Create a Overlay Navigation Screen

PM-38637: Bug: Add additional CRL distrobution server to clear-text permitted list (#7045 )
Chore: Update the local app version (#7043 )
2026-06-10 08:36:09 -05:00 · 2026-06-09 17:27:17 -05:00 · 2026-06-09 20:36:41 +00:00 · 2026-06-09 16:44:20 +00:00 · 2026-06-09 16:41:30 +00:00 · 2026-06-09 16:22:07 +00:00
506 changed files with 25681 additions and 8122 deletions
--- a/.claude/skills/implementing-android-code/SKILL.md
+++ b/.claude/skills/implementing-android-code/SKILL.md
@@ -1,6 +1,6 @@
 ---
 name: implementing-android-code
-version: 0.1.3
+version: 0.1.4
 description: This skill should be used when implementing Android code in Bitwarden. Covers critical patterns, gotchas, and anti-patterns unique to this codebase. Triggered by "How do I implement a ViewModel?", "Create a new screen", "Add navigation", "Write a repository", "BaseViewModel pattern", "State-Action-Event", "type-safe navigation", "@Serializable route", "SavedStateHandle persistence", "process death recovery", "handleAction", "sendAction", "Hilt module", "Repository pattern", "implementing a screen", "adding a data source", "handling navigation", "encrypted storage", "security patterns", "Clock injection", "DataState", or any questions about implementing features, screens, ViewModels, data sources, or navigation in the Bitwarden Android app.
 ---

@@ -236,6 +236,44 @@ object ExampleRepositoryModule {
 - ✅ Data sources return `Result<T>`, repositories return domain sealed classes
 - ✅ Use `StateFlow` for continuously observed data

+**KDoc on Interfaces vs. Implementations**
+
+KDoc on an interface member describes the **contract** — what the caller can rely on. It must not describe **how** the implementation fulfills that contract. Implementation details (which data source is consulted, what is cached, what is logged, which manager is delegated to, ordering of internal calls, etc.) belong on the `...Impl` member — and only when the *why* is non-obvious from the code itself.
+
+This applies to every interface in the codebase: repositories, managers, data sources, validators, and UI-layer interfaces alike. The rule is the same one CLAUDE.md states for comments in general — describe the contract or the non-obvious *why*, never the *what* a well-named identifier already conveys.
+
+❌ **Wrong** — interface KDoc leaks the implementation:
+```kotlin
+interface ExampleRepository {
+    /**
+     * Fetches data by reading from [ExampleDiskSource] first, falling back to
+     * [ExampleService] on cache miss and writing the network result back to disk.
+     */
+    suspend fun fetchData(id: String): ExampleResult
+}
+```
+
+✅ **Right** — interface KDoc describes the contract; implementation details (if needed at all) live on the override:
+```kotlin
+interface ExampleRepository {
+    /** Returns the [ExampleData] for [id], or an error result on failure. */
+    suspend fun fetchData(id: String): ExampleResult
+}
+
+class ExampleRepositoryImpl(...) : ExampleRepository {
+    // No KDoc needed — the disk-then-network pattern is visible in the code.
+    override suspend fun fetchData(id: String): ExampleResult { ... }
+}
+```
+
+Red flags that an interface KDoc has drifted into implementation territory:
+- Names a concrete collaborator (`...DiskSource`, `...Service`, `...Manager`, `...Impl`)
+- Describes ordering of internal calls ("first ... then ...", "falls back to ...")
+- Mentions caching, retries, logging, or threading behavior that callers don't depend on
+- Restates the method signature in prose ("Suspends until X returns Y")
+
+If callers genuinely depend on a behavior (e.g., "this method is safe to call before vault unlock", "result is cached for the session"), that *is* part of the contract and belongs on the interface. The test: would a different valid implementation be free to change this? If yes, it's implementation detail — strip it.
+
 ---

 ### E. UI Components
@@ -504,6 +542,9 @@ Single-line branches (body fits on the same line as `->`) do **not** need braces
 ❌ **NEVER call `Instant.now()` or `DateTime.now()` directly**
 - Inject `Clock` via Hilt, use `clock.instant()` for testability

+❌ **NEVER put implementation details in interface KDoc**
+- Interface KDoc describes the contract; concrete collaborators, call ordering, caching, and fallback behavior belong on the `...Impl` override (and only when the *why* is non-obvious). See section D for examples.
+
 ---

 ## Quick Reference
--- a/.github/actions/setup-android-build/action.yml
+++ b/.github/actions/setup-android-build/action.yml
@@ -12,12 +12,12 @@ runs:
      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0

    - name: Configure Ruby
-      uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+      uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
      with:
        bundler-cache: true

    - name: Configure JDK
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
      with:
        distribution: "temurin"
        java-version: ${{ inputs.java-version }}
--- a/.github/label-pr.json
+++ b/.github/label-pr.json
@@ -27,32 +27,6 @@
    ],
    "app:authenticator": [
      "authenticator/"
-    ],
-    "t:feature": [
-      "app/src/main/assets/fido2_privileged_community.json",
-      "app/src/main/assets/fido2_privileged_google.json",
-      "testharness/"
-    ],
-    "t:tech-debt": [
-      "gradle.properties",
-      "keystore/"
-    ],
-    "t:ci": [
-      ".checkmarx/",
-      ".github/",
-      "scripts/",
-      "fastlane/",
-      ".gradle/",
-      "detekt-config.yml"
-    ],
-    "t:docs": [
-      "docs/"
-    ],
-    "t:deps": [
-      "gradle/"
-    ],
-    "t:llm": [
-      ".claude/"
    ]
  }
 }
--- a/.github/workflows/_version.yml
+++ b/.github/workflows/_version.yml
@@ -79,7 +79,7 @@ jobs:

      - name: Check out repository
        if: ${{ !inputs.skip_checkout || false }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -167,7 +167,7 @@ jobs:
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - name: Upload version info artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: version-info
          path: version_info.json
--- a/.github/workflows/build-authenticator.yml
+++ b/.github/workflows/build-authenticator.yml
@@ -63,7 +63,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -176,7 +176,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.aab
        if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.bitwarden.authenticator.aab
          path: authenticator/build/outputs/bundle/release/com.bitwarden.authenticator.aab
@@ -184,7 +184,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.apk
        if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.bitwarden.authenticator.apk
          path: authenticator/build/outputs/apk/release/com.bitwarden.authenticator.apk
@@ -204,7 +204,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.apk-sha256.txt
        if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: authenticator-android-apk-sha256.txt
          path: ./authenticator-android-apk-sha256.txt
@@ -212,7 +212,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.aab-sha256.txt
        if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: authenticator-android-aab-sha256.txt
          path: ./authenticator-android-aab-sha256.txt
--- a/.github/workflows/build-testharness.yml
+++ b/.github/workflows/build-testharness.yml
@@ -48,7 +48,7 @@ jobs:
          inputs: "${{ toJson(inputs) }}"

      - name: Check out repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -65,7 +65,7 @@ jobs:
        run: ./gradlew :testharness:assembleDebug

      - name: Upload Test Harness APK
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.bitwarden.testharness.dev-debug.apk
          path: testharness/build/outputs/apk/debug/com.bitwarden.testharness.dev.apk
@@ -77,7 +77,7 @@ jobs:
            > ./com.bitwarden.testharness.dev.apk-sha256.txt

      - name: Upload Test Harness SHA file
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.bitwarden.testharness.dev.apk-sha256.txt
          path: ./com.bitwarden.testharness.dev.apk-sha256.txt
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -65,7 +65,7 @@ jobs:
        artifact: ["apk", "aab"]
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -192,7 +192,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.aab
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.aab
          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab
@@ -200,7 +200,7 @@ jobs:

      - name: Upload to GitHub Artifacts - beta.aab
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta.aab
          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab
@@ -208,7 +208,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.apk
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.apk
          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk
@@ -216,7 +216,7 @@ jobs:

      - name: Upload to GitHub Artifacts - beta.apk
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta.apk
          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk
@@ -225,7 +225,7 @@ jobs:
      # When building variants other than 'prod'
      - name: Upload to GitHub Artifacts - dev.apk
        if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk
          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk
@@ -263,7 +263,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.apk-sha256.txt
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.apk-sha256.txt
          path: ./com.x8bit.bitwarden.apk-sha256.txt
@@ -271,7 +271,7 @@ jobs:

      - name: Upload to GitHub Artifacts - beta.apk-sha256.txt
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta.apk-sha256.txt
          path: ./com.x8bit.bitwarden.beta.apk-sha256.txt
@@ -279,7 +279,7 @@ jobs:

      - name: Upload to GitHub Artifacts - prod.aab-sha256.txt
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.aab-sha256.txt
          path: ./com.x8bit.bitwarden.aab-sha256.txt
@@ -287,7 +287,7 @@ jobs:

      - name: Upload to GitHub Artifacts - beta.aab-sha256.txt
        if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta.aab-sha256.txt
          path: ./com.x8bit.bitwarden.beta.aab-sha256.txt
@@ -295,7 +295,7 @@ jobs:

      - name: Upload to GitHub Artifacts - debug.apk-sha256.txt
        if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
          path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
@@ -343,7 +343,7 @@ jobs:
      id-token: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -424,7 +424,7 @@ jobs:
          keyPassword:$FDROID_BETA_KEY_PASSWORD

      - name: Upload to GitHub Artifacts - fdroid.apk
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden-fdroid.apk
          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk
@@ -436,14 +436,14 @@ jobs:
          > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt

      - name: Upload to GitHub Artifacts - fdroid.apk-sha256.txt
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden-fdroid.apk-sha256.txt
          path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
          if-no-files-found: error

      - name: Upload to GitHub Artifacts - beta.fdroid.apk
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta-fdroid.apk
          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk
@@ -455,7 +455,7 @@ jobs:
          > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt

      - name: Upload to GitHub Artifacts - beta.fdroid.apk-sha256.txt
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
          path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
--- a/.github/workflows/cron-sync-google-priviledged-browsers.yml
+++ b/.github/workflows/cron-sync-google-priviledged-browsers.yml
@@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: true

--- a/.github/workflows/crowdin-pull.yml
+++ b/.github/workflows/crowdin-pull.yml
@@ -18,7 +18,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -47,16 +47,16 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          client-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
          permission-contents: write      # for creating and pushing a new branch
          permission-pull-requests: write # for creating pull request

      - name: Download translations
-        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.CROWDIN-API-TOKEN }}
--- a/.github/workflows/crowdin-push.yml
+++ b/.github/workflows/crowdin-push.yml
@@ -16,7 +16,7 @@ jobs:
      id-token: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -35,7 +35,7 @@ jobs:
          secrets: "CROWDIN-API-TOKEN"

      - name: Upload sources
-        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.CROWDIN-API-TOKEN }}
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/publish-store.yml
+++ b/.github/workflows/publish-store.yml
@@ -73,11 +73,11 @@ jobs:
          inputs: "${{ toJson(inputs) }}"

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Configure Ruby
-        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+        uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
        with:
          bundler-cache: true

@@ -169,8 +169,9 @@ jobs:
      - name: Enable Publish Github Release Workflow
        env:
          PRODUCT: ${{ inputs.product }}
+          DRY_RUN: ${{ inputs.dry-run }}
        run: |
-          if ${{ inputs.dry-run }} ; then
+          if $DRY_RUN ; then
            gh workflow view publish-github-release-bwpm.yml
            exit 0
          fi
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -22,7 +22,7 @@ jobs:
      actions: write
    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/review-code.yml
+++ b/.github/workflows/review-code.yml
@@ -2,7 +2,7 @@ name: Code Review

 on:
  pull_request:
-    types: [opened, synchronize, reopened]
+    types: [labeled, opened, ready_for_review, reopened, synchronize]

 permissions: {}

--- a/.github/workflows/sdlc-gh-release-update-issue.yml
+++ b/.github/workflows/sdlc-gh-release-update-issue.yml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/sdlc-label-pr.yml
+++ b/.github/workflows/sdlc-label-pr.yml
@@ -34,7 +34,7 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/sdlc-sdk-update.yml
+++ b/.github/workflows/sdlc-sdk-update.yml
@@ -53,17 +53,17 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          client-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
          permission-pull-requests: write
          permission-actions: read
          permission-contents: write

      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0
@@ -204,7 +204,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -99,7 +99,7 @@ jobs:
          disable_search: true

      - name: Upload test reports
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: test-reports-${{ matrix.group }}
--- a/2
+++ b/2
@@ -2,7 +2,7 @@ source 'https://rubygems.org'

 ruby File.read(".ruby-version").strip

-gem 'fastlane', '2.229.1'
+gem 'fastlane', '2.233.1'
 gem 'time', '0.4.2'

 plugins_path = File.join(File.dirname(__FILE__), 'fastlane', 'Pluginfile')
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,8 +8,8 @@ GEM
    artifactory (3.0.17)
    atomos (0.1.3)
    aws-eventstream (1.4.0)
-    aws-partitions (1.1241.0)
-    aws-sdk-core (3.246.0)
+    aws-partitions (1.1249.0)
+    aws-sdk-core (3.247.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.992.0)
      aws-sigv4 (~> 1.9)
@@ -17,17 +17,18 @@ GEM
      bigdecimal
      jmespath (~> 1, >= 1.6.1)
      logger
-    aws-sdk-kms (1.123.0)
-      aws-sdk-core (~> 3, >= 3.244.0)
+    aws-sdk-kms (1.125.0)
+      aws-sdk-core (~> 3, >= 3.247.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.220.0)
-      aws-sdk-core (~> 3, >= 3.244.0)
+    aws-sdk-s3 (1.222.0)
+      aws-sdk-core (~> 3, >= 3.247.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
    aws-sigv4 (1.12.1)
      aws-eventstream (~> 1, >= 1.0.2)
    babosa (1.0.4)
    base64 (0.2.0)
+    benchmark (0.5.0)
    bigdecimal (4.1.2)
    claide (1.1.0)
    colored (1.2)
@@ -72,15 +73,16 @@ GEM
    faraday_middleware (1.2.1)
      faraday (~> 1.0)
    fastimage (2.4.1)
-    fastlane (2.229.1)
+    fastlane (2.233.1)
      CFPropertyList (>= 2.3, < 4.0.0)
      abbrev (~> 0.1.2)
      addressable (>= 2.8, < 3.0.0)
      artifactory (~> 3.0)
-      aws-sdk-s3 (~> 1.0)
+      aws-sdk-s3 (~> 1.197)
      babosa (>= 1.0.3, < 2.0.0)
      base64 (~> 0.2.0)
-      bundler (>= 1.12.0, < 3.0.0)
+      benchmark (>= 0.1.0)
+      bundler (>= 1.17.3, < 5.0.0)
      colored (~> 1.2)
      commander (~> 4.6)
      csv (~> 3.3)
@@ -91,22 +93,24 @@ GEM
      faraday-cookie_jar (~> 0.0.6)
      faraday_middleware (~> 1.0)
      fastimage (>= 2.1.0, < 3.0.0)
-      fastlane-sirp (>= 1.0.0)
+      fastlane-sirp (>= 1.1.0)
      gh_inspector (>= 1.1.2, < 2.0.0)
      google-apis-androidpublisher_v3 (~> 0.3)
      google-apis-playcustomapp_v1 (~> 0.1)
-      google-cloud-env (>= 1.6.0, < 2.0.0)
+      google-cloud-env (>= 1.6.0, <= 2.1.1)
      google-cloud-storage (~> 1.31)
      highline (~> 2.0)
      http-cookie (~> 1.0.5)
      json (< 3.0.0)
      jwt (>= 2.1.0, < 3)
+      logger (>= 1.6, < 2.0)
      mini_magick (>= 4.9.4, < 5.0.0)
      multipart-post (>= 2.0.0, < 3.0.0)
      mutex_m (~> 0.3.0)
      naturally (~> 2.2)
      nkf (~> 0.2.0)
      optparse (>= 0.1.1, < 1.0.0)
+      ostruct (>= 0.1.0)
      plist (>= 3.1.0, < 4.0.0)
      rubyzip (>= 2.0.0, < 3.0.0)
      security (= 0.1.5)
@@ -119,47 +123,50 @@ GEM
      xcodeproj (>= 1.13.0, < 2.0.0)
      xcpretty (~> 0.4.1)
      xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
-    fastlane-plugin-firebase_app_distribution (0.10.1)
-      google-apis-firebaseappdistribution_v1 (~> 0.3.0)
-      google-apis-firebaseappdistribution_v1alpha (~> 0.2.0)
+    fastlane-plugin-firebase_app_distribution (1.0.0)
+      fastlane (>= 2.232.0)
+      google-apis-firebaseappdistribution_v1 (>= 0.9.0)
+      google-apis-firebaseappdistribution_v1alpha (>= 0.12.0)
    fastlane-sirp (1.1.0)
    gh_inspector (1.1.3)
-    google-apis-androidpublisher_v3 (0.54.0)
-      google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-core (0.11.3)
+    google-apis-androidpublisher_v3 (0.100.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-core (0.18.0)
      addressable (~> 2.5, >= 2.5.1)
-      googleauth (>= 0.16.2, < 2.a)
-      httpclient (>= 2.8.1, < 3.a)
+      googleauth (~> 1.9)
+      httpclient (>= 2.8.3, < 3.a)
      mini_mime (~> 1.0)
+      mutex_m
      representable (~> 3.0)
      retriable (>= 2.0, < 4.a)
-      rexml
-    google-apis-firebaseappdistribution_v1 (0.3.0)
-      google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-firebaseappdistribution_v1alpha (0.2.0)
-      google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-iamcredentials_v1 (0.17.0)
-      google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-playcustomapp_v1 (0.13.0)
-      google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-storage_v1 (0.31.0)
-      google-apis-core (>= 0.11.0, < 2.a)
+    google-apis-firebaseappdistribution_v1 (0.19.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-firebaseappdistribution_v1alpha (0.28.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-iamcredentials_v1 (0.27.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-playcustomapp_v1 (0.17.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-storage_v1 (0.62.0)
+      google-apis-core (>= 0.15.0, < 2.a)
    google-cloud-core (1.8.0)
      google-cloud-env (>= 1.0, < 3.a)
      google-cloud-errors (~> 1.0)
-    google-cloud-env (1.6.0)
-      faraday (>= 0.17.3, < 3.0)
+    google-cloud-env (2.1.1)
+      faraday (>= 1.0, < 3.a)
    google-cloud-errors (1.6.0)
-    google-cloud-storage (1.47.0)
+    google-cloud-storage (1.60.0)
      addressable (~> 2.8)
      digest-crc (~> 0.4)
-      google-apis-iamcredentials_v1 (~> 0.1)
-      google-apis-storage_v1 (~> 0.31.0)
+      google-apis-core (>= 0.18, < 2)
+      google-apis-iamcredentials_v1 (~> 0.18)
+      google-apis-storage_v1 (>= 0.42)
      google-cloud-core (~> 1.6)
-      googleauth (>= 0.16.2, < 2.a)
+      googleauth (~> 1.9)
      mini_mime (~> 1.0)
-    googleauth (1.8.1)
-      faraday (>= 0.17.3, < 3.a)
+    googleauth (1.11.2)
+      faraday (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.1)
      jwt (>= 1.4, < 3.0)
      multi_json (~> 1.11)
      os (>= 0.9, < 2.0)
@@ -170,13 +177,13 @@ GEM
    httpclient (2.9.0)
      mutex_m
    jmespath (1.6.2)
-    json (2.19.4)
+    json (2.19.5)
    jwt (2.10.2)
      base64
    logger (1.7.0)
    mini_magick (4.13.2)
    mini_mime (1.1.5)
-    multi_json (1.20.1)
+    multi_json (1.21.1)
    multipart-post (2.4.1)
    mutex_m (0.3.0)
    nanaimo (0.4.0)
@@ -237,7 +244,7 @@ PLATFORMS
 DEPENDENCIES
  abbrev (= 0.1.2)
  csv (= 3.3.5)
-  fastlane (= 2.229.1)
+  fastlane (= 2.233.1)
  fastlane-plugin-firebase_app_distribution
  logger (= 1.7.0)
  mutex_m (= 0.3.0)
--- a/app/src/beta/res/xml/network_security_config.xml
+++ b/app/src/beta/res/xml/network_security_config.xml
@@ -18,6 +18,7 @@
        <!-- CRL Distribution Servers -->
        <domain includeSubdomains="true">c.lencr.org</domain>
        <domain includeSubdomains="true">c.pki.goog</domain>
+        <domain includeSubdomains="true">crls.certainly.com</domain>

        <!-- OCSP Responder Servers -->
        <domain includeSubdomains="true">o.pki.goog</domain>
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -9,8 +9,8 @@
        android:name="android.hardware.nfc"
        android:required="false" />

-    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_LOCAL_NETWORK" />
+    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
    <uses-permission android:name="android.permission.NFC" />
    <uses-permission android:name="android.permission.CAMERA" />
@@ -170,6 +170,7 @@
                <data android:scheme="https" />
                <data android:host="bitwarden.com" />
                <data android:host="bitwarden.eu" />
+                <data android:host="bitwarden.pw" />
                <data android:pathPattern="/duo-callback" />
                <data android:pathPattern="/sso-callback" />
                <data android:pathPattern="/webauthn-callback" />
--- a/app/src/main/assets/fido2_privileged_google.json
+++ b/app/src/main/assets/fido2_privileged_google.json
@@ -645,6 +645,10 @@
      "info": {
        "package_name": "com.heytap.browser",
        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "B2:9A:A0:BB:DC:9F:D9:DE:F5:5D:C5:6E:A7:D7:45:76:D5:84:6C:BC:F5:E5:AB:D3:05:E2:D9:31:9E:4F:42:AE"
+          },
          {
            "build": "release",
            "cert_fingerprint_sha256": "AF:F8:A7:49:CF:0E:7D:75:44:65:D0:FB:FA:7B:8D:0C:64:5E:22:5C:10:C6:E2:32:AD:A0:D9:74:88:36:B8:E5"
@@ -656,6 +660,18 @@
        ]
      }
    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.oplus.credential",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "E4:98:02:40:95:84:CE:53:15:2A:90:00:82:0A:51:E4:FA:8A:72:3B:7B:CC:26:3E:33:52:40:AC:F1:00:BF:9E"
+          }
+        ]
+      }
+    },
    {
      "type": "android",
      "info": {
--- a/app/src/main/kotlin/com/x8bit/bitwarden/MainActivity.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/MainActivity.kt
@@ -36,13 +36,11 @@ import com.x8bit.bitwarden.data.platform.manager.util.ObserveScreenDataEffect
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.ui.platform.components.util.rememberBitwardenNavController
 import com.x8bit.bitwarden.ui.platform.composition.LocalManagerProvider
-import com.x8bit.bitwarden.ui.platform.feature.cookieacquisition.cookieAcquisitionDestination
-import com.x8bit.bitwarden.ui.platform.feature.cookieacquisition.navigateToCookieAcquisition
 import com.x8bit.bitwarden.ui.platform.feature.debugmenu.debugMenuDestination
 import com.x8bit.bitwarden.ui.platform.feature.debugmenu.manager.DebugMenuLaunchManager
 import com.x8bit.bitwarden.ui.platform.feature.debugmenu.navigateToDebugMenuScreen
-import com.x8bit.bitwarden.ui.platform.feature.rootnav.RootNavigationRoute
-import com.x8bit.bitwarden.ui.platform.feature.rootnav.rootNavDestination
+import com.x8bit.bitwarden.ui.platform.feature.overlaynav.OverlayNavRoute
+import com.x8bit.bitwarden.ui.platform.feature.overlaynav.overlayNavDestination
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
 import com.x8bit.bitwarden.ui.platform.model.AuthTabLaunchers
 import com.x8bit.bitwarden.ui.platform.util.appLanguage
@@ -93,6 +91,21 @@ class MainActivity : AppCompatActivity() {
        mainViewModel.trySendAction(MainAction.PremiumCheckoutResult(it))
    }

+    private val stripePortalLauncher = AuthTabIntent.registerActivityResultLauncher(this) {
+        mainViewModel.trySendAction(MainAction.StripePortalResult(it))
+    }
+
+    private val authTabLaunchers by lazy {
+        AuthTabLaunchers(
+            duo = duoLauncher,
+            sso = ssoLauncher,
+            webAuthn = webAuthnLauncher,
+            cookie = cookieLauncher,
+            premiumCheckout = premiumCheckoutLauncher,
+            stripePortal = stripePortalLauncher,
+        )
+    }
+
    override fun onCreate(savedInstanceState: Bundle?) {
        intent = intent.validate()
        var shouldShowSplashScreen = true
@@ -115,13 +128,7 @@ class MainActivity : AppCompatActivity() {
            updateScreenCapture(isScreenCaptureAllowed = state.isScreenCaptureAllowed)
            LocalManagerProvider(
                featureFlagsState = state.featureFlagsState,
-                authTabLaunchers = AuthTabLaunchers(
-                    duo = duoLauncher,
-                    sso = ssoLauncher,
-                    webAuthn = webAuthnLauncher,
-                    cookie = cookieLauncher,
-                    premiumCheckout = premiumCheckoutLauncher,
-                ),
+                authTabLaunchers = authTabLaunchers,
            ) {
                ObserveScreenDataEffect(
                    onDataUpdate = remember(mainViewModel) {
@@ -134,23 +141,17 @@ class MainActivity : AppCompatActivity() {
                ) {
                    NavHost(
                        navController = navController,
-                        startDestination = RootNavigationRoute,
+                        startDestination = OverlayNavRoute,
                        modifier = Modifier
                            .background(color = BitwardenTheme.colorScheme.background.primary),
                    ) {
-                        // Root navigation, debug menu, and cookie acquisition exist at
-                        // this top level. They can appear on top of the rest of the app
-                        // without interacting with the state-based navigation used by
-                        // RootNavScreen.
-                        rootNavDestination { shouldShowSplashScreen = false }
+                        // The OverlayNav and Debug destinations are the only UIs that can be
+                        // displayed here, everything else should be inside the OverlayNav.
+                        overlayNavDestination { shouldShowSplashScreen = false }
                        debugMenuDestination(
                            onNavigateBack = { navController.popBackStack() },
                            onSplashScreenRemoved = { shouldShowSplashScreen = false },
                        )
-                        cookieAcquisitionDestination(
-                            onDismiss = { navController.popBackStack() },
-                            onSplashScreenRemoved = { shouldShowSplashScreen = false },
-                        )
                    }
                }
            }
@@ -185,7 +186,7 @@ class MainActivity : AppCompatActivity() {
                locales.get(0)?.appLanguage
            }
        } else {
-            // For older versions, use what ever language is available from the repository.
+            // For older versions, use whatever language is available from the repository.
            settingsRepository.appLanguage
        }

@@ -234,8 +235,6 @@ class MainActivity : AppCompatActivity() {
                is MainEvent.CompleteAutofill -> handleCompleteAutofill(event)
                MainEvent.Recreate -> handleRecreate()
                MainEvent.NavigateToDebugMenu -> navController.navigateToDebugMenuScreen()
-                MainEvent.NavigateToCookieAcquisition -> navController.navigateToCookieAcquisition()
-
                is MainEvent.UpdateAppLocale -> {
                    AppCompatDelegate.setApplicationLocales(
                        LocaleListCompat.forLanguageTags(event.localeName),
--- a/app/src/main/kotlin/com/x8bit/bitwarden/MainViewModel.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/MainViewModel.kt
@@ -31,7 +31,6 @@ import com.x8bit.bitwarden.data.billing.util.getPremiumCheckoutCallbackResult
 import com.x8bit.bitwarden.data.credentials.manager.CredentialProviderRequestManager
 import com.x8bit.bitwarden.data.credentials.manager.model.CredentialProviderRequest
 import com.x8bit.bitwarden.data.platform.manager.AppResumeManager
-import com.x8bit.bitwarden.data.platform.manager.CookieAcquisitionRequestManager
 import com.x8bit.bitwarden.data.platform.manager.SpecialCircumstanceManager
 import com.x8bit.bitwarden.data.platform.manager.garbage.GarbageCollectionManager
 import com.x8bit.bitwarden.data.platform.manager.model.AppResumeScreenData
@@ -42,6 +41,7 @@ import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.platform.util.isAddTotpLoginItemFromAuthenticator
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
+import com.x8bit.bitwarden.ui.platform.feature.rootnav.RootNavViewModel
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
 import com.x8bit.bitwarden.ui.platform.model.FeatureFlagsState
 import com.x8bit.bitwarden.ui.platform.util.isAccountSecurityShortcut
@@ -55,7 +55,6 @@ import kotlinx.coroutines.flow.debounce
 import kotlinx.coroutines.flow.distinctUntilChanged
 import kotlinx.coroutines.flow.drop
 import kotlinx.coroutines.flow.filter
-import kotlinx.coroutines.flow.filterNotNull
 import kotlinx.coroutines.flow.first
 import kotlinx.coroutines.flow.launchIn
 import kotlinx.coroutines.flow.map
@@ -79,7 +78,6 @@ private const val ANIMATION_DEBOUNCE_DELAY_MS = 500L
 class MainViewModel @Inject constructor(
    accessibilitySelectionManager: AccessibilitySelectionManager,
    autofillSelectionManager: AutofillSelectionManager,
-    cookieAcquisitionRequestManager: CookieAcquisitionRequestManager,
    private val addTotpItemFromAuthenticatorManager: AddTotpItemFromAuthenticatorManager,
    private val specialCircumstanceManager: SpecialCircumstanceManager,
    private val garbageCollectionManager: GarbageCollectionManager,
@@ -168,13 +166,6 @@ class MainViewModel @Inject constructor(
            .onEach(::sendAction)
            .launchIn(viewModelScope)

