PM-19498: Update cipher migration logic (#4921)

Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>

.checkmarx/config.yml

@@ -8,4 +8,4 @@ checkmarx:
     configs:
       sast:
         # Exclude test directories
-        filter: "!app/src/test/**"
+        filter: "**/test/**,!**/androidTest/**,!**/commonTest/**,!**/jvmTest/**,!**/jsTest/**,!**/iosTest/**"

.editorconfig

@@ -12,127 +12,20 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-guidelines = 120
-
-# Code files
-[*.{cs,csx,vb,vbx}]
-indent_size = 4
-
-# Xml project files
-[*.{csproj,vbproj,vcxproj,vcxproj.filters,proj,projitems,shproj}]
-indent_size = 2
-
-# Xml config files
-[*.{props,targets,ruleset,config,nuspec,resx,vsixmanifest,vsct}]
-indent_size = 2
 
 # JSON files
 [*.json]
 indent_size = 2
 
-# JS files
-[*.{js,ts,scss,html}]
+# Kotlin files
+# noinspection EditorConfigKeyCorrectness
+[*.{kt,kts}]
+# https://pinterest.github.io/ktlint/1.0.1/rules/configuration-ktlint/#trailing-comma-on-declaration-site
+ij_kotlin_allow_trailing_comma = true
+# https://pinterest.github.io/ktlint/1.0.1/rules/configuration-ktlint/#trailing-comma-on-declaration-site
+trailing-comma-on-declaration-site = true
+# https://pinterest.github.io/ktlint/1.0.1/rules/configuration-ktlint/#trailing-comma-on-call-site
+ij_kotlin_allow_trailing_comma_on_call_site = true
+
+[*.{scss,yml}]
 indent_size = 2
-
-[*.{ts}]
-quote_type = single
-
-[*.{scss,yml,csproj}]
-indent_size = 2
-
-[*.sln]
-indent_style = tab
-
-# Dotnet code style settings:
-[*.{cs,vb}]
-# Sort using and Import directives with System.* appearing first
-dotnet_sort_system_directives_first = true
-# Avoid "this." and "Me." if not necessary
-dotnet_style_qualification_for_field = false:suggestion
-dotnet_style_qualification_for_property = false:suggestion
-dotnet_style_qualification_for_method = false:suggestion
-dotnet_style_qualification_for_event = false:suggestion
-
-# Use language keywords instead of framework type names for type references
-dotnet_style_predefined_type_for_locals_parameters_members = true:suggestion
-dotnet_style_predefined_type_for_member_access = true:suggestion
-
-# Suggest more modern language features when available
-dotnet_style_object_initializer = true:suggestion
-dotnet_style_collection_initializer = true:suggestion
-dotnet_style_coalesce_expression = true:suggestion
-dotnet_style_null_propagation = true:suggestion
-dotnet_style_explicit_tuple_names = true:suggestion
-
-# Prefix private members with underscore
-dotnet_naming_rule.private_members_with_underscore.symbols = private_fields
-dotnet_naming_rule.private_members_with_underscore.style = prefix_underscore
-dotnet_naming_rule.private_members_with_underscore.severity = suggestion
-
-dotnet_naming_symbols.private_fields.applicable_kinds = field
-dotnet_naming_symbols.private_fields.applicable_accessibilities = private
-
-dotnet_naming_style.prefix_underscore.capitalization = camel_case
-dotnet_naming_style.prefix_underscore.required_prefix = _
-
-# Async methods should have "Async" suffix
-dotnet_naming_rule.async_methods_end_in_async.symbols = any_async_methods
-dotnet_naming_rule.async_methods_end_in_async.style = end_in_async
-dotnet_naming_rule.async_methods_end_in_async.severity = suggestion
-
-dotnet_naming_symbols.any_async_methods.applicable_kinds = method
-dotnet_naming_symbols.any_async_methods.applicable_accessibilities = *
-dotnet_naming_symbols.any_async_methods.required_modifiers = async
-
-dotnet_naming_style.end_in_async.required_prefix = 
-dotnet_naming_style.end_in_async.required_suffix = Async
-dotnet_naming_style.end_in_async.capitalization = pascal_case
-dotnet_naming_style.end_in_async.word_separator = 
-
-# Obsolete warnings, this should be removed or changed to warning once we address some of the obsolete items.
-dotnet_diagnostic.CS0618.severity = suggestion
-
-# Obsolete warnings, this should be removed or changed to warning once we address some of the obsolete items.
-dotnet_diagnostic.CS0612.severity = suggestion
-
-# Remove unnecessary using directives https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/style-rules/ide0005
-dotnet_diagnostic.IDE0005.severity = warning
-
-# CSharp code style settings:
-[*.cs]
-# Prefer "var" everywhere
-csharp_style_var_for_built_in_types = true:suggestion
-csharp_style_var_when_type_is_apparent = true:suggestion
-csharp_style_var_elsewhere = true:suggestion
-
-# Prefer method-like constructs to have a expression-body
-csharp_style_expression_bodied_methods = true:none
-csharp_style_expression_bodied_constructors = true:none
-csharp_style_expression_bodied_operators = true:none
-
-# Prefer property-like constructs to have an expression-body
-csharp_style_expression_bodied_properties = true:none
-csharp_style_expression_bodied_indexers = true:none
-csharp_style_expression_bodied_accessors = true:none
-
-# Suggest more modern language features when available
-csharp_style_pattern_matching_over_is_with_cast_check = true:suggestion
-csharp_style_pattern_matching_over_as_with_null_check = true:suggestion
-csharp_style_inlined_variable_declaration = true:suggestion
-csharp_style_throw_expression = true:suggestion
-csharp_style_conditional_delegate_call = true:suggestion
-
-# Newline settings
-csharp_new_line_before_open_brace = all
-csharp_new_line_before_else = true
-csharp_new_line_before_catch = true
-csharp_new_line_before_finally = true
-csharp_new_line_before_members_in_object_initializers = true
-csharp_new_line_before_members_in_anonymous_types = true
-
-# Namespace settings
-csharp_style_namespace_declarations = file_scoped:warning
-
-# Switch expression
-dotnet_diagnostic.CS8509.severity = error # missing switch case for named enum value
-dotnet_diagnostic.CS8524.severity = none # missing switch case for unnamed enum value

.github/CODEOWNERS

@@ -5,7 +5,10 @@
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
 # Default file owners.
-# * @bitwarden/tech-leads
+* @bitwarden/team-android @brian-livefront @david-livefront @dseverns-livefront @ahaisting-livefront @phil-livefront
+
+# Actions and workflow changes.
+.github/ @bitwarden/dept-development-mobile
 
 # Auth
 # app/src/main/java/com/x8bit/bitwarden/data/auth @bitwarden/team-auth-dev

.github/ISSUE_TEMPLATE/bug-bwa.yml

@@ -0,0 +1,84 @@
+name: Authenticator Android App Bug Report
+description: File a bug report
+labels: [ "app:authenticator", "bug" ]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+
+        Please do not submit feature requests. The [Community Forums](https://community.bitwarden.com) has a section for submitting, voting for, and discussing product feature requests.
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps To Reproduce
+      description: How can we reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '...'
+        3. Scroll down to '...'
+        4. Click on '...'
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Result
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Result
+      description: A clear and concise description of what is happening.
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots or Videos
+      description: If applicable, add screenshots and/or a short video to help explain your problem.
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
+  - type: input
+    id: version
+    attributes:
+      label: Build Version
+      description: What version of our software are you running?
+    validations:
+      required: true
+  - type: dropdown
+    id: server-region
+    attributes:
+      label: What server are you connecting to?
+      options:
+        - US
+        - EU
+        - Self-host
+        - N/A
+    validations:
+      required: true
+  - type: input
+    id: server-version
+    attributes:
+      label: Self-host Server Version
+      description: If self-hosting, what version of Bitwarden Server are you running?
+  - type: textarea
+    id: environment-details
+    attributes:
+      label: Environment Details
+      placeholder: |
+        - Device: [e.g. Pixel Tablet, Samsung Galaxy S24 ]
+        - OS Version: [e.g. API 32, Tiramisu ]
+  - type: checkboxes
+    id: issue-tracking-info
+    attributes:
+      label: Issue Tracking Info
+      description: |
+        Issue tracking information
+      options:
+        - label: I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

.github/ISSUE_TEMPLATE/bug-passkey.yml

@@ -0,0 +1,64 @@
+name: Passkey Bug Report
+description: File a Passkey / FIDO2 related bug report
+labels: [ "app:password-manager", "bug-passkey" ]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this Passkey-related bug report!
+
+        Please provide as much detail as possible to help us investigate the issue.
+
+  - type: dropdown
+    id: origin
+    attributes:
+      label: Origin
+      description: Are you using a web browser or a native application?
+      options:
+        - Web (Browser)
+        - Native Application (non-browser app)
+    validations:
+      required: true
+
+  - type: input
+    id: rp-id
+    attributes:
+      label: Web URL or App name
+      description: The website domain or app name you were trying to use the Passkey with
+      placeholder: "e.g. example.com or ExampleApp"
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: operation-type
+    attributes:
+      label: Passkey Action
+      description: What passkey related action(s) were you trying to perform?
+      options:
+        - label: Creating new passkey (Registration)
+        - label: Signing in (Authentication)
+    validations:
+      required: true
+
+  - type: textarea
+    id: build-info
+    attributes:
+      label: Build Information
+      description: Please retrieve the build information from the About screen by tapping the Version number field
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-info
+    attributes:
+      label: Additional Information
+      description: Any additional context, steps to reproduce, error messages, or relevant information about the issue
+
+  - type: checkboxes
+    id: issue-tracking-info
+    attributes:
+      label: Issue Tracking Info
+      description: |
+        Issue tracking information
+      options:
+        - label: I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

.github/ISSUE_TEMPLATE/bug.yml

@@ -1,25 +1,13 @@
-name: Android Beta Bug Report
+name: Password Manager Android App Bug Report
 description: File a bug report
-labels: [ bug ]
+labels: [ "app:password-manager", "bug" ]
 body:
   - type: markdown
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
 
-        > [!WARNING]
-        > This is the new native Bitwarden Beta app repository. For the publicly available apps in App Store / Play Store, submit your report in [bitwarden/mobile](https://github.com/bitwarden/mobile)
-
-
         Please do not submit feature requests. The [Community Forums](https://community.bitwarden.com) has a section for submitting, voting for, and discussing product feature requests.
-  - type: checkboxes
-    id: beta
-    attributes:
-      label: Bitwarden Beta
-      options:
-        - label: "I'm using the new native Bitwarden Beta app and I'm aware that legacy .NET app bugs should be reported in [bitwarden/mobile](https://github.com/bitwarden/mobile)"
-    validations:
-      required: true
   - type: textarea
     id: reproduce
     attributes:
@@ -63,6 +51,22 @@ body:
       description: What version of our software are you running?
     validations:
       required: true
+  - type: dropdown
+    id: server-region
+    attributes:
+      label: What server are you connecting to?
+      options:
+        - US
+        - EU
+        - Self-host
+        - N/A
+    validations:
+      required: true
+  - type: input
+    id: server-version
+    attributes:
+      label: Self-host Server Version
+      description: If self-hosting, what version of Bitwarden Server are you running?
   - type: textarea
     id: environment-details
     attributes:

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,5 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Legacy Android Bug Reports
-    url: https://github.com/bitwarden/mobile/issues
-    about: Bugs found in the publicly available .NET MAUI app should be reported in [bitwarden/mobile](https://github.com/bitwarden/mobile)
   - name: Feature Requests
     url: https://community.bitwarden.com/c/feature-requests/
     about: Request new features using the Community Forums. Please search existing feature requests before making a new one.
@@ -15,3 +12,5 @@ contact_links:
   - name: Security Issues
     url: https://hackerone.com/bitwarden
     about: We use HackerOne to manage security disclosures.
+  - name: Report mobile autofill failure
+    url: https://docs.google.com/forms/d/e/1FAIpQLScMopHyN7KGJs8hW562VTzbIGL4KcFnx0wJcsW0GYE1BnPiGA/viewform

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,10 +15,11 @@
 - Contributor guidelines followed
 - All formatters and local linters executed and passed
 - Written new unit and / or integration tests where applicable
+- Protected functional changes with optionality (feature flags)
 - Used internationalization (i18n) for all UI strings
 - CI builds passed
 - Communicated to DevOps any deployment requirements
-- Updated any necessary documentation or informed the documentation team
+- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
 
 ## 🦮 Reviewer guidelines
 
@@ -27,8 +28,7 @@
 - 👍 (`:+1:`) or similar for great changes
 - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
 - ❓ (`:question:`) for questions
-- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed
-  issue and could potentially benefit from discussion
+- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
 - 🎨 (`:art:`) for suggestions / improvements
 - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
 - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt

.github/codecov.yml

@@ -0,0 +1,2 @@
+ignore:
+  - "src/test/**" # Tests

.github/renovate.json

@@ -1,32 +1,56 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>bitwarden/renovate-config"],
-  "enabledManagers": ["github-actions", "gradle", "bundler"],
+  "extends": [
+    "github>bitwarden/renovate-config"
+  ],
+  "enabledManagers": [
+    "github-actions",
+    "gradle",
+    "bundler"
+  ],
   "packageRules": [
     {
       "groupName": "gh minor",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"]
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ]
     },
     {
       "groupName": "gradle minor",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchManagers": ["gradle"]
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "matchManagers": [
+        "gradle"
+      ]
     },
     {
       "groupName": "kotlin",
       "description": "Kotlin and Compose dependencies that must be updated together to maintain compatibility.",
-      "matchPackagePatterns": [
-        "androidx.compose:compose-bom",
-        "org.jetbrains.kotlin.*",
-        "com.google.devtools.ksp"
+      "matchManagers": [
+        "gradle"
       ],
-      "matchManagers": ["gradle"]
+      "matchPackageNames": [
+        "/androidx.compose:compose-bom/",
+        "/androidx.lifecycle:*/",
+        "/org.jetbrains.kotlin.*/",
+        "/com.google.devtools.ksp/"
+      ]
     },
     {
       "groupName": "bundler minor",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchManagers": ["bundler"]
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "matchManagers": [
+        "bundler"
+      ]
     }
   ]
 }

.github/scripts/validate-json/.python-version

@@ -0,0 +1 @@
+3.13

.github/scripts/validate-json/README.md

@@ -0,0 +1,39 @@
+# JSON Validation Scripts
+
+Utility scripts for validating JSON files and checking for duplicate package names between Google and Community privileged browser lists.
+
+## Usage
+
+### Validate a JSON file
+
+```bash
+python validate_json.py validate <json_file>
+```
+
+### Check for duplicates between two JSON files
+
+```bash
+python validate_json.py duplicates <json_file1> <json_file2> [output_file]
+```
+
+If `output_file` is not specified, duplicates will be saved to `duplicates.txt`.
+
+## Running Tests
+
+```bash
+# Run all tests
+python -m unittest test_validate_json.py
+
+# Run the invalid JSON test individually
+python -m unittest test_validate_json.TestValidateJson.test_validate_json_invalid
+```
+
+## Examples
+
+```bash
+# Validate Google privileged browsers list
+python validate_json.py validate ../../app/src/main/assets/fido2_privileged_google.json
+
+# Check for duplicates between Google and Community lists
+python validate_json.py duplicates ../../app/src/main/assets/fido2_privileged_google.json ../../app/src/main/assets/fido2_privileged_community.json duplicates.txt
+```

.github/scripts/validate-json/fixtures/sample-invalid.json

@@ -0,0 +1,20 @@
+{
+  "apps": [
+
+      "type": "android",
+      "info": {
+        "package_name": "com.android.chrome",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83"
+          },
+          {
+            "build": "userdebug",
+            "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+          }
+        ]
+      }
+    }
+  ]
+}

.github/scripts/validate-json/fixtures/sample-valid1.json

@@ -0,0 +1,48 @@
+{
+  "apps": [
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.android.chrome",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83"
+          },
+          {
+            "build": "userdebug",
+            "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.chrome.dev",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "90:44:EE:5F:EE:4B:BC:5E:21:DD:44:66:54:31:C4:EB:1F:1F:71:A3:27:16:A0:BC:92:7B:CB:B3:92:33:CA:BF"
+          },
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.chrome.canary",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "DF:A1:FB:23:EF:BF:70:C5:BC:D1:44:3C:5B:EA:B0:4F:3F:2F:F4:36:6E:9A:C1:E3:45:76:39:A2:4C:FC"
+          }
+        ]
+      }
+    }
+  ]
+}

.github/scripts/validate-json/fixtures/sample-valid2.json

@@ -0,0 +1,20 @@
+{
+  "apps": [
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.chromium.chrome",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "C6:AD:B8:B8:3C:6D:4C:17:D2:92:AF:DE:56:FD:48:8A:51:D3:16:FF:8F:2C:11:C5:41:02:23:BF:F8:A7:DB:B3"
+          },
+          {
+            "build": "userdebug",
+            "cert_fingerprint_sha256": "19:75:B2:F1:71:77:BC:89:A5:DF:F3:1F:9E:64:A6:CA:E2:81:A5:3D:C1:D1:D5:9B:1D:14:7F:E1:C8:2A:FA:00"
+          }
+        ]
+      }
+    }
+  ]
+}

.github/scripts/validate-json/test_validate_json.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+import unittest
+import os
+import json
+from validate_json import validate_json, find_duplicates, get_package_names
+from unittest.mock import patch
+import io
+
+
+class TestValidateJson(unittest.TestCase):
+    def setUp(self):
+        self.valid_file = os.path.join(os.path.dirname(__file__), "fixtures/sample-valid1.json")
+        self.valid_file2 = os.path.join(os.path.dirname(__file__), "fixtures/sample-valid2.json")
+        self.invalid_file = os.path.join(os.path.dirname(__file__), "fixtures/sample-invalid.json")
+
+        # Suppress stdout
+        self.stdout_patcher = patch('sys.stdout', new=io.StringIO())
+        self.stdout_patcher.start()
+
+    def tearDown(self):
+        self.stdout_patcher.stop()
+
+    def test_validate_json_valid(self):
+        """Test validation of valid JSON file"""
+        self.assertTrue(validate_json(self.valid_file))
+
+    def test_validate_json_invalid(self):
+        """Test validation of invalid JSON file"""
+        self.assertFalse(validate_json(self.invalid_file))
+
+    def test_find_duplicates(self):
+        """Test when using the same file (should find duplicates)"""
+        expected_package_names = get_package_names(self.valid_file)
+
+        duplicates = find_duplicates(self.valid_file, self.valid_file)
+
+        self.assertEqual(len(duplicates), len(expected_package_names))
+        for package_name in expected_package_names:
+            self.assertIn(package_name, duplicates)
+
+    def test_find_duplicates_returns_empty_list_when_no_duplicates(self):
+        """Test when using different files (should not find duplicates)"""
+        duplicates = find_duplicates(self.valid_file, self.valid_file2)
+        self.assertEqual(len(duplicates), 0)
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/validate-json/validate_json.py

@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+import json
+import sys
+import os
+from typing import List, Dict, Any, Set
+
+
+def get_package_names(file_path: str) -> Set[str]:
+    """
+    Extracts package names from a JSON file.
+
+    Args:
+        file_path: Path to the JSON file
+
+    Returns:
+        Set of package names
+    """
+    with open(file_path, 'r') as f:
+        data = json.load(f)
+
+    package_names = set()
+    for app in data["apps"]:
+        package_names.add(app["info"]["package_name"])
+
+    return package_names
+
+
+def validate_json(file_path: str) -> bool:
+    """
+    Validates if a JSON file is correctly formatted by attempting to deserialize it.
+
+    Args:
+        file_path: Path to the JSON file to validate
+
+    Returns:
+        True if valid, False otherwise
+    """
+    try:
+        if not os.path.exists(file_path):
+            print(f"Error: File {file_path} does not exist")
+            return False
+
+        with open(file_path, 'r') as f:
+            json.load(f)
+        print(f"✅ JSON file {file_path} is valid")
+        return True
+    except json.JSONDecodeError as e:
+        print(f"❌ Invalid JSON in {file_path}: {str(e)}")
+        return False
+    except Exception as e:
+        print(f"❌ Error validating {file_path}: {str(e)}")
+        return False
+
+
+def find_duplicates(file1_path: str, file2_path: str) -> List[str]:
+    """
+    Checks for duplicate package_name entries between two JSON files.
+
+    Args:
+        file1_path: Path to the first JSON file
+        file2_path: Path to the second JSON file
+
+    Returns:
+        List of duplicate package names, empty list if none found
+    """
+    try:
+        # Get package names from both files
+        packages1 = get_package_names(file1_path)
+        packages2 = get_package_names(file2_path)
+
+        # Find duplicates
+        duplicates = list(packages1.intersection(packages2))
+
+        if duplicates:
+            print(f"❌ Found {len(duplicates)} duplicate package names between {file1_path} and {file2_path}:")
+            for dup in duplicates:
+                print(f"  - {dup}")
+            return duplicates
+        else:
+            print(f"✅ No duplicate package names found between {file1_path} and {file2_path}")
+            return []
+
+    except Exception as e:
+        print(f"❌ Error checking duplicates: {str(e)}")
+        return []
+
+
+def save_duplicates_to_file(duplicates: List[str], output_file: str) -> None:
+    """
+    Saves the list of duplicates to a file.
+
+    Args:
+        duplicates: List of duplicate package names
+        output_file: Path to save the list of duplicates
+    """
+    try:
+        with open(output_file, 'w') as f:
+            for dup in duplicates:
+                f.write(f"{dup}\n")
+        print(f"Duplicates saved to {output_file}")
+    except Exception as e:
+        print(f"❌ Error saving duplicates to file: {str(e)}")
+
+
+def main():
+    if len(sys.argv) < 2:
+        print("Usage:")
+        print("  Validate JSON: python validate_json.py validate <json_file>")
+        print("  Check duplicates: python validate_json.py duplicates <json_file1> <json_file2> [output_file]")
+        sys.exit(1)
+
+    command = sys.argv[1]
+
+    match command:
+        case "validate":
+            if len(sys.argv) < 3:
+                print("Error: Missing JSON file path")
+                sys.exit(1)
+
+            file_path = sys.argv[2]
+            success = validate_json(file_path)
+            sys.exit(0 if success else 1)
+
+        case "duplicates":
+            if len(sys.argv) < 4:
+                print("Error: Missing JSON file paths")
+                sys.exit(1)
+
+            file1_path = sys.argv[2]
+            file2_path = sys.argv[3]
+            output_file = sys.argv[4] if len(sys.argv) > 4 else "duplicates.txt"
+
+            duplicates = find_duplicates(file1_path, file2_path)
+            if duplicates:
+                save_duplicates_to_file(duplicates, output_file)
+
+            sys.exit(0)
+
+        case _:
+            print(f"Unknown command: {command}")
+            sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

