variant without vault unlock requirement
+ * Invokes the [observer] callback whenever the user is logged in, the active changes,
+ * the vault for the user changes and there are subscribers to the [MutableStateFlow].
+ * The flow from all previous calls to the `observer`
+ * is canceled whenever the `observer` is re-invoked, there is no active user (logged-out),
+ * there are no subscribers to the [MutableStateFlow] or the vault is not unlocked.
 */
@OptIn(ExperimentalCoroutinesApi::class)
 fun <T, R> MutableStateFlow<T>.observeWhenSubscribedAndUnlocked(
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/FileExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/FileExtensions.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.core.util
+package com.x8bit.bitwarden.data.platform.util

 import com.bitwarden.annotation.OmitFromCoverage
 import java.io.File
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/InputStreamExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/InputStreamExtensions.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.core.data.util
+package com.x8bit.bitwarden.data.platform.util

 import android.os.Build
 import com.bitwarden.annotation.OmitFromCoverage
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSource.kt
@@ -24,16 +24,6 @@ interface VaultDiskSource {
     */
    suspend fun getCiphers(userId: String): List<SyncResponseJson.Cipher>

-    /**
-     * Checks if the user has any personal ciphers (ciphers not belonging to an organization).
-     *
-     * This is an optimized query that checks only the indexed organizationId column
-     * without loading full cipher JSON data. Intended for vault migration state checks.
-     *
-     * @return Flow that emits true if user has personal ciphers, false otherwise
-     */
-    fun hasPersonalCiphersFlow(userId: String): Flow<Boolean>
-
    /**
     * Retrieves all ciphers with the given [cipherIds] from the data source for a given [userId].
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceImpl.kt
@@ -55,7 +55,6 @@ class VaultDiskSourceImpl(
                    hasTotp = cipher.login?.totp != null,
                    cipherType = json.encodeToString(cipher.type),
                    cipherJson = json.encodeToString(cipher),
-                    organizationId = cipher.organizationId,
                ),
            ),
        )
@@ -98,9 +97,6 @@ class VaultDiskSourceImpl(
        }
    }

-    override fun hasPersonalCiphersFlow(userId: String): Flow<Boolean> =
-        ciphersDao.hasPersonalCiphersFlow(userId = userId)
-
    override suspend fun getSelectedCiphers(
        userId: String,
        cipherIds: List<String>,
@@ -299,7 +295,6 @@ class VaultDiskSourceImpl(
                            hasTotp = cipher.login?.totp != null,
                            cipherType = json.encodeToString(cipher.type),
                            cipherJson = json.encodeToString(cipher),
-                            organizationId = cipher.organizationId,
                        )
                    },
                )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/dao/CiphersDao.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/dao/CiphersDao.kt
@@ -88,21 +88,4 @@ interface CiphersDao {
        insertCiphers(ciphers)
        return deletedCiphersCount > 0 || ciphers.isNotEmpty()
    }
-
-    /**
-     * Checks if the user has any personal ciphers (ciphers with null organizationId).
-     * Returns a Flow that emits true if personal ciphers exist, false otherwise.
-     *
-     * This query is optimized for vault migration checks and uses the indexed
-     * organization_id column to avoid loading full cipher JSON.
-     */
-    @Query("""
-        SELECT EXISTS(
-            SELECT 1 FROM ciphers
-            WHERE user_id = :userId
-            AND organization_id IS NULL
-            LIMIT 1
-        )
-    """)
-    fun hasPersonalCiphersFlow(userId: String): Flow<Boolean>
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/database/VaultDatabase.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/database/VaultDatabase.kt
@@ -27,7 +27,7 @@ import com.x8bit.bitwarden.data.vault.datasource.disk.entity.SendEntity
        FolderEntity::class,
        SendEntity::class,
    ],
-    version = 9,
+    version = 8,
    exportSchema = true,
    autoMigrations = [
        AutoMigration(from = 6, to = 7),
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/entity/CipherEntity.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/entity/CipherEntity.kt
@@ -2,25 +2,18 @@ package com.x8bit.bitwarden.data.vault.datasource.disk.entity

 import androidx.room.ColumnInfo
 import androidx.room.Entity
-import androidx.room.Index
 import androidx.room.PrimaryKey

 /**
 * Entity representing a cipher in the database.
 */
-@Entity(
-    tableName = "ciphers",
-    indices = [
-        Index(value = ["user_id"]),
-        Index(value = ["user_id", "organization_id"]),
-    ],
-)
+@Entity(tableName = "ciphers")
 data class CipherEntity(
    @PrimaryKey(autoGenerate = false)
    @ColumnInfo(name = "id")
    val id: String,

-    @ColumnInfo(name = "user_id")
+    @ColumnInfo(name = "user_id", index = true)
    val userId: String,