-        cookieAcquisitionRequestManager
-            .cookieAcquisitionRequestFlow
-            .filterNotNull()
-            .map { MainAction.Internal.CookieAcquisitionReady }
-            .onEach(::sendAction)
-            .launchIn(viewModelScope)
-
        // On app launch, mark all active users as having previously logged in.
        // This covers any users who are active prior to this value being recorded.
        viewModelScope.launch {
@@ -201,6 +192,7 @@ class MainViewModel @Inject constructor(
            is MainAction.WebAuthnResult -> handleWebAuthnResult(action)
            is MainAction.CookieAcquisitionResult -> handleCookieAcquisitionResult(action)
            is MainAction.PremiumCheckoutResult -> handlePremiumCheckoutResult(action)
+            is MainAction.StripePortalResult -> handleStripePortalResult()
            is MainAction.Internal -> handleInternalAction(action)
        }
    }
@@ -222,7 +214,6 @@ class MainViewModel @Inject constructor(
            is MainAction.Internal.ScreenCaptureUpdate -> handleScreenCaptureUpdate(action)
            is MainAction.Internal.ThemeUpdate -> handleAppThemeUpdated(action)
            is MainAction.Internal.DynamicColorsUpdate -> handleDynamicColorsUpdate(action)
-            is MainAction.Internal.CookieAcquisitionReady -> handleCookieAcquisitionReady()
            is MainAction.Internal.ResizeHasBeenRequested -> handleResizeHasBeenRequested()
        }
    }
@@ -257,6 +248,10 @@ class MainViewModel @Inject constructor(
        )
    }

+    private fun handleStripePortalResult() {
+        specialCircumstanceManager.specialCircumstance = SpecialCircumstance.StripePortal
+    }
+
    private fun handleAppResumeDataUpdated(action: MainAction.ResumeScreenDataReceived) {
        when (val data = action.screenResumeData) {
            null -> appResumeManager.clearResumeScreen()
@@ -300,10 +295,6 @@ class MainViewModel @Inject constructor(
        mutableStateFlow.update { it.copy(isDynamicColorsEnabled = action.isDynamicColorsEnabled) }
    }

-    private fun handleCookieAcquisitionReady() {
-        sendEvent(MainEvent.NavigateToCookieAcquisition)
-    }
-
    private fun handleResizeHasBeenRequested() {
        mutableStateFlow.update { it.copy(hasResizeBeenRequested = true) }
    }
@@ -579,6 +570,14 @@ sealed class MainAction {
        val authResult: AuthTabIntent.AuthResult,
    ) : MainAction()

+    /**
+     * Receive the result from the Stripe customer portal flow. The AuthTab does not return a
+     * payload — closing the tab is the only signal that the user is back in the app.
+     */
+    data class StripePortalResult(
+        val authResult: AuthTabIntent.AuthResult,
+    ) : MainAction()
+
    /**
     * Receive first Intent by the application.
     */
@@ -650,12 +649,6 @@ sealed class MainAction {
            val isDynamicColorsEnabled: Boolean,
        ) : Internal()

-        /**
-         * Indicates that the cookie acquisition conditions are met and navigation
-         * should proceed.
-         */
-        data object CookieAcquisitionReady : Internal()
-
        /**
         * Indicates that resize has been requested on the Activity
         */
@@ -689,11 +682,6 @@ sealed class MainEvent {
     */
    data object NavigateToDebugMenu : MainEvent()

-    /**
-     * Navigate to the cookie acquisition screen.
-     */
-    data object NavigateToCookieAcquisition : MainEvent()
-
    /**
     * Indicates that the app language has been updated.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt
@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk

-import com.bitwarden.network.model.AccountKeysJson
+import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.provider.AppIdProvider
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
@@ -114,16 +114,6 @@ interface AuthDiskSource : AppIdProvider {
        invalidUnlockAttempts: Int?,
    )

-    /**
-     * Retrieves a user key using a [userId].
-     */
-    fun getUserKey(userId: String): String?
-
-    /**
-     * Stores a user key using a [userId].
-     */
-    fun storeUserKey(userId: String, userKey: String?)
-
    /**
     * Retrieves the local user data key for the given [userId].
     */
@@ -135,34 +125,16 @@ interface AuthDiskSource : AppIdProvider {
    fun storeLocalUserDataKey(userId: String, wrappedKey: String?)

    /**
-     * Retrieves a private key using a [userId].
+     * Returns the Wrapped Account Cryptographic State for the given [userId].
     */
-    @Deprecated(
-        message = "Use getAccountKeys instead.",
-        replaceWith = ReplaceWith("getAccountKeys"),
-    )
-    fun getPrivateKey(userId: String): String?
+    fun getAccountCryptographicState(userId: String): WrappedAccountCryptographicState?

    /**
-     * Stores a private key using a [userId].
+     * Stores the Wrapped Account Cryptographic State for a given [userId].
     */
-    @Deprecated(
-        message = "Use storeAccountKeys instead.",
-        replaceWith = ReplaceWith("storeAccountKeys"),
-    )
-    fun storePrivateKey(userId: String, privateKey: String?)
-
-    /**
-     * Returns the profile account keys for the given [userId].
-     */
-    fun getAccountKeys(userId: String): AccountKeysJson?
-
-    /**
-     * Stores the profile account keys for the given [userId].
-     */
-    fun storeAccountKeys(
+    fun storeAccountCryptographicState(
        userId: String,
-        accountKeys: AccountKeysJson?,
+        accountCryptographicState: WrappedAccountCryptographicState?,
    )

    /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk

 import android.content.SharedPreferences
+import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
+import com.bitwarden.core.data.serializer.SafeMapSerializer
 import com.bitwarden.core.data.util.decodeFromStringOrNull
 import com.bitwarden.data.datasource.disk.BaseEncryptedDiskSource
 import com.bitwarden.network.model.AccountKeysJson
@@ -10,10 +12,13 @@ import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
+import com.x8bit.bitwarden.data.auth.datasource.disk.serializer.WrappedAccountCryptographicStateSerializer
+import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
 import com.x8bit.bitwarden.data.platform.datasource.disk.legacy.LegacySecureStorageMigrator
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.onSubscription
+import kotlinx.serialization.builtins.serializer
 import kotlinx.serialization.json.Json
 import java.time.Instant
 import java.util.UUID
@@ -52,6 +57,7 @@ private const val ONBOARDING_STATUS_KEY = "onboardingStatus"
 private const val SHOW_IMPORT_LOGINS_KEY = "showImportLogins"
 private const val LAST_LOCK_TIMESTAMP = "lastLockTimestamp"
 private const val PROFILE_ACCOUNT_KEYS_KEY = "profileAccountKeys"
+private const val ACCOUNT_CRYPTOGRAPHIC_STATE_KEY = "accountCryptographicState"

 /**
 * Primary implementation of [AuthDiskSource].
@@ -89,6 +95,10 @@ class AuthDiskSourceImpl(
        mutableMapOf<String, MutableSharedFlow<String?>>()
    private val mutableUserStateFlow = bufferedMutableSharedFlow<UserStateJson?>(replay = 1)

+    private val wrappedAccountCryptographicStateSerializer by lazy {
+        WrappedAccountCryptographicStateSerializer()
+    }
+
    override var userState: UserStateJson?
        get() = getString(key = STATE_KEY)?.let { json.decodeFromStringOrNull(it) }
        set(value) {
@@ -107,6 +117,14 @@ class AuthDiskSourceImpl(
        // We must migrate the tokens from being stored in the UserState(shared preferences) to
        // being stored separately in encrypted shared preferences.
        migrateAccountTokens()
+
+        // We want to make sure that any left over encrypted user keys are scrubbed from storage
+        // Since it is no longer supported.
+        removeLegacyUserKeys()
+
+        // We must migrate the Private Key and Account Keys to use the Account Cryptographic state
+        // from now on.
+        migrateAccountKeys()
    }

    override var authenticatorSyncSymmetricKey: ByteArray?
@@ -144,11 +162,9 @@ class AuthDiskSourceImpl(

    override fun clearData(userId: String) {
        storeInvalidUnlockAttempts(userId = userId, invalidUnlockAttempts = null)
-        storeUserKey(userId = userId, userKey = null)
        storeLocalUserDataKey(userId = userId, wrappedKey = null)
        storeUserAutoUnlockKey(userId = userId, userAutoUnlockKey = null)
-        storePrivateKey(userId = userId, privateKey = null)
-        storeAccountKeys(userId = userId, accountKeys = null)
+        storeAccountCryptographicState(userId = userId, accountCryptographicState = null)
        storeOrganizationKeys(userId = userId, organizationKeys = null)
        storeOrganizations(userId = userId, organizations = null)
        storeUserBiometricInitVector(userId = userId, iv = null)
@@ -229,16 +245,6 @@ class AuthDiskSourceImpl(
        )
    }

-    override fun getUserKey(userId: String): String? =
-        getString(key = MASTER_KEY_ENCRYPTION_USER_KEY.appendIdentifier(userId))
-
-    override fun storeUserKey(userId: String, userKey: String?) {
-        putString(
-            key = MASTER_KEY_ENCRYPTION_USER_KEY.appendIdentifier(userId),
-            value = userKey,
-        )
-    }
-
    override fun getLocalUserDataKey(userId: String): String? =
        getString(key = LOCAL_USER_DATA_KEY.appendIdentifier(userId))

@@ -246,29 +252,20 @@ class AuthDiskSourceImpl(
        putString(key = LOCAL_USER_DATA_KEY.appendIdentifier(userId), value = wrappedKey)
    }

-    @Deprecated("Use getAccountKeys instead.", replaceWith = ReplaceWith("getAccountKeys"))
-    override fun getPrivateKey(userId: String): String? =
-        getString(key = MASTER_KEY_ENCRYPTION_PRIVATE_KEY.appendIdentifier(userId))
+    override fun getAccountCryptographicState(userId: String): WrappedAccountCryptographicState? =
+        getEncryptedString(key = ACCOUNT_CRYPTOGRAPHIC_STATE_KEY.appendIdentifier(userId))?.let {
+            json.decodeFromStringOrNull(wrappedAccountCryptographicStateSerializer, it)
+        }

-    @Deprecated("Use storeAccountKeys instead.", replaceWith = ReplaceWith("storeAccountKeys"))
-    override fun storePrivateKey(userId: String, privateKey: String?) {
-        putString(
-            key = MASTER_KEY_ENCRYPTION_PRIVATE_KEY.appendIdentifier(userId),
-            value = privateKey,
-        )
-    }
-
-    override fun getAccountKeys(userId: String): AccountKeysJson? =
-        getEncryptedString(key = PROFILE_ACCOUNT_KEYS_KEY.appendIdentifier(userId))
-            ?.let { json.decodeFromStringOrNull(it) }
-
-    override fun storeAccountKeys(
+    override fun storeAccountCryptographicState(
        userId: String,
-        accountKeys: AccountKeysJson?,
+        accountCryptographicState: WrappedAccountCryptographicState?,
    ) {
        putEncryptedString(
-            key = PROFILE_ACCOUNT_KEYS_KEY.appendIdentifier(userId),
-            value = accountKeys?.let { json.encodeToString(it) },
+            key = ACCOUNT_CRYPTOGRAPHIC_STATE_KEY.appendIdentifier(userId),
+            value = accountCryptographicState?.let {
+                json.encodeToString(wrappedAccountCryptographicStateSerializer, it)
+            },
        )
    }

@@ -485,8 +482,13 @@ class AuthDiskSourceImpl(
        getString(key = POLICIES_KEY.appendIdentifier(userId))
            ?.let {
                // The policies are stored as a map.
-                val policiesMap: Map<String, SyncResponseJson.Policy>? =
-                    json.decodeFromStringOrNull(it)
+                val policiesMap = json.decodeFromStringOrNull(
+                    deserializer = SafeMapSerializer(
+                        keySerializer = String.serializer(),
+                        valueSerializer = SyncResponseJson.Policy.serializer(),
+                    ),
+                    string = it,
+                )
                policiesMap?.values?.toList()
            }

@@ -655,4 +657,35 @@ class AuthDiskSourceImpl(
                .orEmpty(),
        )
    }
+
+    private fun removeLegacyUserKeys() {
+        removeWithPrefix(prefix = MASTER_KEY_ENCRYPTION_USER_KEY)
+    }
+
+    private fun migrateAccountKeys() {
+        userState
+            ?.accounts
+            .orEmpty()
+            .values
+            .forEach { account ->
+                val userId = account.profile.userId
+                val accountKeysKey = PROFILE_ACCOUNT_KEYS_KEY.appendIdentifier(userId)
+                val privateKeyKey = MASTER_KEY_ENCRYPTION_PRIVATE_KEY.appendIdentifier(userId)
+                val accountKeys = getEncryptedString(key = accountKeysKey)
+                    ?.let { json.decodeFromStringOrNull<AccountKeysJson>(it) }
+                val privateKey = accountKeys
+                    ?.publicKeyEncryptionKeyPair
+                    ?.wrappedPrivateKey
+                    ?: getString(key = privateKeyKey)
+                privateKey?.let {
+                    storeAccountCryptographicState(
+                        userId = userId,
+                        accountCryptographicState = accountKeys.toAccountCryptographicState(it),
+                    )
+                    // Remove the Account Keys and Private Key
+                    putEncryptedString(key = accountKeysKey, value = null)
+                    putString(key = privateKeyKey, value = null)
+                }
+            }
+    }
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountJson.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountJson.kt
@@ -42,7 +42,11 @@ data class AccountJson(
     * @property name The user's name (if applicable).
     * @property stamp The account's security stamp (if applicable).
     * @property organizationId The ID of the associated organization (if applicable).
-     * @property hasPremium True if the user has a Premium account.
+     * @property hasPremiumPersonally True if the user has personal Premium (i.e., a personal
+     * subscription not derived from any organization membership).
+     * @property hasPremiumFromOrganization True if any organization the user is a member of grants
+     * Premium features. `null` when the value has not yet been synced (e.g., immediately after
+     * token-based login before the first sync completes).
     * @property avatarColorHex Hex color value for a user's avatar in the "#AARRGGBB" format.
     * @property forcePasswordResetReason Describes the reason for a forced password reset.
     * @property kdfType The KDF type.
@@ -80,7 +84,10 @@ data class AccountJson(
        val avatarColorHex: String?,

        @SerialName("hasPremiumPersonally")
-        val hasPremium: Boolean?,
+        val hasPremiumPersonally: Boolean?,
+
+        @SerialName("hasPremiumFromOrganization")
+        val hasPremiumFromOrganization: Boolean?,

        @SerialName("forcePasswordResetReason")
        val forcePasswordResetReason: ForcePasswordResetReason?,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/serializer/WrappedAccountCryptographicStateSerializer.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/serializer/WrappedAccountCryptographicStateSerializer.kt
@@ -0,0 +1,85 @@
+package com.x8bit.bitwarden.data.auth.datasource.disk.serializer
+
+import com.bitwarden.core.WrappedAccountCryptographicState
+import kotlinx.serialization.KSerializer
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.descriptors.SerialDescriptor
+import kotlinx.serialization.encoding.Decoder
+import kotlinx.serialization.encoding.Encoder
+
+/**
+ * Custom [KSerializer] for [WrappedAccountCryptographicState].
+ *
+ * Encodes the sealed class with a `"type"` discriminator field:
+ * - `"v1"`: [WrappedAccountCryptographicState.V1] — wrapped private key only.
+ * - `"v2"`: [WrappedAccountCryptographicState.V2] — wrapped private key, signing key, signed
+ *   public key, and signed security state.
+ */
+internal class WrappedAccountCryptographicStateSerializer :
+    KSerializer<WrappedAccountCryptographicState> {
+
+    private val surrogateSerializer = Surrogate.serializer()
+
+    override val descriptor: SerialDescriptor = surrogateSerializer.descriptor
+
+    override fun deserialize(decoder: Decoder): WrappedAccountCryptographicState =
+        when (val surrogate = decoder.decodeSerializableValue(surrogateSerializer)) {
+            is Surrogate.V1 -> {
+                WrappedAccountCryptographicState.V1(privateKey = surrogate.privateKey)
+            }
+
+            is Surrogate.V2 -> {
+                WrappedAccountCryptographicState.V2(
+                    privateKey = surrogate.privateKey,
+                    signingKey = surrogate.signingKey,
+                    signedPublicKey = surrogate.signedPublicKey,
+                    securityState = surrogate.securityState,
+                )
+            }
+        }
+
+    override fun serialize(encoder: Encoder, value: WrappedAccountCryptographicState) {
+        val surrogate = when (value) {
+            is WrappedAccountCryptographicState.V1 -> {
+                Surrogate.V1(privateKey = value.privateKey)
+            }
+
+            is WrappedAccountCryptographicState.V2 -> {
+                Surrogate.V2(
+                    privateKey = value.privateKey,
+                    signingKey = value.signingKey,
+                    signedPublicKey = value.signedPublicKey,
+                    securityState = value.securityState,
+                )
+            }
+        }
+        encoder.encodeSerializableValue(surrogateSerializer, surrogate)
+    }
+}
+
+@Serializable
+private sealed class Surrogate {
+    @Serializable
+    @SerialName("v1")
+    data class V1(
+        @SerialName("privateKey")
+        val privateKey: String,
+    ) : Surrogate()
+
+    @Serializable
+    @SerialName("v2")
+    data class V2(
+        @SerialName("privateKey")
+        val privateKey: String,
+
+        @SerialName("signingKey")
+        val signingKey: String,
+
+        @SerialName("signedPublicKey")
+        val signedPublicKey: String?,
+
+        @SerialName("securityState")
+        val securityState: String,
+    ) : Surrogate()
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSource.kt
@@ -11,6 +11,9 @@ import com.bitwarden.core.RegisterKeyResponse
 import com.bitwarden.core.RegisterTdeKeyResponse
 import com.bitwarden.crypto.HashPurpose
 import com.bitwarden.crypto.Kdf
+import com.bitwarden.policies.OrganizationUserPolicyContext
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.x8bit.bitwarden.data.auth.datasource.sdk.model.PasswordStrength

 /**
@@ -134,4 +137,13 @@ interface AuthSdkSource {
        passwordStrength: PasswordStrength,
        policy: MasterPasswordPolicyOptions,
    ): Result<Boolean>
+
+    /**
+     * Applies the appropriate filters for determining what policies apply to the user.
+     */
+    fun filterPolicies(
+        policies: List<PolicyView>,
+        organizations: List<OrganizationUserPolicyContext>,
+        policyType: PolicyType,
+    ): Result<List<PolicyView>>
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceImpl.kt
@@ -13,14 +13,19 @@ import com.bitwarden.core.KeyConnectorResponse
 import com.bitwarden.core.MasterPasswordPolicyOptions
 import com.bitwarden.core.RegisterKeyResponse
 import com.bitwarden.core.RegisterTdeKeyResponse
+import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.crypto.HashPurpose
 import com.bitwarden.crypto.Kdf
+import com.bitwarden.policies.OrganizationUserPolicyContext
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.bitwarden.sdk.AuthClient
 import com.x8bit.bitwarden.data.auth.datasource.sdk.model.PasswordStrength
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toPasswordStrengthOrNull
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toUByte
 import com.x8bit.bitwarden.data.platform.datasource.sdk.BaseSdkSource
 import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
+import kotlinx.coroutines.withContext

 /**
 * Primary implementation of [AuthSdkSource] that serves as a convenience wrapper around a
@@ -28,6 +33,7 @@ import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
 */
@Suppress("TooManyFunctions")
 class AuthSdkSourceImpl(
+    private val dispatcherManager: DispatcherManager,
    sdkClientManager: SdkClientManager,
 ) : BaseSdkSource(sdkClientManager = sdkClientManager),
    AuthSdkSource {
@@ -42,10 +48,8 @@ class AuthSdkSourceImpl(
        masterPasswordHint: String?,
        shouldResetPasswordEnroll: Boolean,
    ): Result<JitMasterPasswordRegistrationResponse> = runCatchingWithLogs {
-        getClient(userId = userId)
-            .auth()
-            .registration()
-            .postKeysForJitPasswordRegistration(
+        withContext(context = dispatcherManager.io) {
+            getClient(userId = userId).auth().registration().postKeysForJitPasswordRegistration(
                request = JitMasterPasswordRegistrationRequest(
                    orgId = organizationId,
                    orgPublicKey = organizationPublicKey,
@@ -57,6 +61,7 @@ class AuthSdkSourceImpl(
                    resetPasswordEnroll = shouldResetPasswordEnroll,
                ),
            )
+        }
    }

    override suspend fun postKeysForKeyConnectorRegistration(
@@ -65,11 +70,13 @@ class AuthSdkSourceImpl(
        keyConnectorUrl: String,
        ssoOrganizationIdentifier: String,
    ): Result<KeyConnectorRegistrationResult> = runCatchingWithLogs {
-        useClient(userId = userId, accessToken = accessToken) {
-            auth().registration().postKeysForKeyConnectorRegistration(
-                keyConnectorUrl = keyConnectorUrl,
-                ssoOrgIdentifier = ssoOrganizationIdentifier,
-            )
+        withContext(context = dispatcherManager.io) {
+            useClient(userId = userId, accessToken = accessToken) {
+                auth().registration().postKeysForKeyConnectorRegistration(
+                    keyConnectorUrl = keyConnectorUrl,
+                    ssoOrgIdentifier = ssoOrganizationIdentifier,
+                )
+            }
        }
    }

@@ -80,10 +87,8 @@ class AuthSdkSourceImpl(
        deviceIdentifier: String,
        shouldTrustDevice: Boolean,
    ): Result<TdeRegistrationResponse> = runCatchingWithLogs {
-        getClient(userId = userId)
-            .auth()
-            .registration()
-            .postKeysForTdeRegistration(
+        withContext(context = dispatcherManager.io) {
+            getClient(userId = userId).auth().registration().postKeysForTdeRegistration(
                request = TdeRegistrationRequest(
                    orgId = organizationId,
                    orgPublicKey = organizationPublicKey,
@@ -92,6 +97,7 @@ class AuthSdkSourceImpl(
                    trustDevice = shouldTrustDevice,
                ),
            )
+        }
    }

    override suspend fun postKeysForUserPasswordRegistration(
@@ -101,23 +107,25 @@ class AuthSdkSourceImpl(
        masterPasswordHint: String?,
        emailVerificationToken: String,
    ): Result<UserMasterPasswordRegistrationResponse> = runCatchingWithLogs {
-        useClient {
-            auth().registration().postKeysForUserPasswordRegistration(
-                request = UserMasterPasswordRegistrationRequest(
-                    email = email,
-                    salt = salt,
-                    masterPassword = masterPassword,
-                    masterPasswordHint = masterPasswordHint,
-                    emailVerificationToken = emailVerificationToken,
-                    organizationUserId = null,
-                    orgInviteToken = null,
-                    orgSponsoredFreeFamilyPlanToken = null,
-                    acceptEmergencyAccessInviteToken = null,
-                    acceptEmergencyAccessId = null,
-                    providerInviteToken = null,
-                    providerUserId = null,
-                ),
-            )
+        withContext(context = dispatcherManager.io) {
+            useClient {
+                auth().registration().postKeysForUserPasswordRegistration(
+                    request = UserMasterPasswordRegistrationRequest(
+                        email = email,
+                        salt = salt,
+                        masterPassword = masterPassword,
+                        masterPasswordHint = masterPasswordHint,
+                        emailVerificationToken = emailVerificationToken,
+                        organizationUserId = null,
+                        orgInviteToken = null,
+                        orgSponsoredFreeFamilyPlanToken = null,
+                        acceptEmergencyAccessInviteToken = null,
+                        acceptEmergencyAccessId = null,
+                        providerInviteToken = null,
+                        providerUserId = null,
+                    ),
+                )
+            }
        }
    }

@@ -221,4 +229,16 @@ class AuthSdkSourceImpl(
            )
        }
    }
+
+    override fun filterPolicies(
+        policies: List<PolicyView>,
+        organizations: List<OrganizationUserPolicyContext>,
+        policyType: PolicyType,
+    ): Result<List<PolicyView>> = runCatchingWithLogs {
+        globalClient.policies().filterByType(
+            policies = policies,
+            organizationUserPolicyContexts = organizations,
+            policyType = policyType,
+        )
+    }
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/di/AuthSdkModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/di/AuthSdkModule.kt
@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.sdk.di

+import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSourceImpl
 import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
@@ -19,8 +20,10 @@ object AuthSdkModule {
    @Provides
    @Singleton
    fun provideAuthSdkSource(
+        dispatcherManager: DispatcherManager,
        sdkClientManager: SdkClientManager,
    ): AuthSdkSource = AuthSdkSourceImpl(
+        dispatcherManager = dispatcherManager,
        sdkClientManager = sdkClientManager,
    )
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManager.kt
@@ -3,7 +3,6 @@ package com.x8bit.bitwarden.data.auth.manager
 import com.bitwarden.crypto.Kdf
 import com.bitwarden.network.model.AccountKeysJson
 import com.bitwarden.network.model.KdfTypeJson
-import com.bitwarden.network.model.KeyConnectorMasterKeyResponseJson
 import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
 import com.x8bit.bitwarden.data.auth.manager.model.MigrateNewUserToKeyConnectorResult

@@ -11,14 +10,6 @@ import com.x8bit.bitwarden.data.auth.manager.model.MigrateNewUserToKeyConnectorR
 * Manager used to interface with a key connector.
 */
 interface KeyConnectorManager {
-    /**
-     * Retrieves the master key from the key connector.
-     */
-    suspend fun getMasterKeyFromKeyConnector(
-        url: String,
-        accessToken: String,
-    ): Result<KeyConnectorMasterKeyResponseJson>
-
    /**
     * Migrates an existing user to use the key connector.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManagerImpl.kt
@@ -1,14 +1,12 @@
 package com.x8bit.bitwarden.data.auth.manager

 import com.bitwarden.core.WrappedAccountCryptographicState
-import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.manager.model.FlagKey
 import com.bitwarden.core.data.util.flatMap
 import com.bitwarden.crypto.Kdf
 import com.bitwarden.network.model.AccountKeysJson
 import com.bitwarden.network.model.KdfTypeJson
 import com.bitwarden.network.model.KeyConnectorKeyRequestJson
-import com.bitwarden.network.model.KeyConnectorMasterKeyResponseJson
 import com.bitwarden.network.service.AccountsService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
@@ -17,7 +15,6 @@ import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.DeriveKeyConnectorResult
-import kotlinx.coroutines.withContext