.github/workflows/build-authenticator.yml

@@ -0,0 +1,289 @@
+name: Build Authenticator
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      version-name:
+        description: "Optional. Version string to use, in X.Y.Z format. Overrides default in the project."
+        required: false
+        type: string
+      version-code:
+        description: "Optional. Build number to use. Overrides default of GitHub run number."
+        required: false
+        type: number
+      distribute-to-firebase:
+        description: "Optional. Distribute artifacts to Firebase."
+        required: false
+        default: false
+        type: boolean
+      publish-to-play-store:
+        description: "Optional. Deploy bundle artifact to Google Play Store"
+        required: false
+        default: false
+        type: boolean
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  JAVA_VERSION: 17
+
+jobs:
+  build:
+    name: Build Authenticator
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Validate Gradle wrapper
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+
+      - name: Cache Gradle files
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-v2-
+
+      - name: Cache build output
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ${{ github.workspace }}/build-cache
+          key: ${{ runner.os }}-build-cache-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-build-
+
+      - name: Configure JDK
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        with:
+          distribution: "temurin"
+          java-version: ${{ env.JAVA_VERSION }}
+
+      - name: Configure Ruby
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        with:
+          bundler-cache: true
+
+      - name: Install Fastlane
+        run: |
+          gem install bundler:2.2.27
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+
+      - name: Check Authenticator
+        run: bundle exec fastlane checkAuthenticator
+
+      - name: Build Authenticator
+        run: bundle exec fastlane buildAuthenticatorDebug
+
+  publish_playstore:
+    name: Publish Authenticator Play Store artifacts
+    needs:
+      - build
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        variant: ["aab", "apk"]
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Configure Ruby
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        with:
+          bundler-cache: true
+
+      - name: Install Fastlane
+        run: |
+          gem install bundler:2.2.27
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+
+      - name: Log in to Azure
+        uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+        run: |
+          mkdir -p ${{ github.workspace }}/secrets
+          mkdir -p ${{ github.workspace }}/keystores
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name authenticator_apk-keystore.jks --file ${{ github.workspace }}/keystores/authenticator_apk-keystore.jks --output none
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name authenticator_aab-keystore.jks --file ${{ github.workspace }}/keystores/authenticator_aab-keystore.jks --output none
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name com.bitwarden.authenticator-google-services.json --file ${{ github.workspace }}/authenticator/src/google-services.json --output none
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name com.bitwarden.authenticator.dev-google-services.json --file ${{ github.workspace }}/authenticator/src/debug/google-services.json --output none
+
+      - name: Download Firebase credentials
+        if : ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+        run: |
+          mkdir -p ${{ github.workspace }}/secrets
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name authenticator_play_firebase-creds.json --file ${{ github.workspace }}/secrets/authenticator_play_firebase-creds.json --output none
+
+      - name: Download Play Store credentials
+        if: ${{ inputs.publish-to-play-store }}
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+        run: |
+          mkdir -p ${{ github.workspace }}/secrets
+
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name authenticator_play_store-creds.json --file ${{ github.workspace }}/secrets/authenticator_play_store-creds.json --output none
+
+      - name: Verify Play Store credentials
+        if: ${{ inputs.publish-to-play-store }}
+        run: |
+          bundle exec fastlane run validate_play_store_json_key \
+          json_key:${{ github.workspace }}/secrets/authenticator_play_store-creds.json }}
+
+      - name: Validate Gradle wrapper
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+
+      - name: Cache Gradle files
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-v2-
+
+      - name: Cache build output
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ${{ github.workspace }}/build-cache
+          key: ${{ runner.os }}-build-cache-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-build-
+
+      - name: Configure JDK
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        with:
+          distribution: "temurin"
+          java-version: ${{ env.JAVA_VERSION }}
+
+      - name: Increment version
+        run: |
+          DEFAULT_VERSION_CODE=$GITHUB_RUN_NUMBER
+          VERSION_CODE="${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }}"
+          bundle exec fastlane setAuthenticatorBuildVersionInfo \
+          versionCode:$VERSION_CODE \
+          versionName:${{ inputs.version-name || '' }}
+
+          regex='versionName = "([^"]+)"'
+          if [[ "$(cat authenticator/build.gradle.kts)" =~ $regex ]]; then
+            VERSION_NAME="${BASH_REMATCH[1]}"
+          fi
+          echo "Version Name: ${VERSION_NAME}" >> $GITHUB_STEP_SUMMARY
+          echo "Version Number: $VERSION_CODE" >> $GITHUB_STEP_SUMMARY
+
+      - name: Generate release Play Store bundle
+        if: ${{ matrix.variant == 'aab' }}
+        run: |
+          bundle exec fastlane bundleAuthenticatorRelease \
+          storeFile:${{ github.workspace }}/keystores/authenticator_aab-keystore.jks \
+          storePassword:'${{ secrets.BWA_AAB_KEYSTORE_STORE_PASSWORD }}' \
+          keyAlias:authenticatorupload \
+          keyPassword:'${{ secrets.BWA_AAB_KEYSTORE_KEY_PASSWORD }}'
+
+      - name: Generate release Play Store APK
+        if: ${{ matrix.variant == 'apk' }}
+        run: |
+          bundle exec fastlane buildAuthenticatorRelease \
+          storeFile:${{ github.workspace }}/keystores/authenticator_apk-keystore.jks \
+          storePassword:'${{ secrets.BWA_APK_KEYSTORE_STORE_PASSWORD }}' \
+          keyAlias:bitwardenauthenticator \
+          keyPassword:'${{ secrets.BWA_APK_KEYSTORE_KEY_PASSWORD }}'
+
+      - name: Upload release Play Store .aab artifact
+        if: ${{ matrix.variant == 'aab' }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: com.bitwarden.authenticator.aab
+          path: authenticator/build/outputs/bundle/release/com.bitwarden.authenticator.aab
+          if-no-files-found: error
+
+      - name: Upload release .apk artifact
+        if: ${{ matrix.variant == 'apk' }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: com.bitwarden.authenticator.apk
+          path: authenticator/build/outputs/apk/release/com.bitwarden.authenticator.apk
+          if-no-files-found: error
+
+      - name: Create checksum file for Release AAB
+        if: ${{ matrix.variant == 'aab' }}
+        run: |
+          sha256sum "authenticator/build/outputs/bundle/release/com.bitwarden.authenticator.aab" \
+            > ./authenticator-android-aab-sha256.txt
+
+      - name: Create checksum for release .apk artifact
+        if: ${{ matrix.variant == 'apk' }}
+        run: |
+          sha256sum "authenticator/build/outputs/apk/release/com.bitwarden.authenticator.apk" \
+            > ./authenticator-android-apk-sha256.txt
+
+      - name: Upload .apk SHA file for release
+        if: ${{ matrix.variant == 'apk' }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: authenticator-android-apk-sha256.txt
+          path: ./authenticator-android-apk-sha256.txt
+          if-no-files-found: error
+
+      - name: Upload .aab SHA file for release
+        if: ${{ matrix.variant == 'aab' }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: authenticator-android-aab-sha256.txt
+          path: ./authenticator-android-aab-sha256.txt
+          if-no-files-found: error
+
+      - name: Install Firebase app distribution plugin
+        if: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
+        run: bundle exec fastlane add_plugin firebase_app_distribution
+
+      - name: Publish release bundle to Firebase
+        if: ${{ matrix.variant == 'aab' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
+        env:
+          FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/authenticator_play_firebase-creds.json
+        run: |
+          bundle exec fastlane distributeAuthenticatorReleaseBundleToFirebase \
+          serviceCredentialsFile:${{ env.FIREBASE_CREDS_PATH }}
+
+      # Only publish bundles to Play Store when `publish-to-play-store` is true while building
+      # bundles
+      - name: Publish release bundle to Google Play Store
+        if: ${{ inputs.publish-to-play-store && matrix.variant == 'aab' }}
+        env:
+          PLAY_STORE_CREDS_FILE: ${{ github.workspace }}/secrets/authenticator_play_store-creds.json
+        run: |
+          bundle exec fastlane publishAuthenticatorReleaseToGooglePlayStore \
+          serviceCredentialsFile:${{ env.PLAY_STORE_CREDS_FILE }} \

.github/workflows/build.yml

@@ -28,21 +28,22 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   JAVA_VERSION: 17
+  GITHUB_ACTION_RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -52,7 +53,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -61,13 +62,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -83,22 +84,29 @@ jobs:
       - name: Build
         run: bundle exec fastlane assembleDebugApks
 
+      - name: Upload test reports on failure
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: failure()
+        with:
+          name: test-reports
+          path: app/build/reports/tests/
+
   publish_playstore:
     name: Publish Play Store artifacts
     needs:
       - build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
-        variant: ["prod", "qa"]
+        variant: ["prod", "dev"]
         artifact: ["apk", "aab"]
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -149,10 +157,10 @@ jobs:
           --name app_play_prod_firebase-creds.json --file ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -162,7 +170,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -171,11 +179,20 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
+      - name: Update app CI Build info
+        run: |
+          ./scripts/update_app_ci_build_info.sh \
+          $GITHUB_REPOSITORY \
+          $GITHUB_REF_NAME \
+          $GITHUB_SHA \
+          $GITHUB_RUN_ID \
+          $GITHUB_RUN_ATTEMPT
+
       - name: Increment version
         run: |
           DEFAULT_VERSION_CODE=$((11000+$GITHUB_RUN_NUMBER))
@@ -229,140 +246,142 @@ jobs:
           keyAlias:bitwarden-beta \
           keyPassword:${{ env.PLAY_BETA_KEY_PASSWORD }}
 
-      - name: Generate QA Play Store APKs
+      - name: Generate debug Play Store APKs
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
         run: |
           bundle exec fastlane assembleDebugApks
 
       - name: Upload release Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.aab
-          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden-standard-release.aab
+          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab
           if-no-files-found: error
 
       - name: Upload beta Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.aab
-          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden-standard-beta.aab
+          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab
           if-no-files-found: error
 
       - name: Upload release .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.apk
-          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden-standard-release.apk
+          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk
           if-no-files-found: error
 
       - name: Upload beta .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.apk
-          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden-standard-beta.apk
+          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk
           if-no-files-found: error
 
       # When building variants other than 'prod'
-      - name: Upload other .apk artifact
+      - name: Upload debug .apk artifact
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: com.x8bit.bitwarden-${{ matrix.variant }}.apk
-          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden-standard-debug.apk
+          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk
+          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk
           if-no-files-found: error
 
       - name: Create checksum for release .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/release/com.x8bit.bitwarden-standard-release.apk" \
-            > ./bw-android-apk-sha256.txt
+          sha256sum "app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk" \
+            > ./com.x8bit.bitwarden.apk-sha256.txt
 
       - name: Create checksum for beta .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/beta/com.x8bit.bitwarden-standard-beta.apk" \
-            > ./bw-android-beta-apk-sha256.txt
+          sha256sum "app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk" \
+            > ./com.x8bit.bitwarden.beta.apk-sha256.txt
 
       - name: Create checksum for release .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
         run: |
-          sha256sum "app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden-standard-release.aab" \
-            > ./bw-android-aab-sha256.txt
+          sha256sum "app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab" \
+            > ./com.x8bit.bitwarden.aab-sha256.txt
 
       - name: Create checksum for beta .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
         run: |
-          sha256sum "app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden-standard-beta.aab" \
-            > ./bw-android-beta-aab-sha256.txt
+          sha256sum "app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab" \
+            > ./com.x8bit.bitwarden.beta.aab-sha256.txt
 
-      - name: Create checksum for other .apk artifact
+      - name: Create checksum for Debug .apk artifact
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/debug/com.x8bit.bitwarden-standard-debug.apk" \
-           > ./bw-android-${{ matrix.variant }}-apk-sha256.txt
+          sha256sum "app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk" \
+           > ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
 
       - name: Upload .apk SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-android-apk-sha256.txt
-          path: ./bw-android-apk-sha256.txt
+          name: com.x8bit.bitwarden.apk-sha256.txt
+          path: ./com.x8bit.bitwarden.apk-sha256.txt
           if-no-files-found: error
 
       - name: Upload .apk SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-android-beta-apk-sha256.txt
-          path: ./bw-android-beta-apk-sha256.txt
+          name: com.x8bit.bitwarden.beta.apk-sha256.txt
+          path: ./com.x8bit.bitwarden.beta.apk-sha256.txt
           if-no-files-found: error
 
       - name: Upload .aab SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-android-aab-sha256.txt
-          path: ./bw-android-aab-sha256.txt
+          name: com.x8bit.bitwarden.aab-sha256.txt
+          path: ./com.x8bit.bitwarden.aab-sha256.txt
           if-no-files-found: error
 
       - name: Upload .aab SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-android-beta-aab-sha256.txt
-          path: ./bw-android-beta-aab-sha256.txt
+          name: com.x8bit.bitwarden.beta.aab-sha256.txt
+          path: ./com.x8bit.bitwarden.beta.aab-sha256.txt
           if-no-files-found: error
 
-      - name: Upload .apk SHA file for other
+      - name: Upload .apk SHA file for debug
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-android-${{ matrix.variant }}-apk-sha256.txt
-          path: ./bw-android-${{ matrix.variant }}-apk-sha256.txt
+          name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
+          path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
           if-no-files-found: error
 
       - name: Install Firebase app distribution plugin
-        if: ${{ matrix.variant == 'prod' && github.ref_name == 'main' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
+        if: ${{ matrix.variant == 'prod' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
         run: bundle exec fastlane add_plugin firebase_app_distribution
 
       - name: Publish release artifacts to Firebase
-        if: ${{ matrix.variant == 'prod' && matrix.artifact == 'apk' && github.ref_name == 'main' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
+        if: ${{ matrix.variant == 'prod' && matrix.artifact == 'apk' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
         env:
           APP_PLAY_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json
         run: |
           bundle exec fastlane distributeReleasePlayStoreToFirebase \
+          actionUrl:${{ env.GITHUB_ACTION_RUN_URL }} \
           service_credentials_file:${{ env.APP_PLAY_FIREBASE_CREDS_PATH }}
 
       - name: Publish beta artifacts to Firebase
-        if: ${{ (matrix.variant == 'prod' && matrix.artifact == 'apk') && github.ref_name == 'main' && (inputs.distribute-to-firebase || github.event_name == 'push') }}
+        if: ${{ (matrix.variant == 'prod' && matrix.artifact == 'apk') && (inputs.distribute-to-firebase || github.event_name == 'push') }}
         env:
           APP_PLAY_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json
         run: |
           bundle exec fastlane distributeBetaPlayStoreToFirebase \
+          actionUrl:${{ env.GITHUB_ACTION_RUN_URL }} \
           service_credentials_file:${{ env.APP_PLAY_FIREBASE_CREDS_PATH }}
 
       - name: Verify Play Store credentials
@@ -372,19 +391,21 @@ jobs:
 
       - name: Publish Play Store bundle
         if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && (inputs.publish-to-play-store || github.ref_name == 'main') }}
-        run: bundle exec fastlane publishBetaToPlayStore
+        run: |
+          bundle exec fastlane publishProdToPlayStore
+          bundle exec fastlane publishBetaToPlayStore
 
   publish_fdroid:
     name: Publish F-Droid artifacts
     needs:
       - build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -421,10 +442,10 @@ jobs:
           --name app_fdroid_firebase-creds.json --file ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -434,7 +455,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -443,19 +464,35 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
+      - name: Update app CI Build info
+        run: |
+          ./scripts/update_app_ci_build_info.sh \
+          $GITHUB_REPOSITORY \
+          $GITHUB_REF_NAME \
+          $GITHUB_SHA \
+          $GITHUB_RUN_ID \
+          $GITHUB_RUN_ATTEMPT
+
       # Start from 11000 to prevent collisions with mobile build version codes
       - name: Increment version
         run: |
           DEFAULT_VERSION_CODE=$((11000+$GITHUB_RUN_NUMBER))
+          VERSION_CODE="${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }}"
           bundle exec fastlane setBuildVersionInfo \
-          versionCode:${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }} \
+          versionCode:$VERSION_CODE \
           versionName:${{ inputs.version-name || '' }}
 
+          regex='versionName = "([^"]+)"'
+          if [[ "$(cat app/build.gradle.kts)" =~ $regex ]]; then
+            VERSION_NAME="${BASH_REMATCH[1]}"
+          fi
+          echo "Version Name: ${VERSION_NAME}" >> $GITHUB_STEP_SUMMARY
+          echo "Version Number: $VERSION_CODE" >> $GITHUB_STEP_SUMMARY
       - name: Generate F-Droid artifacts
         env:
           FDROID_STORE_PASSWORD: ${{ secrets.FDROID_KEYSTORE_PASSWORD }}
@@ -466,7 +503,6 @@ jobs:
           keyAlias:bitwarden \
           keyPassword:"${{ env.FDROID_STORE_PASSWORD }}"
 
-            # Generate the F-Droid APK for publishing
       - name: Generate F-Droid Beta Artifacts
         env:
           FDROID_BETA_KEYSTORE_PASSWORD: ${{ secrets.FDROID_BETA_KEYSTORE_PASSWORD }}
@@ -479,51 +515,52 @@ jobs:
           keyPassword:"${{ env.FDROID_BETA_KEY_PASSWORD }}"
 
       - name: Upload F-Droid .apk artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden-fdroid.apk
-          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid-release.apk
+          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk
           if-no-files-found: error
 
       - name: Create checksum for F-Droid artifact
         run: |
-          sha256sum "app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid-release.apk" \
-          > ./bw-fdroid-apk-sha256.txt
+          sha256sum "app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk" \
+          > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid SHA file
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-fdroid-apk-sha256.txt
-          path: ./bw-fdroid-apk-sha256.txt
+          name: com.x8bit.bitwarden-fdroid.apk-sha256.txt
+          path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
           if-no-files-found: error
 
       - name: Upload F-Droid Beta .apk artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: com.x8bit.bitwarden-fdroid-beta.apk
-          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden-fdroid-beta.apk
+          name: com.x8bit.bitwarden.beta-fdroid.apk
+          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk
           if-no-files-found: error
 
       - name: Create checksum for F-Droid Beta artifact
         run: |
-          sha256sum "app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden-fdroid-beta.apk" \
-          > ./bw-fdroid-beta-apk-sha256.txt
+          sha256sum "app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk" \
+          > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid Beta SHA file
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: bw-fdroid-beta-apk-sha256.txt
-          path: ./bw-fdroid-beta-apk-sha256.txt
+          name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
+          path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
           if-no-files-found: error
 
       - name: Install Firebase app distribution plugin
-        if: ${{ github.ref_name == 'main' && inputs.distribute_to_firebase }}
+        if: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
         run: bundle exec fastlane add_plugin firebase_app_distribution
 
       - name: Publish release F-Droid artifacts to Firebase
-        if: ${{ github.ref_name == 'main' && inputs.distribute_to_firebase }}
+        if: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
         env:
           APP_FDROID_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json
         run: |
           bundle exec fastlane distributeReleaseFDroidToFirebase \
+          actionUrl:${{ env.GITHUB_ACTION_RUN_URL }} \
           service_credentials_file:${{ env.APP_FDROID_FIREBASE_CREDS_PATH }}

.github/workflows/cron-sync-google-priviledged-browsers.yml

@@ -0,0 +1,98 @@
+name: Cron / Sync Google Privileged Browsers List
+
+on:
+  schedule:
+    # Run weekly on Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+env:
+  SOURCE_URL: https://www.gstatic.com/gpm-passkeys-privileged-apps/apps.json
+  GOOGLE_FILE: app/src/main/assets/fido2_privileged_google.json
+  COMMUNITY_FILE: app/src/main/assets/fido2_privileged_community.json
+
+jobs:
+  sync-privileged-browsers:
+    name: Sync Google Privileged Browsers List
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+      - name: Download Google Privileged Browsers List
+        run: curl -s $SOURCE_URL -o $GOOGLE_FILE
+
+      - name: Check for changes
+        id: check-changes
+        run: |
+          if git diff --quiet -- $GOOGLE_FILE; then
+            echo "👀 No changes detected, skipping..."
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "has_changes=true" >> $GITHUB_OUTPUT
+          echo "👀 Changes detected, validating fido2_privileged_google.json..."
+
+          python .github/scripts/validate-json/validate_json.py validate $GOOGLE_FILE
+          if [ $? -ne 0 ]; then
+            echo "::error::JSON validation failed for $GOOGLE_FILE"
+            exit 1
+          fi
+
+          echo "👀 fido2_privileged_google.json is valid, checking for duplicates..."
+
+          # Check for duplicates between Google and Community files
+          python .github/scripts/validate-json/validate_json.py duplicates $GOOGLE_FILE $COMMUNITY_FILE duplicates.txt
+
+          if [ -f duplicates.txt ]; then
+            echo "::warning::Duplicate package names found between Google and Community files."
+            echo "duplicates_found=true" >> $GITHUB_OUTPUT
+          else
+            echo "✅ No duplicate package names found between Google and Community files"
+            echo "duplicates_found=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create branch and commit
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          echo "👀 Committing fido2_privileged_google.json..."
+
+          BRANCH_NAME="cron-sync-privileged-browsers/$GITHUB_RUN_NUMBER-sync"
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+          git checkout -b $BRANCH_NAME
+          git add $GOOGLE_FILE
+          git commit -m "Update Google privileged browsers list"
+          git push origin $BRANCH_NAME
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+          echo "🌱 Branch created: $BRANCH_NAME"
+
+      - name: Create Pull Request
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DUPLICATES_FOUND: ${{ steps.check-changes.outputs.duplicates_found }}
+          BASE_PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/
+        run: |
+          PR_BODY="Updates the Google privileged browsers list with the latest data from $SOURCE_URL"
+
+          if [ "$DUPLICATES_FOUND" = "true" ]; then
+            PR_BODY="$PR_BODY\n\n> [!WARNING]\n> :suspect: The following package(s) appear in both Google and Community files:"
+            while IFS= read -r line; do
+              PR_BODY="$PR_BODY\n> - $line"
+            done < duplicates.txt
+          fi
+
+          # Use echo -e to interpret escape sequences and pipe to gh pr create
+          PR_URL=$(echo -e "$PR_BODY" | gh pr create \
+            --title "Update Google privileged browsers list" \
+            --body-file - \
+            --base main \
+            --head $BRANCH_NAME \
+            --label "automated-pr" \
+            --label "t:ci")

.github/workflows/crowdin-pull-authenticator.yml

@@ -0,0 +1,56 @@
+name: Crowdin Sync - Authenticator
+
+on:
+  workflow_dispatch:
+    inputs: {}
+  schedule:
+    - cron: '0 0 * * 5'
+
+jobs:
+  crowdin-sync:
+    name: Autosync
+    runs-on: ubuntu-24.04
+    env:
+      _CROWDIN_PROJECT_ID: "673718"
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Log in to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+
+      - name: Download translations
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }}
+        with:
+          config: crowdin-bwa.yml
+          upload_sources: false
+          upload_translations: false
+          download_translations: true
+          github_user_name: "bitwarden-devops-bot"
+          github_user_email: "106330231+bitwarden-devops-bot@users.noreply.github.com"
+          commit_message: "Autosync the updated translations"
+          localization_branch_name: crowdin-auto-sync
+          create_pull_request: true
+          pull_request_title: "Autosync Crowdin Translations"
+          pull_request_body: "Autosync the updated translations"
+          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
+          gpg_passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}