    // Default to true for initial migration.
@@ -33,9 +26,4 @@ data class CipherEntity(

    @ColumnInfo(name = "cipher_json")
    val cipherJson: String,
-
-    // Extracted organizationId for query optimization to avoid loading full cipher JSON.
-    // Enables lightweight queries for vault migration checks and organization filtering.
-    @ColumnInfo(name = "organization_id")
-    val organizationId: String?,
 )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSource.kt
@@ -97,13 +97,12 @@ interface VaultSdkSource {
    ): Result<EnrollPinResponse>

    /**
-     * Validates that the given PIN with the encrypted user key and returns `true` if the PIN is
-     * correct, otherwise `false`.
+     * Validate the user pin using the [pinProtectedUserKey].
     */
-    suspend fun validatePinUserKey(
+    suspend fun validatePin(
        userId: String,
        pin: String,
-        pinProtectedUserKeyEnvelope: String,
+        pinProtectedUserKey: String,
    ): Result<Boolean>

    /**
@@ -488,7 +487,6 @@ interface VaultSdkSource {
        userId: String,
        fido2CredentialStore: Fido2CredentialStore,
        relyingPartyId: String,
-        userHandle: String?,
    ): Result<List<Fido2CredentialAutofillView>>

    /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt
@@ -100,7 +100,6 @@ class VaultSdkSourceImpl(
                    is DeriveKeyConnectorException.WrongPassword -> {
                        DeriveKeyConnectorResult.WrongPasswordError
                    }
-
                    is DeriveKeyConnectorException.Crypto -> {
                        DeriveKeyConnectorResult.Error(error = ex)
                    }
@@ -130,18 +129,15 @@ class VaultSdkSourceImpl(
                .enrollPinWithEncryptedPin(encryptedPin = encryptedPin)
        }

-    override suspend fun validatePinUserKey(
+    override suspend fun validatePin(
        userId: String,
        pin: String,
-        pinProtectedUserKeyEnvelope: String,
+        pinProtectedUserKey: String,
    ): Result<Boolean> =
        runCatchingWithLogs {
            getClient(userId = userId)
                .auth()
-                .validatePinProtectedUserKeyEnvelope(
-                    pin = pin,
-                    pinProtectedUserKeyEnvelope = pinProtectedUserKeyEnvelope,
-                )
+                .validatePin(pin = pin, pinProtectedUserKey = pinProtectedUserKey)
        }

    override suspend fun getAuthRequestKey(
@@ -603,7 +599,6 @@ class VaultSdkSourceImpl(
        userId: String,
        fido2CredentialStore: Fido2CredentialStore,
        relyingPartyId: String,
-        userHandle: String?,
    ): Result<List<Fido2CredentialAutofillView>> = runCatchingWithLogs {
        getClient(userId)
            .platform()
@@ -612,7 +607,7 @@ class VaultSdkSourceImpl(
                userInterface = Fido2CredentialSearchUserInterfaceImpl(),
                credentialStore = fido2CredentialStore,
            )
-            .silentlyDiscoverCredentials(relyingPartyId, userHandle?.toByteArray())
+            .silentlyDiscoverCredentials(relyingPartyId)
    }

    override suspend fun makeUpdateKdf(
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialAuthenticationUserInterfaceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialAuthenticationUserInterfaceImpl.kt
@@ -28,7 +28,7 @@ class Fido2CredentialAuthenticationUserInterfaceImpl(
        newCredential: Fido2CredentialNewView,
    ): CheckUserAndPickCredentialForCreationResult = throw IllegalStateException()

-    override fun isVerificationEnabled(): Boolean = isVerificationSupported
+    override suspend fun isVerificationEnabled(): Boolean = isVerificationSupported

    override suspend fun pickCredentialForAuthentication(
        availableCredentials: List<CipherView>,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialRegistrationUserInterfaceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialRegistrationUserInterfaceImpl.kt
@@ -32,7 +32,7 @@ class Fido2CredentialRegistrationUserInterfaceImpl(
        checkUserResult = CheckUserResult(userPresent = true, userVerified = true),
    )

-    override fun isVerificationEnabled(): Boolean = isVerificationSupported
+    override suspend fun isVerificationEnabled(): Boolean = isVerificationSupported

    override suspend fun pickCredentialForAuthentication(
        availableCredentials: List<CipherView>,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialSearchUserInterfaceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialSearchUserInterfaceImpl.kt
@@ -29,7 +29,7 @@ class Fido2CredentialSearchUserInterfaceImpl : Fido2UserInterface {