 /**
 * The default implementation of the [KeyConnectorManager].
@@ -27,17 +24,7 @@ class KeyConnectorManagerImpl(
    private val authSdkSource: AuthSdkSource,
    private val vaultSdkSource: VaultSdkSource,
    private val featureFlagManager: FeatureFlagManager,
-    private val dispatcherManager: DispatcherManager,
 ) : KeyConnectorManager {
-    override suspend fun getMasterKeyFromKeyConnector(
-        url: String,
-        accessToken: String,
-    ): Result<KeyConnectorMasterKeyResponseJson> =
-        accountsService.getMasterKeyFromKeyConnector(
-            url = url,
-            accessToken = accessToken,
-        )
-
    override suspend fun migrateExistingUserToKeyConnector(
        userId: String,
        url: String,
@@ -97,26 +84,24 @@ class KeyConnectorManagerImpl(
        organizationIdentifier: String,
    ): Result<MigrateNewUserToKeyConnectorResult> =
        if (featureFlagManager.getFeatureFlag(FlagKey.V2EncryptionKeyConnector)) {
-            withContext(dispatcherManager.io) {
-                authSdkSource
-                    .postKeysForKeyConnectorRegistration(
-                        userId = userId,
-                        accessToken = accessToken,
-                        keyConnectorUrl = url,
-                        ssoOrganizationIdentifier = organizationIdentifier,
+            authSdkSource
+                .postKeysForKeyConnectorRegistration(
+                    userId = userId,
+                    accessToken = accessToken,
+                    keyConnectorUrl = url,
+                    ssoOrganizationIdentifier = organizationIdentifier,
+                )
+                .map {
+                    MigrateNewUserToKeyConnectorResult(
+                        masterKey = it.keyConnectorKey,
+                        encryptedUserKey = it.keyConnectorKeyWrappedUserKey,
+                        privateKey = when (val state = it.accountCryptographicState) {
+                            is WrappedAccountCryptographicState.V1 -> state.privateKey
+                            is WrappedAccountCryptographicState.V2 -> state.privateKey
+                        },
+                        accountCryptographicState = it.accountCryptographicState,
                    )
-                    .map {
-                        MigrateNewUserToKeyConnectorResult(
-                            masterKey = it.keyConnectorKey,
-                            encryptedUserKey = it.keyConnectorKeyWrappedUserKey,
-                            privateKey = when (val state = it.accountCryptographicState) {
-                                is WrappedAccountCryptographicState.V1 -> state.privateKey
-                                is WrappedAccountCryptographicState.V2 -> state.privateKey
-                            },
-                            accountCryptographicState = it.accountCryptographicState,
-                        )
-                    }
-            }
+                }
        } else {
            legacyMigrateNewUserToKeyConnector(
                accountKeys = accountKeys,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserStateManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserStateManagerImpl.kt
@@ -1,8 +1,8 @@
 package com.x8bit.bitwarden.data.auth.manager

 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.network.model.PolicyTypeJson
-import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
@@ -168,8 +168,8 @@ class UserStateManagerImpl(

    private fun existingPolicies(
        userId: String,
-        policyType: PolicyTypeJson,
-    ): List<SyncResponseJson.Policy> = policyManager.getUserPolicies(
+        policyType: PolicyType,
+    ): List<PolicyView> = policyManager.getUserPolicies(
        userId = userId,
        type = policyType,
    )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/di/AuthManagerModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/di/AuthManagerModule.kt
@@ -90,14 +90,12 @@ object AuthManagerModule {
        authSdkSource: AuthSdkSource,
        vaultSdkSource: VaultSdkSource,
        featureFlagManager: FeatureFlagManager,
-        dispatcherManager: DispatcherManager,
    ): KeyConnectorManager =
        KeyConnectorManagerImpl(
            accountsService = accountsService,
            authSdkSource = authSdkSource,
            vaultSdkSource = vaultSdkSource,
            featureFlagManager = featureFlagManager,
-            dispatcherManager = dispatcherManager,
        )

    @Provides
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt
@@ -11,6 +11,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
 import com.x8bit.bitwarden.data.auth.repository.model.DeleteAccountResult
 import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
+import com.x8bit.bitwarden.data.auth.repository.model.GetDevicesResult
 import com.x8bit.bitwarden.data.auth.repository.model.KnownDeviceResult
 import com.x8bit.bitwarden.data.auth.repository.model.LeaveOrganizationResult
 import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
@@ -357,6 +358,11 @@ interface AuthRepository :
     */
    fun setCookieCallbackResult(result: CookieCallbackResult)

+    /**
+     * Retrieves all devices registered to the current user.
+     */
+    suspend fun getDevices(): GetDevicesResult
+
    /**
     * Get a [Boolean] indicating whether this is a known device.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt
@@ -25,9 +25,9 @@ import com.bitwarden.network.model.GetTokenResponseJson
 import com.bitwarden.network.model.IdentityTokenAuthModel
 import com.bitwarden.network.model.OrganizationAutoEnrollStatusResponseJson
 import com.bitwarden.network.model.OrganizationKeysResponseJson
+import com.bitwarden.network.model.OrganizationStatusType
 import com.bitwarden.network.model.OrganizationType
 import com.bitwarden.network.model.PasswordHintResponseJson
-import com.bitwarden.network.model.PolicyTypeJson
 import com.bitwarden.network.model.PrevalidateSsoResponseJson
 import com.bitwarden.network.model.RefreshTokenResponseJson
 import com.bitwarden.network.model.RegisterFinishRequestJson
@@ -38,7 +38,6 @@ import com.bitwarden.network.model.ResetPasswordRequestJson
 import com.bitwarden.network.model.SendVerificationEmailRequestJson
 import com.bitwarden.network.model.SendVerificationEmailResponseJson
 import com.bitwarden.network.model.SetPasswordRequestJson
-import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.TrustedDeviceUserDecryptionOptionsJson
 import com.bitwarden.network.model.TwoFactorAuthMethod
 import com.bitwarden.network.model.TwoFactorDataModel
@@ -52,6 +51,8 @@ import com.bitwarden.network.service.HaveIBeenPwnedService
 import com.bitwarden.network.service.IdentityService
 import com.bitwarden.network.service.OrganizationService
 import com.bitwarden.network.util.isSslHandShakeError
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.bitwarden.ui.platform.resource.BitwardenString
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
@@ -73,6 +74,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
 import com.x8bit.bitwarden.data.auth.repository.model.DeleteAccountResult
 import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
+import com.x8bit.bitwarden.data.auth.repository.model.GetDevicesResult
 import com.x8bit.bitwarden.data.auth.repository.model.KnownDeviceResult
 import com.x8bit.bitwarden.data.auth.repository.model.LeaveOrganizationResult
 import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
@@ -102,11 +104,10 @@ import com.x8bit.bitwarden.data.auth.repository.util.CookieCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.DuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.SsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.WebAuthResult
-import com.x8bit.bitwarden.data.auth.repository.util.accountKeysJson
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
 import com.x8bit.bitwarden.data.auth.repository.util.policyInformation
-import com.x8bit.bitwarden.data.auth.repository.util.privateKey
 import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
+import com.x8bit.bitwarden.data.auth.repository.util.toDeviceInfo
 import com.x8bit.bitwarden.data.auth.repository.util.toOrganizations
 import com.x8bit.bitwarden.data.auth.repository.util.toRemovedPasswordUserStateJson
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
@@ -130,6 +131,7 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockError
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
+import com.x8bit.bitwarden.data.vault.repository.model.onVaultUnlockSuccess
 import com.x8bit.bitwarden.data.vault.repository.util.toSdkMasterPasswordUnlock
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
@@ -150,7 +152,6 @@ import kotlinx.coroutines.flow.merge
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.receiveAsFlow
 import kotlinx.coroutines.flow.stateIn
-import kotlinx.coroutines.withContext
 import timber.log.Timber
 import java.time.Clock
 import javax.inject.Singleton
@@ -187,7 +188,7 @@ class AuthRepositoryImpl(
    private val featureFlagManager: FeatureFlagManager,
    logsManager: LogsManager,
    pushManager: PushManager,
-    private val dispatcherManager: DispatcherManager,
+    dispatcherManager: DispatcherManager,
 ) : AuthRepository,
    AuthRequestManager by authRequestManager,
    BiometricsEncryptionManager by biometricsEncryptionManager,
@@ -310,6 +311,7 @@ class AuthRepositoryImpl(
    override val organizations: List<Organization>
        get() = activeUserId
            ?.let { authDiskSource.getOrganizations(it) }
+            ?.filter { it.status == OrganizationStatusType.CONFIRMED }
            .orEmpty()
            .toOrganizations()

@@ -364,7 +366,7 @@ class AuthRepositoryImpl(

        // When the policies for the user have been set, complete the login process.
        policyManager
-            .getActivePoliciesFlow(type = PolicyTypeJson.MASTER_PASSWORD)
+            .getActivePoliciesFlow(type = PolicyType.MASTER_PASSWORD)
            .onEach { policies ->
                val userId = activeUserId ?: return@onEach

@@ -532,17 +534,13 @@ class AuthRepositoryImpl(
                    .map { registerTdeKeyResponse to createAccountKeysResponse }
            }
            .onSuccess { (registerTdeKeyResponse, createAccountKeysResponse) ->
-                authDiskSource.storeAccountKeys(
+                authDiskSource.storeAccountCryptographicState(
                    userId = userId,
-                    accountKeys = createAccountKeysResponse.accountKeys,
-                )
-                // TDE and SSO user creation still uses crypto-v1. These users are not expected to
-                // have the AEAD keys so we only store the private key for now.
-                // See https://github.com/bitwarden/android/pull/5682#discussion_r2273940332
-                // for more details.
-                authDiskSource.storePrivateKey(
-                    userId = userId,
-                    privateKey = registerTdeKeyResponse.privateKey,
+                    accountCryptographicState = createAccountKeysResponse
+                        .accountKeys
+                        .toAccountCryptographicState(
+                            privateKey = registerTdeKeyResponse.privateKey,
+                        ),
                )
                vaultRepository.syncVaultState(userId = userId)
                registerTdeKeyResponse.deviceKey?.let { response ->
@@ -561,15 +559,14 @@ class AuthRepositoryImpl(
    ): Result<VaultUnlockResult> {
        val userId = profile.userId
        val shouldTrustDevice = authDiskSource.getShouldTrustDevice(userId = userId) == true
-        return withContext(dispatcherManager.io) {
-            authSdkSource.postKeysForTdeRegistration(
+        return authSdkSource
+            .postKeysForTdeRegistration(
                userId = userId,
                organizationId = orgAutoEnrollStatus.organizationId,
                organizationPublicKey = orgKeys.publicKey,
                deviceIdentifier = authDiskSource.uniqueAppId,
                shouldTrustDevice = shouldTrustDevice,
            )
-        }
            .map { response ->
                // Clear the 'should trust device' flag, since the SDK trusted the device above.
                authDiskSource.storeShouldTrustDevice(userId = userId, shouldTrustDevice = null)
@@ -581,25 +578,16 @@ class AuthRepositoryImpl(
                            decryptedUserKey = response.userKey,
                        ),
                    )
-                    .also { result ->
-                        if (result is VaultUnlockResult.Success) {
-                            authDiskSource.storeAccountKeys(
+                    .onVaultUnlockSuccess {
+                        authDiskSource.storeAccountCryptographicState(
+                            userId = userId,
+                            accountCryptographicState = response.accountCryptographicState,
+                        )
+                        if (shouldTrustDevice) {
+                            authDiskSource.storeDeviceKey(
                                userId = userId,
-                                accountKeys = response.accountCryptographicState.accountKeysJson,
+                                deviceKey = response.deviceKey,
                            )
-
-                            // Storing the private key here for legacy purposes, the
-                            // `accountKeysJson` stored above will be used for most purposes.
-                            authDiskSource.storePrivateKey(
-                                userId = userId,
-                                privateKey = response.accountCryptographicState.privateKey,
-                            )
-                            if (shouldTrustDevice) {
-                                authDiskSource.storeDeviceKey(
-                                    userId = userId,
-                                    deviceKey = response.deviceKey,
-                                )
-                            }
                        }
                    }
            }
@@ -610,25 +598,18 @@ class AuthRepositoryImpl(
        asymmetricalKey: String,
    ): LoginResult {
        val profile = authDiskSource.userState?.activeAccount?.profile
-            ?: return LoginResult.Error(errorMessage = null, error = NoActiveUserException())
+            ?: return LoginResult.Error(error = NoActiveUserException())
        val userId = profile.userId
-        val accountKeys = authDiskSource.getAccountKeys(userId = userId)
-        val privateKey = accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
-            ?: authDiskSource.getPrivateKey(userId = userId)
-            ?: return LoginResult.Error(
-                errorMessage = null,
-                error = MissingPropertyException("Private Key"),
-            )
-
+        val accountCryptographicState = authDiskSource
+            .getAccountCryptographicState(userId = userId)
+            ?: return LoginResult.Error(MissingPropertyException("Account Cryptographic State"))
        checkForVaultUnlockError(
            onVaultUnlockError = { error ->
                return error.toLoginErrorResult()
            },
        ) {
            unlockVault(
-                accountCryptographicState = accountKeys.toAccountCryptographicState(
-                    privateKey = privateKey,
-                ),
+                accountCryptographicState = accountCryptographicState,
                accountProfile = profile,
                initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                    requestPrivateKey = requestPrivateKey,
@@ -668,7 +649,7 @@ class AuthRepositoryImpl(
            onFailure = { throwable ->
                when {
                    throwable.isSslHandShakeError() -> LoginResult.CertificateError
-                    else -> LoginResult.Error(errorMessage = null, error = throwable)
+                    else -> LoginResult.Error(error = throwable)
                }
            },
            onSuccess = { it },
@@ -713,10 +694,7 @@ class AuthRepositoryImpl(
                orgIdentifier = orgIdentifier,
            )
        }
-        ?: LoginResult.Error(
-            errorMessage = null,
-            error = MissingPropertyException("Identity Token Auth Model"),
-        )
+        ?: LoginResult.Error(error = MissingPropertyException("Identity Token Auth Model"))

    override suspend fun login(
        email: String,
@@ -734,17 +712,13 @@ class AuthRepositoryImpl(
                orgIdentifier = orgIdentifier,
            )
        }
-        ?: LoginResult.Error(
-            errorMessage = null,
-            error = MissingPropertyException("Identity Token Auth Model"),
-        )
+        ?: LoginResult.Error(error = MissingPropertyException("Identity Token Auth Model"))

    override suspend fun continueKeyConnectorLogin(
        orgIdentifier: String,
        email: String,
    ): LoginResult {
        val response = keyConnectorResponse ?: return LoginResult.Error(
-            errorMessage = null,
            error = MissingPropertyException("Key Connector Response"),
        )
        return handleLoginCommonSuccess(
@@ -972,15 +946,14 @@ class AuthRepositoryImpl(
            return RegisterResult.WeakPassword
        }
        if (featureFlagManager.getFeatureFlag(key = FlagKey.V2EncryptionPassword)) {
-            return withContext(dispatcherManager.io) {
-                authSdkSource.postKeysForUserPasswordRegistration(
+            return authSdkSource
+                .postKeysForUserPasswordRegistration(
                    email = email,
                    salt = email,
                    masterPassword = masterPassword,
                    masterPasswordHint = masterPasswordHint,
                    emailVerificationToken = emailVerificationToken,
                )
-            }
                .fold(
                    onSuccess = { RegisterResult.Success },
                    onFailure = { RegisterResult.Error(errorMessage = null, error = it) },
@@ -1045,18 +1018,20 @@ class AuthRepositoryImpl(
    }

    override suspend fun removePassword(masterPassword: String): RemovePasswordResult {
-        val activeAccount = authDiskSource
+        val profile = authDiskSource
            .userState
            ?.activeAccount
+            ?.profile
            ?: return RemovePasswordResult.Error(error = NoActiveUserException())
-        val profile = activeAccount.profile
        val userId = profile.userId
-        val userKey = authDiskSource
-            .getUserKey(userId = userId)
+        val userKey = profile
+            .userDecryptionOptions
+            ?.masterPasswordUnlock
+            ?.masterKeyWrappedUserKey
            ?: return RemovePasswordResult.Error(error = MissingPropertyException("User Key"))
        val keyConnectorUrl = organizations
            .find {
-                it.shouldUseKeyConnector &&
+                it.isKeyConnectorEnabled &&
                    it.role != OrganizationType.OWNER &&
                    it.role != OrganizationType.ADMIN
            }
@@ -1221,9 +1196,6 @@ class AuthRepositoryImpl(
                            keys = null,
                        ),
                    )
-                    .onSuccess {
-                        authDiskSource.storeUserKey(userId = userId, userKey = response.newKey)
-                    }
                    .map { response.passwordHash }
            }
            .flatMap { masterPasswordHash ->
@@ -1277,31 +1249,21 @@ class AuthRepositoryImpl(
                    .map { orgKeys -> enrollStatus to orgKeys }
            }
            .flatMap { (enrollStatus, orgKeys) ->
-                withContext(dispatcherManager.io) {
-                    authSdkSource.postKeysForJitPasswordRegistration(
-                        userId = userId,
-                        organizationId = enrollStatus.organizationId,
-                        organizationPublicKey = orgKeys.publicKey,
-                        organizationSsoIdentifier = organizationIdentifier,
-                        salt = profile.email,
-                        masterPassword = password,
-                        masterPasswordHint = passwordHint,
-                        shouldResetPasswordEnroll = enrollStatus.isResetPasswordEnabled,
-                    )
-                }
+                authSdkSource.postKeysForJitPasswordRegistration(
+                    userId = userId,
+                    organizationId = enrollStatus.organizationId,
+                    organizationPublicKey = orgKeys.publicKey,
+                    organizationSsoIdentifier = organizationIdentifier,
+                    salt = profile.email,
+                    masterPassword = password,
+                    masterPasswordHint = passwordHint,
+                    shouldResetPasswordEnroll = enrollStatus.isResetPasswordEnabled,
+                )
            }
            .onSuccess { response ->
-                authDiskSource.storeAccountKeys(
+                authDiskSource.storeAccountCryptographicState(
                    userId = userId,
-                    accountKeys = response.accountCryptographicState.accountKeysJson,
-                )
-                // TDE and SSO user creation still uses crypto-v1. These users are not
-                // expected to have the AEAD keys so we only store the private key for now.
-                // See https://github.com/bitwarden/android/pull/5682#discussion_r2273940332
-                // for more details.
-                authDiskSource.storePrivateKey(
-                    userId = userId,
-                    privateKey = response.accountCryptographicState.privateKey,
+                    accountCryptographicState = response.accountCryptographicState,
                )
                authDiskSource.userState = authDiskSource.userState?.toUserStateJsonWithPassword(
                    masterPasswordUnlock = response.masterPasswordUnlock,
@@ -1358,16 +1320,11 @@ class AuthRepositoryImpl(
                        ),
                    )
                    .onSuccess {
-                        // This process is used by TDE and Enterprise accounts during initial
-                        // login. We continue to store the locally generated keys
-                        // until TDE and Enterprise accounts support AEAD keys.
-                        authDiskSource.storePrivateKey(
+                        authDiskSource.storeAccountCryptographicState(
                            userId = userId,
-                            privateKey = response.keys.private,
-                        )
-                        authDiskSource.storeUserKey(
-                            userId = userId,
-                            userKey = response.encryptedUserKey,
+                            accountCryptographicState = WrappedAccountCryptographicState.V1(
+                                privateKey = response.keys.private,
+                            ),
                        )
                    }
                    .map { response.masterPasswordHash }
@@ -1461,6 +1418,20 @@ class AuthRepositoryImpl(
        mutableCookieCallbackResultFlow.tryEmit(result)
    }

+    override suspend fun getDevices(): GetDevicesResult =
+        devicesService
+            .getDevices()
+            .fold(
+                onFailure = { GetDevicesResult.Error },
+                onSuccess = { response ->
+                    GetDevicesResult.Success(
+                        devices = response.devices.map { json ->
+                            json.toDeviceInfo(currentDeviceIdentifier = authDiskSource.uniqueAppId)
+                        },
+                    )
+                },
+            )
+
    override suspend fun getIsKnownDevice(emailAddress: String): KnownDeviceResult =
        devicesService
            .getIsKnownDevice(
@@ -1500,7 +1471,12 @@ class AuthRepositoryImpl(
            )

    override suspend fun validatePassword(password: String): ValidatePasswordResult {
-        val userId = activeUserId ?: return ValidatePasswordResult.Error(NoActiveUserException())
+        val profile = authDiskSource
+            .userState
+            ?.activeAccount
+            ?.profile
+            ?: return ValidatePasswordResult.Error(error = NoActiveUserException())
+        val userId = profile.userId
        return authDiskSource
            .getMasterPasswordHash(userId = userId)
            ?.let { masterPasswordHash ->
@@ -1516,8 +1492,10 @@ class AuthRepositoryImpl(
                    )
            }
            ?: run {
-                val encryptedKey = authDiskSource
-                    .getUserKey(userId)
+                val encryptedKey = profile
+                    .userDecryptionOptions
+                    ?.masterPasswordUnlock
+                    ?.masterKeyWrappedUserKey
                    ?: return ValidatePasswordResult.Error(MissingPropertyException("UserKey"))
                vaultSdkSource
                    .validatePasswordUserKey(
@@ -1535,8 +1513,8 @@ class AuthRepositoryImpl(
                        onSuccess = { ValidatePasswordResult.Success(isValid = true) },
                        onFailure = {
                            // We currently assume that all errors are caused by the user entering
-                            // an invalid password, this is not necessarily the case but we have no
-                            // way to differentiate between the different errors.
+                            // an invalid password, this is not necessarily the case, but we have
+                            // no way to differentiate between the different errors.
                            ValidatePasswordResult.Success(isValid = false)
                        },
                    )
@@ -1690,7 +1668,7 @@ class AuthRepositoryImpl(
     */
    private suspend fun passwordPassesPolicies(
        password: String,
-        policies: List<SyncResponseJson.Policy>,
+        policies: List<PolicyView>,
    ): Boolean {
        // If there are no master password policies that are enabled and should be
        // enforced on login, the check should complete.
@@ -1800,10 +1778,7 @@ class AuthRepositoryImpl(
                        LoginResult.UnofficialServerError
                    }

-                    else -> LoginResult.Error(
-                        errorMessage = null,
-                        error = throwable,
-                    )
+                    else -> LoginResult.Error(error = throwable)
                }
            },
            onSuccess = { loginResponse ->
@@ -1867,6 +1842,14 @@ class AuthRepositoryImpl(
        )
        val profile = userStateJson.activeAccount.profile
        val userId = profile.userId
+        authDiskSource.storeAccountTokens(
+            userId = userId,
+            accountTokens = AccountTokensJson(
+                accessToken = loginResponse.accessToken,
+                refreshToken = loginResponse.refreshToken,
+                expiresAtSec = clock.instant().epochSecond + loginResponse.expiresInSeconds,
+            ),
+        )

        checkForVaultUnlockError(
            onVaultUnlockError = { vaultUnlockError ->
@@ -1899,6 +1882,7 @@ class AuthRepositoryImpl(
                // If a new KeyConnector user is logging in for the first time,
                // we should ask him to confirm the domain
                if (isNewKeyConnectorUser && isNotConfirmed) {
+                    authDiskSource.storeAccountTokens(userId = profile.userId, accountTokens = null)
                    keyConnectorResponse = loginResponse
                    return@userStateTransaction LoginResult.ConfirmKeyConnectorDomain(
                        domain = keyConnectorUrl,
@@ -1940,16 +1924,7 @@ class AuthRepositoryImpl(
            passwordsToCheckMap.put(userId, it)
        }

-        authDiskSource.storeAccountTokens(
-            userId = userId,
-            accountTokens = AccountTokensJson(
-                accessToken = loginResponse.accessToken,
-                refreshToken = loginResponse.refreshToken,
-                expiresAtSec = clock.instant().epochSecond + loginResponse.expiresInSeconds,
-            ),
-        )
        settingsRepository.hasUserLoggedInOrCreatedAccount = true
-
        authDiskSource.userState = userStateJson
        password?.let {
            // Automatically update kdf to minimums after password unlock and userState update
@@ -1961,22 +1936,16 @@ class AuthRepositoryImpl(
                    }
                }
        }
-        loginResponse.key?.let {
-            // Only set the value if it's present, since we may have set it already
-            // when we completed the pending admin auth request.
-            authDiskSource.storeUserKey(userId = userId, userKey = it)
-        }
-        // We continue to store the private key for backwards compatibility. Key connector
-        // conversion still relies on the private key.
-        loginResponse.privateKeyOrNull()?.let {
-            // Only set the value if it's present, since we may have set it already
-            // when we completed the key connector conversion.
-            authDiskSource.storePrivateKey(userId = userId, privateKey = it)
-        }
-        loginResponse.accountKeys?.let {
-            // Only set the value if it's present, since we may have set it already
-            // when we completed the key connector conversion.
-            authDiskSource.storeAccountKeys(userId = userId, accountKeys = it)
+
+        loginResponse.privateKeyOrNull()?.let { privateKey ->
+            // Only set the value if the private key is present, since we may have set
+            // the value already when we completed the key connector conversion.
+            authDiskSource.storeAccountCryptographicState(
+                userId = userId,
+                accountCryptographicState = loginResponse.accountKeys.toAccountCryptographicState(
+                    privateKey = privateKey,
+                ),
+            )
        }
        // If the user just authenticated with a two-factor code and selected the option to
        // remember it, then the API response will return a token that will be used in place
@@ -2065,28 +2034,16 @@ class AuthRepositoryImpl(
            null
        } else if (key != null && privateKey != null) {
            // This is a returning user who should already have the key connector setup
-            keyConnectorManager
-                .getMasterKeyFromKeyConnector(
+            unlockVault(
+                accountCryptographicState = loginResponse
+                    .accountKeys
+                    .toAccountCryptographicState(privateKey = privateKey),
+                accountProfile = profile,
+                initUserCryptoMethod = InitUserCryptoMethod.KeyConnectorUrl(
                    url = keyConnectorUrl,
-                    accessToken = loginResponse.accessToken,
-                )
-                .map {
-                    unlockVault(
-                        accountCryptographicState = loginResponse
-                            .accountKeys
-                            .toAccountCryptographicState(privateKey = privateKey),
-                        accountProfile = profile,
-                        initUserCryptoMethod = InitUserCryptoMethod.KeyConnector(
-                            masterKey = it.masterKey,
-                            userKey = key,
-                        ),
-                    )
-                }
-                .fold(
-                    // If the request failed, we want to abort the login process
-                    onFailure = { VaultUnlockResult.GenericError(error = it) },
-                    onSuccess = { it },
-                )
+                    keyConnectorKeyWrappedUserKey = key,
+                ),
+            )
        } else {
            // This is a new user who needs to set up the key connector
            val userId = profile.userId
@@ -2103,35 +2060,21 @@ class AuthRepositoryImpl(
                    organizationIdentifier = orgIdentifier,
                )
                .map { keyConnector ->
+                    val accountCryptographicState = keyConnector.accountCryptographicState
                    this
                        .unlockVault(
-                            accountCryptographicState = keyConnector.accountCryptographicState,
+                            accountCryptographicState = accountCryptographicState,
                            accountProfile = profile,
                            initUserCryptoMethod = InitUserCryptoMethod.KeyConnector(
                                masterKey = keyConnector.masterKey,
                                userKey = keyConnector.encryptedUserKey,
                            ),
                        )
-                        .also { result ->
-                            if (result is VaultUnlockResult.Success) {
-                                // We now know that login/unlock was successful, so we store the
-                                // userKey and privateKey we now have since it didn't exist on the
-                                // loginResponse.
-                                authDiskSource.storeUserKey(
-                                    userId = userId,
-                                    userKey = keyConnector.encryptedUserKey,
-                                )
-                                // We continue to store the private key for backwards compatibility
-                                // since key connector conversion still relies on the private key.
-                                authDiskSource.storePrivateKey(
-                                    userId = userId,
-                                    privateKey = keyConnector.privateKey,
-                                )
-                                authDiskSource.storeAccountKeys(
-                                    userId = userId,
-                                    accountKeys = loginResponse.accountKeys,
-                                )
-                            }
+                        .onVaultUnlockSuccess {
+                            authDiskSource.storeAccountCryptographicState(
+                                userId = userId,
+                                accountCryptographicState = accountCryptographicState,
+                            )
                        }
                }
                .fold(
@@ -2206,8 +2149,8 @@ class AuthRepositoryImpl(
                    ),
                )
                // We are purposely not storing the master password hash here since it is not
-                // formatted in in a manner that we can use. We will store it properly the next
-                // time the user enters their master password and it is validated.
+                // formatted in a manner that we can use. We will store it properly the next
+                // time the user enters their master password, and it is validated.
            }
        }

@@ -2261,7 +2204,6 @@ class AuthRepositoryImpl(
                            method = AuthRequestMethod.UserKey(protectedUserKey = userKey),
                        ),
                    )
-                    authDiskSource.storeUserKey(userId = userId, userKey = userKey)
                }
            authDiskSource.storePendingAuthRequest(
                userId = userId,
@@ -2291,10 +2233,6 @@ class AuthRepositoryImpl(
                deviceProtectedUserKey = encryptedUserKey,
            ),
        )
-
-        if (vaultUnlockResult is VaultUnlockResult.Success) {
-            authDiskSource.storeUserKey(userId = userId, userKey = encryptedUserKey)
-        }
        return vaultUnlockResult
    }