.github/workflows/crowdin-pull.yml

@@ -1,21 +1,20 @@
----
 name: Crowdin Sync
 
 on:
   workflow_dispatch:
-    inputs: { }
+    inputs: {}
   schedule:
     - cron: '0 0 * * 5'
 
 jobs:
   crowdin-sync:
     name: Autosync
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     env:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -29,10 +28,17 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+
       - name: Download translations
-        uses: crowdin/github-action@61ac8b980551f674046220c3e104bddae2916ac5 # v2.0.0
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
         with:
           config: crowdin.yml

.github/workflows/crowdin-push-authenticator.yml

@@ -0,0 +1,30 @@
+name: Crowdin Push - Authenticator
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  JAVA_VERSION: 17
+
+jobs:
+  crowdin-push:
+    name: Crowdin Push
+    runs-on: ubuntu-24.04
+    env:
+      _CROWDIN_PROJECT_ID: "673718"
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Upload sources
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }}
+        with:
+          config: crowdin-bwa.yml
+          upload_sources: true
+          upload_translations: false

.github/workflows/crowdin-push.yml

@@ -9,12 +9,12 @@ on:
 jobs:
   crowdin-push:
     name: Crowdin Push
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Log in to Azure
         uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
@@ -23,13 +23,13 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@2bd1450c2cdb2a8ac886232b8589696f22794229 # v0.2.0
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
 
       - name: Upload sources
-        uses: crowdin/github-action@61ac8b980551f674046220c3e104bddae2916ac5 # v2.0.0
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/github-release.yml

@@ -0,0 +1,129 @@
+name: Create GitHub Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-name:
+        description: 'Version Name - E.g. "2024.11.1"'
+        required: true
+        type: string
+      version-number:
+        description: 'Version Number - E.g. "123456"'
+        required: true
+        type: string
+      artifact-run-id:
+        description: 'GitHub Action Run ID containing artifacts'
+        required: true
+        type: string
+      draft:
+        description: 'Create as draft release'
+        type: boolean
+        default: true
+      prerelease:
+        description: 'Mark as pre-release'
+        type: boolean
+        default: true
+      make-latest:
+        description: 'Set as the latest release'
+        type: boolean
+      branch-protection-type:
+        description: 'Branch protection type'
+        type: choice
+        options:
+          - Branch Name
+          - GitHub API
+        default: Branch Name
+env:
+    ARTIFACTS_PATH: artifacts
+jobs:
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      actions: read
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get branch from workflow run
+        id: get_release_branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+          BRANCH_PROTECTION_TYPE: ${{ inputs.branch-protection-type }}
+        run: |
+          release_branch=$(gh run view $ARTIFACT_RUN_ID --json headBranch -q .headBranch)
+
+          case "$BRANCH_PROTECTION_TYPE" in
+            "Branch Name")
+              if [[ "$release_branch" != "main" && ! "$release_branch" =~ ^release/ ]]; then
+                echo "::error::Branch '$release_branch' is not 'main' or a release branch starting with 'release/'. Releases must be created from protected branches."
+                exit 1
+              fi
+              ;;
+            "GitHub API")
+              #NOTE requires token with "administration:read" scope
+              if ! gh api "repos/${{ github.repository }}/branches/$release_branch/protection" | grep -q "required_status_checks"; then
+                echo "::error::Branch '$release_branch' is not protected. Releases must be created from protected branches. If that's not correct, confirm if the github token user has the 'administration:read' scope."
+                exit 1
+              fi
+              ;;
+            *)
+              echo "::error::Unsupported branch protection type: $BRANCH_PROTECTION_TYPE"
+              exit 1
+              ;;
+          esac
+
+          echo "release_branch=$release_branch" >> $GITHUB_OUTPUT
+
+      - name: Download artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+        run: |
+          gh run download $ARTIFACT_RUN_ID -D $ARTIFACTS_PATH
+          file_count=$(find $ARTIFACTS_PATH -type f | wc -l)
+          echo "Downloaded $file_count file(s)."
+          if [ "$file_count" -gt 0 ]; then
+            echo "Downloaded files:"
+            find $ARTIFACTS_PATH -type f
+          fi
+
+      - name: Create Release
+        id: create_release
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        with:
+          tag_name: "v${{ inputs.version-name }}"
+          name: "${{ inputs.version-name }} (${{ inputs.version-number }})"
+          prerelease: ${{ inputs.prerelease }}
+          draft: ${{ inputs.draft }}
+          make_latest: ${{ inputs.make-latest }}
+          target_commitish: ${{ steps.get_release_branch.outputs.release_branch }}
+          generate_release_notes: true
+          files: |
+            artifacts/**/*
+
+      - name: Update Release Description
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_ID: ${{ steps.create_release.outputs.id }}
+          RELEASE_URL: ${{ steps.create_release.outputs.url }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+        run: |
+          # Get current release body
+          current_body=$(gh api /repos/${{ github.repository }}/releases/$RELEASE_ID --jq .body)
+
+          # Append build source to the end
+          updated_body="${current_body}
+          **Builds Source:** https://github.com/${{ github.repository }}/actions/runs/$ARTIFACT_RUN_ID"
+
+          # Update release
+          gh api --method PATCH /repos/${{ github.repository }}/releases/$RELEASE_ID \
+            -f body="$updated_body"
+
+          echo "# :rocket: Release ready at:" >> $GITHUB_STEP_SUMMARY
+          echo "$RELEASE_URL" >> $GITHUB_STEP_SUMMARY

.github/workflows/release-branch.yml

@@ -0,0 +1,58 @@
+name: Cut Release Branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Release Type'
+        required: true
+        type: choice
+        options:
+          - RC
+          - Hotfix
+
+jobs:
+  create-release-branch:
+    name: Create Release Branch
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Create RC Branch
+        if: inputs.release_type == 'RC'
+        env:
+          RC_PREFIX_DATE: "true" # replace with input if needed
+        run: |
+          if [ "$RC_PREFIX_DATE" = "true" ]; then
+            current_date=$(date +'%Y.%m')
+            branch_name="release/${current_date}-rc${{ github.run_number }}"
+          else
+            branch_name="release/rc${{ github.run_number }}"
+          fi
+          git switch main
+          git switch -c $branch_name
+          git push origin $branch_name
+          echo "# :cherry_blossom: RC branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Create Hotfix Branch
+        if: inputs.release_type == 'Hotfix'
+        run: |
+          latest_tag=$(git tag -l --sort=-creatordate | head -n 1)
+          if [ -z "$latest_tag" ]; then
+            echo "::error::No tags found in the repository"
+            exit 1
+          fi
+          branch_name="release/hotfix-${latest_tag}"
+          echo "🌿 branch name: $branch_name"
+          if git show-ref --verify --quiet "refs/remotes/origin/$branch_name"; then
+            echo "# :fire: :warning: Hotfix branch already exists: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+          git switch -c $branch_name $latest_tag
+          git push origin $branch_name
+          echo "# :fire: Hotfix branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY

.github/workflows/scan-authenticator.yml

@@ -0,0 +1,78 @@
+name: Scan Authenticator
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-24.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-24.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

.github/workflows/scan-ci.yml

@@ -0,0 +1,63 @@
+name: Scan Protected Branches On Push
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+
+jobs:
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path .
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        with:
+          sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

.github/workflows/scan.yml

@@ -1,12 +1,7 @@
-name: Scan
+name: Scan Pull Requests
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "rc"
-      - "hotfix-rc"
   pull_request_target:
     types: [opened, synchronize]
 
@@ -17,7 +12,7 @@ jobs:
 
   sast:
     name: SAST scan
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     permissions:
       contents: read
@@ -26,12 +21,12 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@92b6d52097badece63efe997ffe75207010bb80c # 2.0.29
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -46,13 +41,15 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     permissions:
       contents: read
@@ -60,17 +57,17 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with SonarCloud
-        uses: sonarsource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0
+        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: >
             -Dsonar.organization=${{ github.repository_owner }}
             -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

.github/workflows/test-authenticator.yml

@@ -0,0 +1,82 @@
+name: Test Authenticator
+
+on:
+  push:
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request_target:
+    types: [opened, synchronize]
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  JAVA_VERSION: 17
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  test:
+    name: Test
+    runs-on: ubuntu-24.04
+    needs: check-run
+    permissions:
+      contents: read
+      packages: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Validate Gradle wrapper
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+
+      - name: Cache Gradle files
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-v2-
+
+      - name: Cache build output
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ${{ github.workspace }}/build-cache
+          key: ${{ runner.os }}-build-cache-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-build-
+
+      - name: Configure Ruby
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        with:
+          bundler-cache: true
+
+      - name: Configure JDK
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        with:
+          distribution: "temurin"
+          java-version: ${{ env.JAVA_VERSION }}
+
+      - name: Install Fastlane
+        run: |
+          gem install bundler:2.2.27
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+
+      - name: Build and test Authenticator
+        run: |
+          bundle exec fastlane checkAuthenticator
+
+      - name: Upload to codecov.io
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
+        with:
+          files: authenticator/build/reports/kover/reportDebug.xml

.github/workflows/test.yml

@@ -6,40 +6,33 @@ on:
       - "main"
       - "rc"
       - "hotfix-rc"
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
+  merge_group:
+    type: [checks_requested]
   workflow_dispatch:
 
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  JAVA_VERSION: 17
+  _JAVA_VERSION: 17
+  _GITHUB_ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}
+
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   test:
     name: Test
-    runs-on: ubuntu-22.04
-    needs: check-run
+    runs-on: ubuntu-24.04
     permissions:
-      contents: read
-      issues: write
       packages: read
-      pull-requests: write
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{  github.event.pull_request.head.sha }}
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -49,7 +42,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -58,15 +51,15 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
       - name: Configure JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
-          java-version: ${{ env.JAVA_VERSION }}
+          java-version: ${{ env._JAVA_VERSION }}
 
       - name: Install Fastlane
         run: |
@@ -75,12 +68,58 @@ jobs:
           bundle install --jobs 4 --retry 3
 
       - name: Build and test
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in settings.gradle.kts to download the SDK from GitHub Maven Packages
         run: |
           bundle exec fastlane check
 
-      - name: Upload to codecov.io
-        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+      - name: Upload test reports
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: always()
         with:
-          file: app/build/reports/kover/reportStandardDebug.xml
+          name: test-reports
+          path: |
+            app/build/reports/tests/
+            app/build/reports/kover/reportStandardDebug.xml
+
+  report:
+    name: Process Test Reports
+    needs: test
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    if: success()
+
+    steps:
+      - name: Download test artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        with:
+          name: test-reports
+
+      - name: Upload to codecov.io
+        id: upload-to-codecov
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        continue-on-error: true
+        with:
+          os: linux
+          files: kover/reportStandardDebug.xml
+          fail_ci_if_error: true
+
+      - name: Comment PR if tests failed
+        if: steps.upload-to-codecov.outcome == 'failure' && (github.event_name == 'push' || github.event_name == 'pull_request')
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+            PR_NUMBER: ${{ github.event.number }}
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            RUN_ACTOR: ${{ github.triggering_actor }}
+        run: |
+          echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+          echo "> Uploading code coverage report failed. Please check the \"Upload to codecov.io\" step of \"Process Test Reports\" job for more details." >> $GITHUB_STEP_SUMMARY
+
+          if [ ! -z "$PR_NUMBER" ]; then
+            message=$'> [!WARNING]\n> @'$RUN_ACTOR' Uploading code coverage report failed. Please check the "Upload to codecov.io" step of [Process Test Reports job]('$_GITHUB_ACTION_RUN_URL') for more details.'
+            gh pr comment --repo $GITHUB_REPOSITORY $PR_NUMBER --body "$message"
+          fi

.gitignore

@@ -25,5 +25,13 @@ user.properties
 
 # Secrets
 /keystores/*.jks
-/app/src/standardDebug/google-services.json
+/app/src/standardBeta/google-services.json
 /app/src/standardRelease/google-services.json
+/authenticator/src/google-services.json
+
+# Python
+.python-version
+__pycache__/
+
+# Generated by .github/scripts/validate-json/validate-json.py
+duplicates.txt

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

Dangerfile

@@ -1 +0,0 @@
-shroud.reportKover 'App', 'app/build/reports/kover/reportStandardDebug.xml', 80, 80, false

Gemfile.lock

@@ -9,21 +9,22 @@ GEM
       public_suffix (>= 2.0.2, < 7.0)
     artifactory (3.0.17)
     atomos (0.1.3)
-    aws-eventstream (1.3.0)
-    aws-partitions (1.947.0)
-    aws-sdk-core (3.199.0)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1067.0)
+    aws-sdk-core (3.220.1)
       aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.8)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.87.0)
-      aws-sdk-core (~> 3, >= 3.199.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.154.0)
-      aws-sdk-core (~> 3, >= 3.199.0)
+    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.182.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.8)
-    aws-sigv4 (1.8.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.11.0)
       aws-eventstream (~> 1, >= 1.0.2)
     babosa (1.0.4)
     base64 (0.2.0)
@@ -32,15 +33,15 @@ GEM
     colored2 (3.1.2)
     commander (4.6.0)
       highline (~> 2.0.0)
-    date (3.3.4)
+    date (3.4.1)
     declarative (0.0.20)
-    digest-crc (0.6.5)
+    digest-crc (0.7.0)
       rake (>= 12.0.0, < 14.0.0)
     domain_name (0.6.20240107)
     dotenv (2.8.1)
     emoji_regex (3.2.3)
-    excon (0.110.0)
-    faraday (1.10.3)
+    excon (0.112.0)
+    faraday (1.10.4)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -59,17 +60,17 @@ GEM
     faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
+    faraday-multipart (1.1.0)
+      multipart-post (~> 2.0)
+    faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
     faraday-retry (1.0.3)
-    faraday_middleware (1.2.0)
+    faraday_middleware (1.2.1)
       faraday (~> 1.0)
-    fastimage (2.3.1)
-    fastlane (2.221.1)
+    fastimage (2.4.0)
+    fastlane (2.227.0)
       CFPropertyList (>= 2.3, < 4.0.0)
       addressable (>= 2.8, < 3.0.0)
       artifactory (~> 3.0)
@@ -85,6 +86,7 @@ GEM
       faraday-cookie_jar (~> 0.0.6)
       faraday_middleware (~> 1.0)
       fastimage (>= 2.1.0, < 3.0.0)
+      fastlane-sirp (>= 1.0.0)
       gh_inspector (>= 1.1.2, < 2.0.0)
       google-apis-androidpublisher_v3 (~> 0.3)
       google-apis-playcustomapp_v1 (~> 0.1)
@@ -108,11 +110,13 @@ GEM
       tty-spinner (>= 0.8.0, < 1.0.0)
       word_wrap (~> 1.0.0)
       xcodeproj (>= 1.13.0, < 2.0.0)
-      xcpretty (~> 0.3.0)
+      xcpretty (~> 0.4.0)
       xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
-    fastlane-plugin-firebase_app_distribution (0.9.1)
+    fastlane-plugin-firebase_app_distribution (0.10.0)
       google-apis-firebaseappdistribution_v1 (~> 0.3.0)
       google-apis-firebaseappdistribution_v1alpha (~> 0.2.0)
+    fastlane-sirp (1.0.0)
+      sysrandom (~> 1.0)
     gh_inspector (1.1.3)
     google-apis-androidpublisher_v3 (0.54.0)
       google-apis-core (>= 0.11.0, < 2.a)
@@ -134,12 +138,12 @@ GEM
       google-apis-core (>= 0.11.0, < 2.a)
     google-apis-storage_v1 (0.31.0)
       google-apis-core (>= 0.11.0, < 2.a)
-    google-cloud-core (1.7.0)
+    google-cloud-core (1.8.0)
       google-cloud-env (>= 1.0, < 3.a)
       google-cloud-errors (~> 1.0)
     google-cloud-env (1.6.0)
       faraday (>= 0.17.3, < 3.0)
-    google-cloud-errors (1.4.0)
+    google-cloud-errors (1.5.0)
     google-cloud-storage (1.47.0)
       addressable (~> 2.8)
       digest-crc (~> 0.4)
@@ -155,35 +159,36 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     highline (2.0.3)
-    http-cookie (1.0.6)
+    http-cookie (1.0.8)
       domain_name (~> 0.5)
-    httpclient (2.8.3)
+    httpclient (2.9.0)
+      mutex_m
     jmespath (1.6.2)
-    json (2.7.2)
-    jwt (2.8.2)
+    json (2.10.2)
+    jwt (2.10.1)
       base64
-    mini_magick (4.13.1)
+    mini_magick (4.13.2)
     mini_mime (1.1.5)
     multi_json (1.15.0)
     multipart-post (2.4.1)
-    nanaimo (0.3.0)
+    mutex_m (0.3.0)
+    nanaimo (0.4.0)
     naturally (2.2.1)
     nkf (0.2.0)
-    optparse (0.5.0)
+    optparse (0.6.0)
     os (1.1.4)
-    plist (3.7.1)
-    public_suffix (6.0.0)
+    plist (3.7.2)
+    public_suffix (6.0.1)
     rake (13.2.1)
     representable (3.2.0)
       declarative (< 0.1.0)
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.2.9)
-      strscan
-    rouge (2.0.7)
+    rexml (3.4.1)
+    rouge (3.28.0)
     ruby2_keywords (0.0.5)
-    rubyzip (2.3.2)
+    rubyzip (2.4.1)
     security (0.1.5)
     signet (0.19.0)
       addressable (~> 2.8)
@@ -193,11 +198,11 @@ GEM
     simctl (1.6.10)
       CFPropertyList
       naturally
-    strscan (3.1.0)
+    sysrandom (1.0.5)
     terminal-notifier (2.0.0)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
-    time (0.3.0)
+    time (0.4.1)
       date
     trailblazer-option (0.1.2)
     tty-cursor (0.7.1)
@@ -205,17 +210,17 @@ GEM
     tty-spinner (0.9.3)
       tty-cursor (~> 0.7)
     uber (0.1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (2.6.0)
     word_wrap (1.0.0)
-    xcodeproj (1.24.0)
+    xcodeproj (1.27.0)
       CFPropertyList (>= 2.3.3, < 4.0)
       atomos (~> 0.1.3)
       claide (>= 1.0.2, < 2.0)
       colored2 (~> 3.1)
-      nanaimo (~> 0.3.0)
-      rexml (~> 3.2.4)
-    xcpretty (0.3.0)
-      rouge (~> 2.0.7)
+      nanaimo (~> 0.4.0)
+      rexml (>= 3.3.6, < 4.0)
+    xcpretty (0.4.0)
+      rouge (~> 3.28.0)
     xcpretty-travis-formatter (1.0.1)
       xcpretty (~> 0.2, >= 0.0.7)
 

README-bwa.md

@@ -0,0 +1,61 @@
+[![Github Workflow build on main](https://github.com/bitwarden/authenticator-android/actions/workflows/build-authenticator.yml/badge.svg?branch=main)](https://github.com/bitwarden/authenticator-android/actions/workflows/build-authenticator.yml?query=branch:main)
+[![Join the chat at https://gitter.im/bitwarden/Lobby](https://badges.gitter.im/bitwarden/Lobby.svg)](https://gitter.im/bitwarden/Lobby)
+
+# Bitwarden Authenticator Android App
+
+<a href="https://play.google.com/store/apps/details?id=com.bitwarden.authenticator" target="_blank"><img alt="Get it on Google Play" src="https://imgur.com/YQzmZi9.png" width="153" height="46"></a>
+
+Bitwarden Authenticator allows you easily store and generate two-factor authentication codes on your device. The Bitwarden Authenticator Android application is written in Kotlin.
+
+<img src="https://raw.githubusercontent.com/bitwarden/brand/master/screenshots/authenticator-android-codes.png" alt="" width="325" height="650" />
+
+## Compatibility
+
+- **Minimum SDK**: 28
+- **Target SDK**: 34
+- **Device Types Supported**: Phone and Tablet
+- **Orientations Supported**: Portrait and Landscape
+
+## Setup
+
+
+1. Clone the repository:
+
+    ```sh
+    $ git clone https://github.com/bitwarden/authenticator-android
+    ```
+
+2. Create a `user.properties` file in the root directory of the project and add the following properties:
+
+    - `gitHubToken`: A "classic" Github Personal Access Token (PAT) with the `read:packages` scope (ex: `gitHubToken=gph_xx...xx`). These can be generated by going to the [Github tokens page](https://github.com/settings/tokens). See [the Github Packages user documentation concerning authentication](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-gradle-registry#authenticating-to-github-packages) for more details.
+
+3. Setup the code style formatter:
+
+    All code must follow the guidelines described in the [Code Style Guidelines document](docs/STYLE_AND_BEST_PRACTICES.md). To aid in adhering to these rules, all contributors should apply `docs/bitwarden-style.xml` as their code style scheme. In IntelliJ / Android Studio:
+
+    - Navigate to `Preferences > Editor > Code Style`.
+    - Hit the `Manage` button next to `Scheme`.
+    - Select `Import`.
+    - Find the `bitwarden-style.xml` file in the project's `docs/` directory.
+    - Import "from" `BitwardenStyle` "to" `BitwardenStyle`.
+    - Hit `Apply` and `OK` to save the changes and exit Preferences.
+
+    Note that in some cases you may need to restart Android Studio for the changes to take effect.
+
+    All code should be formatted before submitting a pull request. This can be done manually but it can also be helpful to create a macro with a custom keyboard binding to auto-format when saving. In Android Studio on OS X:
+
+    - Select `Edit > Macros > Start Macro Recording`
+    - Select `Code > Optimize Imports`
+    - Select `Code > Reformat Code`
+    - Select `File > Save All`
+    - Select `Edit > Macros > Stop Macro Recording`
+
+    This can then be mapped to a set of keys by navigating to `Android Studio > Preferences` and editing the macro under `Keymap` (ex : shift + command + s).
+
+    Please avoid mixing formatting and logical changes in the same commit/PR. When possible, fix any large formatting issues in a separate PR before opening one to make logical changes to the same code. This helps others focus on the meaningful code changes when reviewing the code.
+
+## Contribute
+
+Code contributions are welcome! Please commit any pull requests against the `main` branch. Learn more about how to contribute by reading the [Contributing Guidelines](https://contributing.bitwarden.com/contributing/). Check out the [Contributing Documentation](https://contributing.bitwarden.com/) for how to get started with your first contribution.
+
+Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the [`SECURITY.md`](SECURITY.md) file.