    // Always return true for this property because any problems with verification should
    // be handled downstream where the app can actually offer verification methods.
-    override fun isVerificationEnabled(): Boolean = true
+    override suspend fun isVerificationEnabled(): Boolean = true

    override suspend fun pickCredentialForAuthentication(
        availableCredentials: List<CipherView>,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialStoreImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialStoreImpl.kt
@@ -42,11 +42,7 @@ class Fido2CredentialStoreImpl(
     * @param ids Optional list of FIDO 2 credential ID's to find.
     * @param ripId Relying Party ID to find.
     */
-    override suspend fun findCredentials(
-        ids: List<ByteArray>?,
-        ripId: String,
-        userHandle: ByteArray?,
-    ): List<CipherView> =
+    override suspend fun findCredentials(ids: List<ByteArray>?, ripId: String): List<CipherView> =
        vaultRepository
            .decryptCipherListResultStateFlow
            .value
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt
@@ -6,8 +6,6 @@ import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.util.asFailure
 import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.flatMap
-import com.bitwarden.data.manager.file.FileManager
-import com.bitwarden.data.manager.model.DownloadResult
 import com.bitwarden.network.model.AttachmentJsonResponse
 import com.bitwarden.network.model.CreateCipherInOrganizationJsonRequest
 import com.bitwarden.network.model.CreateCipherResponseJson
@@ -19,7 +17,6 @@ import com.bitwarden.vault.AttachmentView
 import com.bitwarden.vault.CipherView
 import com.bitwarden.vault.EncryptionContext
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
@@ -27,6 +24,7 @@ import com.x8bit.bitwarden.data.platform.manager.model.SyncCipherDeleteData
 import com.x8bit.bitwarden.data.platform.manager.model.SyncCipherUpsertData
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
+import com.x8bit.bitwarden.data.vault.manager.model.DownloadResult
 import com.x8bit.bitwarden.data.vault.manager.model.GetCipherResult
 import com.x8bit.bitwarden.data.vault.repository.model.CreateAttachmentResult
 import com.x8bit.bitwarden.data.vault.repository.model.CreateCipherResult
@@ -55,7 +53,6 @@ import java.time.Clock
 class CipherManagerImpl(
    private val fileManager: FileManager,
    private val authDiskSource: AuthDiskSource,
-    private val settingsDiskSource: SettingsDiskSource,
    private val ciphersService: CiphersService,
    private val vaultDiskSource: VaultDiskSource,
    private val vaultSdkSource: VaultSdkSource,
@@ -692,7 +689,7 @@ class CipherManagerImpl(
     * for now.
     */
    private suspend fun syncCipherIfNecessary(syncCipherUpsertData: SyncCipherUpsertData) {
-        val userId = syncCipherUpsertData.userId
+        val userId = activeUserId ?: return
        val cipherId = syncCipherUpsertData.cipherId
        val organizationId = syncCipherUpsertData.organizationId
        val collectionIds = syncCipherUpsertData.collectionIds
@@ -735,12 +732,6 @@ class CipherManagerImpl(
        }

        if (!shouldUpdate) return
-        if (activeUserId != userId) {
-            // We cannot update right now since the accounts do not match, so we will
-            // do a full-sync on the next check.
-            settingsDiskSource.storeLastSyncTime(userId = userId, lastSyncTime = null)
-            return
-        }

        ciphersService
            .getCipher(cipherId = cipherId)
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FileManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FileManager.kt
@@ -1,9 +1,9 @@
-package com.bitwarden.data.manager.file
+package com.x8bit.bitwarden.data.vault.manager

 import android.net.Uri
 import com.bitwarden.annotation.OmitFromCoverage
-import com.bitwarden.data.manager.model.DownloadResult
-import com.bitwarden.data.manager.model.ZipFileResult
+import com.x8bit.bitwarden.data.vault.manager.model.DownloadResult
+import com.x8bit.bitwarden.data.vault.manager.model.ZipFileResult
 import java.io.File

 /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FileManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FileManagerImpl.kt
@@ -1,15 +1,15 @@
@file:OmitFromCoverage

-package com.bitwarden.data.manager.file
+package com.x8bit.bitwarden.data.vault.manager