@@ -2317,7 +2255,7 @@ class AuthRepositoryImpl(
            // unlock the vault for organization data after receiving the sync response if this
            // data is currently absent. These keys may be present during certain multi-phase login
            // processes or if we needed to delete the user's token due to an encrypted data
-            // corruption issue and they are forced to log back in.
+            // corruption issue, and they are forced to log back in.
            organizationKeys = authDiskSource.getOrganizationKeys(userId = userId),
        )
    }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/DeviceInfo.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/DeviceInfo.kt
@@ -0,0 +1,32 @@
+package com.x8bit.bitwarden.data.auth.repository.model
+
+import android.os.Parcelable
+import com.bitwarden.network.model.DeviceType
+import kotlinx.parcelize.Parcelize
+import java.time.Instant
+
+/**
+ * Domain model for a device registered to the current user.
+ *
+ * @property id The unique identifier of the device.
+ * @property name The name of the device.
+ * @property identifier The unique device install identifier of the device.
+ * @property type The type of the device.
+ * @property isTrusted Whether this device is trusted.
+ * @property creationDate The date and time on which this device was created.
+ * @property lastActivityDate The date and time of the device's last activity, if available.
+ * @property pendingAuthRequest The pending auth request for this device, if any.
+ * @property isCurrentDevice If this is the current device being used.
+ */
+@Parcelize
+data class DeviceInfo(
+    val id: String,
+    val name: String,
+    val identifier: String,
+    val type: DeviceType,
+    val isTrusted: Boolean,
+    val creationDate: Instant,
+    val lastActivityDate: Instant?,
+    val pendingAuthRequest: DevicePendingAuthRequest?,
+    val isCurrentDevice: Boolean,
+) : Parcelable
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/DevicePendingAuthRequest.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/DevicePendingAuthRequest.kt
@@ -0,0 +1,17 @@
+package com.x8bit.bitwarden.data.auth.repository.model
+
+import android.os.Parcelable
+import kotlinx.parcelize.Parcelize
+import java.time.Instant
+
+/**
+ * Domain model for a pending auth request associated with a device.
+ *
+ * @property id The unique identifier of the pending auth request.
+ * @property creationDate The date and time on which this auth request was created.
+ */
+@Parcelize
+data class DevicePendingAuthRequest(
+    val id: String,
+    val creationDate: Instant,
+) : Parcelable
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/GetDevicesResult.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/GetDevicesResult.kt
@@ -0,0 +1,16 @@
+package com.x8bit.bitwarden.data.auth.repository.model
+
+/**
+ * Models result of retrieving all devices registered to the current user.
+ */
+sealed class GetDevicesResult {
+    /**
+     * Contains the list of [DeviceInfo] for the current user's registered devices.
+     */
+    data class Success(val devices: List<DeviceInfo>) : GetDevicesResult()
+
+    /**
+     * There was an error retrieving the devices.
+     */
+    data object Error : GetDevicesResult()
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LoginResult.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LoginResult.kt
@@ -1,5 +1,7 @@
 package com.x8bit.bitwarden.data.auth.repository.model

+import com.x8bit.bitwarden.data.platform.util.userFriendlyMessage
+
 /**
 * Models result of logging in.
 */
@@ -30,8 +32,8 @@ sealed class LoginResult {
     * There was an error logging in.
     */
    data class Error(
-        val errorMessage: String?,
        val error: Throwable?,
+        val errorMessage: String? = error?.userFriendlyMessage,
    ) : LoginResult()

    /**
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LoginResultExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LoginResultExtensions.kt
@@ -15,5 +15,5 @@ fun VaultUnlockError.toLoginErrorResult(): LoginResult.Error = when (this) {
    is VaultUnlockResult.BiometricDecodingError,
    is VaultUnlockResult.GenericError,
    is VaultUnlockResult.InvalidStateError,
-        -> LoginResult.Error(errorMessage = null, error = this.error)
+        -> LoginResult.Error(error = this.error)
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/Organization.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/Organization.kt
@@ -9,7 +9,7 @@ import com.bitwarden.network.model.OrganizationType
 * @property name The name of the organization (if applicable).
 * @property shouldManageResetPassword Indicates that this user has the permission to manage their
 * own password.
- * @property shouldUseKeyConnector Indicates that the organization uses a key connector.
+ * @property isKeyConnectorEnabled Indicates that the organization uses a key connector.
 * @property role The user's role in the organization.
 * @property keyConnectorUrl The key connector domain (if applicable).
 * @property userIsClaimedByOrganization Indicates that the user is claimed by the organization.
@@ -20,7 +20,7 @@ data class Organization(
    val id: String,
    val name: String,
    val shouldManageResetPassword: Boolean,
-    val shouldUseKeyConnector: Boolean,
+    val isKeyConnectorEnabled: Boolean,
    val role: OrganizationType,
    val keyConnectorUrl: String?,
    val userIsClaimedByOrganization: Boolean,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/UserState.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/UserState.kt
@@ -42,7 +42,12 @@ data class UserState(
     * @property name The user's name (if applicable).
     * @property avatarColorHex Hex color value for a user's avatar in the "#AARRGGBB" format.
     * @property environment The [Environment] associated with the user's account.
-     * @property isPremium `true` if the account has a Premium membership.
+     * @property isPremium `true` if the account has a Premium membership from any source (personal
+     * subscription or organization-granted).
+     * @property isPremiumFromSelf `true` if the account has a personal Premium subscription. This
+     * is `false` for users whose only Premium access is granted by an organization they are a
+     * member of. Use this when behavior should be gated on the user's own subscription, not on
+     * organization-granted Premium.
     * @property isLoggedIn `true` if the account is logged in, or `false` if it requires additional
     * authentication to view their vault.
     * @property isVaultUnlocked Whether the user's vault is currently unlocked.
@@ -66,6 +71,7 @@ data class UserState(
        val avatarColorHex: String,
        val environment: Environment,
        val isPremium: Boolean,
+        val isPremiumFromSelf: Boolean,
        val isLoggedIn: Boolean,
        val isVaultUnlocked: Boolean,
        val needsPasswordReset: Boolean,
@@ -113,6 +119,7 @@ data class UserState(
            avatarColorHex = "".toHexColorRepresentation(),
            environment = Environment.Us,
            isPremium = false,
+            isPremiumFromSelf = false,
            isLoggedIn = false,
            isVaultUnlocked = false,
            needsPasswordReset = false,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/AccountKeysJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/AccountKeysJsonExtensions.kt
@@ -2,7 +2,6 @@ package com.x8bit.bitwarden.data.auth.repository.util

 import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.network.model.AccountKeysJson
-import com.x8bit.bitwarden.data.vault.repository.util.createWrappedAccountCryptographicState

 /**
 * Creates a [WrappedAccountCryptographicState] based on the available cryptographic parameters.
@@ -15,9 +14,20 @@ import com.x8bit.bitwarden.data.vault.repository.util.createWrappedAccountCrypto
 */
 fun AccountKeysJson?.toAccountCryptographicState(
    privateKey: String,
-): WrappedAccountCryptographicState = createWrappedAccountCryptographicState(
-    privateKey = privateKey,
-    securityState = this?.securityState?.securityState,
-    signingKey = this?.signatureKeyPair?.wrappedSigningKey,
-    signedPublicKey = this?.publicKeyEncryptionKeyPair?.signedPublicKey,
-)
+): WrappedAccountCryptographicState {
+    val securityState = this?.securityState?.securityState
+    val signingKey = this?.signatureKeyPair?.wrappedSigningKey
+    val signedPublicKey = this?.publicKeyEncryptionKeyPair?.signedPublicKey
+    return if (signingKey != null && securityState != null && signedPublicKey != null) {
+        WrappedAccountCryptographicState.V2(
+            privateKey = privateKey,
+            securityState = securityState,
+            signingKey = signingKey,
+            signedPublicKey = signedPublicKey,
+        )
+    } else {
+        WrappedAccountCryptographicState.V1(
+            privateKey = privateKey,
+        )
+    }
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/AuthDiskSourceExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/AuthDiskSourceExtensions.kt
@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.repository.util

+import com.bitwarden.network.model.OrganizationStatusType
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.repository.model.UserAccountTokens
@@ -27,6 +28,7 @@ val AuthDiskSource.userOrganizationsList: List<UserOrganizations>
                userId = userId,
                organizations = this
                    .getOrganizations(userId = userId)
+                    ?.filter { it.status == OrganizationStatusType.CONFIRMED }
                    .orEmpty()
                    .toOrganizations(),
            )
@@ -48,10 +50,15 @@ val AuthDiskSource.userOrganizationsListFlow: Flow<List<UserOrganizations>>
                        .map { (userId, _) ->
                            this
                                .getOrganizationsFlow(userId = userId)
-                                .map {
+                                .map { organizations ->
                                    UserOrganizations(
                                        userId = userId,
-                                        organizations = it.orEmpty().toOrganizations(),
+                                        organizations = organizations
+                                            ?.filter {
+                                                it.status == OrganizationStatusType.CONFIRMED
+                                            }
+                                            .orEmpty()
+                                            .toOrganizations(),
                                    )
                                }
                        },
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DeviceResponseJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DeviceResponseJsonExtensions.kt
@@ -0,0 +1,26 @@
+package com.x8bit.bitwarden.data.auth.repository.util
+
+import com.bitwarden.network.model.DeviceResponseJson
+import com.x8bit.bitwarden.data.auth.repository.model.DeviceInfo
+import com.x8bit.bitwarden.data.auth.repository.model.DevicePendingAuthRequest
+
+/**
+ * Maps the given [DeviceResponseJson] to a [DeviceInfo].
+ */
+fun DeviceResponseJson.toDeviceInfo(currentDeviceIdentifier: String): DeviceInfo =
+    DeviceInfo(
+        id = id,
+        name = name,
+        identifier = identifier,
+        type = type,
+        isTrusted = isTrusted,
+        creationDate = creationDate,
+        lastActivityDate = lastActivityDate,
+        pendingAuthRequest = devicePendingAuthRequest?.let {
+            DevicePendingAuthRequest(
+                id = it.id,
+                creationDate = it.creationDate,
+            )
+        },
+        isCurrentDevice = identifier == currentDeviceIdentifier,
+    )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/GetTokenResponseExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/GetTokenResponseExtensions.kt
@@ -31,7 +31,8 @@ fun GetTokenResponseJson.Success.toUserState(
            stamp = null,
            organizationId = null,
            avatarColorHex = null,
-            hasPremium = jwtTokenData.hasPremium,
+            hasPremiumPersonally = jwtTokenData.hasPremium,
+            hasPremiumFromOrganization = null,
            forcePasswordResetReason = this.toForcePasswordResetReason(),
            kdfType = this.kdfType,
            kdfIterations = this.kdfIterations,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/SyncResponseJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/SyncResponseJsonExtensions.kt
@@ -1,11 +1,24 @@
 package com.x8bit.bitwarden.data.auth.repository.util

 import com.bitwarden.core.data.util.decodeFromStringOrNull
-import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.network.model.MemberDecryptionType
+import com.bitwarden.network.model.OrganizationStatusType
+import com.bitwarden.network.model.OrganizationType
+import com.bitwarden.network.model.ProductTierType
+import com.bitwarden.network.model.ProviderType
 import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.organizations.OrganizationUserStatusType
+import com.bitwarden.organizations.OrganizationUserType
+import com.bitwarden.organizations.Permissions
+import com.bitwarden.organizations.ProfileOrganization
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.x8bit.bitwarden.data.auth.repository.model.Organization
 import com.x8bit.bitwarden.data.auth.repository.model.PolicyInformation
 import kotlinx.serialization.json.Json
+import com.bitwarden.organizations.MemberDecryptionType as SdkMemberDecryptionType
+import com.bitwarden.organizations.ProductTierType as SdkProductTierType
+import com.bitwarden.organizations.ProviderType as SdkProviderType

 private val JSON = Json {
    ignoreUnknownKeys = true
@@ -21,7 +34,7 @@ fun SyncResponseJson.Profile.Organization.toOrganization(): Organization? =
        Organization(
            id = this.id,
            name = it,
-            shouldUseKeyConnector = this.shouldUseKeyConnector,
+            isKeyConnectorEnabled = this.isKeyConnectorEnabled,
            role = this.type,
            shouldManageResetPassword = this.permissions.shouldManageResetPassword,
            keyConnectorUrl = this.keyConnectorUrl,
@@ -39,28 +52,164 @@ fun List<SyncResponseJson.Profile.Organization>.toOrganizations(): List<Organiza
    this.mapNotNull { it.toOrganization() }

 /**
- * Convert the JSON data of the [SyncResponseJson.Policy] object into [PolicyInformation] data.
+ * Maps the given list of [SyncResponseJson.Profile.Organization] to a list of
+ * [ProfileOrganization]s.
 */
-val SyncResponseJson.Policy.policyInformation: PolicyInformation?
-    get() = data?.toString()?.let {
+@Suppress("MaxLineLength")
+fun List<SyncResponseJson.Profile.Organization>.toSdkProfileOrganizations(): List<ProfileOrganization> =
+    this.mapNotNull { it.toSdkProfileOrganization() }

+/**
+ * Maps the given [SyncResponseJson.Profile.Organization] to a [ProfileOrganization] or `null` if
+ * the [SyncResponseJson.Profile.Organization.name] is not present.
+ */
+@Suppress("LongMethod")
+private fun SyncResponseJson.Profile.Organization.toSdkProfileOrganization(): ProfileOrganization? =
+    this.name?.let {
+        ProfileOrganization(
+            id = this.id,
+            name = it,
+            status = this.status.toSdkOrganizationUserStatusType(),
+            type = this.type.toSdkOrganizationUserType(),
+            enabled = this.isEnabled,
+            usePolicies = this.shouldUsePolicies,
+            useGroups = this.shouldUseGroups,
+            useDirectory = this.shouldUseDirectory,
+            useEvents = this.shouldUseEvents,
+            useTotp = this.shouldUseTotp,
+            use2fa = this.use2fa,
+            useApi = this.shouldUseApi,
+            useSso = this.useSso,
+            useOrganizationDomains = this.useOrganizationDomains,
+            useKeyConnector = this.shouldUseKeyConnector,
+            useScim = this.useScim,
+            useCustomPermissions = this.useCustomPermissions,
+            useResetPassword = this.useResetPassword,
+            useSecretsManager = this.useSecretsManager,
+            usePasswordManager = this.usePasswordManager,
+            useActivateAutofillPolicy = this.useActivateAutofillPolicy,
+            useAutomaticUserConfirmation = this.useAutomaticUserConfirmation,
+            selfHost = this.isSelfHost,
+            usersGetPremium = this.shouldUsersGetPremium,
+            seats = this.seats,
+            maxCollections = this.maxCollections,
+            maxStorageGb = this.maxStorageGb,
+            ssoBound = this.ssoBound,
+            identifier = this.identifier,
+            permissions = this.permissions.toSdkPermissions(),
+            resetPasswordEnrolled = this.resetPasswordEnrolled,
+            userId = this.userId,
+            organizationUserId = this.organizationUserId,
+            hasPublicAndPrivateKeys = this.hasPublicAndPrivateKeys,
+            providerId = this.providerId,
+            providerName = this.providerName,
+            providerType = this.providerType?.toSdkProviderType(),
+            isProviderUser = this.isProviderUser,
+            isMember = this.isMember,
+            familySponsorshipFriendlyName = this.familySponsorshipFriendlyName,
+            familySponsorshipAvailable = this.familySponsorshipAvailable,
+            productTierType = this.productTierType.toSdkProductTierType(),
+            keyConnectorEnabled = this.isKeyConnectorEnabled,
+            keyConnectorUrl = this.keyConnectorUrl,
+            familySponsorshipLastSyncDate = this.familySponsorshipLastSyncDate,
+            familySponsorshipValidUntil = this.familySponsorshipValidUntil,
+            familySponsorshipToDelete = this.familySponsorshipToDelete,
+            accessSecretsManager = this.accessSecretsManager,
+            limitCollectionCreation = this.limitCollectionCreation,
+            limitCollectionDeletion = this.limitCollectionDeletion,
+            limitItemDeletion = this.limitItemDeletion,
+            allowAdminAccessToAllCollectionItems = this.allowAdminAccessToAllCollectionItems,
+            userIsManagedByOrganization = this.userIsClaimedByOrganization,
+            useAccessIntelligence = this.useAccessIntelligence,
+            useAdminSponsoredFamilies = this.useAdminSponsoredFamilies,
+            useDisableSmAdsForUsers = this.useDisableSmAdsForUsers,
+            isAdminInitiated = this.isAdminInitiated,
+            ssoEnabled = this.ssoEnabled,
+            ssoMemberDecryptionType = this.ssoMemberDecryptionType?.toSdkMemberDecryptionType(),
+            usePhishingBlocker = this.usePhishingBlocker,
+            useMyItems = this.useMyItems,
+        )
+    }
+
+/**
+ * Convert the JSON data of the [PolicyView] object into [PolicyInformation] data.
+ */
+val PolicyView.policyInformation: PolicyInformation?
+    get() = data?.let {
        when (type) {
-            PolicyTypeJson.MASTER_PASSWORD -> {
+            PolicyType.MASTER_PASSWORD -> {
                JSON.decodeFromStringOrNull<PolicyInformation.MasterPassword>(it)
            }

-            PolicyTypeJson.PASSWORD_GENERATOR -> {
+            PolicyType.PASSWORD_GENERATOR -> {
                JSON.decodeFromStringOrNull<PolicyInformation.PasswordGenerator>(it)
            }

-            PolicyTypeJson.MAXIMUM_VAULT_TIMEOUT -> {
+            PolicyType.MAXIMUM_VAULT_TIMEOUT -> {
                JSON.decodeFromStringOrNull<PolicyInformation.VaultTimeout>(it)
            }

-            PolicyTypeJson.SEND_OPTIONS -> {
+            PolicyType.SEND_OPTIONS -> {
                JSON.decodeFromStringOrNull<PolicyInformation.SendOptions>(it)
            }

            else -> null
        }
    }
+
+private fun SyncResponseJson.Profile.Permissions.toSdkPermissions(): Permissions =
+    Permissions(
+        accessEventLogs = this.accessEventLogs,
+        accessImportExport = this.accessImportExport,
+        accessReports = this.accessReports,
+        createNewCollections = this.createNewCollections,
+        editAnyCollection = this.editAnyCollection,
+        deleteAnyCollection = this.deleteAnyCollection,
+        manageGroups = this.manageGroups,
+        manageSso = this.manageSso,
+        managePolicies = this.shouldManagePolicies,
+        manageUsers = this.manageUsers,
+        manageResetPassword = this.shouldManageResetPassword,
+        manageScim = this.manageScim,
+    )
+
+private fun OrganizationStatusType.toSdkOrganizationUserStatusType(): OrganizationUserStatusType =
+    when (this) {
+        OrganizationStatusType.REVOKED -> OrganizationUserStatusType.REVOKED
+        OrganizationStatusType.INVITED -> OrganizationUserStatusType.INVITED
+        OrganizationStatusType.ACCEPTED -> OrganizationUserStatusType.ACCEPTED
+        OrganizationStatusType.CONFIRMED -> OrganizationUserStatusType.CONFIRMED
+    }
+
+private fun OrganizationType.toSdkOrganizationUserType(): OrganizationUserType =
+    when (this) {
+        OrganizationType.OWNER -> OrganizationUserType.OWNER
+        OrganizationType.ADMIN -> OrganizationUserType.ADMIN
+        OrganizationType.USER -> OrganizationUserType.USER
+        OrganizationType.CUSTOM -> OrganizationUserType.CUSTOM
+    }
+
+private fun ProviderType.toSdkProviderType(): SdkProviderType =
+    when (this) {
+        ProviderType.MSP -> SdkProviderType.MSP
+        ProviderType.RESELLER -> SdkProviderType.RESELLER
+        ProviderType.BUSINESS_UNIT -> SdkProviderType.BUSINESS_UNIT
+    }
+
+private fun ProductTierType.toSdkProductTierType(): SdkProductTierType =
+    when (this) {
+        ProductTierType.FREE -> SdkProductTierType.FREE
+        ProductTierType.FAMILIES -> SdkProductTierType.FAMILIES
+        ProductTierType.TEAMS -> SdkProductTierType.TEAMS
+        ProductTierType.ENTERPRISE -> SdkProductTierType.ENTERPRISE
+        ProductTierType.TEAMS_STARTER -> SdkProductTierType.TEAMS_STARTER
+    }
+
+private fun MemberDecryptionType.toSdkMemberDecryptionType(): SdkMemberDecryptionType =
+    when (this) {
+        MemberDecryptionType.MASTER_PASSWORD -> SdkMemberDecryptionType.MASTER_PASSWORD
+        MemberDecryptionType.KEY_CONNECTOR -> SdkMemberDecryptionType.KEY_CONNECTOR
+        MemberDecryptionType.TRUSTED_DEVICE_ENCRYPTION -> {
+            SdkMemberDecryptionType.TRUSTED_DEVICE_ENCRYPTION
+        }
+    }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt
@@ -5,9 +5,10 @@ import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.bitwarden.network.model.KdfTypeJson
 import com.bitwarden.network.model.MasterPasswordUnlockDataJson
 import com.bitwarden.network.model.OrganizationType
-import com.bitwarden.network.model.PolicyTypeJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.UserDecryptionOptionsJson
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.bitwarden.ui.platform.base.util.toHexColorRepresentation
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
@@ -33,7 +34,10 @@ fun UserStateJson.toRemovedPasswordUserStateJson(
    val profile = account.profile
    val updatedUserDecryptionOptions = profile
        .userDecryptionOptions
-        ?.copy(hasMasterPassword = false)
+        ?.copy(
+            hasMasterPassword = false,
+            masterPasswordUnlock = null,
+        )
        ?: UserDecryptionOptionsJson(
            hasMasterPassword = false,
            trustedDeviceUserDecryptionOptions = null,
@@ -67,7 +71,10 @@ fun UserStateJson.toUpdatedUserStateJson(
        ?.let { syncUserDecryption ->
            profile
                .userDecryptionOptions
-                ?.copy(masterPasswordUnlock = syncUserDecryption.masterPasswordUnlock)
+                ?.copy(
+                    hasMasterPassword = syncUserDecryption.masterPasswordUnlock != null,
+                    masterPasswordUnlock = syncUserDecryption.masterPasswordUnlock,
+                )
                ?: UserDecryptionOptionsJson(
                    hasMasterPassword = syncUserDecryption.masterPasswordUnlock != null,
                    trustedDeviceUserDecryptionOptions = null,
@@ -83,7 +90,8 @@ fun UserStateJson.toUpdatedUserStateJson(
        .copy(
            avatarColorHex = syncProfile.avatarColor,
            stamp = syncProfile.securityStamp,
-            hasPremium = syncProfile.isPremium || syncProfile.isPremiumFromOrganization,
+            hasPremiumPersonally = syncProfile.isPremium,
+            hasPremiumFromOrganization = syncProfile.isPremiumFromOrganization,
            isTwoFactorEnabled = syncProfile.isTwoFactorEnabled,
            creationDate = syncProfile.creationDate,
            userDecryptionOptions = userDecryptionOptions,
@@ -191,7 +199,7 @@ fun UserStateJson.toUserState(
    isBiometricsEnabledProvider: (userId: String) -> Boolean,
    vaultUnlockTypeProvider: (userId: String) -> VaultUnlockType,
    isDeviceTrustedProvider: (userId: String) -> Boolean,
-    getUserPolicies: (userId: String, policy: PolicyTypeJson) -> List<SyncResponseJson.Policy>,
+    getUserPolicies: (userId: String, policy: PolicyType) -> List<PolicyView>,
 ): UserState =
    UserState(
        activeUserId = this.activeUserId,
@@ -234,15 +242,15 @@ fun UserStateJson.toUserState(

                val hasPersonalOwnershipRestrictedOrg = getUserPolicies(
                    userId,
-                    PolicyTypeJson.PERSONAL_OWNERSHIP,
+                    PolicyType.ORGANIZATION_DATA_OWNERSHIP,
                )
-                    .any { it.isEnabled }
+                    .any { it.enabled }

                val hasPersonalVaultExportRestrictedOrg = getUserPolicies(
                    userId,
-                    PolicyTypeJson.DISABLE_PERSONAL_VAULT_EXPORT,
+                    PolicyType.DISABLE_PERSONAL_VAULT_EXPORT,
                )
-                    .any { it.isEnabled }
+                    .any { it.enabled }