README.md

@@ -1,7 +1,4 @@
-# Bitwarden Android (BETA)
-
-> [!TIP]
-> This repo has the new native Android app, currently in [Beta](https://community.bitwarden.com/t/about-the-beta-program/39185). Looking for the legacy .NET MAUI apps? Head on over to [bitwarden/mobile](https://github.com/bitwarden/mobile)
+# Bitwarden Android
 
 ## Contents
 
@@ -11,8 +8,8 @@
 
 ## Compatibility
 
-- **Minimum SDK**: 28
-- **Target SDK**: 34
+- **Minimum SDK**: 29
+- **Target SDK**: 35
 - **Device Types Supported**: Phone and Tablet
 - **Orientations Supported**: Portrait and Landscape
 
@@ -28,6 +25,7 @@
 2. Create a `user.properties` file in the root directory of the project and add the following properties:
 
     - `gitHubToken`: A "classic" Github Personal Access Token (PAT) with the `read:packages` scope (ex: `gitHubToken=gph_xx...xx`). These can be generated by going to the [Github tokens page](https://github.com/settings/tokens). See [the Github Packages user documentation concerning authentication](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-gradle-registry#authenticating-to-github-packages) for more details.
+    - `localSdk`: A boolean value to determine if the SDK should be loaded from the local maven artifactory (ex: `localSdk=true`). This is particularly useful when developing new SDK capabilities. Review [Linking SDK to clients](https://contributing.bitwarden.com/getting-started/sdk/#linking-the-sdk-to-clients) for more details.
 
 3. Setup the code style formatter:
 
@@ -134,6 +132,11 @@ The following is a list of all third-party dependencies included as part of the
     - https://github.com/firebase/firebase-android-sdk
     - Purpose: SDK for crash and non-fatal error reporting. (**NOTE:** This dependency is not included in builds distributed via F-Droid.)
     - License: Apache 2.0
+  
+- **Google Play Reviews**
+  - https://developer.android.com/reference/com/google/android/play/core/release-notes
+  - Purpose: On standard builds provide an interface to add a review for the password manager application in Google Play.
+  - License: Apache 2.0
 
 - **Glide**
     - https://github.com/bumptech/glide
@@ -170,6 +173,11 @@ The following is a list of all third-party dependencies included as part of the
     - Purpose: A networking layer interface.
     - License: Apache 2.0
 
+- **Timber**
+    - https://github.com/JakeWharton/timber
+    - Purpose: Extensible logging library for Android.
+    - License: Apache 2.0
+
 - **zxcvbn4j**
     - https://github.com/nulab/zxcvbn4j
     - Purpose: Password strength estimation.

SECURITY.md

@@ -1,21 +1,32 @@
-Bitwarden believes that working with security researchers across the globe is crucial to keeping our users safe. If you believe you've found a security issue in our product or service, we encourage you to please submit a report through our [HackerOne Program](https://hackerone.com/bitwarden/). We welcome working with you to resolve the issue promptly. Thanks in advance!
+Bitwarden believes that working with security researchers across the globe is crucial to keeping our
+users safe. If you believe you've found a security issue in our product or service, we encourage you
+to please submit a report through our [HackerOne Program](https://hackerone.com/bitwarden/). We
+welcome working with you to resolve the issue promptly. Thanks in advance!
 
 # Disclosure Policy
 
--   Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
--   Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.
--   Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
--   If you would like to encrypt your report, please use the PGP key with long ID `0xDE6887086F892325FEC04CC0D847525B6931381F` (available in the public keyserver pool).
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every
+  effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or
+  a third-party. We may publicly disclose the issue before resolving it, if appropriate.
+- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or
+  degradation of our service. Only interact with accounts you own or with explicit permission of the
+  account holder.
+- If you would like to encrypt your report, please use the PGP key with long ID
+  `0xDE6887086F892325FEC04CC0D847525B6931381F` (available in the public keyserver pool).
 
 While researching, we'd like to ask you to refrain from:
 
--   Denial of service
--   Spamming
--   Social engineering (including phishing) of Bitwarden staff or contractors
--   Any physical attempts against Bitwarden property or data centers
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of Bitwarden staff or contractors
+- Any physical attempts against Bitwarden property or data centers
 
 # We want to help you!
 
-If you have something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding the app that would help in your efforts, please email us at https://bitwarden.com/contact and ask for that information. As stated above, Bitwarden wants to help you find issues, and is more than willing to help.
+If you have something that you feel is close to exploitation, or if you'd like some information
+regarding the internal API, or generally have any questions regarding the app that would help in
+your efforts, please email us at https://bitwarden.com/contact and ask for that information. As
+stated above, Bitwarden wants to help you find issues, and is more than willing to help.
 
 Thank you for helping keep Bitwarden and our users safe!

app/build.gradle.kts

@@ -1,7 +1,12 @@
+import com.android.build.gradle.internal.api.BaseVariantOutputImpl
+import com.android.utils.cxx.io.removeExtensionIfPresent
 import com.google.firebase.crashlytics.buildtools.gradle.tasks.InjectMappingFileIdTask
 import com.google.firebase.crashlytics.buildtools.gradle.tasks.UploadMappingFileTask
 import com.google.gms.googleservices.GoogleServicesTask
+import dagger.hilt.android.plugin.util.capitalize
 import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+import java.io.FileInputStream
+import java.util.Properties
 
 plugins {
     alias(libs.plugins.android.application)
@@ -20,6 +25,26 @@ plugins {
     alias(libs.plugins.sonarqube)
 }
 
+/**
+ * Loads local user-specific build properties that are not checked into source control.
+ */
+val userProperties = Properties().apply {
+    val buildPropertiesFile = File(rootDir, "user.properties")
+    if (buildPropertiesFile.exists()) {
+        FileInputStream(buildPropertiesFile).use { load(it) }
+    }
+}
+
+/**
+ * Loads CI-specific build properties that are not checked into source control.
+ */
+val ciProperties = Properties().apply {
+    val ciPropsFile = File(rootDir, "ci.properties")
+    if (ciPropsFile.exists()) {
+        FileInputStream(ciPropsFile).use { load(it) }
+    }
+}
+
 android {
     namespace = "com.x8bit.bitwarden"
     compileSdk = libs.versions.compileSdk.get().toInt()
@@ -29,7 +54,7 @@ android {
         minSdk = libs.versions.minSdk.get().toInt()
         targetSdk = libs.versions.targetSdk.get().toInt()
         versionCode = 1
-        versionName = "2024.06.00"
+        versionName = "2024.9.0"
 
         setProperty("archivesBaseName", "com.x8bit.bitwarden")
 
@@ -39,6 +64,12 @@ android {
         }
 
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
+
+        buildConfigField(
+            type = "String",
+            name = "CI_INFO",
+            value = "${ciProperties.getOrDefault("ci.info", "\"local\"")}",
+        )
     }
 
     androidResources {
@@ -61,20 +92,34 @@ android {
             signingConfig = signingConfigs.getByName("debug")
             isDebuggable = true
             isMinifyEnabled = false
+
+            buildConfigField(type = "boolean", name = "HAS_DEBUG_MENU", value = "true")
+            buildConfigField(type = "boolean", name = "HAS_LOGS_ENABLED", value = "true")
         }
 
         // Beta and Release variants are identical except beta has a different package name
         create("beta") {
-            initWith(buildTypes.getByName("release"))
             applicationIdSuffix = ".beta"
+            isDebuggable = false
+            isMinifyEnabled = true
+            proguardFiles(
+                getDefaultProguardFile("proguard-android-optimize.txt"),
+                "proguard-rules.pro",
+            )
+
+            buildConfigField(type = "boolean", name = "HAS_DEBUG_MENU", value = "false")
+            buildConfigField(type = "boolean", name = "HAS_LOGS_ENABLED", value = "false")
         }
         release {
             isDebuggable = false
             isMinifyEnabled = true
             proguardFiles(
                 getDefaultProguardFile("proguard-android-optimize.txt"),
-                "proguard-rules.pro"
+                "proguard-rules.pro",
             )
+
+            buildConfigField(type = "boolean", name = "HAS_DEBUG_MENU", value = "false")
+            buildConfigField(type = "boolean", name = "HAS_LOGS_ENABLED", value = "false")
         }
     }
 
@@ -89,6 +134,39 @@ android {
         }
     }
 
+    applicationVariants.all {
+        val bundlesDir = "${layout.buildDirectory.get()}/outputs/bundle"
+        outputs
+            .mapNotNull { it as? BaseVariantOutputImpl }
+            .forEach { output ->
+                val fileNameWithoutExtension = when (flavorName) {
+                    "fdroid" -> "$applicationId-$flavorName"
+                    "standard" -> "$applicationId"
+                    else -> output.outputFileName.removeExtensionIfPresent(".apk")
+                }
+
+                // Set the APK output filename.
+                output.outputFileName = "$fileNameWithoutExtension.apk"
+
+                val variantName = name
+                val renameTaskName = "rename${variantName.capitalize()}AabFiles"
+                tasks.register(renameTaskName) {
+                    group = "build"
+                    description = "Renames the bundle files for $variantName variant"
+                    doLast {
+                        renameFile(
+                            "$bundlesDir/$variantName/$namespace-$flavorName-${buildType.name}.aab",
+                            "$fileNameWithoutExtension.aab",
+                        )
+                    }
+                }
+                // Force renaming task to execute after the variant is built.
+                tasks
+                    .getByName("bundle${variantName.capitalize()}")
+                    .finalizedBy(renameTaskName)
+            }
+    }
+
     compileOptions {
         sourceCompatibility(libs.versions.jvmTarget.get())
         targetCompatibility(libs.versions.jvmTarget.get())
@@ -102,14 +180,16 @@ android {
             excludes += "/META-INF/{AL2.0,LGPL2.1}"
         }
     }
-    @Suppress("UnstableApiUsage")
     testOptions {
         // Required for Robolectric
         unitTests.isIncludeAndroidResources = true
         unitTests.isReturnDefaultValues = true
     }
     lint {
-        disable.add("MissingTranslation")
+        disable += listOf(
+            "MissingTranslation",
+            "ExtraTranslation",
+        )
     }
 }
 
@@ -119,11 +199,22 @@ kotlin {
     }
 }
 
+configurations.all {
+    resolutionStrategy.dependencySubstitution {
+        if ((userProperties["localSdk"] as String?).toBoolean()) {
+            substitute(module("com.bitwarden:sdk-android"))
+                .using(module("com.bitwarden:sdk-android:LOCAL"))
+        }
+    }
+}
+
 dependencies {
     fun standardImplementation(dependencyNotation: Any) {
         add("standardImplementation", dependencyNotation)
     }
 
+    implementation(files("libs/authenticatorbridge-1.0.0-release.aar"))
+
     implementation(libs.androidx.activity.compose)
     implementation(libs.androidx.appcompat)
     implementation(libs.androidx.autofill)
@@ -165,6 +256,7 @@ dependencies {
     implementation(platform(libs.square.retrofit.bom))
     implementation(libs.square.retrofit)
     implementation(libs.square.retrofit.kotlinx.serialization)
+    implementation(libs.timber)
     implementation(libs.zxing.zxing.core)
 
     // For now we are restricted to running Compose tests for debug builds only
@@ -175,9 +267,12 @@ dependencies {
     standardImplementation(libs.google.firebase.cloud.messaging)
     standardImplementation(platform(libs.google.firebase.bom))
     standardImplementation(libs.google.firebase.crashlytics)
+    standardImplementation(libs.google.play.review)
 
     testImplementation(libs.androidx.compose.ui.test)
     testImplementation(libs.google.hilt.android.testing)
+    testImplementation(platform(libs.junit.bom))
+    testRuntimeOnly(libs.junit.platform.launcher)
     testImplementation(libs.junit.junit5)
     testImplementation(libs.junit.vintage)
     testImplementation(libs.kotlinx.coroutines.test)
@@ -208,6 +303,7 @@ kover {
                 annotatedBy(
                     // Compose previews
                     "androidx.compose.ui.tooling.preview.Preview",
+                    "androidx.compose.ui.tooling.preview.PreviewScreenSizes",
                     // Manually excluded classes/files/etc.
                     "com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage",
                 )
@@ -230,6 +326,7 @@ kover {
                     "*_*Factory\$*",
                     "*.Hilt_*",
                     "*_HiltModules",
+                    "*_HiltModules*",
                     "*_HiltModules\$*",
                     "*_Impl",
                     "*_Impl\$*",
@@ -256,6 +353,10 @@ tasks {
         dependsOn("detekt")
     }
 
+    getByName("sonar") {
+        dependsOn("check")
+    }
+
     withType<io.gitlab.arturbosch.detekt.Detekt>().configureEach {
         jvmTarget = libs.versions.jvmTarget.get()
     }
@@ -268,15 +369,16 @@ tasks {
         maxHeapSize = "2g"
         maxParallelForks = Runtime.getRuntime().availableProcessors()
         jvmArgs = jvmArgs.orEmpty() + "-XX:+UseParallelGC"
+        android.sourceSets["main"].res.srcDirs("src/test/res")
     }
 }
 
 afterEvaluate {
     // Disable Fdroid-specific tasks that we want to exclude
-    val tasks = tasks.withType<GoogleServicesTask>() +
+    val fdroidTasksToDisable = tasks.withType<GoogleServicesTask>() +
         tasks.withType<InjectMappingFileIdTask>() +
         tasks.withType<UploadMappingFileTask>()
-    tasks
+    fdroidTasksToDisable
         .filter { it.name.contains("Fdroid") }
         .forEach { it.enabled = false }
 }
@@ -293,8 +395,17 @@ sonar {
     }
 }
 
-tasks {
-    getByName("sonar") {
-        dependsOn("check")
+private fun renameFile(path: String, newName: String) {
+    val originalFile = File(path)
+    if (!originalFile.exists()) {
+        println("File $originalFile does not exist!")
+        return
     }
-} 
+
+    val newFile = File(originalFile.parentFile, newName)
+    if (originalFile.renameTo(newFile)) {
+        println("Renamed $originalFile to $newFile")
+    } else {
+        throw RuntimeException("Failed to rename $originalFile to $newFile")
+    }
+}

app/proguard-rules.pro

@@ -6,6 +6,10 @@
 # we keep it here.
 -keep class com.bitwarden.** { *; }
 
+# The Android Verifier component must be kept because it looks like dead code. Proguard is unable to
+# see any JNI usage, so our rules must manually opt into keeping it.
+-keep, includedescriptorclasses class org.rustls.platformverifier.** { *; }
+
 ################################################################################
 # Bitwarden Models
 ################################################################################

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/4.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 4,
+    "identityHash": "f7906c69e0a2c065d4d3be140fc721b6",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT NOT NULL, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'f7906c69e0a2c065d4d3be140fc721b6')"
+    ]
+  }
+}

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/5.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 5,
+    "identityHash": "ee697e71290c92fe5b607d0b7665481b",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'ee697e71290c92fe5b607d0b7665481b')"
+    ]
+  }
+}

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/6.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 6,
+    "identityHash": "ee158c483edfe5102504670f3d9845d4",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'ee158c483edfe5102504670f3d9845d4')"
+    ]
+  }
+}

app/src/beta/res/values/manifest.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <!-- For beta variant, we don't have a matching variant of the Bitwarden Authenticator app.
+    Therefore, we leave the known app cert null here so that no clients can connect to
+    AuthenticatorBridgeService in the beta variant. If later another variant of the
+    Bitwarden Authenticator app is added, a SHA-256 digest of that variant's APK can be added here.
+    -->
+    <string-array name="known_authenticator_app_certs" />
+</resources>

app/src/beta/res/xml/shortcuts.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<shortcuts xmlns:android="http://schemas.android.com/apk/res/android">
+    <shortcut
+        android:enabled="true"
+        android:icon="@mipmap/ic_generator_shortcut"
+        android:shortcutId="bitwarden_password_generator"
+        android:shortcutLongLabel="@string/password_generator"
+        android:shortcutShortLabel="@string/password_generator">
+        <intent
+            android:action="android.intent.action.VIEW"
+            android:data="bitwarden://password_generator"
+            android:targetClass="com.x8bit.bitwarden.MainActivity"
+            android:targetPackage="com.x8bit.bitwarden.beta" />
+    </shortcut>
+    <shortcut
+        android:enabled="true"
+        android:icon="@mipmap/ic_vault_shortcut"
+        android:shortcutId="bitwarden_my_vault"
+        android:shortcutLongLabel="@string/my_vault"
+        android:shortcutShortLabel="@string/my_vault">
+        <intent
+            android:action="android.intent.action.VIEW"
+            android:data="bitwarden://my_vault"
+            android:targetClass="com.x8bit.bitwarden.MainActivity"
+            android:targetPackage="com.x8bit.bitwarden.beta" />
+    </shortcut>
+</shortcuts>

app/src/debug/AndroidManifest.xml

@@ -3,15 +3,6 @@
     xmlns:tools="http://schemas.android.com/tools">
 
     <application tools:ignore="MissingApplicationIcon">
-
-        <activity
-            android:name=".MainActivity"
-            android:exported="true">
-            <intent-filter>
-                <action android:name="com.x8bit.bitwarden.fido2.ACTION_CREATE_PASSKEY" />
-                <category android:name="android.intent.category.DEFAULT" />
-            </intent-filter>
-        </activity>
         <!-- Disable Crashlytics for debug builds -->
         <meta-data
             android:name="firebase_crashlytics_collection_enabled"

app/src/debug/res/values/manifest.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <string-array name="known_authenticator_app_certs">
+        <!-- This is the SHA-256 digest for the Authenticator App debug variant:-->
+        <item>13144ab52af797a88c2fe292674461ef1715e0e1e4f5f538f63f1c174696f476</item>
+    </string-array>
+</resources>

app/src/fdroid/java/com/x8bit/bitwarden/data/platform/manager/CrashLogsManagerImpl.kt

@@ -1,16 +0,0 @@
-package com.x8bit.bitwarden.data.platform.manager
-
-import com.x8bit.bitwarden.data.platform.datasource.disk.legacy.LegacyAppCenterMigrator
-import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
-
-/**
- * CrashLogsManager implementation for F-droid flavor builds.
- */
-class CrashLogsManagerImpl(
-    settingsRepository: SettingsRepository,
-    legacyAppCenterMigrator: LegacyAppCenterMigrator,
-) : CrashLogsManager {
-    override var isEnabled: Boolean = true
-
-    override fun trackNonFatalException(e: Exception) = Unit
-}

app/src/fdroid/java/com/x8bit/bitwarden/data/platform/manager/LogsManagerImpl.kt

@@ -0,0 +1,27 @@
+package com.x8bit.bitwarden.data.platform.manager
+
+import com.x8bit.bitwarden.BuildConfig
+import com.x8bit.bitwarden.data.platform.datasource.disk.legacy.LegacyAppCenterMigrator
+import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
+import com.x8bit.bitwarden.data.platform.repository.model.Environment
+import timber.log.Timber
+
+/**
+ * [LogsManager] implementation for F-droid flavor builds.
+ */
+class LogsManagerImpl(
+    settingsRepository: SettingsRepository,
+    legacyAppCenterMigrator: LegacyAppCenterMigrator,
+) : LogsManager {
+    init {
+        if (BuildConfig.HAS_LOGS_ENABLED) {
+            Timber.plant(Timber.DebugTree())
+        }
+    }
+
+    override var isEnabled: Boolean = false
+
+    override fun setUserData(userId: String?, environmentType: Environment.Type) = Unit
+
+    override fun trackNonFatalException(throwable: Throwable) = Unit
+}

app/src/fdroid/java/com/x8bit/bitwarden/ui/platform/manager/review/AppReviewManagerImpl.kt

@@ -0,0 +1,12 @@
+package com.x8bit.bitwarden.ui.platform.manager.review
+
+import android.app.Activity
+
+/**
+ * No-op implementation of [AppReviewManager] for F-Droid builds.
+ */
+class AppReviewManagerImpl(
+    activity: Activity,
+) : AppReviewManager {
+    override fun promptForReview() = Unit
+}

app/src/main/AndroidManifest.xml

@@ -15,6 +15,20 @@
     <uses-permission android:name="android.permission.CAMERA" />
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+    <uses-permission android:name="android.permission.READ_USER_DICTIONARY"/>
+    <!-- Protect access to AuthenticatorBridgeService using this custom permission.
+
+    Note that each build type uses a different value for knownCerts.
+
+    This in effect means that the only application that can connect to the debug/release/etc
+    variant AuthenticatorBridgeService is the debug/release/etc variant Bitwarden Authenticator
+    app. -->
+    <permission
+        android:name="${applicationId}.permission.AUTHENTICATOR_BRIDGE_SERVICE"
+        android:knownCerts="@array/known_authenticator_app_certs"
+        android:label="Bitwarden Bridge"
+        android:protectionLevel="signature|knownSigner"
+        tools:targetApi="s" />
 
     <application
         android:name=".BitwardenApplication"
@@ -55,8 +69,49 @@
                 <data android:mimeType="video/*" />
                 <data android:mimeType="text/*" />
             </intent-filter>
+            <intent-filter android:autoVerify="true">
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data android:scheme="https" />
+
+                <data android:host="vault.bitwarden.com" />
+                <data android:host="vault.bitwarden.eu" />
+                <data android:host="*.bitwarden.pw" />
+                <data android:pathPattern="/redirect-connector.*" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="com.x8bit.bitwarden.fido2.ACTION_CREATE_PASSKEY" />
+                <action android:name="com.x8bit.bitwarden.fido2.ACTION_GET_PASSKEY" />
+                <action android:name="com.x8bit.bitwarden.fido2.ACTION_UNLOCK_ACCOUNT" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data android:scheme="otpauth" />
+                <data android:host="totp" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <data android:scheme="bitwarden" />
+            </intent-filter>
         </activity>
 
+        <activity
+            android:name=".AccessibilityActivity"
+            android:exported="false"
+            android:launchMode="singleTop"
+            android:noHistory="true"
+            android:theme="@android:style/Theme.NoDisplay" />
+
         <activity
             android:name=".AutofillTotpCopyActivity"
             android:exported="true"
@@ -141,6 +196,47 @@
             </intent-filter>
         </service>
 
+        <!--
+        The AccessibilityService name below refers to the legacy Xamarin app's service name. This
+        must always match in order for the app to properly query if it is providing accessibility
+        services.
+        -->
+        <!--suppress AndroidDomInspection -->
+        <service
+            android:name="com.x8bit.bitwarden.Accessibility.AccessibilityService"
+            android:exported="true"
+            android:label="@string/app_name"
+            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
+            tools:ignore="MissingClass">
+            <intent-filter>
+                <action android:name="android.accessibilityservice.AccessibilityService" />
+            </intent-filter>
+            <meta-data
+                android:name="android.accessibilityservice"
+                android:resource="@xml/accessibility_service" />
+        </service>
+
+        <!--
+        The CredentialProviderService name below refers to the legacy Xamarin app's service name.
+        This must always match in order for the app to properly query if it is providing credential
+        services.
+        -->
+        <!--suppress AndroidDomInspection -->
+        <service
+            android:name="com.x8bit.bitwarden.Autofill.CredentialProviderService"
+            android:enabled="true"
+            android:exported="true"
+            android:label="@string/bitwarden"
+            android:permission="android.permission.BIND_CREDENTIAL_PROVIDER_SERVICE"
+            tools:ignore="MissingClass">
+            <intent-filter>
+                <action android:name="android.service.credentials.CredentialProviderService" />
+            </intent-filter>
+            <meta-data
+                android:name="android.credentials.provider"
+                android:resource="@xml/provider" />
+        </service>
+
         <!-- This is required to support in-app language picker in Android 12 (API 32) and below -->
         <service
             android:name="androidx.appcompat.app.AppLocalesMetadataHolderService"
@@ -151,16 +247,84 @@
                 android:value="true" />
         </service>
 