 import android.content.Context
 import android.net.Uri
 import com.bitwarden.annotation.OmitFromCoverage
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.core.data.util.sdkAgnosticTransferTo
-import com.bitwarden.data.manager.model.DownloadResult
-import com.bitwarden.data.manager.model.ZipFileResult
 import com.bitwarden.network.service.DownloadService
+import com.x8bit.bitwarden.data.platform.util.sdkAgnosticTransferTo
+import com.x8bit.bitwarden.data.vault.manager.model.DownloadResult
+import com.x8bit.bitwarden.data.vault.manager.model.ZipFileResult
 import kotlinx.coroutines.withContext
 import java.io.BufferedInputStream
 import java.io.BufferedOutputStream
@@ -29,7 +29,7 @@ private const val BUFFER_SIZE: Int = 1024
 /**
 * The default implementation of the [FileManager] interface.
 */
-internal class FileManagerImpl(
+class FileManagerImpl(
    private val context: Context,
    private val downloadService: DownloadService,
    private val dispatcherManager: DispatcherManager,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FolderManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/FolderManagerImpl.kt
@@ -6,7 +6,6 @@ import com.bitwarden.network.model.UpdateFolderResponseJson
 import com.bitwarden.network.service.FolderService
 import com.bitwarden.vault.FolderView
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.model.SyncFolderDeleteData
@@ -26,10 +25,8 @@ import kotlinx.coroutines.flow.onEach
 /**
 * The default implementation of the [FolderManager].
 */
-@Suppress("LongParameterList")
 class FolderManagerImpl(
    private val authDiskSource: AuthDiskSource,
-    private val settingsDiskSource: SettingsDiskSource,
    private val folderService: FolderService,
    private val vaultDiskSource: VaultDiskSource,
    private val vaultSdkSource: VaultSdkSource,
@@ -151,7 +148,7 @@ class FolderManagerImpl(
     * are met.
     */
    private suspend fun syncFolderIfNecessary(syncFolderUpsertData: SyncFolderUpsertData) {
-        val userId = syncFolderUpsertData.userId
+        val userId = activeUserId ?: return
        val folderId = syncFolderUpsertData.folderId
        val isUpdate = syncFolderUpsertData.isUpdate
        val revisionDate = syncFolderUpsertData.revisionDate
@@ -165,12 +162,6 @@ class FolderManagerImpl(
            localFolder.revisionDate.toEpochSecond() < revisionDate.toEpochSecond()

        if (!isValidCreate && !isValidUpdate) return
-        if (activeUserId != userId) {
-            // We cannot update right now since the accounts do not match, so we will
-            // do a full-sync on the next check.
-            settingsDiskSource.storeLastSyncTime(userId = userId, lastSyncTime = null)
-            return
-        }

        folderService
            .getFolder(folderId = folderId)
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/SendManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/SendManagerImpl.kt
@@ -5,7 +5,6 @@ import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.util.asFailure
 import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.flatMap
-import com.bitwarden.data.manager.file.FileManager
 import com.bitwarden.network.model.CreateFileSendResponse
 import com.bitwarden.network.model.CreateSendJsonResponse
 import com.bitwarden.network.model.UpdateSendResponseJson
@@ -14,7 +13,6 @@ import com.bitwarden.send.Send
 import com.bitwarden.send.SendType
 import com.bitwarden.send.SendView
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
@@ -40,7 +38,6 @@ import retrofit2.HttpException
@Suppress("LongParameterList")
 class SendManagerImpl(
    private val authDiskSource: AuthDiskSource,
-    private val settingsDiskSource: SettingsDiskSource,
    private val vaultDiskSource: VaultDiskSource,
    private val vaultSdkSource: VaultSdkSource,
    private val sendsService: SendsService,
@@ -268,7 +265,7 @@ class SendManagerImpl(
     * now.
     */
    private suspend fun syncSendIfNecessary(syncSendUpsertData: SyncSendUpsertData) {
-        val userId = syncSendUpsertData.userId
+        val userId = activeUserId ?: return
        val sendId = syncSendUpsertData.sendId
        val isUpdate = syncSendUpsertData.isUpdate
        val revisionDate = syncSendUpsertData.revisionDate
@@ -281,12 +278,6 @@ class SendManagerImpl(
            localSend != null &&
            localSend.revisionDate.toEpochSecond() < revisionDate.toEpochSecond()
        if (!isValidCreate && !isValidUpdate) return
-        if (activeUserId != userId) {
-            // We cannot update right now since the accounts do not match, so we will
-            // do a full-sync on the next check.
-            settingsDiskSource.storeLastSyncTime(userId = userId, lastSyncTime = null)
-            return
-        }

        sendsService
            .getSend(sendId = sendId)
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManager.kt
@@ -1,7 +1,6 @@
 package com.x8bit.bitwarden.data.vault.manager