                UserState.Account(
                    userId = userId,
@@ -253,7 +261,9 @@ fun UserStateJson.toUserState(
                        .settings
                        .environmentUrlData
                        .toEnvironmentUrlsOrDefault(),
-                    isPremium = profile.hasPremium == true,
+                    isPremium = profile.hasPremiumPersonally == true ||
+                        profile.hasPremiumFromOrganization == true,
+                    isPremiumFromSelf = profile.hasPremiumPersonally == true,
                    isLoggedIn = userAccountTokens
                        .find { it.userId == userId }
                        ?.isLoggedIn == true,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/model/Browser.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/model/Browser.kt
@@ -6,6 +6,7 @@ package com.x8bit.bitwarden.data.autofill.accessibility.model
 data class Browser(
    val packageName: String,
    val possibleUrlFieldIds: List<String>,
+    val possibleUrlSemanticIds: List<String> = emptyList(),
    val urlExtractor: (String) -> String? = { it },
 ) {
    constructor(
@@ -15,6 +16,7 @@ data class Browser(
    ) : this(
        packageName = packageName,
        possibleUrlFieldIds = listOf(urlFieldId),
+        possibleUrlSemanticIds = emptyList(),
        urlExtractor = urlExtractor,
    )
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/parser/AccessibilityParserImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/parser/AccessibilityParserImpl.kt
@@ -43,22 +43,34 @@ class AccessibilityParserImpl(
        return browser
            .possibleUrlFieldIds
            .flatMap { viewId ->
-                rootNode
-                    .findAccessibilityNodeInfosByViewId("$packageName:id/$viewId")
-                    .map { accessibilityNodeInfo ->
-                        browser
-                            .urlExtractor(accessibilityNodeInfo.text.toString())
-                            ?.trim()
-                            ?.let { rawUrl ->
-                                if (rawUrl.contains(other = ".") && !rawUrl.hasHttpProtocol()) {
-                                    "https://$rawUrl"
-                                } else {
-                                    rawUrl
-                                }
-                            }
+                rootNode.findAccessibilityNodeInfosByViewId("$packageName:id/$viewId")
+            }
+            .ifEmpty {
+                browser
+                    .possibleUrlSemanticIds
+                    .flatMap { semanticId ->
+                        // Semantic IDs are exposed as viewIdResourceName via testTagsAsResourceId
+                        // and cannot be found via findAccessibilityNodeInfosByViewId on Firefox.
+                        accessibilityNodeInfoManager.findAccessibilityNodeInfoList(rootNode) {
+                            it.viewIdResourceName == semanticId
+                        }
+                    }
+            }
+            .firstNotNullOfOrNull { node ->
+                val urlText = node.text?.toString()?.takeIf { it.isNotEmpty() }
+                    ?: node.contentDescription?.toString()?.takeIf { it.isNotEmpty() }
+                    ?: return@firstNotNullOfOrNull null
+                browser
+                    .urlExtractor(urlText)
+                    ?.trim()
+                    ?.let { rawUrl ->
+                        if (rawUrl.contains(other = ".") && !rawUrl.hasHttpProtocol()) {
+                            "https://$rawUrl"
+                        } else {
+                            rawUrl
+                        }
                    }
            }
-            .firstOrNull()
            ?.toUriOrNull()
    }
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/util/BrowserUtil.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/accessibility/util/BrowserUtil.kt
@@ -2,6 +2,15 @@ package com.x8bit.bitwarden.data.autofill.accessibility.util

 import com.x8bit.bitwarden.data.autofill.accessibility.model.Browser

+/**
+ * URL extractor for Mozilla browsers whose toolbar exposes the URL via [contentDescription]
+ * rather than [text]. The content description format is " $url. Search or enter address".
+ * Falls back to [text] for builds where the URL is still exposed via [text].
+ */
+private val mozillaUrlExtractor: (String) -> String? = { text ->
+    text.trim().split(" ").firstOrNull()?.trimEnd('.')?.takeIf { it.isNotEmpty() }
+}
+
 /**
 * Determines if the [String] receiver is a package name for a supported browser and returns that
 * [Browser] if it is a match.
@@ -36,14 +45,21 @@ private val ACCESSIBILITY_SUPPORTED_BROWSERS = listOf(
    Browser(packageName = "com.cookiegames.smartcookie", urlFieldId = "search"),
    Browser(
        packageName = "com.cookiejarapps.android.smartcookieweb",
-        urlFieldId = "mozac_browser_toolbar_url_view",
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view"),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(packageName = "com.duckduckgo.mobile.android", urlFieldId = "omnibarTextInput"),
    Browser(packageName = "com.ecosia.android", urlFieldId = "url_bar"),
    Browser(packageName = "com.google.android.apps.chrome", urlFieldId = "url_bar"),
    Browser(packageName = "com.google.android.apps.chrome_dev", urlFieldId = "url_bar"),
    // "com.google.android.captiveportallogin": URL displayed in ActionBar subtitle without viewId
-    Browser(packageName = "com.iode.firefox", urlFieldId = "mozac_browser_toolbar_url_view"),
+    Browser(
+        packageName = "com.iode.firefox",
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view"),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
+    ),
    Browser(packageName = "com.jamal2367.styx", urlFieldId = "search"),
    Browser(packageName = "com.kiwibrowser.browser", urlFieldId = "url_bar"),
    Browser(packageName = "com.kiwibrowser.browser.dev", urlFieldId = "url_bar"),
@@ -67,7 +83,12 @@ private val ACCESSIBILITY_SUPPORTED_BROWSERS = listOf(
    Browser(
        packageName = "com.qwant.liberty",
        // 2nd = Legacy (before v4)
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(packageName = "com.rainsee.create", urlFieldId = "search_box"),
    Browser(packageName = "com.sec.android.app.sbrowser", urlFieldId = "location_bar_edit_text"),
@@ -102,7 +123,9 @@ private val ACCESSIBILITY_SUPPORTED_BROWSERS = listOf(
    Browser(packageName = "idm.internet.download.manager.plus", urlFieldId = "search"),
    Browser(
        packageName = "io.github.forkmaintainers.iceraven",
-        urlFieldId = "mozac_browser_toolbar_url_view",
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view"),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(packageName = "mark.via", urlFieldId = "am,an"),
    Browser(packageName = "mark.via.gp", urlFieldId = "as"),
@@ -129,78 +152,155 @@ private val ACCESSIBILITY_SUPPORTED_BROWSERS = listOf(
    Browser(
        packageName = "org.gnu.icecat",
        // 2nd = Anticipation
-        possibleUrlFieldIds = listOf("url_bar_title", "mozac_browser_toolbar_url_view"),
+        possibleUrlFieldIds = listOf(
+            "url_bar_title",
+            "mozac_browser_toolbar_url_view",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.ironfoxoss.ironfox",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.ironfoxoss.ironfox.nightly",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
+    ),
+    Browser(
+        packageName = "org.mozilla.fenix",
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view"),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
-    Browser(packageName = "org.mozilla.fenix", urlFieldId = "mozac_browser_toolbar_url_view"),
    // [DEPRECATED ENTRY]
    Browser(
        packageName = "org.mozilla.fenix.nightly",
-        urlFieldId = "mozac_browser_toolbar_url_view",
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    // [DEPRECATED ENTRY]
    Browser(
        packageName = "org.mozilla.fennec_aurora",
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        // 2nd = Legacy
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.fennec_fdroid",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.firefox",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.firefox_beta",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.focus",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "display_url"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "display_url",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.focus.beta",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "display_url"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "display_url",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.focus.nightly",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "display_url"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "display_url",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.klar",
        // 2nd = Legacy
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "display_url"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "display_url",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.mozilla.reference.browser",
-        urlFieldId = "mozac_browser_toolbar_url_view",
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view"),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(packageName = "org.mozilla.rocket", urlFieldId = "display_url"),
    Browser(
        packageName = "org.torproject.torbrowser",
        // 2nd = Legacy (before v10.0.3)
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(
        packageName = "org.torproject.torbrowser_alpha",
        // 2nd = Legacy (before v10.0a8)
-        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+        possibleUrlFieldIds = listOf(
+            "mozac_browser_toolbar_url_view",
+            "url_bar_title",
+        ),
+        possibleUrlSemanticIds = listOf("ADDRESSBAR_URL_BOX"),
+        urlExtractor = mozillaUrlExtractor,
    ),
    Browser(packageName = "org.ungoogled.chromium.extensions.stable", urlFieldId = "url_bar"),
    Browser(packageName = "org.ungoogled.chromium.stable", urlFieldId = "url_bar"),
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/processor/AutofillProcessorImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/processor/AutofillProcessorImpl.kt
@@ -6,7 +6,7 @@ import android.service.autofill.FillRequest
 import android.service.autofill.SaveCallback
 import android.service.autofill.SaveRequest
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
-import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.policies.PolicyType
 import com.x8bit.bitwarden.data.autofill.builder.FillResponseBuilder
 import com.x8bit.bitwarden.data.autofill.builder.FilledDataBuilder
 import com.x8bit.bitwarden.data.autofill.builder.SaveInfoBuilder
@@ -80,7 +80,7 @@ class AutofillProcessorImpl(
            return
        }

-        if (policyManager.getActivePolicies(PolicyTypeJson.PERSONAL_OWNERSHIP).any()) {
+        if (policyManager.getActivePolicies(PolicyType.ORGANIZATION_DATA_OWNERSHIP).any()) {
            saveCallback.onSuccess()
            return
        }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/provider/AutofillCipherProviderImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/provider/AutofillCipherProviderImpl.kt
@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.autofill.provider

-import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.policies.PolicyType
 import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherListViewType
 import com.bitwarden.vault.CipherRepromptType
@@ -58,7 +58,7 @@ class AutofillCipherProviderImpl(
    override suspend fun getCardAutofillCiphers(): List<AutofillCipher.Card> {
        val cipherListViews = getUnlockedCipherListViewsOrNull() ?: return emptyList()
        val organizationIdsWithCardTypeRestrictions = policyManager
-            .getActivePolicies(PolicyTypeJson.RESTRICT_ITEM_TYPES)
+            .getActivePolicies(PolicyType.RESTRICTED_ITEM_TYPES)
            .map { it.organizationId }
        return cipherListViews
            .mapNotNull { cipherListView ->
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/di/BillingModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/di/BillingModule.kt
@@ -4,7 +4,6 @@ import android.content.Context
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.network.service.BillingService
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.billing.manager.PlayBillingManager
 import com.x8bit.bitwarden.data.billing.manager.PlayBillingManagerImpl
 import com.x8bit.bitwarden.data.billing.manager.PremiumStateManager
@@ -14,6 +13,7 @@ import com.x8bit.bitwarden.data.billing.repository.BillingRepositoryImpl
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import dagger.Module
 import dagger.Provides
@@ -54,21 +54,21 @@ object BillingModule {
    @Singleton
    fun providePremiumStateManager(
        authDiskSource: AuthDiskSource,
-        authRepository: AuthRepository,
        billingRepository: BillingRepository,
        settingsDiskSource: SettingsDiskSource,
        vaultRepository: VaultRepository,
        featureFlagManager: FeatureFlagManager,
+        environmentRepository: EnvironmentRepository,
        pushManager: PushManager,
        clock: Clock,
        dispatcherManager: DispatcherManager,
    ): PremiumStateManager = PremiumStateManagerImpl(
        authDiskSource = authDiskSource,
-        authRepository = authRepository,
        billingRepository = billingRepository,
        settingsDiskSource = settingsDiskSource,
        vaultRepository = vaultRepository,
        featureFlagManager = featureFlagManager,
+        environmentRepository = environmentRepository,
        pushManager = pushManager,
        clock = clock,
        dispatcherManager = dispatcherManager,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/manager/PremiumStateManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/manager/PremiumStateManager.kt
@@ -1,5 +1,7 @@
 package com.x8bit.bitwarden.data.billing.manager

+import com.x8bit.bitwarden.data.billing.repository.model.SubscriptionStatusState
+import com.x8bit.bitwarden.data.billing.repository.model.UpgradeLifecycleState
 import kotlinx.coroutines.flow.StateFlow

 /**
@@ -26,6 +28,34 @@ interface PremiumStateManager {
     */
    val isUpgradedToPremiumCardEligibleFlow: StateFlow<Boolean>

+    /**
+     * Emits `true` when the active user is eligible to see the Plan row in Settings, or `false`
+     * otherwise.
+     */
+    val isPlanRowEligibleFlow: StateFlow<Boolean>
+
+    /**
+     * Emits the active user's latest [SubscriptionStatusState].
+     */
+    val subscriptionStatusStateFlow: StateFlow<SubscriptionStatusState>
+
+    /**
+     * Emits the active user's current [UpgradeLifecycleState].
+     */
+    val upgradeLifecycleStateFlow: StateFlow<UpgradeLifecycleState>
+
+    /**
+     * Emits whether the current state should be treated as self-hosted for premium upgrade
+     * gating. Reactive equivalent of [isSelfHosted].
+     */
+    val isSelfHostedFlow: StateFlow<Boolean>
+
+    /**
+     * `true` when the current state should be treated as self-hosted for premium upgrade
+     * gating, or `false` otherwise.
+     */
+    val isSelfHosted: Boolean
+
    /**
     * Returns `true` when the in-app upgrade flow is available, or `false` otherwise.
     */
@@ -42,4 +72,10 @@ interface PremiumStateManager {
     * never re-appears for that user.
     */
    fun dismissUpgradedToPremiumCard()
+
+    /**
+     * Marks the active user as having a Premium upgrade in flight (Stripe checkout completed
+     * but the server has not yet flipped `isPremium`).
+     */
+    fun markPremiumUpgradePending(userId: String)
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/manager/PremiumStateManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/manager/PremiumStateManagerImpl.kt
@@ -3,27 +3,37 @@ package com.x8bit.bitwarden.data.billing.manager
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.manager.model.FlagKey
 import com.bitwarden.core.data.repository.model.DataState
+import com.bitwarden.data.repository.model.Environment
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.auth.repository.AuthRepository
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
 import com.x8bit.bitwarden.data.billing.repository.BillingRepository
+import com.x8bit.bitwarden.data.billing.repository.model.PremiumSubscriptionStatus
+import com.x8bit.bitwarden.data.billing.repository.model.SubscriptionResult
+import com.x8bit.bitwarden.data.billing.repository.model.SubscriptionStatusState
+import com.x8bit.bitwarden.data.billing.repository.model.UpgradeLifecycleState
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.util.isActive
 import com.x8bit.bitwarden.data.platform.util.scanPairs
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultData
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ExperimentalCoroutinesApi
+import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.SharingStarted
 import kotlinx.coroutines.flow.StateFlow
 import kotlinx.coroutines.flow.combine
 import kotlinx.coroutines.flow.distinctUntilChanged
 import kotlinx.coroutines.flow.flatMapLatest
+import kotlinx.coroutines.flow.flow
 import kotlinx.coroutines.flow.flowOf
 import kotlinx.coroutines.flow.launchIn
 import kotlinx.coroutines.flow.map
+import kotlinx.coroutines.flow.merge
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.stateIn
 import java.time.Clock
@@ -33,14 +43,14 @@ import java.time.Instant
 /**
 * Default implementation of [PremiumStateManager].
 */
-@Suppress("LongParameterList")
+@Suppress("LongParameterList", "LargeClass")
 class PremiumStateManagerImpl(
    private val authDiskSource: AuthDiskSource,
-    authRepository: AuthRepository,
    private val billingRepository: BillingRepository,
    private val settingsDiskSource: SettingsDiskSource,
    vaultRepository: VaultRepository,
    private val featureFlagManager: FeatureFlagManager,
+    private val environmentRepository: EnvironmentRepository,
    pushManager: PushManager,
    private val clock: Clock,
    dispatcherManager: DispatcherManager,
@@ -48,10 +58,74 @@ class PremiumStateManagerImpl(

    private val unconfinedScope = CoroutineScope(dispatcherManager.unconfined)

+    private val subscriptionRefreshTriggerFlow =
+        MutableSharedFlow<Unit>(replay = 0, extraBufferCapacity = 1)
+
+    /**
+     * Keyed on the active user's id so a logout/switch retriggers the fetch. Runs whenever
+     * there is an active user regardless of `Account.isPremium` — users whose Stripe
+     * subscription has moved to a terminal state need their substate surfaced even though
+     * the server reports them as non-premium. Emits [SubscriptionStatusState.NoSubscription]
+     * when there is no active user or when the server returns 404 (no `GatewaySubscriptionId`,
+     * i.e. genuinely free users).
+     */
+    @OptIn(ExperimentalCoroutinesApi::class)
+    override val subscriptionStatusStateFlow: StateFlow<SubscriptionStatusState> =
+        authDiskSource
+            .activeUserIdChangesFlow
+            .flatMapLatest { userId ->
+                if (userId != null) {
+                    fetchSubscriptionStatusFlow()
+                } else {
+                    flowOf(SubscriptionStatusState.NoSubscription)
+                }
+            }
+            .stateIn(
+                scope = unconfinedScope,
+                started = SharingStarted.Eagerly,
+                initialValue = SubscriptionStatusState.Loading,
+            )
+
+    @OptIn(ExperimentalCoroutinesApi::class)
+    override val upgradeLifecycleStateFlow: StateFlow<UpgradeLifecycleState> =
+        combine(
+            authDiskSource.userStateFlow,
+            subscriptionStatusStateFlow,
+            authDiskSource.activeUserIdChangesFlow
+                .flatMapLatest { userId ->
+                    userId
+                        ?.let { id ->
+                            settingsDiskSource
+                                .getPremiumUpgradePendingFlow(id)
+                                .map { it ?: false }
+                        }
+                        ?: flowOf(false)
+                },
+        ) { userState, subscriptionStatus, isPending ->
+            deriveLifecycleState(
+                userState = userState,
+                subscriptionStatus = subscriptionStatus,
+                isPending = isPending,
+            )
+        }
+            .distinctUntilChanged()
+            .stateIn(
+                scope = unconfinedScope,
+                started = SharingStarted.Eagerly,
+                initialValue = deriveLifecycleState(
+                    userState = authDiskSource.userState,
+                    subscriptionStatus = subscriptionStatusStateFlow.value,
+                    isPending = authDiskSource.userState
+                        ?.activeUserId
+                        ?.let { settingsDiskSource.getPremiumUpgradePending(userId = it) }
+                        ?: false,
+                ),
+            )
+
    @OptIn(ExperimentalCoroutinesApi::class)
    override val isPremiumUpgradeBannerEligibleFlow: StateFlow<Boolean> =
        combine(
-            authRepository.userStateFlow,
+            authDiskSource.userStateFlow,
            billingRepository.isInAppBillingSupportedFlow,
            featureFlagManager.getFeatureFlagFlow(FlagKey.MobilePremiumUpgrade),
            authDiskSource.activeUserIdChangesFlow
@@ -72,21 +146,71 @@ class PremiumStateManagerImpl(
                isDismissed,
                vaultDataState,
            ->
-            val activeAccount = userState?.activeAccount
-                ?: return@combine false
-            val isPremium = activeAccount.isPremium
-            val isAccountOldEnough = activeAccount.creationDate.isOlderThanDays(
-                days = PREMIUM_UPGRADE_MINIMUM_ACCOUNT_AGE_DAYS,
-                clock = clock,
+            BannerInputs(
+                userState = userState,
+                isInAppBillingSupported = isInAppBillingSupported,
+                featureFlagEnabled = featureFlagEnabled,
+                isDismissed = isDismissed,
+                vaultDataState = vaultDataState,
            )
-            val itemCount = vaultDataState.activeVaultItemCount()
+        }
+            .combine(upgradeLifecycleStateFlow) { inputs, lifecycle ->
+                val profile = inputs.userState?.activeAccount?.profile
+                    ?: return@combine false
+                val isAccountOldEnough = profile.creationDate.isOlderThanDays(
+                    days = PREMIUM_UPGRADE_MINIMUM_ACCOUNT_AGE_DAYS,
+                    clock = clock,
+                )
+                val itemCount = inputs.vaultDataState.activeVaultItemCount()
+                val lifecycleAllowsBanner = lifecycle is UpgradeLifecycleState.Free ||
+                    (
+                        lifecycle is UpgradeLifecycleState.Premium &&
+                            lifecycle.subscriptionStatus.isInTroubleState()
+                        )

-            !isPremium &&
-                isInAppBillingSupported &&
-                featureFlagEnabled &&
-                !isDismissed &&
-                isAccountOldEnough &&
-                itemCount >= PREMIUM_UPGRADE_MINIMUM_VAULT_ITEMS
+                lifecycleAllowsBanner &&
+                    inputs.isInAppBillingSupported &&
+                    inputs.featureFlagEnabled &&
+                    !inputs.isDismissed &&
+                    isAccountOldEnough &&
+                    itemCount >= PREMIUM_UPGRADE_MINIMUM_VAULT_ITEMS
+            }
+            .stateIn(
+                scope = unconfinedScope,
+                started = SharingStarted.Eagerly,
+                initialValue = false,
+            )
+
+    override val isSelfHostedFlow: StateFlow<Boolean> =
+        combine(
+            environmentRepository.environmentStateFlow,
+            featureFlagManager.getFeatureFlagFlow(FlagKey.DebugDisableSelfHostPremiumCheck),
+        ) { environment, isDebugBypassEnabled ->
+            environment is Environment.SelfHosted && !isDebugBypassEnabled
+        }
+            .stateIn(
+                scope = unconfinedScope,
+                started = SharingStarted.Eagerly,
+                initialValue = environmentRepository.environment is Environment.SelfHosted &&
+                    !featureFlagManager.getFeatureFlag(FlagKey.DebugDisableSelfHostPremiumCheck),
+            )
+
+    /**
+     * Eligibility is keyed on the user holding personal Premium (or being eligible to purchase
+     * it). Organization-granted Premium does not surface the Plan row, since the user has no
+     * personal subscription to manage.
+     */
+    override val isPlanRowEligibleFlow: StateFlow<Boolean> =
+        combine(
+            authDiskSource.userStateFlow,
+            featureFlagManager.getFeatureFlagFlow(FlagKey.MobilePremiumUpgrade),
+        ) { userState, featureFlagEnabled ->
+            val profile = userState?.activeAccount?.profile ?: return@combine false
+            val hasPremium = profile.hasPremiumPersonally == true ||
+                profile.hasPremiumFromOrganization == true
+            val isPremiumFromSelf = profile.hasPremiumPersonally == true
+            val isOrgOnlyPremium = hasPremium && !isPremiumFromSelf
+            featureFlagEnabled && !isOrgOnlyPremium
        }
            .stateIn(
                scope = unconfinedScope,
@@ -94,6 +218,12 @@ class PremiumStateManagerImpl(
                initialValue = false,
            )

+    /**
+     * The card surfaces only while the active user holds personal Premium. This guards against
+     * non-personal upgrade signals (e.g., the debug menu trigger or a stray
+     * `PREMIUM_STATUS_CHANGED` push for an organization grant) marking the card pending for users
+     * with no personal subscription to celebrate.
+     */
    @OptIn(ExperimentalCoroutinesApi::class)
    override val isUpgradedToPremiumCardEligibleFlow: StateFlow<Boolean> =
        authDiskSource
@@ -109,7 +239,14 @@ class PremiumStateManagerImpl(
                        settingsDiskSource
                            .getUpgradedToPremiumCardConsumedFlow(userId)
                            .map { it ?: false },
-                    ) { isPending, isConsumed -> isPending && !isConsumed }
+                        authDiskSource
+                            .userStateFlow
+                            .map {
+                                it?.activeAccount?.profile?.hasPremiumPersonally == true
+                            },
+                    ) { isPending, isConsumed, isPremiumFromSelf ->
+                        isPending && !isConsumed && isPremiumFromSelf
+                    }
                }
            }
            .distinctUntilChanged()
@@ -128,33 +265,41 @@ class PremiumStateManagerImpl(
                if (data.isPremium) {
                    markUpgradedToPremiumCardPending(userId = data.userId)
                }
+                // Push always re-fetches: a status push can mean either "newly premium" or
+                // "subscription moved into a trouble state" (e.g. past_due → unpaid).
+                subscriptionRefreshTriggerFlow.tryEmit(Unit)
            }
            .launchIn(unconfinedScope)

-        // Sync-delta detection: observe the active user's premium flag transitioning false → true
-        // (e.g., F-Droid users without push support). NOTE: UserState.Account.isPremium is
-        // derived from `hasPremium = isPremium || isPremiumFromOrganization` so this path may
-        // also fire for organization-granted premium. The push path (above) is personal-only and
-        // takes precedence on flavors that support it.
-        authRepository
+        // Sync-delta detection: observe the active user's personal premium flag transitioning
+        // false → true (e.g., F-Droid users without push support). Keyed on
+        // `hasPremiumPersonally` so that organization-granted premium does not trigger the
+        // personal-upgrade card.
+        authDiskSource
            .userStateFlow
            .map { state ->
-                state?.activeAccount?.let { it.userId to it.isPremium }
+                state?.activeAccount?.profile?.let {
+                    it.userId to (it.hasPremiumPersonally == true)
+                }
            }
            .distinctUntilChanged()
            .scanPairs()
            .onEach { (previous, current) ->
                if (current == null) return@onEach
-                val (currentUserId, currentIsPremium) = current
-                if (!currentIsPremium) return@onEach
-                // Same user transitioning from non-premium to premium counts as an upgrade.
+                val (currentUserId, currentIsPremiumFromSelf) = current
+                if (!currentIsPremiumFromSelf) return@onEach
+                // Same user transitioning from non-personal-premium to personal-premium counts as
+                // an upgrade.
                if (previous?.first == currentUserId && !previous.second) {
                    markUpgradedToPremiumCardPending(userId = currentUserId)
+                    clearPremiumUpgradePending(userId = currentUserId)
                }
            }
            .launchIn(unconfinedScope)
    }

+    override val isSelfHosted: Boolean get() = isSelfHostedFlow.value
+
    override fun isInAppUpgradeAvailable(): Boolean =
        billingRepository.isInAppBillingSupportedFlow.value &&
            featureFlagManager.getFeatureFlag(FlagKey.MobilePremiumUpgrade)
@@ -179,6 +324,35 @@ class PremiumStateManagerImpl(
        )
    }

+    override fun markPremiumUpgradePending(userId: String) {
+        settingsDiskSource.storePremiumUpgradePending(
+            userId = userId,
+            isPending = true,
+        )
+    }
+
+    private fun clearPremiumUpgradePending(userId: String) {
+        settingsDiskSource.storePremiumUpgradePending(
+            userId = userId,
+            isPending = null,
+        )
+    }
+
+    private fun deriveLifecycleState(
+        userState: UserStateJson?,
+        subscriptionStatus: SubscriptionStatusState,
+        isPending: Boolean,
+    ): UpgradeLifecycleState {
+        val profile = userState?.activeAccount?.profile ?: return UpgradeLifecycleState.Free
+        val hasPremium = profile.hasPremiumPersonally == true ||
+            profile.hasPremiumFromOrganization == true
+        return when {
+            hasPremium -> UpgradeLifecycleState.Premium(subscriptionStatus = subscriptionStatus)
+            isPending -> UpgradeLifecycleState.UpgradePending
+            else -> UpgradeLifecycleState.Free
+        }
+    }
+
    private fun markUpgradedToPremiumCardPending(userId: String) {
        // Don't re-arm the card if the user has already consumed it for this account.
        if (settingsDiskSource.getUpgradedToPremiumCardConsumed(userId = userId) == true) {
@@ -189,8 +363,58 @@ class PremiumStateManagerImpl(
            isPending = true,
        )
    }
+
+    @OptIn(ExperimentalCoroutinesApi::class)
+    private fun fetchSubscriptionStatusFlow(): Flow<SubscriptionStatusState> =
+        merge(
+            flowOf(Unit),
+            subscriptionRefreshTriggerFlow,
+        )
+            .flatMapLatest {
+                flow {
+                    emit(SubscriptionStatusState.Loading)
+                    emit(fetchSubscriptionStatusOnce())
+                }
+            }
+
+    private suspend fun fetchSubscriptionStatusOnce(): SubscriptionStatusState =
+        when (val result = billingRepository.getSubscription()) {
+            is SubscriptionResult.Success -> {
+                SubscriptionStatusState.Available(status = result.subscription.status)
+            }
+
+            SubscriptionResult.NotFound -> SubscriptionStatusState.NoSubscription
+            is SubscriptionResult.Error -> SubscriptionStatusState.Error(throwable = result.error)
+        }
 }

+private data class BannerInputs(
+    val userState: UserStateJson?,
+    val isInAppBillingSupported: Boolean,
+    val featureFlagEnabled: Boolean,
+    val isDismissed: Boolean,
+    val vaultDataState: DataState<VaultData>,
+)
+
+/**
+ * Returns `true` when the given [SubscriptionStatusState] represents a subscription substate
+ * that should disqualify a user from being treated as effectively premium.
+ */
+private fun SubscriptionStatusState.isInTroubleState(): Boolean =
+    this is SubscriptionStatusState.Available &&
+        when (this.status) {
+            PremiumSubscriptionStatus.CANCELED,
+            PremiumSubscriptionStatus.EXPIRED,
+            PremiumSubscriptionStatus.PAST_DUE,
+            PremiumSubscriptionStatus.PAUSED,
+            PremiumSubscriptionStatus.UPDATE_PAYMENT,
+                -> true
+
+            PremiumSubscriptionStatus.ACTIVE,
+            PremiumSubscriptionStatus.PENDING_CANCELLATION,
+                -> false
+        }
+
 /**
 * Returns `true` if this [Instant] is older than the given number of [days] based on
 * the provided [clock]. Returns `false` if the receiver is `null`.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/BillingRepository.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/BillingRepository.kt
@@ -32,7 +32,9 @@ interface BillingRepository {
    suspend fun getPremiumPlanPricing(): PremiumPlanPricingResult

    /**
-     * Fetches the current user's premium subscription details.
+     * Fetches the current user's premium subscription details. The endpoint 404s when the
+     * user has no `GatewaySubscriptionId` (free user); callers receive
+     * [SubscriptionResult.NotFound] in that case instead of [SubscriptionResult.Error].
     */
    suspend fun getSubscription(): SubscriptionResult
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/BillingRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/BillingRepositoryImpl.kt
@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.billing.repository

+import com.bitwarden.network.model.GetSubscriptionResponse
 import com.bitwarden.network.service.BillingService
 import com.x8bit.bitwarden.data.billing.manager.PlayBillingManager
 import com.x8bit.bitwarden.data.billing.repository.model.CheckoutSessionResult
@@ -54,10 +55,14 @@ class BillingRepositoryImpl(
        billingService
            .getSubscription()
            .fold(
-                onSuccess = {
-                    SubscriptionResult.Success(
-                        subscription = it.toSubscriptionInfo(),
-                    )
+                onSuccess = { response ->
+                    when (response) {
+                        is GetSubscriptionResponse.Success -> SubscriptionResult.Success(
+                            subscription = response.subscription.toSubscriptionInfo(),
+                        )
+
+                        is GetSubscriptionResponse.NotFound -> SubscriptionResult.NotFound
+                    }
                },
                onFailure = { SubscriptionResult.Error(error = it) },
            )
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/PremiumSubscriptionStatus.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/PremiumSubscriptionStatus.kt
@@ -6,7 +6,19 @@ package com.x8bit.bitwarden.data.billing.repository.model
 enum class PremiumSubscriptionStatus {
    ACTIVE,
    CANCELED,
-    OVERDUE_PAYMENT,
+
+    /**
+     * The subscription's initial payment never succeeded and Stripe voided the invoice, so
+     * the subscription never became active. Distinct from [CANCELED], which describes a
+     * subscription that was previously active.
+     */
+    EXPIRED,
+
+    /**
+     * The subscription is scheduled to cancel at a future date but is still active until then.
+     */
+    PENDING_CANCELLATION,
    PAST_DUE,
    PAUSED,
+    UPDATE_PAYMENT,
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionInfo.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionInfo.kt
@@ -17,6 +17,8 @@ import java.time.Instant
 * @property nextChargeTotal The total of the next invoice:
 * `seatsCost + (storageCost ?: 0) - (discountAmount ?: 0) + estimatedTax`.
 * @property nextCharge The date of the next charge, or null if not applicable.
+ * @property cancelAt The date the subscription is scheduled to cancel at (the subscription is
+ * still active until this date), or null if no future cancellation is scheduled.
 * @property canceledDate The date the subscription was canceled, or null.
 * @property suspensionDate The date the subscription will be suspended, or null.
 * @property gracePeriodDays The grace period in days, or null.
@@ -30,6 +32,7 @@ data class SubscriptionInfo(
    val estimatedTax: BigDecimal,
    val nextChargeTotal: BigDecimal,
    val nextCharge: Instant?,
+    val cancelAt: Instant?,
    val canceledDate: Instant?,
    val suspensionDate: Instant?,
    val gracePeriodDays: Int?,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionResult.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionResult.kt
@@ -11,6 +11,13 @@ sealed class SubscriptionResult {
        val subscription: SubscriptionInfo,
    ) : SubscriptionResult()