+        <!--
+        The AutofillTileService name below refers to the legacy Xamarin app's service name.
+        This must always match in order for the app to properly query if it is providing autofill
+        tile services.
+        -->
+        <!--suppress AndroidDomInspection -->
+        <service
+            android:name="com.x8bit.bitwarden.AutofillTileService"
+            android:exported="true"
+            android:icon="@drawable/ic_notification"
+            android:label="@string/autofill"
+            android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
+            tools:ignore="MissingClass">
+            <intent-filter>
+                <action android:name="android.service.quicksettings.action.QS_TILE" />
+            </intent-filter>
+        </service>
+
+        <!--
+        The GeneratorTileService name below refers to the legacy Xamarin app's service name.
+        This must always match in order for the app to properly query if it is providing generator
+        tile services.
+        -->
+        <!--suppress AndroidDomInspection -->
+        <service
+            android:name="com.x8bit.bitwarden.GeneratorTileService"
+            android:exported="true"
+            android:icon="@drawable/ic_generator"
+            android:label="@string/password_generator"
+            android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
+            tools:ignore="MissingClass">
+            <intent-filter>
+                <action android:name="android.service.quicksettings.action.QS_TILE" />
+            </intent-filter>
+        </service>
+
+        <!--
+        The MyVaultTileService name below refers to the legacy Xamarin app's service name.
+        This must always match in order for the app to properly query if it is providing vault
+        tile services.
+        -->
+        <!--suppress AndroidDomInspection -->
+        <service
+            android:name="com.x8bit.bitwarden.MyVaultTileService"
+            android:exported="true"
+            android:icon="@drawable/ic_notification"
+            android:label="@string/my_vault"
+            android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
+            tools:ignore="MissingClass">
+            <intent-filter>
+                <action android:name="android.service.quicksettings.action.QS_TILE" />
+            </intent-filter>
+        </service>
+
         <meta-data
             android:name="android.content.APP_RESTRICTIONS"
             android:resource="@xml/app_restrictions" />
 
+        <service
+            android:name="com.x8bit.bitwarden.data.platform.service.AuthenticatorBridgeService"
+            android:exported="true"
+            android:permission="${applicationId}.permission.AUTHENTICATOR_BRIDGE_SERVICE" />
+
     </application>
 
     <queries>
         <intent>
             <action android:name="android.media.action.IMAGE_CAPTURE" />
         </intent>
+        <intent>
+            <action android:name="android.intent.action.MAIN" />
+            <category android:name="android.intent.category.HOME" />
+        </intent>
+        <!-- To Query Chrome Beta: -->
+        <package android:name="com.chrome.beta" />
+
+        <!-- To Query Chrome Stable: -->
+        <package android:name="com.android.chrome" />
     </queries>
 
 </manifest>

app/src/main/assets/fido2_privileged_community.json

@@ -0,0 +1,90 @@
+{
+  "apps": [
+    {
+      "type": "android",
+      "info": {
+        "package_name": "io.github.forkmaintainers.iceraven",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "9C:0D:22:37:9F:48:7B:70:A4:F9:F8:BE:C0:17:3C:F9:1A:16:44:F0:8F:93:38:5B:5B:78:2C:E3:76:60:BA:81"
+          }
+        ]
+      }
+    },
+
+    {
+      "type": "android",
+      "info": {
+        "package_name": "net.quetta.browser",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "BE:FE:E7:31:12:6A:A5:6E:7E:FD:AE:AF:5E:F3:FA:EA:44:1C:19:CC:E0:CA:EC:42:6B:65:BB:F8:2C:59:46:80"
+          }
+        ]
+      }
+    },
+
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.chromium.chrome",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "A8:56:48:50:79:BC:B3:57:BF:BE:69:BA:19:A9:BA:43:CD:0A:D9:AB:22:67:52:C7:80:B6:88:8A:FD:48:21:6B"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.cromite.cromite",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "63:3F:A4:1D:82:11:D6:D0:91:6A:81:9B:89:66:8C:6D:E9:2E:64:23:2D:A6:7F:9D:16:FD:81:C3:B7:E9:23:FF"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.ironfoxoss.ironfox",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "C5:E2:91:B5:A5:71:F9:C8:CD:9A:97:99:C2:C9:4E:02:EC:97:03:94:88:93:F2:CA:75:6D:67:B9:42:04:F9:04"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.mozilla.fenix",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "50:04:77:90:88:E7:F9:88:D5:BC:5C:C5:F8:79:8F:EB:F4:F8:CD:08:4A:1B:2A:46:EF:D4:C8:EE:4A:EA:F2:11"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.mozilla.fennec_fdroid",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "06:66:53:58:EF:D8:BA:05:BE:23:6A:47:A1:2C:B0:95:8D:7D:75:DD:93:9D:77:C2:B3:1F:53:98:53:7E:BD:C5"
+          }
+        ]
+      }
+    }
+  ]
+}

app/src/main/assets/fido2_privileged_google.json

@@ -475,7 +475,102 @@
           }
         ]
       }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.talonsec.talon",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "A3:66:03:44:A6:F6:AF:CA:81:8C:BF:43:96:A2:3C:CF:D5:ED:7A:78:1B:B4:A3:D1:85:03:01:E2:F4:6D:23:83"
+          },
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "E2:A5:64:74:EA:23:7B:06:67:B6:F5:2C:DC:E9:04:5E:24:88:3B:AE:D0:82:59:9A:A2:DF:0B:60:3A:CF:6A:3B"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.talonsec.talon_beta",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "F5:86:62:7A:32:C8:9F:E6:7E:00:6D:B1:8C:34:31:9E:01:7F:B3:B2:BE:D6:9D:01:01:B7:F9:43:E7:7C:48:AE"
+          },
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "9A:A1:25:D5:E5:5E:3F:B0:DE:96:72:D9:A9:5D:04:65:3F:49:4A:1E:C3:EE:76:1E:94:C4:4E:5D:2F:65:8E:2F"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.duckduckgo.mobile.android.debug",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "C4:F0:9E:2B:D7:25:AD:F5:AD:92:0B:A2:80:27:66:AC:16:4A:C1:53:B3:EA:9E:08:48:B0:57:98:37:F7:6A:29"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.duckduckgo.mobile.android",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "BB:7B:B3:1C:57:3C:46:A1:DA:7F:C5:C5:28:A6:AC:F4:32:10:84:56:FE:EC:50:81:0C:7F:33:69:4E:B3:D2:D4"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.naver.whale",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "0B:8B:85:23:BB:4A:EF:FA:34:6E:4B:DD:4F:BF:7D:19:34:50:56:9A:A1:4A:AA:D4:AD:FD:94:A3:F7:B2:27:BB"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.fido.fido2client",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "FC:98:DA:E6:3A:D3:96:26:C8:C6:7F:BE:83:F2:F0:6F:74:93:2A:9C:D1:46:B9:2C:EC:FC:6A:04:7A:90:43:86"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "com.heytap.browser",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "AF:F8:A7:49:CF:0E:7D:75:44:65:D0:FB:FA:7B:8D:0C:64:5E:22:5C:10:C6:E2:32:AD:A0:D9:74:88:36:B8:E5"
+          },
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "A8:FE:A4:CA:FB:93:32:DA:26:B8:E6:81:08:17:C1:DA:90:A5:03:0E:35:A6:0A:79:E0:6C:90:97:AA:C6:A4:42"
+          }
+        ]
+      }
     }
   ]
 }
-

app/src/main/java/com/x8bit/bitwarden/AccessibilityActivity.kt

@@ -0,0 +1,17 @@
+package com.x8bit.bitwarden
+
+import android.os.Bundle
+import androidx.appcompat.app.AppCompatActivity
+import com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage
+
+/**
+ * An activity to be launched and then immediately closed so that the OS Shade can be collapsed
+ * after the user clicks on the Autofill Quick Tile.
+ */
+@OmitFromCoverage
+class AccessibilityActivity : AppCompatActivity() {
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        finish()
+    }
+}

app/src/main/java/com/x8bit/bitwarden/BitwardenAppComponentFactory.kt

@@ -3,37 +3,62 @@ package com.x8bit.bitwarden
 import android.app.Service
 import android.content.Intent
 import android.os.Build
+import androidx.annotation.Keep
 import androidx.core.app.AppComponentFactory
 import com.x8bit.bitwarden.data.autofill.BitwardenAutofillService
+import com.x8bit.bitwarden.data.autofill.accessibility.BitwardenAccessibilityService
 import com.x8bit.bitwarden.data.autofill.fido2.BitwardenFido2ProviderService
 import com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage
-
-private const val LEGACY_AUTOFILL_SERVICE_NAME = "com.x8bit.bitwarden.Autofill.AutofillService"
-private const val LEGACY_CREDENTIAL_SERVICE_NAME =
-    "com.x8bit.bitwarden.Autofill.CredentialProviderService"
+import com.x8bit.bitwarden.data.tiles.BitwardenAutofillTileService
+import com.x8bit.bitwarden.data.tiles.BitwardenGeneratorTileService
+import com.x8bit.bitwarden.data.tiles.BitwardenVaultTileService
 
 /**
  * A factory class that allows us to intercept when a manifest element is being instantiated
  * and modify various characteristics before initialization.
  */
 @Suppress("unused")
+@Keep
 @OmitFromCoverage
 class BitwardenAppComponentFactory : AppComponentFactory() {
     /**
-     * Used to intercept when the [BitwardenAutofillService] or [BitwardenFido2ProviderService] is
-     * being instantiated and modify which service is created. This is required because the
-     * [className] used in the manifest must match the legacy Xamarin app service name but the
-     * service name in this app is different.
+     * Used to intercept when certain legacy services are being instantiated and modify which
+     * service is created. This is required because the [className] used in the manifest must match
+     * the legacy Xamarin app service name but the service name in this app is different.
+     *
+     * Services currently being managed:
+     * * [BitwardenAccessibilityService]
+     * * [BitwardenAutofillService]
+     * * [BitwardenAutofillTileService]
+     * * [BitwardenFido2ProviderService]
+     * * [BitwardenVaultTileService]
+     * * [BitwardenGeneratorTileService]
      */
     override fun instantiateServiceCompat(
         cl: ClassLoader,
         className: String,
         intent: Intent?,
     ): Service = when (className) {
+        LEGACY_ACCESSIBILITY_SERVICE_NAME -> {
+            super.instantiateServiceCompat(
+                cl,
+                BitwardenAccessibilityService::class.java.name,
+                intent,
+            )
+        }
+
         LEGACY_AUTOFILL_SERVICE_NAME -> {
             super.instantiateServiceCompat(cl, BitwardenAutofillService::class.java.name, intent)
         }
 
+        LEGACY_AUTOFILL_TILE_SERVICE_NAME -> {
+            super.instantiateServiceCompat(
+                cl,
+                BitwardenAutofillTileService::class.java.name,
+                intent,
+            )
+        }
+
         LEGACY_CREDENTIAL_SERVICE_NAME -> {
             if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
                 super.instantiateServiceCompat(
@@ -48,6 +73,18 @@ class BitwardenAppComponentFactory : AppComponentFactory() {
             }
         }
 
+        LEGACY_VAULT_TILE_SERVICE_NAME -> {
+            super.instantiateServiceCompat(cl, BitwardenVaultTileService::class.java.name, intent)
+        }
+
+        LEGACY_GENERATOR_TILE_SERVICE_NAME -> {
+            super.instantiateServiceCompat(
+                cl,
+                BitwardenGeneratorTileService::class.java.name,
+                intent,
+            )
+        }
+
         else -> super.instantiateServiceCompat(cl, className, intent)
     }
 }

app/src/main/java/com/x8bit/bitwarden/BitwardenApplication.kt

@@ -3,9 +3,9 @@ package com.x8bit.bitwarden
 import android.app.Application
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestNotificationManager
 import com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage
-import com.x8bit.bitwarden.data.platform.manager.CrashLogsManager
-import com.x8bit.bitwarden.data.platform.manager.NetworkConfigManager
+import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkConfigManager
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManager
 import dagger.hilt.android.HiltAndroidApp
 import javax.inject.Inject
@@ -19,10 +19,10 @@ class BitwardenApplication : Application() {
     // Inject classes here that must be triggered on startup but are not otherwise consumed by
     // other callers.
     @Inject
-    lateinit var networkConfigManager: NetworkConfigManager
+    lateinit var logsManager: LogsManager
 
     @Inject
-    lateinit var crashLogsManager: CrashLogsManager
+    lateinit var networkConfigManager: NetworkConfigManager
 
     @Inject
     lateinit var authRequestNotificationManager: AuthRequestNotificationManager

app/src/main/java/com/x8bit/bitwarden/BitwardenLegacyAppComponents.kt

@@ -0,0 +1,38 @@
+package com.x8bit.bitwarden
+
+/**
+ * The legacy name for the accessibility service.
+ */
+const val LEGACY_ACCESSIBILITY_SERVICE_NAME: String =
+    "com.x8bit.bitwarden.Accessibility.AccessibilityService"
+
+/**
+ * The short form legacy name for the accessibility service.
+ */
+const val LEGACY_SHORT_ACCESSIBILITY_SERVICE_NAME: String = ".Accessibility.AccessibilityService"
+
+/**
+ * The legacy name for the autofill service.
+ */
+const val LEGACY_AUTOFILL_SERVICE_NAME: String = "com.x8bit.bitwarden.Autofill.AutofillService"
+
+/**
+ * The legacy name for the accessibility autofill tile service.
+ */
+const val LEGACY_AUTOFILL_TILE_SERVICE_NAME: String = "com.x8bit.bitwarden.AutofillTileService"
+
+/**
+ * The legacy name for the credential service.
+ */
+const val LEGACY_CREDENTIAL_SERVICE_NAME: String =
+    "com.x8bit.bitwarden.Autofill.CredentialProviderService"
+
+/**
+ * The legacy name for the generator tile service.
+ */
+const val LEGACY_GENERATOR_TILE_SERVICE_NAME: String = "com.x8bit.bitwarden.GeneratorTileService"
+
+/**
+ * The legacy name for the vault tile service.
+ */
+const val LEGACY_VAULT_TILE_SERVICE_NAME: String = "com.x8bit.bitwarden.MyVaultTileService"

app/src/main/java/com/x8bit/bitwarden/MainActivity.kt

@@ -1,32 +1,45 @@
 package com.x8bit.bitwarden
 
 import android.content.Intent
+import android.os.Build
 import android.os.Bundle
+import android.view.KeyEvent
+import android.view.MotionEvent
 import android.view.WindowManager
+import android.widget.Toast
 import androidx.activity.compose.setContent
 import androidx.activity.viewModels
 import androidx.appcompat.app.AppCompatActivity
 import androidx.appcompat.app.AppCompatDelegate
 import androidx.compose.runtime.getValue
+import androidx.compose.runtime.remember
 import androidx.core.os.LocaleListCompat
 import androidx.core.splashscreen.SplashScreen.Companion.installSplashScreen
 import androidx.lifecycle.compose.collectAsStateWithLifecycle
-import androidx.lifecycle.lifecycleScope
+import androidx.navigation.compose.NavHost
+import androidx.navigation.compose.rememberNavController
+import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityCompletionManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillActivityManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillCompletionManager
 import com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage
+import com.x8bit.bitwarden.data.platform.manager.util.ObserveScreenDataEffect
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
+import com.x8bit.bitwarden.ui.platform.base.util.EventsEffect
 import com.x8bit.bitwarden.ui.platform.composition.LocalManagerProvider
-import com.x8bit.bitwarden.ui.platform.feature.rootnav.RootNavScreen
+import com.x8bit.bitwarden.ui.platform.feature.debugmenu.debugMenuDestination
+import com.x8bit.bitwarden.ui.platform.feature.debugmenu.manager.DebugMenuLaunchManager
+import com.x8bit.bitwarden.ui.platform.feature.debugmenu.navigateToDebugMenuScreen
+import com.x8bit.bitwarden.ui.platform.feature.rootnav.ROOT_ROUTE
+import com.x8bit.bitwarden.ui.platform.feature.rootnav.rootNavDestination
 import com.x8bit.bitwarden.ui.platform.theme.BitwardenTheme
+import com.x8bit.bitwarden.ui.platform.util.appLanguage
 import dagger.hilt.android.AndroidEntryPoint
-import kotlinx.coroutines.flow.launchIn
-import kotlinx.coroutines.flow.onEach
 import javax.inject.Inject
 
 /**
  * Primary entry point for the application.
  */
+@Suppress("TooManyFunctions")
 @OmitFromCoverage
 @AndroidEntryPoint
 class MainActivity : AppCompatActivity() {
@@ -39,16 +52,21 @@ class MainActivity : AppCompatActivity() {
     @Inject
     lateinit var autofillCompletionManager: AutofillCompletionManager
 
+    @Inject
+    lateinit var accessibilityCompletionManager: AccessibilityCompletionManager
+
     @Inject
     lateinit var settingsRepository: SettingsRepository
 
+    @Inject
+    lateinit var debugLaunchManager: DebugMenuLaunchManager
+
+    @Suppress("LongMethod")
     override fun onCreate(savedInstanceState: Bundle?) {
         var shouldShowSplashScreen = true
         installSplashScreen().setKeepOnScreenCondition { shouldShowSplashScreen }
         super.onCreate(savedInstanceState)
 
-        observeViewModelEvents()
-
         if (savedInstanceState == null) {
             mainViewModel.trySendAction(
                 MainAction.ReceiveFirstIntent(
@@ -57,21 +75,68 @@ class MainActivity : AppCompatActivity() {
             )
         }
 
-        // Within the app the language will change dynamically and will be managed
-        // by the OS, but we need to ensure we properly set the language when
-        // upgrading from older versions that handle this differently.
-        settingsRepository.appLanguage.localeName?.let { localeName ->
-            val localeList = LocaleListCompat.forLanguageTags(localeName)
-            AppCompatDelegate.setApplicationLocales(localeList)
-        }
+        // Within the app the theme will change dynamically and will be managed by the
+        // OS, but we need to ensure we properly set the values when upgrading from older versions
+        // that handle this differently or when the activity restarts.
+        AppCompatDelegate.setDefaultNightMode(settingsRepository.appTheme.osValue)
         setContent {
             val state by mainViewModel.stateFlow.collectAsStateWithLifecycle()
+            val navController = rememberNavController()
+            EventsEffect(viewModel = mainViewModel) { event ->
+                when (event) {
+                    is MainEvent.CompleteAccessibilityAutofill -> {
+                        handleCompleteAccessibilityAutofill(event)
+                    }
+
+                    is MainEvent.CompleteAutofill -> handleCompleteAutofill(event)
+                    MainEvent.Recreate -> handleRecreate()
+                    MainEvent.NavigateToDebugMenu -> navController.navigateToDebugMenuScreen()
+                    is MainEvent.ShowToast -> {
+                        Toast
+                            .makeText(
+                                baseContext,
+                                event.message.invoke(resources),
+                                Toast.LENGTH_SHORT,
+                            )
+                            .show()
+                    }
+
+                    is MainEvent.UpdateAppLocale -> {
+                        AppCompatDelegate.setApplicationLocales(
+                            LocaleListCompat.forLanguageTags(event.localeName),
+                        )
+                    }
+
+                    is MainEvent.UpdateAppTheme -> {
+                        AppCompatDelegate.setDefaultNightMode(event.osTheme)
+                    }
+                }
+            }
             updateScreenCapture(isScreenCaptureAllowed = state.isScreenCaptureAllowed)
-            LocalManagerProvider {
+            LocalManagerProvider(featureFlagsState = state.featureFlagsState) {
+                ObserveScreenDataEffect(
+                    onDataUpdate = remember(mainViewModel) {
+                        {
+                            mainViewModel.trySendAction(
+                                MainAction.ResumeScreenDataReceived(it),
+                            )
+                        }
+                    },
+                )
                 BitwardenTheme(theme = state.theme) {
-                    RootNavScreen(
-                        onSplashScreenRemoved = { shouldShowSplashScreen = false },
-                    )
+                    NavHost(
+                        navController = navController,
+                        startDestination = ROOT_ROUTE,
+                    ) {
+                        // Nothing else should end up at this top level, we just want the ability
+                        // to have the debug menu appear on top of the rest of the app without
+                        // interacting with the state-based navigation used by the RootNavScreen.
+                        rootNavDestination { shouldShowSplashScreen = false }
+                        debugMenuDestination(
+                            onNavigateBack = { navController.popBackStack() },
+                            onSplashScreenRemoved = { shouldShowSplashScreen = false },
+                        )
+                    }
                 }
             }
         }
@@ -86,6 +151,31 @@ class MainActivity : AppCompatActivity() {
         )
     }
 
+    override fun onResume() {
+        super.onResume()
+        // When the app resumes check for any app specific language which may have been
+        // set via the device settings. Similar to the theme setting in onCreate this
+        // ensures we properly set the values when upgrading from older versions
+        // that handle this differently or when the activity restarts.
+        val appSpecificLanguage = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            val locales: LocaleListCompat = AppCompatDelegate.getApplicationLocales()
+            if (locales.isEmpty) {
+                // App is using the system language
+                null
+            } else {
+                // App has specific language settings
+                locales.get(0)?.appLanguage
+            }
+        } else {
+            // For older versions, use what ever language is available from the repository.
+            settingsRepository.appLanguage
+        }
+
+        appSpecificLanguage?.let {
+            mainViewModel.trySendAction(MainAction.AppSpecificLanguageUpdate(it))
+        }
+    }
+
     override fun onStop() {
         super.onStop()
         // In some scenarios on an emulator the Activity can leak when recreated
@@ -93,16 +183,27 @@ class MainActivity : AppCompatActivity() {
         currentFocus?.clearFocus()
     }
 