 import com.bitwarden.core.InitUserCryptoMethod
-import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.crypto.Kdf
 import com.bitwarden.sdk.AuthClient
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
@@ -62,10 +61,12 @@ interface VaultLockManager {
     */
    @Suppress("LongParameterList")
    suspend fun unlockVault(
-        accountCryptographicState: WrappedAccountCryptographicState,
        userId: String,
        email: String,
        kdf: Kdf,
+        privateKey: String,
+        signingKey: String?,
+        securityState: String?,
        initUserCryptoMethod: InitUserCryptoMethod,
        organizationKeys: Map<String, String>?,
    ): VaultUnlockResult
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt
@@ -7,10 +7,8 @@ import android.content.IntentFilter
 import com.bitwarden.core.InitOrgCryptoRequest
 import com.bitwarden.core.InitUserCryptoMethod
 import com.bitwarden.core.InitUserCryptoRequest
-import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.manager.realtime.RealtimeManager
-import com.bitwarden.core.data.repository.error.MissingPropertyException
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
 import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.concurrentMapOf
@@ -28,6 +26,7 @@ import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
 import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokens
 import com.x8bit.bitwarden.data.auth.repository.util.userSwitchingChangesFlow
+import com.x8bit.bitwarden.data.platform.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.AppStateManager
 import com.x8bit.bitwarden.data.platform.manager.model.AppCreationState
@@ -40,7 +39,6 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.model.InitializeCryptoResul
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
-import com.x8bit.bitwarden.data.vault.repository.util.createWrappedAccountCryptographicState
 import com.x8bit.bitwarden.data.vault.repository.util.logTag
 import com.x8bit.bitwarden.data.vault.repository.util.statusFor
 import com.x8bit.bitwarden.data.vault.repository.util.toVaultUnlockResult
@@ -173,10 +171,12 @@ class VaultLockManagerImpl(

    @Suppress("LongMethod")
    override suspend fun unlockVault(
-        accountCryptographicState: WrappedAccountCryptographicState,
        userId: String,
        email: String,
        kdf: Kdf,
+        privateKey: String,
+        signingKey: String?,
+        securityState: String?,
        initUserCryptoMethod: InitUserCryptoMethod,
        organizationKeys: Map<String, String>?,
    ): VaultUnlockResult = withContext(context = NonCancellable) {
@@ -187,11 +187,13 @@ class VaultLockManagerImpl(
                    .initializeCrypto(
                        userId = userId,
                        request = InitUserCryptoRequest(
-                            accountCryptographicState = accountCryptographicState,
                            kdfParams = kdf,
                            email = email,
+                            privateKey = privateKey,
                            method = initUserCryptoMethod,
                            userId = userId,
+                            signingKey = signingKey,
+                            securityState = securityState,
                        ),
                    )
                    .flatMap { result ->
@@ -257,19 +259,29 @@ class VaultLockManagerImpl(
        kdf: Kdf,
        userId: String,
    ) {
-        (initUserCryptoMethod as? InitUserCryptoMethod.MasterPasswordUnlock)?.let {
+        if (initUserCryptoMethod is InitUserCryptoMethod.Password ||
+            initUserCryptoMethod is InitUserCryptoMethod.MasterPasswordUnlock
+        ) {
+            val password = when (initUserCryptoMethod) {
+                is InitUserCryptoMethod.Password -> initUserCryptoMethod.password
+                is InitUserCryptoMethod.MasterPasswordUnlock -> initUserCryptoMethod.password
+                else -> throw IllegalStateException(
+                    "Invalid initUserCryptoMethod ${initUserCryptoMethod.logTag}.",
+                )
+            }
+
            // Save the master password hash.
            authSdkSource
                .hashPassword(
                    email = email,
-                    password = initUserCryptoMethod.password,
+                    password = password,
                    kdf = kdf,
                    purpose = HashPurpose.LOCAL_AUTHORIZATION,
                )
-                .onSuccess {
+                .onSuccess { passwordHash ->
                    authDiskSource.storeMasterPasswordHash(
                        userId = userId,
-                        passwordHash = it,
+                        passwordHash = passwordHash,
                    )
                }
        }
@@ -681,18 +693,14 @@ class VaultLockManagerImpl(
            )
        val signingKey = accountKeys?.signatureKeyPair?.wrappedSigningKey
        val securityState = accountKeys?.securityState?.securityState
-        val signedPublicKey = accountKeys?.publicKeyEncryptionKeyPair?.signedPublicKey
        val organizationKeys = authDiskSource.getOrganizationKeys(userId = userId)
        return unlockVault(
-            accountCryptographicState = createWrappedAccountCryptographicState(
-                privateKey = privateKey,
-                securityState = securityState,
-                signingKey = signingKey,
-                signedPublicKey = signedPublicKey,
-            ),
            userId = userId,
            email = account.profile.email,
            kdf = account.profile.toSdkParams(),
+            privateKey = privateKey,
+            signingKey = signingKey,
+            securityState = securityState,
            initUserCryptoMethod = initUserCryptoMethod,
            organizationKeys = organizationKeys,
        )
@@ -705,6 +713,7 @@ class VaultLockManagerImpl(