+    /**
+     * The endpoint returned 404, indicating the user has no subscription on record
+     * (e.g., the active account has never had a Stripe `GatewaySubscriptionId`).
+     * Consumers should treat this as a free user.
+     */
+    data object NotFound : SubscriptionResult()
+
    /**
     * An error occurred while fetching subscription details.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionStatusState.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/SubscriptionStatusState.kt
@@ -0,0 +1,36 @@
+package com.x8bit.bitwarden.data.billing.repository.model
+
+/**
+ * Latest observed substate of the active user's premium subscription.
+ *
+ * The subscription endpoint is only meaningful for users who have a `GatewaySubscriptionId`
+ * on the server, so [NoSubscription] is emitted both for users we never queried (no personal
+ * premium signal) and for users whose fetch returned 404. [Error] preserves the failure for
+ * retry, while [Available] surfaces the raw status so consumers can apply their own policy.
+ */
+sealed class SubscriptionStatusState {
+
+    /**
+     * No fetch has been attempted yet for the active user.
+     */
+    data object Loading : SubscriptionStatusState()
+
+    /**
+     * The active user has no recorded premium subscription.
+     */
+    data object NoSubscription : SubscriptionStatusState()
+
+    /**
+     * The active user has a subscription with the given [status].
+     */
+    data class Available(
+        val status: PremiumSubscriptionStatus,
+    ) : SubscriptionStatusState()
+
+    /**
+     * The fetch failed for a reason other than 404.
+     */
+    data class Error(
+        val throwable: Throwable,
+    ) : SubscriptionStatusState()
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/UpgradeLifecycleState.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/model/UpgradeLifecycleState.kt
@@ -0,0 +1,33 @@
+package com.x8bit.bitwarden.data.billing.repository.model
+
+/**
+ * Represents the active user's position in the Premium upgrade lifecycle.
+ *
+ * Transitions:
+ * - [Free] → [UpgradePending] when the user completes Stripe checkout and the post-checkout
+ *   sync still reports the user as non-premium — checkout is done, backend reconciliation
+ *   is in flight.
+ * - [UpgradePending] → [Premium] when the server flips `isPremium` to `true`.
+ *
+ * Cancellation, expiration, and other terminal substates are surfaced via
+ * [Premium.subscriptionStatus] rather than as separate leaves.
+ */
+sealed class UpgradeLifecycleState {
+
+    /**
+     * The user has no Premium subscription and no upgrade is in flight.
+     */
+    data object Free : UpgradeLifecycleState()
+
+    /**
+     * Stripe checkout completed but the server has not yet flipped `isPremium`.
+     */
+    data object UpgradePending : UpgradeLifecycleState()
+
+    /**
+     * The user holds Premium; [subscriptionStatus] carries the substate (active, canceled, etc).
+     */
+    data class Premium(
+        val subscriptionStatus: SubscriptionStatusState,
+    ) : UpgradeLifecycleState()
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/util/BitwardenSubscriptionResponseJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/billing/repository/util/BitwardenSubscriptionResponseJsonExtensions.kt
@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.billing.repository.util
 import com.bitwarden.network.model.BitwardenDiscountJson
 import com.bitwarden.network.model.BitwardenSubscriptionResponseJson
 import com.bitwarden.network.model.CadenceTypeJson
+import com.bitwarden.network.model.CartItemJson
 import com.bitwarden.network.model.DiscountTypeJson
 import com.bitwarden.network.model.SubscriptionStatusJson
 import com.x8bit.bitwarden.data.billing.repository.model.PlanCadence
@@ -11,33 +12,40 @@ import com.x8bit.bitwarden.data.billing.repository.model.SubscriptionInfo
 import java.math.BigDecimal
 import java.math.RoundingMode

-private val PERCENT_DIVISOR: BigDecimal = BigDecimal("100")
 private const val MONEY_SCALE: Int = 2

 /**
 * Maps a [BitwardenSubscriptionResponseJson] into a [SubscriptionInfo] domain
 * model.
 *
- * `discountAmount` is resolved at mapping time: fixed-amount discounts pass
- * through as-is; percent-off discounts apply to the password manager subtotal
- * (`seatsCost + storageCost`). `nextChargeTotal` is computed client-side as
- * `seatsCost + storageCost - discountAmount + estimatedTax` because the server
+ * Each line item's `cost` is a per-unit price, so its contribution is
+ * `cost * quantity`. Two discount channels are combined into `discountAmount`:
+ * the cart-level discount applies to the password manager subtotal
+ * (`seatsCost + storageCost`), and the Password Manager seats item-level
+ * discount applies to the seats line total. Item-level discounts on other line
+ * items are intentionally ignored, mirroring the web client. Fixed-amount
+ * discounts pass through as-is; percent-off discounts treat a value below 1 as
+ * an already-decimal fraction and round half-up. `nextChargeTotal` is computed
+ * client-side as `subtotal - discountAmount + estimatedTax` because the server
 * does not expose a precomputed total.
 */
 fun BitwardenSubscriptionResponseJson.toSubscriptionInfo(): SubscriptionInfo {
-    val seatsCost = cart.passwordManager.seats.cost
-    val storageCost = cart.passwordManager.additionalStorage?.cost
-    val discountAmount = cart.discount?.toMoneyAmount(
-        subtotal = seatsCost + (storageCost ?: BigDecimal.ZERO),
-    )
+    val seatsCost = cart.passwordManager.seats.lineTotal()
+    val storageCost = cart.passwordManager.additionalStorage?.lineTotal()
+    val subtotal = seatsCost + (storageCost ?: BigDecimal.ZERO)
+    val cartDiscount = cart.discount?.toDiscountAmount(baseAmount = subtotal)
+    val seatsDiscount = cart.passwordManager.seats.discount
+        ?.toDiscountAmount(baseAmount = seatsCost)
+    val discountAmount = listOfNotNull(cartDiscount, seatsDiscount)
+        .takeIf { it.isNotEmpty() }
+        ?.reduce(BigDecimal::add)
    val estimatedTax = cart.estimatedTax
-    val nextChargeTotal = seatsCost +
-        (storageCost ?: BigDecimal.ZERO) -
+    val nextChargeTotal = subtotal -
        (discountAmount ?: BigDecimal.ZERO) +
        estimatedTax

    return SubscriptionInfo(
-        status = status.toPremiumSubscriptionStatus(),
+        status = toPremiumSubscriptionStatus(),
        cadence = cart.cadence.toPlanCadence(),
        seatsCost = seatsCost,
        storageCost = storageCost,
@@ -45,41 +53,49 @@ fun BitwardenSubscriptionResponseJson.toSubscriptionInfo(): SubscriptionInfo {
        estimatedTax = estimatedTax,
        nextChargeTotal = nextChargeTotal,
        nextCharge = nextCharge,
+        cancelAt = cancelAt,
        canceledDate = canceled,
        suspensionDate = suspension,
        gracePeriodDays = gracePeriod,
    )
 }

-private fun SubscriptionStatusJson.toPremiumSubscriptionStatus(): PremiumSubscriptionStatus =
-    when (this) {
-        SubscriptionStatusJson.ACTIVE,
-        SubscriptionStatusJson.TRIALING,
-        -> PremiumSubscriptionStatus.ACTIVE
-
-        SubscriptionStatusJson.CANCELED,
-        SubscriptionStatusJson.INCOMPLETE_EXPIRED,
-        -> PremiumSubscriptionStatus.CANCELED
-
-        SubscriptionStatusJson.INCOMPLETE,
-        SubscriptionStatusJson.UNPAID,
-        -> PremiumSubscriptionStatus.OVERDUE_PAYMENT
-
-        SubscriptionStatusJson.PAST_DUE -> PremiumSubscriptionStatus.PAST_DUE
-
-        SubscriptionStatusJson.PAUSED -> PremiumSubscriptionStatus.PAUSED
+private fun BitwardenSubscriptionResponseJson.toPremiumSubscriptionStatus():
+    PremiumSubscriptionStatus = when (status) {
+    SubscriptionStatusJson.ACTIVE,
+    SubscriptionStatusJson.TRIALING,
+        -> {
+        if (cancelAt != null) {
+            PremiumSubscriptionStatus.PENDING_CANCELLATION
+        } else {
+            PremiumSubscriptionStatus.ACTIVE
+        }
    }

+    SubscriptionStatusJson.CANCELED -> PremiumSubscriptionStatus.CANCELED
+
+    SubscriptionStatusJson.INCOMPLETE_EXPIRED -> PremiumSubscriptionStatus.EXPIRED
+    SubscriptionStatusJson.INCOMPLETE,
+    SubscriptionStatusJson.UNPAID,
+        -> PremiumSubscriptionStatus.UPDATE_PAYMENT
+
+    SubscriptionStatusJson.PAST_DUE -> PremiumSubscriptionStatus.PAST_DUE
+
+    SubscriptionStatusJson.PAUSED -> PremiumSubscriptionStatus.PAUSED
+}
+
+private fun CartItemJson.lineTotal(): BigDecimal = cost.multiply(quantity.toBigDecimal())
+
 private fun CadenceTypeJson.toPlanCadence(): PlanCadence = when (this) {
    CadenceTypeJson.ANNUALLY -> PlanCadence.ANNUALLY
    CadenceTypeJson.MONTHLY -> PlanCadence.MONTHLY
 }

-private fun BitwardenDiscountJson.toMoneyAmount(subtotal: BigDecimal): BigDecimal =
+private fun BitwardenDiscountJson.toDiscountAmount(baseAmount: BigDecimal): BigDecimal =
    when (type) {
        DiscountTypeJson.AMOUNT_OFF -> value
-        DiscountTypeJson.PERCENT_OFF ->
-            subtotal
-                .multiply(value)
-                .divide(PERCENT_DIVISOR, MONEY_SCALE, RoundingMode.HALF_EVEN)
+        DiscountTypeJson.PERCENT_OFF -> {
+            val percentage = if (value < BigDecimal.ONE) value else value.movePointLeft(2)
+            baseAmount.multiply(percentage).setScale(MONEY_SCALE, RoundingMode.HALF_UP)
+        }
    }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt
@@ -45,7 +45,6 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.model.RegisterFido2Credenti
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidAttestationResponse
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidFido2PublicKeyCredential
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
-import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.flow.fold
 import kotlinx.coroutines.withContext
 import kotlinx.serialization.json.Json
@@ -65,12 +64,10 @@ class BitwardenCredentialManagerImpl(
    private val vaultRepository: VaultRepository,
    private val cipherMatchingManager: CipherMatchingManager,
    private val passkeyAttestationOptionsSanitizer: PasskeyAttestationOptionsSanitizer,
-    dispatcherManager: DispatcherManager,
+    private val dispatcherManager: DispatcherManager,
 ) : BitwardenCredentialManager,
    Fido2CredentialStore by fido2CredentialStore {

-    private val ioScope = CoroutineScope(dispatcherManager.io)
-
    override var isUserVerified: Boolean = false

    override var authenticationAttempts: Int = 0
@@ -179,7 +176,7 @@ class BitwardenCredentialManagerImpl(

    override suspend fun getCredentialEntries(
        getCredentialsRequest: GetCredentialsRequest,
-    ): Result<List<CredentialEntry>> = withContext(ioScope.coroutineContext) {
+    ): Result<List<CredentialEntry>> = withContext(dispatcherManager.io) {
        val cipherListViews = vaultRepository
            .decryptCipherListResultStateFlow
            .takeUntilLoaded()
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/repository/PrivilegedAppRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/repository/PrivilegedAppRepositoryImpl.kt
@@ -39,7 +39,7 @@ private const val RELEASE_BUILD = "release"
 class PrivilegedAppRepositoryImpl(
    private val privilegedAppDiskSource: PrivilegedAppDiskSource,
    private val assetManager: AssetManager,
-    dispatcherManager: DispatcherManager,
+    private val dispatcherManager: DispatcherManager,
    private val json: Json,
 ) : PrivilegedAppRepository {

@@ -118,7 +118,7 @@ class PrivilegedAppRepositoryImpl(
            .toPrivilegedAppAllowListJson()

    override suspend fun getGoogleTrustedPrivilegedAppsOrNull(): PrivilegedAppAllowListJson? =
-        withContext(ioScope.coroutineContext) {
+        withContext(dispatcherManager.io) {
            assetManager
                .readAsset(fileName = GOOGLE_ALLOW_LIST_FILE_NAME)
                .map { json.decodeFromStringOrNull<PrivilegedAppAllowListJson>(it) }
@@ -126,7 +126,7 @@ class PrivilegedAppRepositoryImpl(
        }

    override suspend fun getCommunityTrustedPrivilegedAppsOrNull(): PrivilegedAppAllowListJson? {
-        return withContext(ioScope.coroutineContext) {
+        return withContext(dispatcherManager.io) {
            assetManager
                .readAsset(fileName = COMMUNITY_ALLOW_LIST_FILE_NAME)
                .map { json.decodeFromStringOrNull<PrivilegedAppAllowListJson>(it) }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt
@@ -40,6 +40,17 @@ interface SettingsDiskSource : FlightRecorderDiskSource {
     */
    var initialAutofillDialogShown: Boolean?

+    /**
+     * Indicates if the accessibility disclaimer has been displayed to the user.
+     */
+    var hasShownAccessibilityDisclaimer: Boolean?
+
+    /**
+     * Emits up-to-date values indicating if the accessibility disclaimer has been displayed to
+     * the user.
+     */
+    val hasShownAccessibilityDisclaimerFlow: Flow<Boolean?>
+
    /**
     * The currently persisted app theme (or `null` if not set).
     */
@@ -182,6 +193,25 @@ interface SettingsDiskSource : FlightRecorderDiskSource {
     */
    fun getUpgradedToPremiumCardPendingFlow(userId: String): Flow<Boolean?>

+    /**
+     * Retrieves the stored value of whether a Premium upgrade is awaiting server confirmation
+     * for the given [userId].
+     */
+    fun getPremiumUpgradePending(userId: String): Boolean?
+
+    /**
+     * Stores whether a Premium upgrade is awaiting server confirmation for the given [userId].
+     */
+    fun storePremiumUpgradePending(
+        userId: String,
+        isPending: Boolean?,
+    )
+
+    /**
+     * Emits updates that track [getPremiumUpgradePending] for the given [userId].
+     */
+    fun getPremiumUpgradePendingFlow(userId: String): Flow<Boolean?>
+
    /**
     * Retrieves the biometric integrity validity for the given [userId] and
     * [systemBioIntegrityState].
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt
@@ -35,6 +35,7 @@ private const val ACCOUNT_BIOMETRIC_INTEGRITY_VALID_KEY = "accountBiometricInteg
 private const val CRASH_LOGGING_ENABLED_KEY = "crashLoggingEnabled"
 private const val CLEAR_CLIPBOARD_INTERVAL_KEY = "clearClipboard"
 private const val INITIAL_AUTOFILL_DIALOG_SHOWN = "addSitePromptShown"
+private const val HAS_SHOWN_ACCESSIBILITY_DISCLAIMER_KEY = "hasShownAccessibilityDisclaimer"
 private const val HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY = "hasUserLoggedInOrCreatedAccount"
 private const val SHOW_AUTOFILL_SETTING_BADGE = "showAutofillSettingBadge"
 private const val SHOW_BROWSER_AUTOFILL_SETTING_BADGE = "showBrowserAutofillSettingBadge"
@@ -57,11 +58,13 @@ private const val UPGRADED_TO_PREMIUM_CARD_CONSUMED =
    "upgradedToPremiumCardConsumed"
 private const val UPGRADED_TO_PREMIUM_CARD_PENDING =
    "upgradedToPremiumCardPending"
+private const val PREMIUM_UPGRADE_PENDING =
+    "premiumUpgradePending"

 /**
 * Primary implementation of [SettingsDiskSource].
 */
-@Suppress("TooManyFunctions")
+@Suppress("TooManyFunctions", "LargeClass")
 class SettingsDiskSourceImpl(
    private val sharedPreferences: SharedPreferences,
    private val json: Json,
@@ -107,6 +110,9 @@ class SettingsDiskSourceImpl(
    private val mutableUpgradedToPremiumCardPendingFlowMap =
        mutableMapOf<String, MutableSharedFlow<Boolean?>>()

+    private val mutablePremiumUpgradePendingFlowMap =
+        mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+
    private val mutableIsIconLoadingDisabledFlow = bufferedMutableSharedFlow<Boolean?>()

    private val mutableIsCrashLoggingEnabledFlow = bufferedMutableSharedFlow<Boolean?>()
@@ -123,6 +129,8 @@ class SettingsDiskSourceImpl(

    private val mutableIsDynamicColorsEnabledFlow = bufferedMutableSharedFlow<Boolean?>()

+    private val mutableHasShownAccessibilityDisclaimerFlow = bufferedMutableSharedFlow<Boolean?>()
+
    init {
        migrateScreenCaptureSetting()
    }
@@ -162,6 +170,17 @@ class SettingsDiskSourceImpl(
            )
        }

+    override var hasShownAccessibilityDisclaimer: Boolean?
+        set(value) {
+            putBoolean(HAS_SHOWN_ACCESSIBILITY_DISCLAIMER_KEY, value)
+            mutableHasShownAccessibilityDisclaimerFlow.tryEmit(value)
+        }
+        get() = getBoolean(HAS_SHOWN_ACCESSIBILITY_DISCLAIMER_KEY)
+
+    override val hasShownAccessibilityDisclaimerFlow: Flow<Boolean?>
+        get() = mutableHasShownAccessibilityDisclaimerFlow
+            .onSubscription { emit(hasShownAccessibilityDisclaimer) }
+
    override var systemBiometricIntegritySource: String?
        get() = getString(key = SYSTEM_BIOMETRIC_INTEGRITY_SOURCE_KEY)
        set(value) {
@@ -264,6 +283,8 @@ class SettingsDiskSourceImpl(
        // - Premium upgrade banner dismissed
        // - Upgraded to Premium action card consumed
        // - Upgraded to Premium action card pending
+        // - Premium upgrade pending
+        // - Has shown accessibility disclaimer dialog
    }

    override fun getIntroducingArchiveActionCardDismissed(userId: String): Boolean? =
@@ -346,6 +367,26 @@ class SettingsDiskSourceImpl(
        getMutableUpgradedToPremiumCardPendingFlow(userId = userId)
            .onSubscription { emit(getUpgradedToPremiumCardPending(userId = userId)) }

+    override fun getPremiumUpgradePending(userId: String): Boolean? =
+        getBoolean(
+            key = PREMIUM_UPGRADE_PENDING.appendIdentifier(identifier = userId),
+        )
+
+    override fun storePremiumUpgradePending(
+        userId: String,
+        isPending: Boolean?,
+    ) {
+        putBoolean(
+            key = PREMIUM_UPGRADE_PENDING.appendIdentifier(identifier = userId),
+            value = isPending,
+        )
+        getMutablePremiumUpgradePendingFlow(userId = userId).tryEmit(isPending)
+    }
+
+    override fun getPremiumUpgradePendingFlow(userId: String): Flow<Boolean?> =
+        getMutablePremiumUpgradePendingFlow(userId = userId)
+            .onSubscription { emit(getPremiumUpgradePending(userId = userId)) }
+
    override fun getAccountBiometricIntegrityValidity(
        userId: String,
        systemBioIntegrityState: String,
@@ -711,6 +752,13 @@ class SettingsDiskSourceImpl(
            bufferedMutableSharedFlow(replay = 1)
        }

+    private fun getMutablePremiumUpgradePendingFlow(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> =
+        mutablePremiumUpgradePendingFlowMap.getOrPut(userId) {
+            bufferedMutableSharedFlow(replay = 1)
+        }
+
    private fun getMutableLastSyncFlow(
        userId: String,
    ): MutableSharedFlow<Instant?> =
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/network/di/PlatformNetworkModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/network/di/PlatformNetworkModule.kt
@@ -15,6 +15,7 @@ import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_CL
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_USER_AGENT
 import com.x8bit.bitwarden.data.platform.manager.CertificateManager
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkCookieManager
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkPermissionManager
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -58,6 +59,7 @@ object PlatformNetworkModule {
        certificateManager: CertificateManager,
        buildInfoManager: BuildInfoManager,
        networkCookieManager: NetworkCookieManager,
+        networkPermissionManager: NetworkPermissionManager,
        clock: Clock,
    ): BitwardenServiceClientConfig = BitwardenServiceClientConfig(
        clock = clock,
@@ -72,6 +74,7 @@ object PlatformNetworkModule {
        certificateProvider = certificateManager,
        enableHttpBodyLogging = buildInfoManager.isDevBuild,
        cookieProvider = networkCookieManager,
+        permissionProvider = networkPermissionManager,
    )

    @Provides
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/sdk/BaseSdkSource.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/sdk/BaseSdkSource.kt
@@ -11,6 +11,11 @@ import timber.log.Timber
 abstract class BaseSdkSource(
    protected val sdkClientManager: SdkClientManager,
 ) {
+    /**
+     * Helper function to retrieve the global [Client] synchronously.
+     */
+    protected val globalClient get() = sdkClientManager.globalClient
+
    /**
     * Helper function to retrieve the [Client] associated with the given [userId].
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManager.kt
@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.platform.manager

-import com.bitwarden.network.model.PolicyTypeJson
-import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import kotlinx.coroutines.flow.Flow

 /**
@@ -11,20 +11,20 @@ interface PolicyManager {
    /**
     * Returns a flow of all the active policies of the given type.
     */
-    fun getActivePoliciesFlow(type: PolicyTypeJson): Flow<List<SyncResponseJson.Policy>>
+    fun getActivePoliciesFlow(type: PolicyType): Flow<List<PolicyView>>

    /**
     * Get all the policies of the given [type] that are enabled and applicable to the user.
     */
-    fun getActivePolicies(type: PolicyTypeJson): List<SyncResponseJson.Policy>
+    fun getActivePolicies(type: PolicyType): List<PolicyView>

    /**
     * Get all the policies of the given [type] that are enabled and applicable to the [userId].
     */
    fun getUserPolicies(
        userId: String,
-        type: PolicyTypeJson,
-    ): List<SyncResponseJson.Policy>
+        type: PolicyType,
+    ): List<PolicyView>

    /**
     * Get the organization id of the personal ownership policy.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt
@@ -1,17 +1,24 @@
 package com.x8bit.bitwarden.data.platform.manager

-import com.bitwarden.network.model.OrganizationStatusType
-import com.bitwarden.network.model.OrganizationType
-import com.bitwarden.network.model.PolicyTypeJson
-import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.core.data.manager.model.FlagKey
+import com.bitwarden.organizations.OrganizationUserStatusType
+import com.bitwarden.organizations.OrganizationUserType
+import com.bitwarden.policies.OrganizationUserPolicyContext
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
+import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
+import com.x8bit.bitwarden.data.vault.repository.util.toSdkOrganizationPolicyContext
+import com.x8bit.bitwarden.data.vault.repository.util.toSdkPolicyViews
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.flow.combine
 import kotlinx.coroutines.flow.distinctUntilChanged
 import kotlinx.coroutines.flow.emptyFlow
+import kotlinx.coroutines.flow.filterNotNull
 import kotlinx.coroutines.flow.flatMapLatest
-import kotlinx.coroutines.flow.mapNotNull
+import kotlinx.coroutines.flow.map

 /**
 * The default [PolicyManager] implementation. This class is responsible for
@@ -19,114 +26,151 @@ import kotlinx.coroutines.flow.mapNotNull
 */
 class PolicyManagerImpl(
    private val authDiskSource: AuthDiskSource,
+    private val authSdkSource: AuthSdkSource,
+    private val featureFlagManager: FeatureFlagManager,
 ) : PolicyManager {
    @OptIn(ExperimentalCoroutinesApi::class)
-    override fun getActivePoliciesFlow(type: PolicyTypeJson): Flow<List<SyncResponseJson.Policy>> =
+    override fun getActivePoliciesFlow(type: PolicyType): Flow<List<PolicyView>> =
        authDiskSource
            .activeUserIdChangesFlow
            .flatMapLatest { activeUserId ->
                activeUserId
-                    ?.let { userId ->
-                        authDiskSource
-                            .getPoliciesFlow(userId)
-                            .mapNotNull {
-                                filterPolicies(
-                                    userId = userId,
-                                    type = type,
-                                    policies = it,
-                                )
-                            }
-                    }
+                    ?.let { userId -> getAppliedPolicyViewsFlow(userId = userId, type = type) }
                    ?: emptyFlow()
            }
            .distinctUntilChanged()

-    override fun getActivePolicies(type: PolicyTypeJson): List<SyncResponseJson.Policy> =
+    override fun getActivePolicies(type: PolicyType): List<PolicyView> =
        authDiskSource
            .userState
            ?.activeUserId
-            ?.let { userId ->
-                filterPolicies(
-                    userId = userId,
-                    type = type,
-                    policies = authDiskSource.getPolicies(userId = userId),
-                )
-            }
-            ?: emptyList()
+            ?.let { userId -> getUserPolicies(userId = userId, type = type) }
+            .orEmpty()

    override fun getUserPolicies(
        userId: String,
-        type: PolicyTypeJson,
-    ): List<SyncResponseJson.Policy> =
+        type: PolicyType,
+    ): List<PolicyView> =
        this
            .filterPolicies(
-                userId = userId,
                type = type,
-                policies = authDiskSource.getPolicies(userId = userId),
+                policies = authDiskSource
+                    .getPolicies(userId = userId)
+                    ?.toSdkPolicyViews(),
+                organizations = authDiskSource
+                    .getOrganizations(userId = userId)
+                    ?.map {
+                        OrganizationPolicyData(
+                            organizationUserPolicyContext = it.toSdkOrganizationPolicyContext(),
+                            organizationShouldUsePolicies = it.permissions.shouldManagePolicies,
+                        )
+                    },
+                isPoliciesInAcceptedStateEnabled = featureFlagManager
+                    .getFeatureFlag(key = FlagKey.PoliciesInAcceptedState),
            )
            .orEmpty()

    override fun getPersonalOwnershipPolicyOrganizationId(): String? =
        this
-            .getActivePolicies(PolicyTypeJson.PERSONAL_OWNERSHIP)
+            .getActivePolicies(type = PolicyType.ORGANIZATION_DATA_OWNERSHIP)
            .sortedBy { it.revisionDate }
            .firstOrNull()
            ?.organizationId