-    private fun observeViewModelEvents() {
-        mainViewModel
-            .eventFlow
-            .onEach { event ->
-                when (event) {
-                    is MainEvent.CompleteAutofill -> handleCompleteAutofill(event)
-                    MainEvent.Recreate -> handleRecreate()
-                }
-            }
-            .launchIn(lifecycleScope)
+    override fun dispatchTouchEvent(event: MotionEvent): Boolean = debugLaunchManager
+        .actionOnInputEvent(event = event, action = ::sendOpenDebugMenuEvent)
+        .takeIf { it }
+        ?: super.dispatchTouchEvent(event)
+
+    override fun dispatchKeyEvent(event: KeyEvent): Boolean = debugLaunchManager
+        .actionOnInputEvent(event = event, action = ::sendOpenDebugMenuEvent)
+        .takeIf { it }
+        ?: super.dispatchKeyEvent(event)
+
+    private fun sendOpenDebugMenuEvent() {
+        mainViewModel.trySendAction(MainAction.OpenDebugMenu)
+    }
+
+    private fun handleCompleteAccessibilityAutofill(
+        event: MainEvent.CompleteAccessibilityAutofill,
+    ) {
+        accessibilityCompletionManager.completeAccessibilityAutofill(
+            activity = this,
+            cipherView = event.cipherView,
+        )
     }
 
     private fun handleCompleteAutofill(event: MainEvent.CompleteAutofill) {

app/src/main/java/com/x8bit/bitwarden/MainViewModel.kt

@@ -5,36 +5,60 @@ import android.os.Parcelable
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.viewModelScope
 import com.bitwarden.vault.CipherView
+import com.x8bit.bitwarden.data.auth.manager.AddTotpItemFromAuthenticatorManager
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
+import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
+import com.x8bit.bitwarden.data.auth.util.getCompleteRegistrationDataIntentOrNull
 import com.x8bit.bitwarden.data.auth.util.getPasswordlessRequestDataIntentOrNull
+import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilitySelectionManager
 import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
-import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2CredentialRequestOrNull
+import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2AssertionRequestOrNull
+import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2CreateCredentialRequestOrNull
+import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2GetCredentialsRequestOrNull
 import com.x8bit.bitwarden.data.autofill.manager.AutofillSelectionManager
 import com.x8bit.bitwarden.data.autofill.util.getAutofillSaveItemOrNull
 import com.x8bit.bitwarden.data.autofill.util.getAutofillSelectionDataOrNull
+import com.x8bit.bitwarden.data.platform.manager.AppResumeManager
+import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.SpecialCircumstanceManager
 import com.x8bit.bitwarden.data.platform.manager.garbage.GarbageCollectionManager
+import com.x8bit.bitwarden.data.platform.manager.model.AppResumeScreenData
+import com.x8bit.bitwarden.data.platform.manager.model.CompleteRegistrationData
+import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.manager.model.SpecialCircumstance
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
+import com.x8bit.bitwarden.data.platform.util.isAddTotpLoginItemFromAuthenticator
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.ui.platform.base.BaseViewModel
+import com.x8bit.bitwarden.ui.platform.base.util.Text
+import com.x8bit.bitwarden.ui.platform.base.util.asText
+import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
 import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
+import com.x8bit.bitwarden.ui.platform.model.FeatureFlagsState
+import com.x8bit.bitwarden.ui.platform.util.isAccountSecurityShortcut
 import com.x8bit.bitwarden.ui.platform.util.isMyVaultShortcut
 import com.x8bit.bitwarden.ui.platform.util.isPasswordGeneratorShortcut
+import com.x8bit.bitwarden.ui.vault.model.TotpData
+import com.x8bit.bitwarden.ui.vault.util.getTotpDataOrNull
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.flow.distinctUntilChanged
 import kotlinx.coroutines.flow.drop
+import kotlinx.coroutines.flow.first
 import kotlinx.coroutines.flow.launchIn
 import kotlinx.coroutines.flow.map
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.update
+import kotlinx.coroutines.launch
 import kotlinx.parcelize.Parcelize
+import java.time.Clock
 import javax.inject.Inject
 
 private const val SPECIAL_CIRCUMSTANCE_KEY = "special-circumstance"
+private const val ANIMATION_REFRESH_DELAY = 500L
 
 /**
  * A view model that helps launch actions for the [MainActivity].
@@ -42,19 +66,28 @@ private const val SPECIAL_CIRCUMSTANCE_KEY = "special-circumstance"
 @Suppress("LongParameterList", "TooManyFunctions")
 @HiltViewModel
 class MainViewModel @Inject constructor(
+    accessibilitySelectionManager: AccessibilitySelectionManager,
     autofillSelectionManager: AutofillSelectionManager,
+    featureFlagManager: FeatureFlagManager,
+    private val addTotpItemFromAuthenticatorManager: AddTotpItemFromAuthenticatorManager,
     private val specialCircumstanceManager: SpecialCircumstanceManager,
     private val garbageCollectionManager: GarbageCollectionManager,
     private val fido2CredentialManager: Fido2CredentialManager,
     private val intentManager: IntentManager,
-    settingsRepository: SettingsRepository,
+    private val settingsRepository: SettingsRepository,
     private val vaultRepository: VaultRepository,
     private val authRepository: AuthRepository,
+    private val environmentRepository: EnvironmentRepository,
     private val savedStateHandle: SavedStateHandle,
+    private val appResumeManager: AppResumeManager,
+    private val clock: Clock,
 ) : BaseViewModel<MainState, MainEvent, MainAction>(
     initialState = MainState(
         theme = settingsRepository.appTheme,
         isScreenCaptureAllowed = settingsRepository.isScreenCaptureAllowed,
+        isErrorReportingDialogEnabled = featureFlagManager.getFeatureFlag(
+            key = FlagKey.MobileErrorReporting,
+        ),
     ),
 ) {
     private var specialCircumstance: SpecialCircumstance?
@@ -72,6 +105,18 @@ class MainViewModel @Inject constructor(
             .onEach { specialCircumstance = it }
             .launchIn(viewModelScope)
 
+        featureFlagManager
+            .getFeatureFlagFlow(key = FlagKey.MobileErrorReporting)
+            .map { MainAction.Internal.OnMobileErrorReportingReceive(it) }
+            .onEach(::sendAction)
+            .launchIn(viewModelScope)
+
+        accessibilitySelectionManager
+            .accessibilitySelectionFlow
+            .map { MainAction.Internal.AccessibilitySelectionReceive(it) }
+            .onEach(::sendAction)
+            .launchIn(viewModelScope)
+
         autofillSelectionManager
             .autofillSelectionFlow
             .onEach { trySendAction(MainAction.Internal.AutofillSelectionReceive(it)) }
@@ -81,6 +126,11 @@ class MainViewModel @Inject constructor(
             .appThemeStateFlow
             .onEach { trySendAction(MainAction.Internal.ThemeUpdate(it)) }
             .launchIn(viewModelScope)
+        settingsRepository
+            .appLanguageStateFlow
+            .map { MainEvent.UpdateAppLocale(it.localeName) }
+            .onEach(::sendEvent)
+            .launchIn(viewModelScope)
 
         settingsRepository
             .isScreenCaptureAllowedStateFlow
@@ -99,8 +149,7 @@ class MainViewModel @Inject constructor(
                 // Switching between account states often involves some kind of animation (ex:
                 // account switcher) that we might want to give time to finish before triggering
                 // a refresh.
-                @Suppress("MagicNumber")
-                delay(500)
+                delay(ANIMATION_REFRESH_DELAY)
                 trySendAction(MainAction.Internal.CurrentUserStateChange)
             }
             .launchIn(viewModelScope)
@@ -110,6 +159,9 @@ class MainViewModel @Inject constructor(
             .onEach {
                 when (it) {
                     is VaultStateEvent.Locked -> {
+                        // Similar to account switching, triggering this action too soon can
+                        // interfere with animations or navigation logic, so we will delay slightly.
+                        delay(ANIMATION_REFRESH_DELAY)
                         trySendAction(MainAction.Internal.VaultUnlockStateChange)
                     }
 
@@ -117,10 +169,38 @@ class MainViewModel @Inject constructor(
                 }
             }
             .launchIn(viewModelScope)
+
+        // On app launch, mark all active users as having previously logged in.
+        // This covers any users who are active prior to this value being recorded.
+        viewModelScope.launch {
+            val userState = authRepository
+                .userStateFlow
+                .first()
+            userState
+                ?.accounts
+                ?.forEach {
+                    settingsRepository.storeUserHasLoggedInValue(it.userId)
+                }
+        }
     }
 
     override fun handleAction(action: MainAction) {
         when (action) {
+            is MainAction.ReceiveFirstIntent -> handleFirstIntentReceived(action)
+            is MainAction.ReceiveNewIntent -> handleNewIntentReceived(action)
+            MainAction.OpenDebugMenu -> handleOpenDebugMenu()
+            is MainAction.ResumeScreenDataReceived -> handleAppResumeDataUpdated(action)
+            is MainAction.AppSpecificLanguageUpdate -> handleAppSpecificLanguageUpdate(action)
+            is MainAction.Internal -> handleInternalAction(action)
+        }
+    }
+
+    private fun handleInternalAction(action: MainAction.Internal) {
+        when (action) {
+            is MainAction.Internal.AccessibilitySelectionReceive -> {
+                handleAccessibilitySelectionReceive(action)
+            }
+
             is MainAction.Internal.AutofillSelectionReceive -> {
                 handleAutofillSelectionReceive(action)
             }
@@ -129,14 +209,46 @@ class MainViewModel @Inject constructor(
             is MainAction.Internal.ScreenCaptureUpdate -> handleScreenCaptureUpdate(action)
             is MainAction.Internal.ThemeUpdate -> handleAppThemeUpdated(action)
             is MainAction.Internal.VaultUnlockStateChange -> handleVaultUnlockStateChange()
-            is MainAction.ReceiveFirstIntent -> handleFirstIntentReceived(action)
-            is MainAction.ReceiveNewIntent -> handleNewIntentReceived(action)
+            is MainAction.Internal.OnMobileErrorReportingReceive -> {
+                handleOnMobileErrorReportingReceive(action)
+            }
         }
     }
 
+    private fun handleOnMobileErrorReportingReceive(
+        action: MainAction.Internal.OnMobileErrorReportingReceive,
+    ) {
+        mutableStateFlow.update {
+            it.copy(isErrorReportingDialogEnabled = action.isErrorReportingEnabled)
+        }
+    }
+
+    private fun handleAppSpecificLanguageUpdate(action: MainAction.AppSpecificLanguageUpdate) {
+        settingsRepository.appLanguage = action.appLanguage
+    }
+
+    private fun handleAppResumeDataUpdated(action: MainAction.ResumeScreenDataReceived) {
+        when (val data = action.screenResumeData) {
+            null -> appResumeManager.clearResumeScreen()
+            else -> appResumeManager.setResumeScreen(data)
+        }
+    }
+
+    private fun handleOpenDebugMenu() {
+        sendEvent(MainEvent.NavigateToDebugMenu)
+    }
+
+    private fun handleAccessibilitySelectionReceive(
+        action: MainAction.Internal.AccessibilitySelectionReceive,
+    ) {
+        specialCircumstanceManager.specialCircumstance = null
+        sendEvent(MainEvent.CompleteAccessibilityAutofill(cipherView = action.cipherView))
+    }
+
     private fun handleAutofillSelectionReceive(
         action: MainAction.Internal.AutofillSelectionReceive,
     ) {
+        specialCircumstanceManager.specialCircumstance = null
         sendEvent(MainEvent.CompleteAutofill(cipherView = action.cipherView))
     }
 
@@ -150,6 +262,7 @@ class MainViewModel @Inject constructor(
 
     private fun handleAppThemeUpdated(action: MainAction.Internal.ThemeUpdate) {
         mutableStateFlow.update { it.copy(theme = action.theme) }
+        sendEvent(MainEvent.UpdateAppTheme(osTheme = action.theme.osValue))
     }
 
     private fun handleVaultUnlockStateChange() {
@@ -170,6 +283,7 @@ class MainViewModel @Inject constructor(
         )
     }
 
+    @Suppress("LongMethod", "CyclomaticComplexMethod")
     private fun handleIntent(
         intent: Intent,
         isFirstIntent: Boolean,
@@ -178,11 +292,39 @@ class MainViewModel @Inject constructor(
         val autofillSaveItem = intent.getAutofillSaveItemOrNull()
         val autofillSelectionData = intent.getAutofillSelectionDataOrNull()
         val shareData = intentManager.getShareDataFromIntent(intent)
+        val totpData: TotpData? =
+            // First grab TOTP URI directly from the intent data:
+            intent.getTotpDataOrNull()
+                ?: run {
+                    // Then check to see if the intent is coming from the Authenticator app:
+                    if (intent.isAddTotpLoginItemFromAuthenticator()) {
+                        addTotpItemFromAuthenticatorManager.pendingAddTotpLoginItemData.also {
+                            // Clear pending add TOTP data so it is only handled once:
+                            addTotpItemFromAuthenticatorManager.pendingAddTotpLoginItemData = null
+                        }
+                    } else {
+                        null
+                    }
+                }
         val hasGeneratorShortcut = intent.isPasswordGeneratorShortcut
         val hasVaultShortcut = intent.isMyVaultShortcut
-        val fido2CredentialRequestData = intent.getFido2CredentialRequestOrNull()
+        val hasAccountSecurityShortcut = intent.isAccountSecurityShortcut
+        val fido2CreateCredentialRequestData = intent.getFido2CreateCredentialRequestOrNull()
+        val completeRegistrationData = intent.getCompleteRegistrationDataIntentOrNull()
+        val fido2CredentialAssertionRequest = intent.getFido2AssertionRequestOrNull()
+        val fido2GetCredentialsRequest = intent.getFido2GetCredentialsRequestOrNull()
         when {
             passwordlessRequestData != null -> {
+                authRepository.activeUserId?.let {
+                    if (it != passwordlessRequestData.userId &&
+                        !vaultRepository.isVaultUnlocked(it)
+                    ) {
+                        // We only switch the account here if the current user's vault is not
+                        // unlocked, otherwise prompt the user to allow us to change the account
+                        // in the LoginApprovalScreen
+                        authRepository.switchAccount(passwordlessRequestData.userId)
+                    }
+                }
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.PasswordlessRequest(
                         passwordlessRequestData = passwordlessRequestData,
@@ -192,6 +334,10 @@ class MainViewModel @Inject constructor(
                     )
             }
 
+            completeRegistrationData != null -> {
+                handleCompleteRegistrationData(completeRegistrationData)
+            }
+
             autofillSaveItem != null -> {
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.AutofillSave(
@@ -209,6 +355,11 @@ class MainViewModel @Inject constructor(
                     )
             }
 
+            totpData != null -> {
+                specialCircumstanceManager.specialCircumstance =
+                    SpecialCircumstance.AddTotpLoginItem(data = totpData)
+            }
+
             shareData != null -> {
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.ShareNewSend(
@@ -219,24 +370,44 @@ class MainViewModel @Inject constructor(
                     )
             }
 
-            fido2CredentialRequestData != null -> {
+            fido2CreateCredentialRequestData != null -> {
                 // Set the user's verification status when a new FIDO 2 request is received to force
                 // explicit verification if the user's vault is unlocked when the request is
                 // received.
-                fido2CredentialManager.isUserVerified = false
+                fido2CreateCredentialRequestData.isUserVerified
+                    ?.let { isVerified -> fido2CredentialManager.isUserVerified = isVerified }
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.Fido2Save(
-                        fido2CredentialRequest = fido2CredentialRequestData,
+                        fido2CreateCredentialRequest = fido2CreateCredentialRequestData,
                     )
 
                 // Switch accounts if the selected user is not the active user.
                 if (authRepository.activeUserId != null &&
-                    authRepository.activeUserId != fido2CredentialRequestData.userId
+                    authRepository.activeUserId != fido2CreateCredentialRequestData.userId
                 ) {
-                    authRepository.switchAccount(fido2CredentialRequestData.userId)
+                    authRepository.switchAccount(fido2CreateCredentialRequestData.userId)
                 }
             }
 
+            fido2CredentialAssertionRequest != null -> {
+                // If device biometric verification was performed as part of single-tap
+                // authentication, set the user's verification state to the device result.
+                // Otherwise, retain the verification state as-is.
+                fido2CredentialAssertionRequest.isUserVerified
+                    ?.let { isVerified -> fido2CredentialManager.isUserVerified = isVerified }
+                specialCircumstanceManager.specialCircumstance =
+                    SpecialCircumstance.Fido2Assertion(
+                        fido2AssertionRequest = fido2CredentialAssertionRequest,
+                    )
+            }
+
+            fido2GetCredentialsRequest != null -> {
+                specialCircumstanceManager.specialCircumstance =
+                    SpecialCircumstance.Fido2GetCredentials(
+                        fido2GetCredentialsRequest = fido2GetCredentialsRequest,
+                    )
+            }
+
             hasGeneratorShortcut -> {
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.GeneratorShortcut
@@ -245,6 +416,11 @@ class MainViewModel @Inject constructor(
             hasVaultShortcut -> {
                 specialCircumstanceManager.specialCircumstance = SpecialCircumstance.VaultShortcut
             }
+
+            hasAccountSecurityShortcut -> {
+                specialCircumstanceManager.specialCircumstance =
+                    SpecialCircumstance.AccountSecurityShortcut
+            }
         }
     }
 
@@ -252,6 +428,49 @@ class MainViewModel @Inject constructor(
         sendEvent(MainEvent.Recreate)
         garbageCollectionManager.tryCollect()
     }
+
+    private fun handleCompleteRegistrationData(data: CompleteRegistrationData) {
+        viewModelScope.launch {
+            // Attempt to load the environment for the user if they have a pre-auth environment
+            // saved.
+            environmentRepository.loadEnvironmentForEmail(userEmail = data.email)
+            // Determine if the token is still valid.
+            val emailTokenResult = authRepository.validateEmailToken(
+                email = data.email,
+                token = data.verificationToken,
+            )
+            when (emailTokenResult) {
+                is EmailTokenResult.Error -> {
+                    sendEvent(
+                        MainEvent.ShowToast(
+                            message = emailTokenResult
+                                .message
+                                ?.asText()
+                                ?: R.string.there_was_an_issue_validating_the_registration_token
+                                    .asText(),
+                        ),
+                    )
+                }
+
+                EmailTokenResult.Expired -> {
+                    specialCircumstanceManager.specialCircumstance = SpecialCircumstance
+                        .RegistrationEvent
+                        .ExpiredRegistrationLink
+                }
+
+                EmailTokenResult.Success -> {
+                    if (authRepository.activeUserId != null) {
+                        authRepository.hasPendingAccountAddition = true
+                    }
+                    specialCircumstanceManager.specialCircumstance =
+                        SpecialCircumstance.RegistrationEvent.CompleteRegistration(
+                            completeRegistrationData = data,
+                            timestamp = clock.millis(),
+                        )
+                }
+            }
+        }
+    }
 }
 
 /**
@@ -261,7 +480,16 @@ class MainViewModel @Inject constructor(
 data class MainState(
     val theme: AppTheme,
     val isScreenCaptureAllowed: Boolean,
-) : Parcelable
+    private val isErrorReportingDialogEnabled: Boolean,
+) : Parcelable {
+    /**
+     * Contains all feature flags that are available to the UI.
+     */
+    val featureFlagsState: FeatureFlagsState
+        get() = FeatureFlagsState(
+            isErrorReportingDialogEnabled = isErrorReportingDialogEnabled,
+        )
+}
 
 /**
  * Models actions for the [MainActivity].
@@ -277,10 +505,41 @@ sealed class MainAction {
      */
     data class ReceiveNewIntent(val intent: Intent) : MainAction()
 
+    /**
+     * Receive event to open the debug menu.
+     */
+    data object OpenDebugMenu : MainAction()
+
+    /**
+     * Receive event to save the app resume screen
+     */
+    data class ResumeScreenDataReceived(val screenResumeData: AppResumeScreenData?) : MainAction()
+
+    /**
+     * Receive if there is an app specific locale selection made by user
+     * in the device's settings.
+     */
+    data class AppSpecificLanguageUpdate(val appLanguage: AppLanguage) : MainAction()
+
     /**
      * Actions for internal use by the ViewModel.
      */
     sealed class Internal : MainAction() {
+        /**
+         * Indicates the user has manually selected the given [cipherView] for accessibility
+         * autofill.
+         */
+        data class AccessibilitySelectionReceive(
+            val cipherView: CipherView,
+        ) : Internal()
+
+        /**
+         * Indicates the Mobile Error Reporting feature flag has been updated.
+         */
+        data class OnMobileErrorReportingReceive(
+            val isErrorReportingEnabled: Boolean,
+        ) : Internal()
+
         /**
          * Indicates the user has manually selected the given [cipherView] for autofill.
          */
@@ -318,6 +577,12 @@ sealed class MainAction {
  * Represents events that are emitted by the [MainViewModel].
  */
 sealed class MainEvent {
+    /**
+     * Event indicating that the user has chosen the given [cipherView] for accessibility autofill
+     * and that the process is ready to complete.
+     */
+    data class CompleteAccessibilityAutofill(val cipherView: CipherView) : MainEvent()
+
     /**
      * Event indicating that the user has chosen the given [cipherView] for autofill and that the
      * process is ready to complete.
@@ -328,4 +593,28 @@ sealed class MainEvent {
      * Event indicating that the UI should recreate itself.
      */
     data object Recreate : MainEvent()
+
+    /**
+     * Navigate to the debug menu.
+     */
+    data object NavigateToDebugMenu : MainEvent()
+
+    /**
+     * Show a toast with the given [message].
+     */
+    data class ShowToast(val message: Text) : MainEvent()
+
+    /**
+     * Indicates that the app language has been updated.
+     */
+    data class UpdateAppLocale(
+        val localeName: String?,
+    ) : MainEvent()
+
+    /**
+     * Indicates that the app theme has been updated.
+     */
+    data class UpdateAppTheme(
+        val osTheme: Int,
+    ) : MainEvent()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt

@@ -1,16 +1,26 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk
 
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.vault.datasource.network.model.SyncResponseJson
 import kotlinx.coroutines.flow.Flow
+import java.time.Instant
 
 /**
  * Primary access point for disk information.
  */
 @Suppress("TooManyFunctions")
 interface AuthDiskSource {
+
+    /**
+     * The currently persisted authenticator sync symmetric key. This key is used for
+     * encrypting IPC traffic.
+     */
+    var authenticatorSyncSymmetricKey: ByteArray?
+
     /**
      * Retrieves a unique ID for the application that is stored locally. This will generate a new
      * one if it does not yet exist and it will only be reset for new installs or when clearing
@@ -45,12 +55,49 @@ interface AuthDiskSource {
      */
     fun clearData(userId: String)
 
+    /**
+     * Get the authenticator sync unlock key. Null means there is no key, which means the user
+     * has not enabled authenticator syncing
+     */
+    fun getAuthenticatorSyncUnlockKey(userId: String): String?
+
+    /**
+     * Store the authenticator sync unlock key. Storing a null key effectively disables
+     * authenticator syncing.
+     */
+    fun storeAuthenticatorSyncUnlockKey(userId: String, authenticatorSyncUnlockKey: String?)
+
+    /**
+     * Retrieves the state indicating that the user should use a key connector.
+     */
+    fun getShouldUseKeyConnector(userId: String): Boolean?
+
+    /**
+     * Retrieves the state indicating that the user should use a key connector as a flow.
+     */
+    fun getShouldUseKeyConnectorFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Stores the boolean indicating that the user should use a key connector.
+     */
+    fun storeShouldUseKeyConnector(userId: String, shouldUseKeyConnector: Boolean?)
+
+    /**
+     * Retrieves the state indicating that the user has completed login with TDE.
+     */
+    fun getIsTdeLoginComplete(userId: String): Boolean?
+
+    /**
+     * Stores the boolean indicating that the user has completed login with TDE.
+     */
+    fun storeIsTdeLoginComplete(userId: String, isTdeLoginComplete: Boolean?)
+
     /**
      * Retrieves the state indicating that the user has chosen to trust this device.
      *
      * Note: This indicates intent to trust the device, the device may not be trusted yet.
      */
-    fun getShouldTrustDevice(userId: String): Boolean
+    fun getShouldTrustDevice(userId: String): Boolean?
 