    private suspend fun updateKdfIfNeeded(initUserCryptoMethod: InitUserCryptoMethod) {
        val password = when (initUserCryptoMethod) {
+            is InitUserCryptoMethod.Password -> initUserCryptoMethod.password
            is InitUserCryptoMethod.MasterPasswordUnlock -> initUserCryptoMethod.password
            is InitUserCryptoMethod.AuthRequest,
            is InitUserCryptoMethod.DecryptedKey,
@@ -712,7 +721,7 @@ class VaultLockManagerImpl(
            is InitUserCryptoMethod.KeyConnector,
            is InitUserCryptoMethod.Pin,
            is InitUserCryptoMethod.PinEnvelope,
-                -> return
+            -> return
        }

        kdfManager
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManager.kt
@@ -1,19 +0,0 @@
-package com.x8bit.bitwarden.data.vault.manager
-
-import com.x8bit.bitwarden.data.vault.manager.model.VaultMigrationData
-import kotlinx.coroutines.flow.StateFlow
-
-/**
- * Manages the migration of personal vault items to organization collections.
- * This interface provides a way to check if migration is needed and track migration state.
- *
- * The manager reactively observes vault cipher data and automatically updates the migration state
- * when conditions change (e.g., after sync, after vault unlock, policy changes).
- */
-interface VaultMigrationManager {
-    /**
-     * Flow that emits when conditions are met for the user to migrate their personal vault.
-     * Automatically updated when cipher data, policies, or feature flags change.
-     */
-    val vaultMigrationDataStateFlow: StateFlow<VaultMigrationData>
-}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManagerImpl.kt
@@ -1,155 +0,0 @@
-package com.x8bit.bitwarden.data.vault.manager
-
-import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.core.data.manager.model.FlagKey
-import com.bitwarden.network.model.PolicyTypeJson
-import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
-import com.x8bit.bitwarden.data.platform.manager.PolicyManager
-import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManager
-import com.x8bit.bitwarden.data.platform.repository.util.observeWhenSubscribedAndUnlocked
-import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
-import com.x8bit.bitwarden.data.vault.manager.model.VaultMigrationData
-import kotlinx.coroutines.CoroutineScope
-import kotlinx.coroutines.flow.MutableStateFlow
-import kotlinx.coroutines.flow.StateFlow
-import kotlinx.coroutines.flow.asStateFlow
-import kotlinx.coroutines.flow.combine
-import kotlinx.coroutines.flow.filterNotNull
-import kotlinx.coroutines.flow.launchIn
-import kotlinx.coroutines.flow.onEach
-import kotlinx.coroutines.flow.update
-
-/**
- * Default implementation of [VaultMigrationManager].
- *
- * Reactively observes vault cipher data and automatically updates migration state when:
- * - Vault is unlocked
- * - Sync has occurred at least once
- * - Cipher data changes
- * - Network connectivity changes
- */
-@Suppress("LongParameterList")
-class VaultMigrationManagerImpl(
-    private val authDiskSource: AuthDiskSource,
-    private val vaultDiskSource: VaultDiskSource,
-    private val settingsDiskSource: SettingsDiskSource,
-    private val policyManager: PolicyManager,
-    private val featureFlagManager: FeatureFlagManager,
-    private val connectionManager: NetworkConnectionManager,
-    vaultLockManager: VaultLockManager,
-    dispatcherManager: DispatcherManager,
-) : VaultMigrationManager {
-    private val unconfinedScope = CoroutineScope(dispatcherManager.unconfined)
-
-    private val mutableVaultMigrationDataStateFlow =
-        MutableStateFlow<VaultMigrationData>(value = VaultMigrationData.NoMigrationRequired)
-
-    override val vaultMigrationDataStateFlow: StateFlow<VaultMigrationData>
-        get() = mutableVaultMigrationDataStateFlow.asStateFlow()
-
-    init {
-        // Observe cipher data changes and automatically verify migration state
-        mutableVaultMigrationDataStateFlow
-            .observeWhenSubscribedAndUnlocked(
-                userStateFlow = authDiskSource.userStateFlow,
-                vaultUnlockFlow = vaultLockManager.vaultUnlockDataStateFlow,
-            ) { activeUserId ->
-                observeCipherDataAndUpdateMigrationState(userId = activeUserId)
-            }
-            .launchIn(unconfinedScope)
-    }
-
-    /**
-     * Observes cipher data, sync state, and network connectivity for the given user and updates
-     * migration state when changes occur. Only emits updates after the user has synced at least
-     * once to ensure data freshness.
-     *
-     * Uses optimized [VaultDiskSource.hasPersonalCiphersFlow] query that checks only the
-     * indexed organizationId column without loading full cipher JSON data.
-     *
-     * Combines cipher data with [SettingsDiskSource.getLastSyncTimeFlow] to handle multi-account
-     * scenarios where lastSyncTime may be cleared without clearing cipher data. This ensures
-     * migration state updates when sync completes, not just when cipher data changes.
-     *
-     * Also combines with [NetworkConnectionManager.isNetworkConnectedFlow] to ensure migration
-     * state updates reactively when network connectivity changes.
-     */
-    private fun observeCipherDataAndUpdateMigrationState(userId: String) =
-        combine(
-            vaultDiskSource.hasPersonalCiphersFlow(userId = userId),
-            settingsDiskSource.getLastSyncTimeFlow(userId = userId),
-            connectionManager.isNetworkConnectedFlow,
-        ) { hasPersonalCiphers, lastSyncTime, isNetworkConnected ->
-            // Only process after sync has occurred at least once
-            lastSyncTime ?: return@combine null