-    /**
-     * A helper method to filter policies.
-     */
-    private fun filterPolicies(
+    private fun getAppliedPolicyViewsFlow(
        userId: String,
-        type: PolicyTypeJson,
-        policies: List<SyncResponseJson.Policy>?,
-    ): List<SyncResponseJson.Policy>? {
-        policies ?: return null
-        if (policies.isEmpty()) return emptyList()
-
-        // Get a list of the user's organizations that enforce policies.
-        val organizationIdsWithActivePolicies = authDiskSource
-            .getOrganizations(userId)
-            ?.filter {
-                it.shouldUsePolicies &&
-                    it.status >= OrganizationStatusType.ACCEPTED &&
-                    !isOrganizationExemptFromPolicies(it, type)
-            }
-            ?.map { it.id }
-            .orEmpty()
-
-        // Filter the policies based on the type, whether the policy is active,
-        // and whether the organization rules except the user from the policy.
-        return policies.filter {
-            it.type == type &&
-                it.isEnabled &&
-                organizationIdsWithActivePolicies.contains(it.organizationId)
-        }
+        type: PolicyType,
+    ): Flow<List<PolicyView>> = combine(
+        authDiskSource
+            .getPoliciesFlow(userId = userId)
+            .map { it?.toSdkPolicyViews() },
+        authDiskSource
+            .getOrganizationsFlow(userId = userId)
+            .map { organizations ->
+                organizations?.map {
+                    OrganizationPolicyData(
+                        organizationUserPolicyContext = it.toSdkOrganizationPolicyContext(),
+                        organizationShouldUsePolicies = it.permissions.shouldManagePolicies,
+                    )
+                }
+            },
+        featureFlagManager.getFeatureFlagFlow(key = FlagKey.PoliciesInAcceptedState),
+    ) { policies, organizations, isEnabled ->
+        filterPolicies(
+            type = type,
+            policies = policies,
+            organizations = organizations,
+            isPoliciesInAcceptedStateEnabled = isEnabled,
+        )
    }
+        // We do not have any policies yet if it is null, so do not emit at all.
+        .filterNotNull()
+
+    private fun filterPolicies(
+        type: PolicyType,
+        policies: List<PolicyView>?,
+        organizations: List<OrganizationPolicyData>?,
+        isPoliciesInAcceptedStateEnabled: Boolean,
+    ): List<PolicyView>? =
+        when {
+            policies == null -> null
+            policies.isEmpty() -> emptyList()
+            isPoliciesInAcceptedStateEnabled -> {
+                authSdkSource
+                    .filterPolicies(
+                        policies = policies,
+                        policyType = type,
+                        organizations = organizations
+                            ?.map { it.organizationUserPolicyContext }
+                            .orEmpty(),
+                    )
+                    .getOrElse { emptyList() }
+            }
+
+            else -> {
+                // Legacy flow
+                val organizationIdsWithActivePolicies = organizations
+                    ?.filter {
+                        @Suppress("MaxLineLength")
+                        it.organizationUserPolicyContext.usePolicies &&
+                            it.organizationUserPolicyContext.status >= OrganizationUserStatusType.ACCEPTED &&
+                            !it.isOrganizationExemptFromPolicies(policyType = type)
+                    }
+                    ?.map { it.organizationUserPolicyContext.id }
+                    .orEmpty()
+                return policies.filter {
+                    it.type == type &&
+                        it.enabled &&
+                        organizationIdsWithActivePolicies.contains(it.organizationId)
+                }
+            }
+        }

    /**
     * A helper method to determine if the organization is exempt from policies.
     */
-    private fun isOrganizationExemptFromPolicies(
-        organization: SyncResponseJson.Profile.Organization,
-        policyType: PolicyTypeJson,
+    private fun OrganizationPolicyData.isOrganizationExemptFromPolicies(
+        policyType: PolicyType,
    ): Boolean =
        when (policyType) {
-            PolicyTypeJson.MAXIMUM_VAULT_TIMEOUT -> {
-                organization.type == OrganizationType.OWNER
+            PolicyType.MAXIMUM_VAULT_TIMEOUT -> {
+                this.organizationUserPolicyContext.role == OrganizationUserType.OWNER
            }

-            PolicyTypeJson.PASSWORD_GENERATOR,
-            PolicyTypeJson.REMOVE_UNLOCK_WITH_PIN,
-            PolicyTypeJson.RESTRICT_ITEM_TYPES,
-                -> {
-                false
-            }
+            PolicyType.PASSWORD_GENERATOR,
+            PolicyType.REMOVE_UNLOCK_WITH_PIN,
+            PolicyType.RESTRICTED_ITEM_TYPES,
+                -> false

            else -> {
-                (organization.type == OrganizationType.OWNER ||
-                    organization.type == OrganizationType.ADMIN) ||
-                    organization.permissions.shouldManagePolicies
+                this.organizationUserPolicyContext.role == OrganizationUserType.OWNER ||
+                    this.organizationUserPolicyContext.role == OrganizationUserType.ADMIN ||
+                    this.organizationShouldUsePolicies
            }
        }
 }
+
+private data class OrganizationPolicyData(
+    val organizationUserPolicyContext: OrganizationUserPolicyContext,
+    val organizationShouldUsePolicies: Boolean,
+)
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/SdkClientManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/SdkClientManager.kt
@@ -7,6 +7,13 @@ import com.bitwarden.sdk.Client
 */
 interface SdkClientManager {

+    /**
+     * Synchronously returns a [Client] that is unassociated with any user. It cannot be used for
+     * anything that performs a network requests. If the client is not yet ready, this will block
+     * until it is ready.
+     */
+    val globalClient: Client
+
    /**
     * Returns the cached [Client] instance for the given [userId], otherwise creates and caches
     * a new one and returns it.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/SdkClientManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/SdkClientManagerImpl.kt
@@ -1,17 +1,24 @@
 package com.x8bit.bitwarden.data.platform.manager

 import android.os.Build
+import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
+import com.bitwarden.core.data.util.concurrentMapOf
 import com.bitwarden.core.util.isBuildVersionAtLeast
 import com.bitwarden.data.manager.NativeLibraryManager
 import com.bitwarden.sdk.Client
 import com.x8bit.bitwarden.data.platform.manager.sdk.SdkPlatformApiFactory
 import com.x8bit.bitwarden.data.platform.manager.sdk.SdkRepositoryFactory
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Deferred
+import kotlinx.coroutines.async
+import kotlinx.coroutines.runBlocking

 /**
 * Primary implementation of [SdkClientManager].
 */
 class SdkClientManagerImpl(
    nativeLibraryManager: NativeLibraryManager,
+    dispatcherManager: DispatcherManager,
    sdkRepoFactory: SdkRepositoryFactory,
    sdkPlatformApiFactory: SdkPlatformApiFactory,
    private val featureFlagManager: FeatureFlagManager,
@@ -38,7 +45,9 @@ class SdkClientManagerImpl(
            }
    },
 ) : SdkClientManager {
-    private val userIdToClientMap = mutableMapOf<String, Client>()
+    private val userIdToClientMap = concurrentMapOf<String, Client>()
+    private val ioScope = CoroutineScope(context = dispatcherManager.io)
+    private val globalClientDeferred: Deferred<Client>

    init {
        // The SDK requires access to Android APIs that were not made public until API 31. In order
@@ -47,8 +56,13 @@ class SdkClientManagerImpl(
        if (!isBuildVersionAtLeast(Build.VERSION_CODES.S)) {
            nativeLibraryManager.loadLibrary("bitwarden_uniffi")
        }
+        // Initialize this now, so that we can access it synchronously later on.
+        globalClientDeferred = ioScope.async { clientProvider(null, null) }
    }

+    override val globalClient: Client
+        get() = runBlocking { globalClientDeferred.await() }
+
    override suspend fun getOrCreateClient(
        userId: String,
    ): Client = userIdToClientMap.getOrPut(key = userId) { clientProvider(userId, null) }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/di/PlatformManagerModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/di/PlatformManagerModule.kt
@@ -19,6 +19,7 @@ import com.bitwarden.network.model.BitwardenServiceClientConfig
 import com.bitwarden.network.service.EventService
 import com.bitwarden.network.service.PushService
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
+import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.manager.AddTotpItemFromAuthenticatorManager
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityEnabledManager
@@ -74,6 +75,8 @@ import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManage
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManagerImpl
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkCookieManager
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkCookieManagerImpl
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkPermissionManager
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkPermissionManagerImpl
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManager
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManagerImpl
 import com.x8bit.bitwarden.data.platform.manager.sdk.SdkPlatformApiFactory
@@ -89,6 +92,7 @@ import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
+import com.x8bit.bitwarden.ui.platform.manager.resource.ResourceManager
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -217,11 +221,13 @@ object PlatformManagerModule {
    @Provides
    @Singleton
    fun provideSdkClientManager(
+        dispatcherManager: DispatcherManager,
        featureFlagManager: FeatureFlagManager,
        nativeLibraryManager: NativeLibraryManager,
        sdkRepositoryFactory: SdkRepositoryFactory,
        sdkPlatformApiFactory: SdkPlatformApiFactory,
    ): SdkClientManager = SdkClientManagerImpl(
+        dispatcherManager = dispatcherManager,
        featureFlagManager = featureFlagManager,
        nativeLibraryManager = nativeLibraryManager,
        sdkRepoFactory = sdkRepositoryFactory,
@@ -259,8 +265,12 @@ object PlatformManagerModule {
    @Singleton
    fun providePolicyManager(
        authDiskSource: AuthDiskSource,
+        authSdkSource: AuthSdkSource,
+        featureFlagManager: FeatureFlagManager,
    ): PolicyManager = PolicyManagerImpl(
        authDiskSource = authDiskSource,
+        authSdkSource = authSdkSource,
+        featureFlagManager = featureFlagManager,
    )

    @Provides
@@ -439,12 +449,24 @@ object PlatformManagerModule {
    @Provides
    @Singleton
    fun provideNetworkCookieManager(
+        resourceManager: ResourceManager,
        configDiskSource: ConfigDiskSource,
        cookieDiskSource: CookieDiskSource,
        cookieAcquisitionRequestManager: CookieAcquisitionRequestManager,
    ): NetworkCookieManager = NetworkCookieManagerImpl(
+        resourceManager = resourceManager,
        configDiskSource = configDiskSource,
        cookieDiskSource = cookieDiskSource,
        cookieAcquisitionRequestManager = cookieAcquisitionRequestManager,
    )
+
+    @Provides
+    @Singleton
+    fun provideNetworkPermissionManager(
+        @ApplicationContext context: Context,
+        resourceManager: ResourceManager,
+    ): NetworkPermissionManager = NetworkPermissionManagerImpl(
+        context = context,
+        resourceManager = resourceManager,
+    )
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SpecialCircumstance.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/SpecialCircumstance.kt
@@ -5,9 +5,9 @@ import androidx.credentials.CredentialManager
 import com.bitwarden.cxf.model.ImportCredentialsRequestData
 import com.bitwarden.ui.platform.manager.share.model.ShareData
 import com.bitwarden.ui.platform.model.TotpData
-import com.x8bit.bitwarden.data.billing.util.PremiumCheckoutCallbackResult
 import com.x8bit.bitwarden.data.autofill.model.AutofillSaveItem
 import com.x8bit.bitwarden.data.autofill.model.AutofillSelectionData
+import com.x8bit.bitwarden.data.billing.util.PremiumCheckoutCallbackResult
 import com.x8bit.bitwarden.data.credentials.model.CreateCredentialRequest
 import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionRequest
 import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
@@ -144,6 +144,13 @@ sealed class SpecialCircumstance : Parcelable {
        val callbackResult: PremiumCheckoutCallbackResult,
    ) : SpecialCircumstance()

+    /**
+     * The user has returned from the Stripe customer portal (launched to manage or cancel their
+     * subscription). The close of the portal is the only signal — there is no callback payload.
+     */
+    @Parcelize
+    data object StripePortal : SpecialCircumstance()
+
    /**
     * The app was launched to select an account to export credentials from.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkCookieManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkCookieManagerImpl.kt
@@ -2,11 +2,13 @@ package com.x8bit.bitwarden.data.platform.manager.network

 import com.bitwarden.data.datasource.disk.ConfigDiskSource
 import com.bitwarden.network.model.NetworkCookie
+import com.bitwarden.ui.platform.resource.BitwardenString
 import com.x8bit.bitwarden.data.platform.datasource.disk.CookieDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.CookieConfigurationData
 import com.x8bit.bitwarden.data.platform.manager.CookieAcquisitionRequestManager
 import com.x8bit.bitwarden.data.platform.manager.model.CookieAcquisitionRequest
 import com.x8bit.bitwarden.data.platform.manager.util.toNetworkCookieList
+import com.x8bit.bitwarden.ui.platform.manager.resource.ResourceManager
 import timber.log.Timber

 private const val BOOTSTRAP_TYPE_SSO_COOKIE_VENDOR = "ssoCookieVendor"
@@ -15,6 +17,7 @@ private const val BOOTSTRAP_TYPE_SSO_COOKIE_VENDOR = "ssoCookieVendor"
 * Default implementation of [NetworkCookieManager].
 */
 class NetworkCookieManagerImpl(
+    private val resourceManager: ResourceManager,
    private val configDiskSource: ConfigDiskSource,
    private val cookieDiskSource: CookieDiskSource,
    private val cookieAcquisitionRequestManager: CookieAcquisitionRequestManager,
@@ -32,6 +35,12 @@ class NetworkCookieManagerImpl(
            ?.takeIf { it.type == BOOTSTRAP_TYPE_SSO_COOKIE_VENDOR }
            ?.cookieDomain

+    override val errorMessageString: String
+        get() = resourceManager.getString(
+            resId = BitwardenString
+                .your_request_was_interrupted_because_the_app_needed_to_reauthenticate,
+        )
+
    override fun needsBootstrap(hostname: String): Boolean {
        val result = configDiskSource
            .serverConfig
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkPermissionManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkPermissionManager.kt
@@ -0,0 +1,21 @@
+package com.x8bit.bitwarden.data.platform.manager.network
+
+import com.bitwarden.network.provider.PermissionProvider
+import kotlinx.coroutines.flow.StateFlow
+
+/**
+ * A manager class for handling network permissions.
+ */
+interface NetworkPermissionManager : PermissionProvider {
+    /**
+     * StateFlow indicating if local network access is being requested at this moment.
+     *
+     * Emits `true` when local network access is required, `false` otherwise.
+     */
+    val isLocalNetworkAccessRequiredStateFlow: StateFlow<Boolean>
+
+    /**
+     * Sets the local network access required state to `false`.
+     */
+    fun clearIsLocalNetworkAccessRequired()
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkPermissionManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/network/NetworkPermissionManagerImpl.kt
@@ -0,0 +1,49 @@
+package com.x8bit.bitwarden.data.platform.manager.network
+
+import android.Manifest
+import android.content.Context
+import android.content.pm.PackageManager
+import android.os.Build
+import androidx.core.content.ContextCompat
+import com.bitwarden.core.util.isBuildVersionAtLeast
+import com.bitwarden.ui.platform.resource.BitwardenString
+import com.x8bit.bitwarden.ui.platform.manager.resource.ResourceManager
+import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.flow.StateFlow
+
+/**
+ * The default implementation of [NetworkPermissionManager].
+ */
+internal class NetworkPermissionManagerImpl(
+    private val context: Context,
+    private val resourceManager: ResourceManager,
+) : NetworkPermissionManager {
+    private val mutableIsLocalNetworkAccessRequiredStateFlow = MutableStateFlow(value = false)
+
+    override val errorMessageString: String
+        get() = resourceManager.getString(
+            resId = BitwardenString
+                .your_request_was_interrupted_because_the_app_needs_local_network_access,
+        )
+
+    override val hasLocalNetworkAccessPermission: Boolean
+        get() = if (isBuildVersionAtLeast(version = Build.VERSION_CODES.CINNAMON_BUN)) {
+            ContextCompat.checkSelfPermission(
+                context,
+                Manifest.permission.ACCESS_LOCAL_NETWORK,
+            ) == PackageManager.PERMISSION_GRANTED
+        } else {
+            true
+        }
+
+    override val isLocalNetworkAccessRequiredStateFlow: StateFlow<Boolean> =
+        mutableIsLocalNetworkAccessRequiredStateFlow
+
+    override fun acquireLocalNetworkAccessPermission() {
+        mutableIsLocalNetworkAccessRequiredStateFlow.value = true
+    }
+
+    override fun clearIsLocalNetworkAccessRequired() {
+        mutableIsLocalNetworkAccessRequiredStateFlow.value = false
+    }
+}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/util/PolicyManagerExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/util/PolicyManagerExtensions.kt
@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.platform.manager.util

-import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.policies.PolicyType
 import com.x8bit.bitwarden.data.auth.repository.model.PolicyInformation
 import com.x8bit.bitwarden.data.auth.repository.util.policyInformation
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
@@ -12,7 +12,7 @@ import kotlinx.coroutines.flow.map
 */
 inline fun <reified T : PolicyInformation> PolicyManager.getActivePolicies(): List<T> =
    this
-        .getActivePolicies(type = getPolicyTypeJson<T>())
+        .getActivePolicies(type = getPolicyType<T>())
        .mapNotNull { it.policyInformation as? T }

 /**
@@ -20,21 +20,21 @@ inline fun <reified T : PolicyInformation> PolicyManager.getActivePolicies(): Li
 */
 inline fun <reified T : PolicyInformation> PolicyManager.getActivePoliciesFlow(): Flow<List<T>> =
    this
-        .getActivePoliciesFlow(type = getPolicyTypeJson<T>())
+        .getActivePoliciesFlow(type = getPolicyType<T>())
        .map { policies ->
            policies.mapNotNull { policy -> policy.policyInformation as? T }
        }

 /**
- * Helper method for mapping a specific [PolicyInformation] type to its [PolicyTypeJson]
+ * Helper method for mapping a specific [PolicyInformation] type to its [PolicyType]
 * counterpart.
 */
-inline fun <reified T : PolicyInformation> getPolicyTypeJson(): PolicyTypeJson =
+inline fun <reified T : PolicyInformation> getPolicyType(): PolicyType =
    when (T::class.java) {
-        PolicyInformation.MasterPassword::class.java -> PolicyTypeJson.MASTER_PASSWORD
-        PolicyInformation.PasswordGenerator::class.java -> PolicyTypeJson.PASSWORD_GENERATOR
-        PolicyInformation.SendOptions::class.java -> PolicyTypeJson.SEND_OPTIONS
-        PolicyInformation.VaultTimeout::class.java -> PolicyTypeJson.MAXIMUM_VAULT_TIMEOUT
+        PolicyInformation.MasterPassword::class.java -> PolicyType.MASTER_PASSWORD
+        PolicyInformation.PasswordGenerator::class.java -> PolicyType.PASSWORD_GENERATOR
+        PolicyInformation.SendOptions::class.java -> PolicyType.SEND_OPTIONS
+        PolicyInformation.VaultTimeout::class.java -> PolicyType.MAXIMUM_VAULT_TIMEOUT

        else -> {
            throw IllegalStateException(
@@ -43,9 +43,10 @@ inline fun <reified T : PolicyInformation> getPolicyTypeJson(): PolicyTypeJson =
            )
        }
    }
+
 /**
 * Helper method for verifying if user has enabled the restrict item policy.
 */
 fun PolicyManager.hasRestrictItemTypes(): Boolean =
-    getActivePolicies(type = PolicyTypeJson.RESTRICT_ITEM_TYPES)
-        .any { it.isEnabled }
+    getActivePolicies(type = PolicyType.RESTRICTED_ITEM_TYPES)
+        .any { it.enabled }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/AuthenticatorBridgeRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/AuthenticatorBridgeRepositoryImpl.kt
@@ -10,9 +10,7 @@ import com.bitwarden.core.data.util.flatMap
 import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
-import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
-import com.x8bit.bitwarden.data.platform.repository.util.sanitizeTotpUri
 import com.x8bit.bitwarden.data.vault.datasource.disk.VaultDiskSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.ScopedVaultSdkSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.InitializeCryptoResult
@@ -104,11 +102,6 @@ class AuthenticatorBridgeRepositoryImpl(
                                decryptedCipher.login?.totp?.let { rawTotp ->
                                    SharedAccountData.CipherData(
                                        uri = rawTotp,
-                                        // TODO: PM-34085 Remove the legacyUri.
-                                        legacyUri = rawTotp.sanitizeTotpUri(
-                                            issuer = cipherName,
-                                            username = username,
-                                        ),
                                        id = cipherId,
                                        name = cipherName,
                                        username = username,
@@ -141,20 +134,17 @@ class AuthenticatorBridgeRepositoryImpl(
        account: AccountJson,
        decryptedUserKey: String,
    ): VaultUnlockResult {
-        val accountKeys = authDiskSource.getAccountKeys(userId = userId)
-        val privateKey = accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
-            ?: authDiskSource.getPrivateKey(userId = userId)
+        val accountCryptographicState = authDiskSource
+            .getAccountCryptographicState(userId = userId)
            ?: return VaultUnlockResult.InvalidStateError(
-                MissingPropertyException("Private key"),
+                error = MissingPropertyException("Account Cryptographic State"),
            )

        return scopedVaultSdkSource
            .initializeCrypto(
                userId = userId,
                request = InitUserCryptoRequest(
-                    accountCryptographicState = accountKeys.toAccountCryptographicState(
-                        privateKey = privateKey,
-                    ),
+                    accountCryptographicState = accountCryptographicState,
                    userId = userId,
                    kdfParams = account.profile.toSdkParams(),
                    email = account.profile.email,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepository.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepository.kt
@@ -187,6 +187,16 @@ interface SettingsRepository : FlightRecorderManager {
     */
    val isScreenCaptureAllowedStateFlow: StateFlow<Boolean>

+    /**
+     * Whether the accessibility disclaimer has been displayed to the user.
+     */
+    val hasShownAccessibilityDisclaimerFlow: StateFlow<Boolean>
+
+    /**
+     * Stores that the accessibility disclaimer has been displayed to the user.
+     */
+    fun accessibilityDisclaimerHasBeenShown()
+
    /**
     * Disables autofill if it is currently enabled.
     */
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepositoryImpl.kt
@@ -4,8 +4,8 @@ import android.view.autofill.AutofillManager
 import com.bitwarden.authenticatorbridge.util.generateSecretKey
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.data.manager.flightrecorder.FlightRecorderManager
-import com.bitwarden.network.model.PolicyTypeJson
-import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.policies.PolicyType
+import com.bitwarden.policies.PolicyView
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
 import com.x8bit.bitwarden.BuildConfig
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
@@ -372,13 +372,27 @@ class SettingsRepositoryImpl(
                initialValue = isScreenCaptureAllowed,
            )

+    override val hasShownAccessibilityDisclaimerFlow: StateFlow<Boolean>
+        get() = settingsDiskSource
+            .hasShownAccessibilityDisclaimerFlow
+            .map { it ?: false }
+            .stateIn(
+                scope = unconfinedScope,
+                started = SharingStarted.Lazily,
+                initialValue = settingsDiskSource.hasShownAccessibilityDisclaimer ?: false,
+            )
+
    init {
        policyManager
-            .getActivePoliciesFlow(type = PolicyTypeJson.MAXIMUM_VAULT_TIMEOUT)
+            .getActivePoliciesFlow(type = PolicyType.MAXIMUM_VAULT_TIMEOUT)
            .onEach { updateVaultUnlockSettingsIfNecessary(it) }
            .launchIn(unconfinedScope)
    }

+    override fun accessibilityDisclaimerHasBeenShown() {
+        settingsDiskSource.hasShownAccessibilityDisclaimer = true
+    }
+
    override fun disableAutofill() {
        autofillManager.disableAutofillServices()

@@ -676,7 +690,7 @@ class SettingsRepositoryImpl(
     * settings to determine whether to update the user's settings.
     */
    private fun updateVaultUnlockSettingsIfNecessary(
-        policies: List<SyncResponseJson.Policy>,
+        policies: List<PolicyView>,
    ) {
        // The vault timeout policy can only be implemented in organizations that have
        // the single organization policy, meaning that if this is enabled, the user is
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/util/TotpUriSanitizer.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/util/TotpUriSanitizer.kt
@@ -1,75 +0,0 @@
-package com.x8bit.bitwarden.data.platform.repository.util
-
-import java.net.URLEncoder
-
-private const val OTPAUTH_PREFIX = "otpauth://totp/"
-private const val STEAM_PREFIX = "steam://"
-
-/**
- * Utility for ensuring that a given TOTP string is a properly formatted otpauth:// or steam:// URI.
- * If the input TOTP is already a valid URI, it is returned as-is.
- * If the TOTP is manually entered and does not follow the URI format,
- * this function reconstructs it using the provided issuer and username.
- *
- * Uses this as a guide for format
- * https://github.com/google/google-authenticator/wiki/Key-Uri-Format
- *
- * Replace spaces (+) with %20, and encode the label and issuer (per the above link)
- * https://datatracker.ietf.org/doc/html/rfc5234
- * */
-fun String?.sanitizeTotpUri(
-    issuer: String?,
-    username: String?,
-): String? {
-    if (this.isNullOrBlank()) return null
-
-    return if (this.startsWith(OTPAUTH_PREFIX) || this.startsWith(STEAM_PREFIX)) {
-        // ✅ Already a valid TOTP or Steam URI, return as-is.
-        this
-    } else {
-        // ❌ Manually entered secret, reconstruct as otpauth://totp/ URI.
-
-        // Trim spaces from issuer and username
-        val trimmedIssuer = issuer
-            ?.trim()
-            ?.takeIf { it.isNotEmpty() }
-
-        val trimmedUsername = username
-            ?.trim()
-            ?.takeIf { it.isNotEmpty() }
-
-        // Determine raw label correctly (avoid empty `:` issue)
-        val rawLabel = if (trimmedIssuer != null && trimmedUsername != null) {
-            "$trimmedIssuer:$trimmedUsername"
-        } else {
-            trimmedUsername
-        }
-
-        // Encode label only if it's not empty
-        val encodedLabel = rawLabel
-            ?.let {
-                URLEncoder
-                    .encode(it, "UTF-8")
-                    .replace("+", "%20")
-            }
-            .orEmpty()
-
-        // Encode issuer separately for the query parameter
-        val encodedIssuer = trimmedIssuer?.let {
-            URLEncoder
-                .encode(it, "UTF-8")
-                .replace("+", "%20")
-        }
-
-        // Construct the issuer query parameter.
-        val issuerParameter = encodedIssuer
-            ?.let { "&issuer=$it" }
-            .orEmpty()
-
-        // Remove spaces from the manually entered secret
-        val sanitizedSecret = this.filterNot { it.isWhitespace() }
-
-        // Construct final TOTP URI
-        "$OTPAUTH_PREFIX$encodedLabel?secret=$sanitizedSecret$issuerParameter"
-    }
-}
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/EnvironmentUrlDataJsonExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/EnvironmentUrlDataJsonExtensions.kt
@@ -23,23 +23,23 @@ private fun EnvironmentUrlDataJson.authTabData(
    kind: String,
 ): AuthTabData = when (this.environmentRegion) {
    EnvironmentRegion.UNITED_STATES -> {
-        // TODO: PM-26577 Update this to use a "HttpsScheme"
-        AuthTabData.CustomScheme(
-            callbackUrl = "bitwarden://$kind-callback",
+        AuthTabData.HttpsScheme(
+            host = "bitwarden.com",
+            path = "$kind-callback",
        )
    }

    EnvironmentRegion.EUROPEAN_UNION -> {
-        // TODO: PM-26577 Update this to use a "HttpsScheme"
-        AuthTabData.CustomScheme(
-            callbackUrl = "bitwarden://$kind-callback",
+        AuthTabData.HttpsScheme(
+            host = "bitwarden.eu",
+            path = "$kind-callback",
        )
    }

    EnvironmentRegion.INTERNAL -> {
-        // TODO: PM-26577 Update this to use a "HttpsScheme"
-        AuthTabData.CustomScheme(
-            callbackUrl = "bitwarden://$kind-callback",
+        AuthTabData.HttpsScheme(
+            host = "bitwarden.pw",
+            path = "$kind-callback",
        )
    }

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/ThrowableExtensions.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/util/ThrowableExtensions.kt
@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.platform.util

 import com.bitwarden.network.exception.CookieRedirectException
+import com.bitwarden.network.exception.LocalNetworkAccessException

 /**
 * Returns a user-friendly error message if this [Throwable] is an allow-listed
@@ -8,6 +9,7 @@ import com.bitwarden.network.exception.CookieRedirectException
 */
 val Throwable.userFriendlyMessage: String?
    get() = when (this) {
+        is LocalNetworkAccessException -> message
        is CookieRedirectException -> message
        else -> null
    }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/datasource/sdk/GeneratorSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/datasource/sdk/GeneratorSdkSourceImpl.kt
@@ -1,11 +1,13 @@
 package com.x8bit.bitwarden.data.tools.generator.datasource.sdk

+import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.generators.PassphraseGeneratorRequest
 import com.bitwarden.generators.PasswordGeneratorRequest
 import com.bitwarden.generators.UsernameGeneratorRequest
 import com.bitwarden.sdk.GeneratorClients
 import com.x8bit.bitwarden.data.platform.datasource.sdk.BaseSdkSource
 import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
+import kotlinx.coroutines.withContext