     /**
      * Stores the boolean indicating that the user has chosen to trust this device for the given
@@ -60,25 +107,6 @@ interface AuthDiskSource {
      */
     fun storeShouldTrustDevice(userId: String, shouldTrustDevice: Boolean?)
 
-    /**
-     * Retrieves the "last active time" for the given [userId], in milliseconds.
-     *
-     * This time is intended to be derived from a call to
-     * [SystemClock.elapsedRealtime()](https://developer.android.com/reference/android/os/SystemClock#elapsedRealtime())
-     */
-    fun getLastActiveTimeMillis(userId: String): Long?
-
-    /**
-     * Stores the [lastActiveTimeMillis] for the given [userId].
-     *
-     * This time is intended to be derived from a call to
-     * [SystemClock.elapsedRealtime()](https://developer.android.com/reference/android/os/SystemClock#elapsedRealtime())
-     */
-    fun storeLastActiveTimeMillis(
-        userId: String,
-        lastActiveTimeMillis: Long?,
-    )
-
     /**
      * Retrieves the number of consecutive invalid lock attempts for the given [userId].
      */
@@ -145,6 +173,16 @@ interface AuthDiskSource {
         pendingAuthRequest: PendingAuthRequestJson?,
     )
 
+    /**
+     * Gets the biometrics initialization vector for the given [userId].
+     */
+    fun getUserBiometricInitVector(userId: String): ByteArray?
+
+    /**
+     * Stores the biometrics initialization vector for the given [userId].
+     */
+    fun storeUserBiometricInitVector(userId: String, iv: ByteArray?)
+
     /**
      * Gets the biometrics key for the given [userId].
      */
@@ -155,6 +193,11 @@ interface AuthDiskSource {
      */
     fun storeUserBiometricUnlockKey(userId: String, biometricsKey: String?)
 
+    /**
+     * Gets the flow for the biometrics key for the given [userId].
+     */
+    fun getUserBiometicUnlockKeyFlow(userId: String): Flow<String?>
+
     /**
      * Retrieves a pin-protected user key for the given [userId].
      */
@@ -172,6 +215,11 @@ interface AuthDiskSource {
         inMemoryOnly: Boolean = false,
     )
 
+    /**
+     * Retrieves a flow for the pin-protected user key for the given [userId].
+     */
+    fun getPinProtectedUserKeyFlow(userId: String): Flow<String?>
+
     /**
      * Gets a two-factor auth token using a user's [email].
      */
@@ -264,4 +312,55 @@ interface AuthDiskSource {
      * Stores the [accountTokens] for the given [userId].
      */
     fun storeAccountTokens(userId: String, accountTokens: AccountTokensJson?)
+
+    /**
+     * Gets the onboarding status for the given [userId].
+     */
+    fun getOnboardingStatus(userId: String): OnboardingStatus?
+
+    /**
+     * Stores the [onboardingStatus] for the given [userId].
+     */
+    fun storeOnboardingStatus(userId: String, onboardingStatus: OnboardingStatus?)
+
+    /**
+     *  Emits updates that track [getOnboardingStatus]. This will replay the last known value,
+     *  if any exists.
+     */
+    fun getOnboardingStatusFlow(userId: String): Flow<OnboardingStatus?>
+
+    /**
+     * Gets the show import logins flag for the given [userId].
+     */
+    fun getShowImportLogins(userId: String): Boolean?
+
+    /**
+     * Stores the show import logins flag for the given [userId].
+     */
+    fun storeShowImportLogins(userId: String, showImportLogins: Boolean?)
+
+    /**
+     * Emits updates that track [getShowImportLogins]. This will replay the last known value.
+     */
+    fun getShowImportLoginsFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Gets the new device notice state for the given [userId].
+     */
+    fun getNewDeviceNoticeState(userId: String): NewDeviceNoticeState
+
+    /**
+     * Stores the new device notice state for the given [userId].
+     */
+    fun storeNewDeviceNoticeState(userId: String, newState: NewDeviceNoticeState?)
+
+    /**
+     * Gets the last lock timestamp for the given [userId].
+     */
+    fun getLastLockTimestamp(userId: String): Instant?
+
+    /**
+     * Stores the last lock timestamp for the given [userId].
+     */
+    fun storeLastLockTimestamp(userId: String, lastLockTimestamp: Instant?)
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt

@@ -2,6 +2,9 @@ package com.x8bit.bitwarden.data.auth.datasource.disk
 
 import android.content.SharedPreferences
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeDisplayStatus
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.platform.datasource.disk.BaseEncryptedDiskSource
@@ -12,12 +15,15 @@ import com.x8bit.bitwarden.data.vault.datasource.network.model.SyncResponseJson
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.onSubscription
-import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
+import java.time.Instant
 import java.util.UUID
 
 // These keys should be encrypted
 private const val ACCOUNT_TOKENS_KEY = "accountTokens"
+private const val AUTHENTICATOR_SYNC_SYMMETRIC_KEY = "authenticatorSyncSymmetric"
+private const val AUTHENTICATOR_SYNC_UNLOCK_KEY = "authenticatorSyncUnlock"
+private const val BIOMETRICS_INIT_VECTOR_KEY = "biometricInitializationVector"
 private const val BIOMETRICS_UNLOCK_KEY = "userKeyBiometricUnlock"
 private const val USER_AUTO_UNLOCK_KEY_KEY = "userKeyAutoUnlock"
 private const val DEVICE_KEY_KEY = "deviceKey"
@@ -28,7 +34,6 @@ private const val UNIQUE_APP_ID_KEY = "appId"
 private const val REMEMBERED_EMAIL_ADDRESS_KEY = "rememberedEmail"
 private const val REMEMBERED_ORG_IDENTIFIER_KEY = "rememberedOrgIdentifier"
 private const val STATE_KEY = "state"
-private const val LAST_ACTIVE_TIME_KEY = "lastActiveTime"
 private const val INVALID_UNLOCK_ATTEMPTS_KEY = "invalidUnlockAttempts"
 private const val MASTER_KEY_ENCRYPTION_USER_KEY = "masterKeyEncryptedUserKey"
 private const val MASTER_KEY_ENCRYPTION_PRIVATE_KEY = "encPrivateKey"
@@ -40,6 +45,12 @@ private const val TWO_FACTOR_TOKEN_KEY = "twoFactorToken"
 private const val MASTER_PASSWORD_HASH_KEY = "keyHash"
 private const val POLICIES_KEY = "policies"
 private const val SHOULD_TRUST_DEVICE_KEY = "shouldTrustDevice"
+private const val TDE_LOGIN_COMPLETE = "tdeLoginComplete"
+private const val USES_KEY_CONNECTOR = "usesKeyConnector"
+private const val ONBOARDING_STATUS_KEY = "onboardingStatus"
+private const val SHOW_IMPORT_LOGINS_KEY = "showImportLogins"
+private const val NEW_DEVICE_NOTICE_STATE = "newDeviceNoticeState"
+private const val LAST_LOCK_TIMESTAMP = "lastLockTimestamp"
 
 /**
  * Primary implementation of [AuthDiskSource].
@@ -57,12 +68,21 @@ class AuthDiskSourceImpl(
     AuthDiskSource {
 
     private val inMemoryPinProtectedUserKeys = mutableMapOf<String, String?>()
+    private val mutableShouldUseKeyConnectorFlowMap =
+        mutableMapOf<String, MutableSharedFlow<Boolean?>>()
     private val mutableOrganizationsFlowMap =
         mutableMapOf<String, MutableSharedFlow<List<SyncResponseJson.Profile.Organization>?>>()
     private val mutablePoliciesFlowMap =
         mutableMapOf<String, MutableSharedFlow<List<SyncResponseJson.Policy>?>>()
     private val mutableAccountTokensFlowMap =
         mutableMapOf<String, MutableSharedFlow<AccountTokensJson?>>()
+    private val mutableOnboardingStatusFlowMap =
+        mutableMapOf<String, MutableSharedFlow<OnboardingStatus?>>()
+    private val mutableShowImportLoginsFlowMap = mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+    private val mutableBiometricUnlockKeyFlowMap =
+        mutableMapOf<String, MutableSharedFlow<String?>>()
+    private val mutablePinProtectedUserKeyFlowMap =
+        mutableMapOf<String, MutableSharedFlow<String?>>()
     private val mutableUserStateFlow = bufferedMutableSharedFlow<UserStateJson?>(replay = 1)
 
     override var userState: UserStateJson?
@@ -85,6 +105,14 @@ class AuthDiskSourceImpl(
         migrateAccountTokens()
     }
 
+    override var authenticatorSyncSymmetricKey: ByteArray?
+        set(value) {
+            val asString = value?.let { value.toString(Charsets.ISO_8859_1) }
+            putEncryptedString(AUTHENTICATOR_SYNC_SYMMETRIC_KEY, asString)
+        }
+        get() = getEncryptedString(AUTHENTICATOR_SYNC_SYMMETRIC_KEY)
+            ?.toByteArray(Charsets.ISO_8859_1)
+
     override val uniqueAppId: String
         get() = getString(key = UNIQUE_APP_ID_KEY) ?: generateAndStoreUniqueAppId()
 
@@ -111,7 +139,6 @@ class AuthDiskSourceImpl(
             .onSubscription { emit(userState) }
 
     override fun clearData(userId: String) {
-        storeLastActiveTimeMillis(userId = userId, lastActiveTimeMillis = null)
         storeInvalidUnlockAttempts(userId = userId, invalidUnlockAttempts = null)
         storeUserKey(userId = userId, userKey = null)
         storeUserAutoUnlockKey(userId = userId, userAutoUnlockKey = null)
@@ -120,37 +147,67 @@ class AuthDiskSourceImpl(
         storePrivateKey(userId = userId, privateKey = null)
         storeOrganizationKeys(userId = userId, organizationKeys = null)
         storeOrganizations(userId = userId, organizations = null)
+        storeUserBiometricInitVector(userId = userId, iv = null)
         storeUserBiometricUnlockKey(userId = userId, biometricsKey = null)
         storeMasterPasswordHash(userId = userId, passwordHash = null)
         storePolicies(userId = userId, policies = null)
         storeAccountTokens(userId = userId, accountTokens = null)
+        storeShouldUseKeyConnector(userId = userId, shouldUseKeyConnector = null)
+        storeIsTdeLoginComplete(userId = userId, isTdeLoginComplete = null)
+        storeAuthenticatorSyncUnlockKey(userId = userId, authenticatorSyncUnlockKey = null)
+        storeShowImportLogins(userId = userId, showImportLogins = null)
+        storeLastLockTimestamp(userId = userId, lastLockTimestamp = null)
 
         // Do not remove the DeviceKey or PendingAuthRequest on logout, these are persisted
         // indefinitely unless the TDE flow explicitly removes them.
+        // Do not remove OnboardingStatus we want to keep track of this even after logout.
     }
 
-    override fun getShouldTrustDevice(userId: String): Boolean =
-        requireNotNull(
-            getBoolean(key = SHOULD_TRUST_DEVICE_KEY.appendIdentifier(userId), default = false),
+    override fun getAuthenticatorSyncUnlockKey(userId: String): String? =
+        getEncryptedString(AUTHENTICATOR_SYNC_UNLOCK_KEY.appendIdentifier(userId))
+
+    override fun storeAuthenticatorSyncUnlockKey(
+        userId: String,
+        authenticatorSyncUnlockKey: String?,
+    ) {
+        putEncryptedString(
+            key = AUTHENTICATOR_SYNC_UNLOCK_KEY.appendIdentifier(userId),
+            value = authenticatorSyncUnlockKey,
         )
+    }
+
+    override fun getShouldUseKeyConnectorFlow(userId: String): Flow<Boolean?> =
+        getMutableShouldUseKeyConnectorFlowMap(userId = userId)
+            .onSubscription { emit(getShouldUseKeyConnector(userId = userId)) }
+
+    override fun getShouldUseKeyConnector(
+        userId: String,
+    ): Boolean? = getBoolean(key = USES_KEY_CONNECTOR.appendIdentifier(userId))
+
+    override fun storeShouldUseKeyConnector(userId: String, shouldUseKeyConnector: Boolean?) {
+        putBoolean(
+            key = USES_KEY_CONNECTOR.appendIdentifier(userId),
+            value = shouldUseKeyConnector,
+        )
+        getMutableShouldUseKeyConnectorFlowMap(userId = userId).tryEmit(shouldUseKeyConnector)
+    }
+
+    override fun getIsTdeLoginComplete(
+        userId: String,
+    ): Boolean? = getBoolean(key = TDE_LOGIN_COMPLETE.appendIdentifier(userId))
+
+    override fun storeIsTdeLoginComplete(userId: String, isTdeLoginComplete: Boolean?) {
+        putBoolean(TDE_LOGIN_COMPLETE.appendIdentifier(userId), isTdeLoginComplete)
+    }
+
+    override fun getShouldTrustDevice(
+        userId: String,
+    ): Boolean? = getBoolean(key = SHOULD_TRUST_DEVICE_KEY.appendIdentifier(userId))
 
     override fun storeShouldTrustDevice(userId: String, shouldTrustDevice: Boolean?) {
         putBoolean(SHOULD_TRUST_DEVICE_KEY.appendIdentifier(userId), shouldTrustDevice)
     }
 
-    override fun getLastActiveTimeMillis(userId: String): Long? =
-        getLong(key = LAST_ACTIVE_TIME_KEY.appendIdentifier(userId))
-
-    override fun storeLastActiveTimeMillis(
-        userId: String,
-        lastActiveTimeMillis: Long?,
-    ) {
-        putLong(
-            key = LAST_ACTIVE_TIME_KEY.appendIdentifier(userId),
-            value = lastActiveTimeMillis,
-        )
-    }
-
     override fun getInvalidUnlockAttempts(userId: String): Int? =
         getInt(key = INVALID_UNLOCK_ATTEMPTS_KEY.appendIdentifier(userId))
 
@@ -227,6 +284,17 @@ class AuthDiskSourceImpl(
         )
     }
 
+    override fun getUserBiometricInitVector(userId: String): ByteArray? =
+        getEncryptedString(key = BIOMETRICS_INIT_VECTOR_KEY.appendIdentifier(userId))
+            ?.toByteArray(Charsets.ISO_8859_1)
+
+    override fun storeUserBiometricInitVector(userId: String, iv: ByteArray?) {
+        putEncryptedString(
+            key = BIOMETRICS_INIT_VECTOR_KEY.appendIdentifier(userId),
+            value = iv?.toString(Charsets.ISO_8859_1),
+        )
+    }
+
     override fun getUserBiometricUnlockKey(userId: String): String? =
         getEncryptedString(key = BIOMETRICS_UNLOCK_KEY.appendIdentifier(userId))
 
@@ -238,8 +306,13 @@ class AuthDiskSourceImpl(
             key = BIOMETRICS_UNLOCK_KEY.appendIdentifier(userId),
             value = biometricsKey,
         )
+        getMutableBiometricUnlockKeyFlow(userId).tryEmit(biometricsKey)
     }
 
+    override fun getUserBiometicUnlockKeyFlow(userId: String): Flow<String?> =
+        getMutableBiometricUnlockKeyFlow(userId)
+            .onSubscription { emit(getUserBiometricUnlockKey(userId = userId)) }
+
     override fun getPinProtectedUserKey(userId: String): String? =
         inMemoryPinProtectedUserKeys[userId]
             ?: getString(key = PIN_PROTECTED_USER_KEY_KEY.appendIdentifier(userId))
@@ -255,8 +328,13 @@ class AuthDiskSourceImpl(
             key = PIN_PROTECTED_USER_KEY_KEY.appendIdentifier(userId),
             value = pinProtectedUserKey,
         )
+        getMutablePinProtectedUserKeyFlow(userId).tryEmit(pinProtectedUserKey)
     }
 
+    override fun getPinProtectedUserKeyFlow(userId: String): Flow<String?> =
+        getMutablePinProtectedUserKeyFlow(userId)
+            .onSubscription { emit(getPinProtectedUserKey(userId = userId)) }
+
     override fun getTwoFactorToken(email: String): String? =
         getString(key = TWO_FACTOR_TOKEN_KEY.appendIdentifier(email))
 
@@ -376,6 +454,70 @@ class AuthDiskSourceImpl(
         getMutableAccountTokensFlow(userId = userId).tryEmit(accountTokens)
     }
 
+    override fun getOnboardingStatus(userId: String): OnboardingStatus? {
+        return getString(key = ONBOARDING_STATUS_KEY.appendIdentifier(userId))?.let {
+            json.decodeFromStringOrNull(it)
+        }
+    }
+
+    override fun storeOnboardingStatus(userId: String, onboardingStatus: OnboardingStatus?) {
+        putString(
+            key = ONBOARDING_STATUS_KEY.appendIdentifier(userId),
+            value = onboardingStatus?.let { json.encodeToString(it) },
+        )
+        getMutableOnboardingStatusFlow(userId = userId).tryEmit(onboardingStatus)
+    }
+
+    override fun getOnboardingStatusFlow(userId: String): Flow<OnboardingStatus?> {
+        return getMutableOnboardingStatusFlow(userId = userId)
+            .onSubscription { emit(getOnboardingStatus(userId = userId)) }
+    }
+
+    override fun getShowImportLogins(userId: String): Boolean? {
+        return getBoolean(SHOW_IMPORT_LOGINS_KEY.appendIdentifier(userId))
+    }
+
+    override fun storeShowImportLogins(userId: String, showImportLogins: Boolean?) {
+        putBoolean(
+            key = SHOW_IMPORT_LOGINS_KEY.appendIdentifier(userId),
+            value = showImportLogins,
+        )
+        getMutableShowImportLoginsFlow(userId = userId).tryEmit(showImportLogins)
+    }
+
+    override fun getShowImportLoginsFlow(userId: String): Flow<Boolean?> =
+        getMutableShowImportLoginsFlow(userId)
+            .onSubscription { emit(getShowImportLogins(userId)) }
+
+    override fun getNewDeviceNoticeState(userId: String): NewDeviceNoticeState {
+        return getString(key = NEW_DEVICE_NOTICE_STATE.appendIdentifier(userId))?.let {
+            json.decodeFromStringOrNull(it)
+        } ?: NewDeviceNoticeState(
+            displayStatus = NewDeviceNoticeDisplayStatus.HAS_NOT_SEEN,
+            lastSeenDate = null,
+        )
+    }
+
+    override fun storeNewDeviceNoticeState(userId: String, newState: NewDeviceNoticeState?) {
+        putString(
+            key = NEW_DEVICE_NOTICE_STATE.appendIdentifier(userId),
+            value = newState?.let { json.encodeToString(it) },
+        )
+    }
+
+    override fun getLastLockTimestamp(userId: String): Instant? {
+        return getLong(key = LAST_LOCK_TIMESTAMP.appendIdentifier(userId))?.let {
+            Instant.ofEpochMilli(it)
+        }
+    }
+
+    override fun storeLastLockTimestamp(userId: String, lastLockTimestamp: Instant?) {
+        putLong(
+            key = LAST_LOCK_TIMESTAMP.appendIdentifier(userId),
+            value = lastLockTimestamp?.toEpochMilli(),
+        )
+    }
+
     private fun generateAndStoreUniqueAppId(): String =
         UUID
             .randomUUID()
@@ -384,6 +526,20 @@ class AuthDiskSourceImpl(
                 putString(key = UNIQUE_APP_ID_KEY, value = it)
             }
 
+    private fun getMutableOnboardingStatusFlow(
+        userId: String,
+    ): MutableSharedFlow<OnboardingStatus?> =
+        mutableOnboardingStatusFlowMap.getOrPut(userId) {
+            bufferedMutableSharedFlow(replay = 1)
+        }
+
+    private fun getMutableShouldUseKeyConnectorFlowMap(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> =
+        mutableShouldUseKeyConnectorFlowMap.getOrPut(userId) {
+            bufferedMutableSharedFlow(replay = 1)
+        }
+
     private fun getMutableOrganizationsFlow(
         userId: String,
     ): MutableSharedFlow<List<SyncResponseJson.Profile.Organization>?> =
@@ -405,6 +561,24 @@ class AuthDiskSourceImpl(
             bufferedMutableSharedFlow(replay = 1)
         }
 
+    private fun getMutableShowImportLoginsFlow(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> = mutableShowImportLoginsFlowMap.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
+
+    private fun getMutableBiometricUnlockKeyFlow(
+        userId: String,
+    ): MutableSharedFlow<String?> = mutableBiometricUnlockKeyFlowMap.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
+
+    private fun getMutablePinProtectedUserKeyFlow(
+        userId: String,
+    ): MutableSharedFlow<String?> = mutablePinProtectedUserKeyFlowMap.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
+
     private fun migrateAccountTokens() {
         userState
             ?.accounts

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountJson.kt

@@ -2,8 +2,12 @@ package com.x8bit.bitwarden.data.auth.datasource.disk.model
 
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KdfTypeJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.UserDecryptionOptionsJson
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
+import java.time.ZonedDateTime
 
 /**
  * Represents the current account information for a given user.
@@ -33,6 +37,7 @@ data class AccountJson(
      * @property userId The ID of the user.
      * @property email The user's email address.
      * @property isEmailVerified Whether or not the user's email is verified.
+     * @property isTwoFactorEnabled If the profile has two factor authentication enabled.
      * @property name The user's name (if applicable).
      * @property stamp The account's security stamp (if applicable).
      * @property organizationId The ID of the associated organization (if applicable).
@@ -44,7 +49,9 @@ data class AccountJson(
      * @property kdfMemory The amount of memory to use when calculating a password hash (MB).
      * @property kdfParallelism The number of threads to use when calculating a password hash.
      * @property userDecryptionOptions The options available to a user for decryption.
+     * @property creationDate The creation date of the account.
      */
+    @OptIn(ExperimentalSerializationApi::class)
     @Serializable
     data class Profile(
         @SerialName("userId")
@@ -56,6 +63,9 @@ data class AccountJson(
         @SerialName("emailVerified")
         val isEmailVerified: Boolean?,
 
+        @SerialName("isTwoFactorEnabled")
+        val isTwoFactorEnabled: Boolean?,
+
         @SerialName("name")
         val name: String?,
 
@@ -86,8 +96,13 @@ data class AccountJson(
         @SerialName("kdfParallelism")
         val kdfParallelism: Int?,
 
-        @SerialName("accountDecryptionOptions")
+        @SerialName("userDecryptionOptions")
+        @JsonNames("accountDecryptionOptions")
         val userDecryptionOptions: UserDecryptionOptionsJson?,
+
+        @SerialName("creationDate")
+        @Contextual
+        val creationDate: ZonedDateTime?,
     )
 
     /**

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/EnvironmentUrlDataJson.kt

@@ -7,6 +7,7 @@ import kotlinx.serialization.Serializable
  * Represents URLs for various Bitwarden domains.
  *
  * @property base The overall base URL.
+ * @property keyUri A Uri containing the alias and host of the key used for mutual TLS.
  * @property api Separate base URL for the "/api" domain (if applicable).
  * @property identity Separate base URL for the "/identity" domain (if applicable).
  * @property icon Separate base URL for the icon domain (if applicable).
@@ -19,6 +20,9 @@ data class EnvironmentUrlDataJson(
     @SerialName("base")
     val base: String,
 