-            hasPersonalCiphers to isNetworkConnected
-        }
-            .filterNotNull()
-            .onEach { (hasPersonalCiphers, isNetworkConnected) ->
-                verifyAndUpdateMigrationState(
-                    userId = userId,
-                    hasPersonalCiphers = hasPersonalCiphers,
-                    isNetworkConnected = isNetworkConnected,
-                )
-            }
-
-    /**
-     * Verifies if the user should migrate their personal vault to organization collections
-     * based on active policies, feature flags, network connectivity, and whether they have
-     * personal ciphers.
-     *
-     * @param userId The ID of the user to check for migration.
-     * @param hasPersonalCiphers Boolean indicating if the user has any personal ciphers.
-     * @param isNetworkConnected Boolean indicating if the device has network connectivity.
-     */
-    private fun verifyAndUpdateMigrationState(
-        userId: String,
-        hasPersonalCiphers: Boolean,
-        isNetworkConnected: Boolean,
-    ) {
-        mutableVaultMigrationDataStateFlow.update {
-            if (!shouldMigrateVault(
-                    hasPersonalCiphers = hasPersonalCiphers,
-                    isNetworkConnected = isNetworkConnected,
-                )
-            ) {
-                return@update VaultMigrationData.NoMigrationRequired
-            }
-
-            val orgId = policyManager.getPersonalOwnershipPolicyOrganizationId()
-                ?: return@update VaultMigrationData.NoMigrationRequired
-
-            val orgName = authDiskSource
-                .getOrganizations(userId = userId)
-                ?.firstOrNull { it.id == orgId }
-                ?.name
-                ?: return@update VaultMigrationData.NoMigrationRequired
-
-            VaultMigrationData.MigrationRequired(
-                organizationId = orgId,
-                organizationName = orgName,
-            )
-        }
-    }
-
-    /**
-     * Checks if the user should migrate their vault based on policies, feature flags,
-     * network connectivity, and whether they have personal items.
-     *
-     * @param hasPersonalCiphers Boolean indicating if the user has any personal ciphers.
-     * @param isNetworkConnected Boolean indicating if the device has network connectivity.
-     * @return true if migration conditions are met, false otherwise.
-     */
-    private fun shouldMigrateVault(
-        hasPersonalCiphers: Boolean,
-        isNetworkConnected: Boolean,
-    ): Boolean =
-        policyManager
-            .getActivePolicies(PolicyTypeJson.PERSONAL_OWNERSHIP)
-            .any() &&
-            featureFlagManager.getFeatureFlag(FlagKey.MigrateMyVaultToMyItems) &&
-            isNetworkConnected &&
-            hasPersonalCiphers
-}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultSyncManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultSyncManagerImpl.kt
@@ -310,7 +310,7 @@ class VaultSyncManagerImpl(
                    localSecurityStamp?.let {
                        if (serverSecurityStamp != localSecurityStamp) {
                            // Ensure UserLogoutManager is available
-                            userLogoutManager.logout(
+                            userLogoutManager.softLogout(
                                userId = userId,
                                reason = LogoutReason.SecurityStamp,
                            )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/di/VaultManagerModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/di/VaultManagerModule.kt
@@ -3,8 +3,8 @@ package com.x8bit.bitwarden.data.vault.manager.di
 import android.content.Context
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.manager.realtime.RealtimeManager
-import com.bitwarden.data.manager.file.FileManager
 import com.bitwarden.network.service.CiphersService
+import com.bitwarden.network.service.DownloadService
 import com.bitwarden.network.service.FolderService
 import com.bitwarden.network.service.SendsService
 import com.bitwarden.network.service.SyncService
@@ -17,11 +17,9 @@ import com.x8bit.bitwarden.data.auth.manager.UserStateManager
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.AppStateManager
 import com.x8bit.bitwarden.data.platform.manager.DatabaseSchemeManager
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
-import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManager
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
@@ -29,6 +27,8 @@ import com.x8bit.bitwarden.data.vault.manager.CipherManager
 import com.x8bit.bitwarden.data.vault.manager.CipherManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.CredentialExchangeImportManager
 import com.x8bit.bitwarden.data.vault.manager.CredentialExchangeImportManagerImpl
+import com.x8bit.bitwarden.data.vault.manager.FileManager
+import com.x8bit.bitwarden.data.vault.manager.FileManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.FolderManager
 import com.x8bit.bitwarden.data.vault.manager.FolderManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.PinProtectedUserKeyManager
@@ -39,8 +39,6 @@ import com.x8bit.bitwarden.data.vault.manager.TotpCodeManager
 import com.x8bit.bitwarden.data.vault.manager.TotpCodeManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManagerImpl
-import com.x8bit.bitwarden.data.vault.manager.VaultMigrationManager
-import com.x8bit.bitwarden.data.vault.manager.VaultMigrationManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.VaultSyncManager
 import com.x8bit.bitwarden.data.vault.manager.VaultSyncManagerImpl
 import dagger.Module
@@ -59,33 +57,10 @@ import javax.inject.Singleton
@InstallIn(SingletonComponent::class)
 object VaultManagerModule {