 /**
 * Implementation of [GeneratorSdkSource] that delegates password generation.
@@ -14,6 +16,7 @@ import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
 * [GeneratorClients] provided by the Bitwarden SDK.
 */
 class GeneratorSdkSourceImpl(
+    private val dispatcherManager: DispatcherManager,
    sdkClientManager: SdkClientManager,
 ) : BaseSdkSource(sdkClientManager = sdkClientManager),
    GeneratorSdkSource {
@@ -51,6 +54,8 @@ class GeneratorSdkSourceImpl(
    override suspend fun generateForwardedServiceEmail(
        request: UsernameGeneratorRequest.Forwarded,
    ): Result<String> = runCatchingWithLogs {
-        useClient { generators().username(request) }
+        withContext(context = dispatcherManager.io) {
+            useClient { generators().username(request) }
+        }
    }
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/datasource/sdk/di/GeneratorSdkModule.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/datasource/sdk/di/GeneratorSdkModule.kt
@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.tools.generator.datasource.sdk.di

+import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
 import com.x8bit.bitwarden.data.tools.generator.datasource.sdk.GeneratorSdkSource
 import com.x8bit.bitwarden.data.tools.generator.datasource.sdk.GeneratorSdkSourceImpl
@@ -19,6 +20,10 @@ object GeneratorSdkModule {
    @Provides
    @Singleton
    fun provideGeneratorSdkSource(
+        dispatcherManager: DispatcherManager,
        sdkClientManager: SdkClientManager,
-    ): GeneratorSdkSource = GeneratorSdkSourceImpl(sdkClientManager = sdkClientManager)
+    ): GeneratorSdkSource = GeneratorSdkSourceImpl(
+        dispatcherManager = dispatcherManager,
+        sdkClientManager = sdkClientManager,
+    )
 }
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/repository/GeneratorRepositoryImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/tools/generator/repository/GeneratorRepositoryImpl.kt
@@ -38,7 +38,6 @@ import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.onStart
 import kotlinx.coroutines.flow.receiveAsFlow
 import kotlinx.coroutines.launch
-import kotlinx.coroutines.withContext
 import java.time.Clock
 import javax.inject.Singleton

@@ -193,8 +192,9 @@ class GeneratorRepositoryImpl(

    override suspend fun generateForwardedServiceUsername(
        forwardedServiceGeneratorRequest: UsernameGeneratorRequest.Forwarded,
-    ): GeneratedForwardedServiceUsernameResult = withContext(scope.coroutineContext) {
-        generatorSdkSource.generateForwardedServiceEmail(forwardedServiceGeneratorRequest)
+    ): GeneratedForwardedServiceUsernameResult =
+        generatorSdkSource
+            .generateForwardedServiceEmail(forwardedServiceGeneratorRequest)
            .fold(
                onSuccess = { generatedEmail ->
                    GeneratedForwardedServiceUsernameResult.Success(generatedEmail)
@@ -203,7 +203,6 @@ class GeneratorRepositoryImpl(
                    GeneratedForwardedServiceUsernameResult.InvalidRequest(it.message, error = it)
                },
            )
-    }

    override fun getPasscodeGenerationOptions(): PasscodeGenerationOptions? {
        val userId = authDiskSource.userState?.activeUserId
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceImpl.kt
@@ -4,6 +4,7 @@ import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
 import com.bitwarden.core.data.util.decodeFromStringWithErrorCallback
 import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.ui.platform.base.util.orNullIfBlank
 import com.x8bit.bitwarden.data.vault.datasource.disk.dao.CiphersDao
 import com.x8bit.bitwarden.data.vault.datasource.disk.dao.CollectionsDao
 import com.x8bit.bitwarden.data.vault.datasource.disk.dao.DomainsDao
@@ -134,7 +135,7 @@ class VaultDiskSourceImpl(
                .filter {
                    // A safety-check since after the DB migration, we will temporarily think
                    // all ciphers contain a totp code
-                    it.login?.totp != null
+                    it.login?.totp.orNullIfBlank() != null
                }
        }
    }
@@ -166,7 +167,7 @@ class VaultDiskSourceImpl(
                CipherEntity(
                    id = cipher.id,
                    userId = userId,
-                    hasTotp = cipher.login?.totp != null,
+                    hasTotp = cipher.login?.totp.orNullIfBlank() != null,
                    cipherType = json.encodeToString(cipher.type),
                    cipherJson = json.encodeToString(cipher),
                    organizationId = cipher.organizationId,
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/ScopedVaultSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/ScopedVaultSdkSourceImpl.kt
@@ -21,6 +21,7 @@ class ScopedVaultSdkSourceImpl(
    sdkPlatformApiFactory: SdkPlatformApiFactory,
    vaultSdkSource: VaultSdkSource = VaultSdkSourceImpl(
        sdkClientManager = SdkClientManagerImpl(
+            dispatcherManager = dispatcherManager,
            // We do not want to have the real NativeLibraryManager used here to avoid
            // initializing the library twice.
            nativeLibraryManager = object : NativeLibraryManager {
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt
@@ -190,9 +190,9 @@ class VaultSdkSourceImpl(
    ): Result<InitializeCryptoResult> =
        runCatchingWithLogs {
            try {
-                getClient(userId = userId)
-                    .crypto()
-                    .initializeUserCrypto(req = request)
+                withContext(context = dispatcherManager.io) {
+                    getClient(userId = userId).crypto().initializeUserCrypto(req = request)
+                }
                InitializeCryptoResult.Success
            } catch (exception: BitwardenException) {
                // The only truly expected error from the SDK is an incorrect key/password.
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManager.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManager.kt
@@ -130,7 +130,6 @@ interface CipherManager {
     */
    suspend fun updateCipherCollections(
        cipherId: String,
-        cipherView: CipherView,
        collectionIds: List<String>,
    ): ShareCipherResult

--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt
@@ -442,7 +442,6 @@ class CipherManagerImpl(

    override suspend fun updateCipherCollections(
        cipherId: String,
-        cipherView: CipherView,
        collectionIds: List<String>,
    ): ShareCipherResult {
        val userId = activeUserId ?: return ShareCipherResult.Error(error = NoActiveUserException())
@@ -451,17 +450,18 @@ class CipherManagerImpl(
                cipherId = cipherId,
                body = UpdateCipherCollectionsJsonRequest(collectionIds = collectionIds),
            )
-            .flatMap {
-                vaultSdkSource.encryptCipher(
-                    userId = userId,
-                    cipherView = cipherView.copy(collectionIds = collectionIds),
-                )
-            }
-            .onSuccess { encryptionContext ->
-                vaultDiskSource.saveCipher(
-                    userId = userId,
-                    cipher = encryptionContext.toEncryptedNetworkCipherResponse(),
-                )
+            .onSuccess { response ->
+                response
+                    .cipher
+                    ?.let {
+                        // Save the updated cipher to disk.
+                        vaultDiskSource.saveCipher(userId = userId, cipher = it)
+                    }
+                    ?: run {
+                        // The user no longer has any collection access to the cipher after
+                        // the update, so remove it from disk.
+                        vaultDiskSource.deleteCipher(userId = userId, cipherId = cipherId)
+                    }
            }
            .fold(
                onSuccess = { ShareCipherResult.Success },
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt
@@ -28,7 +28,6 @@ import com.x8bit.bitwarden.data.auth.manager.UserLogoutManager
 import com.x8bit.bitwarden.data.auth.repository.model.LogoutReason
 import com.x8bit.bitwarden.data.auth.repository.model.UpdateKdfMinimumsResult
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
-import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
 import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokens
 import com.x8bit.bitwarden.data.auth.repository.util.userSwitchingChangesFlow
@@ -675,17 +674,14 @@ class VaultLockManagerImpl(
    ): VaultUnlockResult {
        val account = authDiskSource.userState?.accounts?.get(userId)
            ?: return VaultUnlockResult.InvalidStateError(error = NoActiveUserException())
-        val accountKeys = authDiskSource.getAccountKeys(userId = userId)
-        val privateKey = accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
-            ?: authDiskSource.getPrivateKey(userId = userId)
+        val accountCryptographicState = authDiskSource
+            .getAccountCryptographicState(userId = userId)
            ?: return VaultUnlockResult.InvalidStateError(
-                error = MissingPropertyException("Private key"),
+                error = MissingPropertyException("Account Cryptographic State"),
            )
        val organizationKeys = authDiskSource.getOrganizationKeys(userId = userId)
        return unlockVault(
-            accountCryptographicState = accountKeys.toAccountCryptographicState(
-                privateKey = privateKey,
-            ),
+            accountCryptographicState = accountCryptographicState,
            userId = userId,
            email = account.profile.email,
            kdf = account.profile.toSdkParams(),
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultMigrationManagerImpl.kt
@@ -8,10 +8,11 @@ import com.bitwarden.core.data.util.asFailure
 import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.flatMap
 import com.bitwarden.network.model.BulkShareCiphersJsonRequest
-import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.network.model.OrganizationStatusType
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.toCipherWithIdJsonRequest
 import com.bitwarden.network.service.CiphersService
+import com.bitwarden.policies.PolicyType
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
@@ -144,6 +145,7 @@ class VaultMigrationManagerImpl(

            val orgName = authDiskSource
                .getOrganizations(userId = userId)
+                ?.filter { it.status == OrganizationStatusType.CONFIRMED }
                ?.firstOrNull { it.id == orgId }
                ?.name
                ?: return@update VaultMigrationData.NoMigrationRequired
@@ -167,9 +169,7 @@ class VaultMigrationManagerImpl(
        hasPersonalCiphers: Boolean,
        isNetworkConnected: Boolean,
    ): Boolean =
-        policyManager
-            .getActivePolicies(PolicyTypeJson.PERSONAL_OWNERSHIP)
-            .any() &&
+        policyManager.getActivePolicies(PolicyType.ORGANIZATION_DATA_OWNERSHIP).any() &&
            featureFlagManager.getFeatureFlag(FlagKey.MigrateMyVaultToMyItems) &&
            isNetworkConnected &&
            hasPersonalCiphers
--- a/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultSyncManagerImpl.kt
+++ b/app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultSyncManagerImpl.kt
@@ -7,6 +7,7 @@ import com.bitwarden.core.data.repository.model.DataState
 import com.bitwarden.core.data.repository.util.combineDataStates
 import com.bitwarden.core.data.repository.util.map
 import com.bitwarden.core.data.repository.util.updateToPendingOrLoading
+import com.bitwarden.network.model.OrganizationStatusType
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.service.SyncService
 import com.bitwarden.network.util.isNoConnectionError
@@ -16,6 +17,7 @@ import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.manager.UserLogoutManager
 import com.x8bit.bitwarden.data.auth.manager.UserStateManager
 import com.x8bit.bitwarden.data.auth.repository.model.LogoutReason
+import com.x8bit.bitwarden.data.auth.repository.util.toAccountCryptographicState
 import com.x8bit.bitwarden.data.auth.repository.util.toUpdatedUserStateJson
 import com.x8bit.bitwarden.data.auth.repository.util.userSwitchingChangesFlow
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
@@ -376,9 +378,14 @@ class VaultSyncManagerImpl(
        val profile = syncResponse.profile
        val userId = profile.id
        authDiskSource.apply {
-            storeUserKey(userId = userId, userKey = profile.key)
-            storePrivateKey(userId = userId, privateKey = profile.privateKey)
-            storeAccountKeys(userId = userId, accountKeys = profile.accountKeys)
+            storeAccountCryptographicState(
+                userId = userId,
+                accountCryptographicState = profile.privateKeyOrNull()?.let {
+                    profile.accountKeys.toAccountCryptographicState(
+                        privateKey = it,
+                    )
+                },
+            )
            storeOrganizationKeys(
                userId = userId,
                organizationKeys = profile.organizations
@@ -469,6 +476,9 @@ class VaultSyncManagerImpl(
                                data = collections.sortAlphabeticallyByTypeAndOrganization(
                                    userOrganizations = authDiskSource
                                        .getOrganizations(userId = userId)
+                                        ?.filter { org ->
+                                            org.status == OrganizationStatusType.CONFIRMED
+                                        }
                                        .orEmpty(),
                                ),
                            )
@@ -536,6 +546,13 @@ class VaultSyncManagerImpl(
            ?: DataState.Loading
 }

+/**
+ * Convenience function to extract the private key from the [SyncResponseJson.Profile] response.
+ */
+private fun SyncResponseJson.Profile.privateKeyOrNull(): String? =
+    this.accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
+        ?: this.privateKey
+
 private fun <T> Throwable.toNetworkOrErrorState(
    data: T?,
 ): DataState<T> =
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
David Perez	f43d2fad4c	Create a Overlay Navigation Screen	2026-06-09 17:27:17 -05:00
David Perez	2c7eef2b8c	PM-38637: Bug: Add additional CRL distrobution server to clear-text permitted list (#7045 )	2026-06-09 20:36:41 +00:00
David Perez	c431fcba9b	Chore: Update the local app version (#7043 )	2026-06-09 16:44:20 +00:00
David Perez	2706c89302	Chore: Add a VaultUnlockResult helper method to handle successes (#7041 )	2026-06-09 16:41:30 +00:00
bw-ghapp[bot]	af665cbe82	Update SDK to 3.0.0-7338-5bdc976f (#7007 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-06-09 16:22:07 +00:00
David Perez	2572757cda	PM-38745: feat: Update accessibility UI (#7037 )	2026-06-09 14:31:49 +00:00
Corbet	fbed80c904	[QA-1911] Add testTag to Flight Recorder logging duration dropdown (#7040 )	2026-06-08 19:31:40 +00:00
David Perez	6930d077aa	PM-38625: Chore: Store the WrappedAccountCryptographicState (#7030 )	2026-06-08 16:31:52 +00:00
renovate[bot]	fbbbe578e5	[deps]: Update kotlin to v2.3.9 (#7034 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-08 15:24:34 +00:00
renovate[bot]	378f77a55b	[deps]: Update mockk to v1.14.11 (#7035 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-08 14:32:26 +00:00
bw-ghapp[bot]	b3cd24c6e9	Crowdin Pull (#7032 ) Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>	2026-06-08 14:15:01 +00:00
David Perez	b85e30fba2	PM-38610: Bug: Update BitwardenBasicDialog to allow scrolling content (#7028 )	2026-06-08 13:48:48 +00:00
David Perez	2022507cc0	PM-38618: Feat: Update Accessibility Service disclosure text (#7026 )	2026-06-05 21:15:33 +00:00
David Perez	c0caaf9ce9	PM-38513: Bug: Do not emit policies before we have recieved them (#7023 )	2026-06-05 18:06:20 +00:00
David Perez	fdeafd7388	PM-38587: Feat: Add accessibility service disclaimer at startup (#7018 )	2026-06-04 21:43:09 +00:00
David Perez	9b85e028f7	PM-38534: bug: Update LoginResult to use friendly error message (#7017 )	2026-06-04 16:12:21 +00:00
David Perez	0cd9c99fcf	BWA-252: bug: Empty string totp codes should not be counted as a totp code (#7015 )	2026-06-04 16:12:04 +00:00
David Perez	86cf21602c	PM-38280: Fix: Update collection API to V2 (#7014 )	2026-06-04 14:06:02 +00:00
Patrick Honkonen	c45ae58b0e	[PM-37571] chore: Remove unused isSdkSupported guard (#7011 )	2026-06-03 15:03:50 +00:00
Patrick Honkonen	d44212d9bd	[PM-38364] fix: Multiply subscription line-item cost by quantity (#7012 )	2026-06-03 14:18:56 +00:00
aikido-autofix[bot]	1c90dc242f	[AppSec] AI Fix for Template Injection in GitHub Workflows Action (#6784 ) Co-authored-by: aikido-autofix[bot] <119856028+aikido-autofix[bot]@users.noreply.github.com>	2026-06-02 21:33:45 +00:00
David Perez	22ad8ec78f	Chore: Add gradle lockfiles (#7008 )	2026-06-02 20:52:53 +00:00
Patrick Honkonen	b5a6ab0ac0	[PM-37571] feat: Map Passport and License to SDK types (#7009 )	2026-06-02 20:29:20 +00:00
David Perez	ecbceb8baf	PM-37887: Feat: Update the Key Connector vault unlock to use the SDK (#6999 )	2026-06-02 20:20:10 +00:00
David Perez	bd45d5f56a	PM-38479: Feat: Update the RemovePasswordScreen UI (#7010 )	2026-06-02 20:02:04 +00:00
David Perez	051b8b53d1	PM-38358: Chore: Remove user key (#7004 )	2026-06-02 19:15:47 +00:00
bw-ghapp[bot]	9c8b4891a1	Crowdin Pull (#7001 ) Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>	2026-06-02 18:10:30 +00:00
David Perez	5fd32ab391	Deps: Update the Gradle Wrapper to v9.5.1 (#7006 )	2026-06-02 15:46:02 +00:00
bw-ghapp[bot]	57a14f2785	Update SDK to 3.0.0-7198-7bca9fca (#6983 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-06-02 15:01:01 +00:00
Álison Fernandes	c18dd58c41	[PM-38411] tech-debt: Update deprecated argument in actions/create-github-app-token (#7003 )	2026-06-01 18:42:45 +00:00
David Perez	227359bc26	PM-26577: Feat: Support multiple schemes for Duo, WebAuthn, and SSO callbacks (#6339 )	2026-06-01 16:09:16 +00:00
github-actions[bot]	fa219f6963	Update Google privileged browsers list (#7000 ) Co-authored-by: GitHub Actions Bot <actions@github.com>	2026-06-01 13:57:13 +00:00
David Perez	a3bcff9463	PM-37911: Feat: Update Organization model (#6960 )	2026-05-29 18:07:10 +00:00
Patrick Honkonen	aca9949874	[PM-37920] fix: Show Storage cost row when additional storage is present (#6997 )	2026-05-29 17:26:21 +00:00
David Perez	217bfc1097	Chore: Move dispatcher for sdk functions into SDK sources (#6995 )	2026-05-29 16:58:10 +00:00
David Perez	a94978c8e2	Deps: Update Firebase BOM to v34.14.0 (#6996 )	2026-05-29 16:34:23 +00:00
David Perez	0a920d5800	Deps: Update the Compose BOM to v2026.05.01 (#6998 )	2026-05-29 16:34:10 +00:00
Patrick Honkonen	09f0f5b9bf	[PM-38263] fix: Reference invoices in past due subscription description (#6994 )	2026-05-29 15:19:28 +00:00
ifernandezdiaz	b57fb9c437	[QA-1826] Adding missing `testTags` for Authenticator/PM apps (#6993 )	2026-05-29 13:37:12 +00:00
aj-rosado	124ce37bc3	[PM-38118] fix: Support Firefox updated toolbar in accessibility autofill (#6986 )	2026-05-29 13:35:50 +00:00
Patrick Honkonen	e7e2c26bef	[PM-36970] fix: Correct Update Payment status description (#6988 )	2026-05-28 21:37:06 +00:00
Patrick Honkonen	c89a52e5d2	[PM-38279] fix: Hide Cancel Premium action for Update payment status (#6989 )	2026-05-28 21:14:09 +00:00
David Perez	fb955e903f	Deps: Update the protobuf library to v4.35.0 (#6985 )	2026-05-28 20:44:14 +00:00
Patrick Honkonen	230c8f769d	[PM-37181] feat: Surface Expired subscription substate (#6982 )	2026-05-28 20:37:50 +00:00
David Perez	8661dfaf2f	PM-38285: Feat: Filter unconfirmed organizations from the app (#6987 )	2026-05-28 19:48:07 +00:00
David Perez	a872db128b	Chore: Remove the Manager type from OrganizationType (#6984 )	2026-05-28 19:47:41 +00:00
Patrick Honkonen	40604d0ec0	[PM-37804] fix: Drop redundant Stripe checkout confirmation on Upgrade Now (#6980 )	2026-05-28 19:08:00 +00:00
bw-ghapp[bot]	0f4b3fb9f0	Update SDK to 3.0.0-7126-025e5d85 (#6976 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-05-28 10:38:48 +00:00
David Perez	a0edef99e6	PM-38140 Feat: SDK policy filters (#6979 )	2026-05-27 20:59:53 +00:00
Patrick Honkonen	cc6fcecc5b	[PM-37232] fix: Hide upgrade CTAs while a Premium upgrade is pending (#6978 )	2026-05-27 20:53:06 +00:00
David Perez	58408bcd77	PM-38130: Feat: Parse new organizations and policies properties from sync response (#6977 )	2026-05-27 09:52:12 +00:00
David Perez	3732672ab4	PM-37985: Feat: Use PolicyView in the app (#6966 )	2026-05-26 16:34:10 +00:00
renovate[bot]	b53d3fbd29	[deps]: Update com.google.devtools.ksp to v2.3.8 (#6971 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-26 15:08:30 +00:00
bw-ghapp[bot]	f0f1f91c62	Update SDK to 3.0.0-7068-a635e32d (#6967 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-05-26 14:48:57 +00:00
Patrick Honkonen	ecc47005fb	[PM-37282] feat: Add Upgrade to Premium CTA to File Send dialog (#6968 )	2026-05-26 14:40:15 +00:00
bw-ghapp[bot]	3fc5965a05	Crowdin Pull (#6969 ) Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>	2026-05-26 14:25:24 +00:00
Patrick Honkonen	8cd52a716f	[PM-37916] feat: Add titleExtraLarge typography and apply to Premium header (#6962 )	2026-05-22 20:00:40 +00:00
David Perez	7b94daf3ae	Chore: Update Policy Types to conform to known values (#6965 )	2026-05-22 19:42:23 +00:00
Patrick Honkonen	a5f7288208	[PM-37916] chore: Align Premium subscription card line items with Web (#6961 )	2026-05-22 18:45:57 +00:00
David Perez	c6a439a791	Deps: Update to Junit v6.1.0 (#6964 )	2026-05-22 17:51:54 +00:00
bw-ghapp[bot]	34ce0edc03	Update SDK to 3.0.0-7038-1a2acacb (#6956 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-05-22 15:11:49 +00:00
Patrick Honkonen	f4507384e9	llm: Add interface KDoc rule to implementing-android-code skill (#6963 )	2026-05-22 13:32:25 +00:00
Mick Letofsky	0005ed7a2f	PM-36952 - Improve code review workflow with added triggers (#6933 )	2026-05-22 12:56:03 +00:00
renovate[bot]	bf14dfbf40	[deps]: Lock file maintenance (#6904 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Álison Fernandes <vvolkgang@users.noreply.github.com>	2026-05-21 22:35:54 +00:00
renovate[bot]	fc2786d809	[deps]: Update gh minor (#6926 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Álison Fernandes <vvolkgang@users.noreply.github.com>	2026-05-21 22:23:57 +00:00
David Perez	c6bef627a2	Deps: Update Coroutines to v1.11.0 (#6959 )	2026-05-21 19:42:39 +00:00
aj-rosado	afe296c3db	[PM-37254] feat: Add fill-assist-targeting-rules feature flag (#6952 )	2026-05-21 16:28:27 +00:00
David Perez	e4fb873d34	PM-34085: Chore: Remove the Authenticator Sync backwards compatibility (#6928 )	2026-05-21 14:45:23 +00:00
Patrick Honkonen	50960456c5	[PM-37691] feat: Surface pending cancellation status on Premium plan view (#6957 )	2026-05-21 12:18:54 +00:00
David Perez	ebc3bd8081	PM-37568: Feat: Remove feature flags (#6955 )	2026-05-20 22:28:30 +00:00
Patrick Honkonen	8f72c10f8e	[PM-37804] feat: Confirm before leaving the app to Stripe checkout (#6958 )	2026-05-20 22:28:05 +00:00
Patrick Honkonen	c6746fb369	[PM-37814] feat: Add debug flag to disable self-host premium check (#6954 )	2026-05-20 21:44:07 +00:00
Patrick Honkonen	31011b5789	[PM-37289] fix: Refresh archive row after premium upgrade (#6949 )	2026-05-20 19:19:58 +00:00
Patrick Honkonen	a9048c6393	[PM-37810] fix: Update cancel premium confirmation dialog (#6953 )	2026-05-20 19:03:13 +00:00
Patrick Honkonen	9e27b950e8	[PM-37284] fix: Show Upgraded to Premium card across all Send view states (#6947 )	2026-05-20 18:00:32 +00:00
bw-ghapp[bot]	8940a2c490	Update SDK to 3.0.0-6963-1256a563 (#6921 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-05-20 16:55:41 +00:00
Patrick Honkonen	2eab66ecd3	[PM-37076] fix: Manage Plan launches web vault subscription URL (#6944 )	2026-05-20 16:39:08 +00:00
Patrick Honkonen	fce814d6bd	[PM-36886] fix: Gate premium upgrade flow on self-hosted environments (#6939 )	2026-05-20 15:29:31 +00:00
Patrick Honkonen	8002794c59	[PM-37294] fix: Announce external-link affordance on premium upgrade CTAs (#6951 )	2026-05-20 15:15:20 +00:00
David Perez	304c32e1a4	PM-37705: Feat: Hide Send navigation when DISABLE_SEND policy is enabled (#6945 )	2026-05-20 14:40:47 +00:00
Patrick Honkonen	cc210a5764	[PM-37335] fix: Route attachments upgrade CTA through in-app plan modal (#6946 )	2026-05-20 01:17:24 +00:00
Patrick Honkonen	5f3f9d186c	[PM-36969] feat: Surface subscription substate to premium gates (#6931 ) Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>	2026-05-19 22:17:12 +00:00
Álison Fernandes	6cf7227973	[PM-35435] ci: Stop applying Change Type labels based on changed files (#6925 )	2026-05-19 21:02:39 +00:00
aj-rosado	e949dd710a	[PM-33982] feat: Add device management screen (#6754 )	2026-05-19 19:40:13 +00:00
David Perez	6ccb9d9f3e	Bug: Update BitwardenDatePickerDialog to match current designs (#6943 )	2026-05-19 16:41:21 +00:00
David Perez	83a9d35e32	PM-37690: feat: Update copy for adding a new item (#6940 )	2026-05-18 21:30:11 +00:00
David Perez	5f415e2deb	chore: Remove background event interface from action (#6941 )	2026-05-18 21:29:06 +00:00
Patrick Honkonen	1f8280f76d	[PM-37465] fix: Gate Plan row and Upgraded card on personal Premium (#6930 )	2026-05-18 20:48:48 +00:00
David Perez	bc93d7c311	PM-37573: feat: Add DatePicker functionality to VaultAddEditScreen (#6937 )	2026-05-18 17:47:32 +00:00
Patrick Honkonen	fcc1eebab1	[PM-32806] feat: Add Passport vault, listing, and search surfaces (#6929 )	2026-05-18 17:27:00 +00:00
Patrick Honkonen	e2ab1f5663	Update MobilePremiumUpgrade feature flag key to lowercase (#6934 )	2026-05-18 16:33:28 +00:00
David Perez	11bdb07bde	PM-37573: Feat: Create DatePickerDialog (#6924 )	2026-05-18 15:00:14 +00:00
bw-ghapp[bot]	4108811349	Crowdin Pull (#6932 ) Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>	2026-05-18 13:55:25 +00:00
David Perez	38a5e6fe55	PM-36508: Chore: Local network access permission (#6916 )	2026-05-15 19:30:02 +00:00
David Perez	2f6a36ce1a	bug: Update Passport and License date formats in VaultItemScreen (#6927 )	2026-05-15 19:03:42 +00:00
Patrick Honkonen	484d326e14	[PM-32806] feat: Add Add/Edit support for Passport item type (#6923 )	2026-05-15 16:14:13 +00:00
renovate[bot]	cc06636276	[deps]: Update fastlane to v2.233.1 (#6902 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Álison Fernandes <vvolkgang@users.noreply.github.com>	2026-05-14 21:56:06 +00:00
Patrick Honkonen	d390272c0c	[PM-32806] feat: View Passport item type (#6853 )	2026-05-14 19:28:31 +00:00
David Perez	92845c6a4d	Bug: Fix CipherType crash (#6922 )	2026-05-14 19:27:06 +00:00
bw-ghapp[bot]	f002c2c070	deps: Update SDK to 3.0.0-6822-fe351b43 (#6912 ) Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>	2026-05-14 13:08:25 +00:00
renovate[bot]	4f2a364eec	[deps]: Update org.sonarqube to v7.3.0.8198 (#6903 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Álison Fernandes <vvolkgang@users.noreply.github.com>	2026-05-13 20:45:01 +00:00
David Perez	e4f030d0e3	Bug: Support translations for Cookie Acquisition error (#6917 )	2026-05-13 20:05:53 +00:00
Patrick Honkonen	8fe23ad275	[PM-32808] feat: Add Driver's License vault, listing, and search surfaces (#6909 )	2026-05-13 19:22:02 +00:00