-    @Provides
-    @Singleton
-    fun provideVaultMigrationManager(
-        authDiskSource: AuthDiskSource,
-        vaultDiskSource: VaultDiskSource,
-        settingsDiskSource: SettingsDiskSource,
-        vaultLockManager: VaultLockManager,
-        policyManager: PolicyManager,
-        featureFlagManager: FeatureFlagManager,
-        connectionManager: NetworkConnectionManager,
-        dispatcherManager: DispatcherManager,
-    ): VaultMigrationManager = VaultMigrationManagerImpl(
-        authDiskSource = authDiskSource,
-        vaultDiskSource = vaultDiskSource,
-        settingsDiskSource = settingsDiskSource,
-        vaultLockManager = vaultLockManager,
-        policyManager = policyManager,
-        featureFlagManager = featureFlagManager,
-        connectionManager = connectionManager,
-        dispatcherManager = dispatcherManager,
-    )
-
    @Provides
    @Singleton
    fun provideCipherManager(
        ciphersService: CiphersService,
-        settingsDiskSource: SettingsDiskSource,
        vaultDiskSource: VaultDiskSource,
        vaultSdkSource: VaultSdkSource,
        authDiskSource: AuthDiskSource,
@@ -96,7 +71,6 @@ object VaultManagerModule {
        pushManager: PushManager,
    ): CipherManager = CipherManagerImpl(
        fileManager = fileManager,
-        settingsDiskSource = settingsDiskSource,
        authDiskSource = authDiskSource,
        ciphersService = ciphersService,
        vaultDiskSource = vaultDiskSource,
@@ -111,7 +85,6 @@ object VaultManagerModule {
    @Singleton
    fun provideFolderManager(
        folderService: FolderService,
-        settingsDiskSource: SettingsDiskSource,
        vaultDiskSource: VaultDiskSource,
        vaultSdkSource: VaultSdkSource,
        authDiskSource: AuthDiskSource,
@@ -119,7 +92,6 @@ object VaultManagerModule {
        pushManager: PushManager,
    ): FolderManager = FolderManagerImpl(
        authDiskSource = authDiskSource,
-        settingsDiskSource = settingsDiskSource,
        folderService = folderService,
        vaultDiskSource = vaultDiskSource,
        vaultSdkSource = vaultSdkSource,
@@ -134,7 +106,6 @@ object VaultManagerModule {
        vaultDiskSource: VaultDiskSource,
        vaultSdkSource: VaultSdkSource,
        authDiskSource: AuthDiskSource,
-        settingsDiskSource: SettingsDiskSource,
        fileManager: FileManager,
        reviewPromptManager: ReviewPromptManager,
        pushManager: PushManager,
@@ -142,7 +113,6 @@ object VaultManagerModule {
    ): SendManager = SendManagerImpl(
        fileManager = fileManager,
        authDiskSource = authDiskSource,
-        settingsDiskSource = settingsDiskSource,
        sendsService = sendsService,
        vaultDiskSource = vaultDiskSource,
        vaultSdkSource = vaultSdkSource,
@@ -151,6 +121,18 @@ object VaultManagerModule {
        dispatcherManager = dispatcherManager,
    )

+    @Provides
+    @Singleton
+    fun provideFileManager(
+        @ApplicationContext context: Context,
+        downloadService: DownloadService,
+        dispatcherManager: DispatcherManager,
+    ): FileManager = FileManagerImpl(
+        context = context,
+        downloadService = downloadService,
+        dispatcherManager = dispatcherManager,
+    )
+
    @Provides
    @Singleton
    fun provideVaultLockManager(
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/model/DownloadResult.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/model/DownloadResult.kt
@@ -1,4 +1,4 @@
-package com.bitwarden.data.manager.model
+package com.x8bit.bitwarden.data.vault.manager.model

 import java.io.File

--- a/Show More
+++ b/Show More