+    @SerialName("keyUri")
+    val keyUri: String? = null,
+
     @SerialName("api")
     val api: String? = null,
 
@@ -37,6 +41,7 @@ data class EnvironmentUrlDataJson(
     @SerialName("events")
     val events: String? = null,
 ) {
+    @Suppress("UndocumentedPublicClass")
     companion object {
         /**
          * Default [EnvironmentUrlDataJson] for the US region.
@@ -50,6 +55,7 @@ data class EnvironmentUrlDataJson(
          */
         val DEFAULT_LEGACY_US: EnvironmentUrlDataJson = EnvironmentUrlDataJson(
             base = "https://vault.bitwarden.com",
+            keyUri = null,
             api = "https://api.bitwarden.com",
             identity = "https://identity.bitwarden.com",
             icon = "https://icons.bitwarden.net",
@@ -70,6 +76,7 @@ data class EnvironmentUrlDataJson(
          */
         val DEFAULT_LEGACY_EU: EnvironmentUrlDataJson = EnvironmentUrlDataJson(
             base = "https://vault.bitwarden.eu",
+            keyUri = null,
             api = "https://api.bitwarden.eu",
             identity = "https://identity.bitwarden.eu",
             icon = "https://icons.bitwarden.eu",

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/NewDeviceNoticeDisplayStatus.kt

@@ -0,0 +1,60 @@
+package com.x8bit.bitwarden.data.auth.datasource.disk.model
+
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import java.time.ZonedDateTime
+
+/**
+ * Describes the current display status of the new device notice screen.
+ */
+@Serializable
+enum class NewDeviceNoticeDisplayStatus {
+    /**
+     * The user has seen the screen and indicated they can access their email.
+     */
+    @SerialName("canAccessEmail")
+    CAN_ACCESS_EMAIL,
+
+    /**
+     * The user has indicated they can access their email
+     * as specified by the Permanent mode of the notice.
+     */
+    @SerialName("canAccessEmailPermanent")
+    CAN_ACCESS_EMAIL_PERMANENT,
+
+    /**
+     * The user has not seen the screen.
+     */
+    @SerialName("hasNotSeen")
+    HAS_NOT_SEEN,
+
+    /**
+     * The user has seen the screen and selected "remind me later".
+     */
+    @SerialName("hasSeen")
+    HAS_SEEN,
+}
+
+/**
+ * The state of the new device notice screen.
+ */
+@Suppress("MagicNumber")
+@Serializable
+data class NewDeviceNoticeState(
+    @SerialName("displayStatus")
+    val displayStatus: NewDeviceNoticeDisplayStatus,
+
+    @SerialName("lastSeenDate")
+    @Contextual
+    val lastSeenDate: ZonedDateTime?,
+) {
+    /**
+     * Whether the [lastSeenDate] is at least 7 days old.
+     */
+    val shouldDisplayNoticeIfSeen = lastSeenDate
+        ?.isBefore(
+            ZonedDateTime.now().minusDays(7),
+        )
+        ?: false
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/OnboardingStatus.kt

@@ -0,0 +1,41 @@
+package com.x8bit.bitwarden.data.auth.datasource.disk.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Describes the current status of a user in the account onboarding steps.
+ */
+@Serializable
+enum class OnboardingStatus {
+
+    /**
+     * Onboarding has not yet started.
+     */
+    @SerialName("notStarted")
+    NOT_STARTED,
+
+    /**
+     * The user is completing the account lock setup.
+     */
+    @SerialName("accountLockSetup")
+    ACCOUNT_LOCK_SETUP,
+
+    /**
+     * The user is completing the auto fill service setup.
+     */
+    @SerialName("autofillSetup")
+    AUTOFILL_SETUP,
+
+    /**
+     * The user is completing the final step of the onboarding process.
+     */
+    @SerialName("finalStep")
+    FINAL_STEP,
+
+    /**
+     * The user has completed all onboarding steps.
+     */
+    @SerialName("complete")
+    COMPLETE,
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/PendingAuthRequestJson.kt

@@ -7,13 +7,21 @@ import kotlinx.serialization.Serializable
  * Container for the user's API tokens.
  *
  * @property requestId The ID of the pending Auth Request.
- * @property requestPrivateKey The private of the pending Auth Request.
+ * @property requestPrivateKey The private key of the pending Auth Request.
+ * @property requestAccessCode The access code of the pending Auth Request.
+ * @property requestFingerprint The fingerprint of the pending Auth Request.
  */
 @Serializable
 data class PendingAuthRequestJson(
-    @SerialName("Id")
+    @SerialName("id")
     val requestId: String,
 
-    @SerialName("PrivateKey")
+    @SerialName("privateKey")
     val requestPrivateKey: String,
+
+    @SerialName("accessCode")
+    val requestAccessCode: String,
+
+    @SerialName("fingerprint")
+    val requestFingerprint: String,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AccountsApi.kt

@@ -1,21 +0,0 @@
-package com.x8bit.bitwarden.data.auth.datasource.network.api
-
-import com.x8bit.bitwarden.data.auth.datasource.network.model.PasswordHintRequestJson
-import com.x8bit.bitwarden.data.auth.datasource.network.model.ResendEmailRequestJson
-import retrofit2.http.Body
-import retrofit2.http.POST
-
-/**
- * Defines raw calls under the /accounts API.
- */
-interface AccountsApi {
-    @POST("/accounts/password-hint")
-    suspend fun passwordHintRequest(
-        @Body body: PasswordHintRequestJson,
-    ): Result<Unit>
-
-    @POST("/two-factor/send-email-login")
-    suspend fun resendVerificationCodeEmail(
-        @Body body: ResendEmailRequestJson,
-    ): Result<Unit>
-}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedAccountsApi.kt

@@ -5,6 +5,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.DeleteAccountReque
 import com.x8bit.bitwarden.data.auth.datasource.network.model.ResetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyOtpRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.HTTP
 import retrofit2.http.POST
@@ -13,41 +14,48 @@ import retrofit2.http.POST
  * Defines raw calls under the /accounts API with authentication applied.
  */
 interface AuthenticatedAccountsApi {
+
+    /**
+     * Converts the currently active account to a key-connector account.
+     */
+    @POST("/accounts/convert-to-key-connector")
+    suspend fun convertToKeyConnector(): NetworkResult<Unit>
+
     /**
      * Creates the keys for the current account.
      */
     @POST("/accounts/keys")
-    suspend fun createAccountKeys(@Body body: CreateAccountKeysRequest): Result<Unit>
+    suspend fun createAccountKeys(@Body body: CreateAccountKeysRequest): NetworkResult<Unit>
 
     /**
      * Deletes the current account.
      */
     @HTTP(method = "DELETE", path = "/accounts", hasBody = true)
-    suspend fun deleteAccount(@Body body: DeleteAccountRequestJson): Result<Unit>
+    suspend fun deleteAccount(@Body body: DeleteAccountRequestJson): NetworkResult<Unit>
 
     @POST("/accounts/request-otp")
-    suspend fun requestOtp(): Result<Unit>
+    suspend fun requestOtp(): NetworkResult<Unit>
 
     @POST("/accounts/verify-otp")
     suspend fun verifyOtp(
         @Body body: VerifyOtpRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     /**
      * Resets the temporary password.
      */
     @HTTP(method = "PUT", path = "/accounts/update-temp-password", hasBody = true)
-    suspend fun resetTempPassword(@Body body: ResetPasswordRequestJson): Result<Unit>
+    suspend fun resetTempPassword(@Body body: ResetPasswordRequestJson): NetworkResult<Unit>
 
     /**
      * Resets the password.
      */
     @HTTP(method = "POST", path = "/accounts/password", hasBody = true)
-    suspend fun resetPassword(@Body body: ResetPasswordRequestJson): Result<Unit>
+    suspend fun resetPassword(@Body body: ResetPasswordRequestJson): NetworkResult<Unit>
 
     /**
      * Sets the password.
      */
     @POST("/accounts/set-password")
-    suspend fun setPassword(@Body body: SetPasswordRequestJson): Result<Unit>
+    suspend fun setPassword(@Body body: SetPasswordRequestJson): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedAuthRequestsApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestUpdateRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.Header
@@ -22,7 +23,7 @@ interface AuthenticatedAuthRequestsApi {
     suspend fun createAdminAuthRequest(
         @Header("Device-Identifier") deviceIdentifier: String,
         @Body body: AuthRequestRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Updates an authentication request.
@@ -31,13 +32,13 @@ interface AuthenticatedAuthRequestsApi {
     suspend fun updateAuthRequest(
         @Path("id") userId: String,
         @Body body: AuthRequestUpdateRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Gets a list of auth requests for this device.
      */
     @GET("/auth-requests")
-    suspend fun getAuthRequests(): Result<AuthRequestsResponseJson>
+    suspend fun getAuthRequests(): NetworkResult<AuthRequestsResponseJson>
 
     /**
      * Retrieves an existing authentication request by ID.
@@ -45,5 +46,5 @@ interface AuthenticatedAuthRequestsApi {
     @GET("/auth-requests/{requestId}")
     suspend fun getAuthRequest(
         @Path("requestId") requestId: String,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedDevicesApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import androidx.annotation.Keep
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.PUT
 import retrofit2.http.Path
@@ -16,5 +17,5 @@ interface AuthenticatedDevicesApi {
     suspend fun updateTrustedDeviceKeys(
         @Path(value = "appId") appId: String,
         @Body request: TrustedDeviceKeysRequestJson,
-    ): Result<TrustedDeviceKeysResponseJson>
+    ): NetworkResult<TrustedDeviceKeysResponseJson>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedKeyConnectorApi.kt

@@ -0,0 +1,20 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.api
+
+import androidx.annotation.Keep
+import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
+import retrofit2.http.Body
+import retrofit2.http.POST
+import retrofit2.http.Url
+
+/**
+ * Defines raw calls specific for key connectors that use custom urls.
+ */
+@Keep
+interface AuthenticatedKeyConnectorApi {
+    @POST
+    suspend fun storeMasterKeyToKeyConnector(
+        @Url url: String,
+        @Body body: KeyConnectorMasterKeyRequestJson,
+    ): NetworkResult<Unit>
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedOrganizationApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationAutoEnrollStatusResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationKeysResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationResetPasswordEnrollRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.PUT
@@ -20,7 +21,7 @@ interface AuthenticatedOrganizationApi {
         @Path("orgId") organizationId: String,
         @Path("userId") userId: String,
         @Body body: OrganizationResetPasswordEnrollRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     /**
      * Checks whether this organization auto enrolls users in password reset.
@@ -28,7 +29,7 @@ interface AuthenticatedOrganizationApi {
     @GET("/organizations/{identifier}/auto-enroll-status")
     suspend fun getOrganizationAutoEnrollResponse(
         @Path("identifier") organizationIdentifier: String,
-    ): Result<OrganizationAutoEnrollStatusResponseJson>
+    ): NetworkResult<OrganizationAutoEnrollStatusResponseJson>
 
     /**
      * Gets the public and private keys for this organization.
@@ -36,5 +37,5 @@ interface AuthenticatedOrganizationApi {
     @GET("/organizations/{id}/keys")
     suspend fun getOrganizationKeys(
         @Path("id") organizationId: String,
-    ): Result<OrganizationKeysResponseJson>
+    ): NetworkResult<OrganizationKeysResponseJson>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/HaveIBeenPwnedApi.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.api
 
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import okhttp3.ResponseBody
 import retrofit2.http.GET
 import retrofit2.http.Path
@@ -14,5 +15,5 @@ interface HaveIBeenPwnedApi {
     suspend fun fetchBreachedPasswords(
         @Path("hashPrefix")
         hashPrefix: String,
-    ): Result<ResponseBody>
+    ): NetworkResult<ResponseBody>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/OrganizationApi.kt

@@ -1,19 +0,0 @@
-package com.x8bit.bitwarden.data.auth.datasource.network.api
-
-import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsRequestJson
-import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsResponseJson
-import retrofit2.http.Body
-import retrofit2.http.POST
-
-/**
- * Defines raw calls under the /organizations API.
- */
-interface OrganizationApi {
-    /**
-     * Checks for the claimed domain organization of an email for SSO purposes.
-     */
-    @POST("/organizations/domain/sso/details")
-    suspend fun getClaimedDomainOrganizationDetails(
-        @Body body: OrganizationDomainSsoDetailsRequestJson,
-    ): Result<OrganizationDomainSsoDetailsResponseJson>
-}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedAccountsApi.kt

@@ -0,0 +1,37 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.api
+
+import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorKeyRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.PasswordHintRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.ResendEmailRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.ResendNewDeviceOtpRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
+import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_KEY_AUTHORIZATION
+import retrofit2.http.Body
+import retrofit2.http.Header
+import retrofit2.http.POST
+
+/**
+ * Defines raw calls under the /accounts API.
+ */
+interface UnauthenticatedAccountsApi {
+    @POST("/accounts/password-hint")
+    suspend fun passwordHintRequest(
+        @Body body: PasswordHintRequestJson,
+    ): NetworkResult<Unit>
+
+    @POST("/two-factor/send-email-login")
+    suspend fun resendVerificationCodeEmail(
+        @Body body: ResendEmailRequestJson,
+    ): NetworkResult<Unit>
+
+    @POST("/accounts/set-key-connector-key")
+    suspend fun setKeyConnectorKey(
+        @Body body: KeyConnectorKeyRequestJson,
+        @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
+    ): NetworkResult<Unit>
+
+    @POST("/accounts/resend-new-device-otp")
+    suspend fun resendNewDeviceOtp(
+        @Body body: ResendNewDeviceOtpRequestJson,
+    ): NetworkResult<Unit>
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedAuthRequestsApi.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.Header
@@ -21,7 +22,7 @@ interface UnauthenticatedAuthRequestsApi {
     suspend fun createAuthRequest(
         @Header("Device-Identifier") deviceIdentifier: String,
         @Body body: AuthRequestRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Queries for updates to a given auth request.
@@ -30,5 +31,5 @@ interface UnauthenticatedAuthRequestsApi {
     suspend fun getAuthRequestUpdate(
         @Path("requestId") requestId: String,
         @Query("code") accessCode: String,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedDevicesApi.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.api
 
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.GET
 import retrofit2.http.Header
 
@@ -11,5 +12,5 @@ interface UnauthenticatedDevicesApi {
     suspend fun getIsKnownDevice(
         @Header(value = "X-Request-Email") emailAddress: String,
         @Header(value = "X-Device-Identifier") deviceId: String,
-    ): Result<Boolean>
+    ): NetworkResult<Boolean>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedIdentityApi.kt

@@ -5,8 +5,13 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.PreLoginRequestJso
 import com.x8bit.bitwarden.data.auth.datasource.network.model.PreLoginResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.PrevalidateSsoResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RefreshTokenResponseJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterFinishRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterResponseJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
+import kotlinx.serialization.json.JsonPrimitive
 import retrofit2.Call
 import retrofit2.http.Body
 import retrofit2.http.Field
@@ -19,7 +24,7 @@ import retrofit2.http.Query
 /**
  * Defines raw calls under the /identity API.
  */
-interface IdentityApi {
+interface UnauthenticatedIdentityApi {
 
     @POST("/connect/token")
     @Suppress("LongParameterList")
@@ -42,12 +47,13 @@ interface IdentityApi {
         @Field(value = "twoFactorProvider") twoFactorMethod: String?,
         @Field(value = "twoFactorRemember") twoFactorRemember: String?,
         @Field(value = "authRequest") authRequestId: String?,
-    ): Result<GetTokenResponseJson.Success>
+        @Field(value = "newDeviceOtp") newDeviceOtp: String?,
+    ): NetworkResult<GetTokenResponseJson.Success>
 
     @GET("/sso/prevalidate")
     suspend fun prevalidateSso(
         @Query("domainHint") organizationIdentifier: String,
-    ): Result<PrevalidateSsoResponseJson>
+    ): NetworkResult<PrevalidateSsoResponseJson.Success>
 
     /**
      * This call needs to be synchronous so we need it to return a [Call] directly. The identity
@@ -62,8 +68,25 @@ interface IdentityApi {
     ): Call<RefreshTokenResponseJson>
 
     @POST("/accounts/prelogin")
-    suspend fun preLogin(@Body body: PreLoginRequestJson): Result<PreLoginResponseJson>
+    suspend fun preLogin(@Body body: PreLoginRequestJson): NetworkResult<PreLoginResponseJson>
 
     @POST("/accounts/register")
-    suspend fun register(@Body body: RegisterRequestJson): Result<RegisterResponseJson.Success>
+    suspend fun register(
+        @Body body: RegisterRequestJson,
+    ): NetworkResult<RegisterResponseJson.Success>
+
+    @POST("/accounts/register/finish")
+    suspend fun registerFinish(
+        @Body body: RegisterFinishRequestJson,
+    ): NetworkResult<RegisterResponseJson.Success>
+
+    @POST("/accounts/register/send-verification-email")
+    suspend fun sendVerificationEmail(
+        @Body body: SendVerificationEmailRequestJson,
+    ): NetworkResult<JsonPrimitive?>
+
+    @POST("/accounts/register/verification-email-clicked")
+    suspend fun verifyEmailToken(
+        @Body body: VerifyEmailTokenRequestJson,
+    ): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedKeyConnectorApi.kt

@@ -0,0 +1,31 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.api
+
+import androidx.annotation.Keep
+import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
+import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_KEY_AUTHORIZATION
+import retrofit2.http.Body
+import retrofit2.http.GET
+import retrofit2.http.Header
+import retrofit2.http.POST
+import retrofit2.http.Url
+
+/**
+ * Defines raw calls specific for key connectors that use custom urls.
+ */
+@Keep
+interface UnauthenticatedKeyConnectorApi {
+    @POST
+    suspend fun storeMasterKeyToKeyConnector(
+        @Url url: String,
+        @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
+        @Body body: KeyConnectorMasterKeyRequestJson,
+    ): NetworkResult<Unit>
+
+    @GET
+    suspend fun getMasterKeyFromKeyConnector(
+        @Url url: String,
+        @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
+    ): NetworkResult<KeyConnectorMasterKeyResponseJson>
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedOrganizationApi.kt

@@ -0,0 +1,30 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.api
+
+import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsResponseJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsRequest
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsResponse
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
+import retrofit2.http.Body
+import retrofit2.http.POST
+
+/**
+ * Defines raw calls under the /organizations API.
+ */
+interface UnauthenticatedOrganizationApi {
+    /**
+     * Checks for the claimed domain organization of an email for SSO purposes.
+     */
+    @POST("/organizations/domain/sso/details")
+    suspend fun getClaimedDomainOrganizationDetails(
+        @Body body: OrganizationDomainSsoDetailsRequestJson,
+    ): NetworkResult<OrganizationDomainSsoDetailsResponseJson>
+
+    /**
+     * Checks for the verfied organization domains of an email for SSO purposes.
+     */
+    @POST("/organizations/domain/sso/verified")
+    suspend fun getVerifiedOrganizationDomainsByEmail(
+        @Body body: VerifiedOrganizationDomainSsoDetailsRequest,
+    ): NetworkResult<VerifiedOrganizationDomainSsoDetailsResponse>
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/di/AuthNetworkModule.kt

@@ -36,8 +36,12 @@ object AuthNetworkModule {
         retrofits: Retrofits,
         json: Json,
     ): AccountsService = AccountsServiceImpl(
-        accountsApi = retrofits.unauthenticatedApiRetrofit.create(),
+        unauthenticatedAccountsApi = retrofits.unauthenticatedApiRetrofit.create(),
         authenticatedAccountsApi = retrofits.authenticatedApiRetrofit.create(),
+        unauthenticatedKeyConnectorApi = retrofits.createStaticRetrofit().create(),
+        authenticatedKeyConnectorApi = retrofits
+            .createStaticRetrofit(isAuthenticated = true)
+            .create(),
         json = json,
     )
 
@@ -64,7 +68,7 @@ object AuthNetworkModule {
         retrofits: Retrofits,
         json: Json,
     ): IdentityService = IdentityServiceImpl(
-        api = retrofits.unauthenticatedIdentityRetrofit.create(),
+        unauthenticatedIdentityApi = retrofits.unauthenticatedIdentityRetrofit.create(),
         json = json,
     )
 
@@ -73,10 +77,8 @@ object AuthNetworkModule {
     fun providesHaveIBeenPwnedService(
         retrofits: Retrofits,
     ): HaveIBeenPwnedService = HaveIBeenPwnedServiceImpl(
-        retrofits
-            .staticRetrofitBuilder
-            .baseUrl("https://api.pwnedpasswords.com")
-            .build()
+        api = retrofits
+            .createStaticRetrofit(baseUrl = "https://api.pwnedpasswords.com")
             .create(),
     )
 
@@ -95,6 +97,6 @@ object AuthNetworkModule {
         retrofits: Retrofits,
     ): OrganizationService = OrganizationServiceImpl(
         authenticatedOrganizationApi = retrofits.authenticatedApiRetrofit.create(),
-        organizationApi = retrofits.unauthenticatedApiRetrofit.create(),
+        unauthenticatedOrganizationApi = retrofits.unauthenticatedApiRetrofit.create(),
     )
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/AuthRequestTypeJson.kt

@@ -21,5 +21,7 @@ enum class AuthRequestTypeJson {
 }
 
 @Keep
-private class AuthRequestTypeSerializer :
-    BaseEnumeratedIntSerializer<AuthRequestTypeJson>(AuthRequestTypeJson.entries.toTypedArray())
+private class AuthRequestTypeSerializer : BaseEnumeratedIntSerializer<AuthRequestTypeJson>(
+    className = "AuthRequestTypeJson",
+    values = AuthRequestTypeJson.entries.toTypedArray(),
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/DeleteAccountResponseJson.kt

@@ -23,6 +23,15 @@ sealed class DeleteAccountResponseJson {
     @Serializable
     data class Invalid(
         @SerialName("validationErrors")
-        val validationErrors: Map<String, List<String?>>?,
-    ) : DeleteAccountResponseJson()
+        private val validationErrors: Map<String, List<String?>>?,
+    ) : DeleteAccountResponseJson() {
+        /**
+         * A human readable error message.
+         */
+        val message: String?
+            get() = validationErrors
+                ?.values
+                ?.firstOrNull()
+                ?.firstOrNull()
+    }
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/GetTokenResponseJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 import kotlinx.serialization.json.JsonObject
 
 /**
@@ -28,6 +30,7 @@ sealed class GetTokenResponseJson {
      * this token will be cached and used for future auth requests.
      * @property masterPasswordPolicyOptions The options available for a user's master password.
      * @property userDecryptionOptions The options available to a user for decryption.
+     * @property keyConnectorUrl URL to the user's key connector.
      */
     @Serializable
     data class Success(
@@ -75,6 +78,9 @@ sealed class GetTokenResponseJson {
 
         @SerialName("UserDecryptionOptions")
         val userDecryptionOptions: UserDecryptionOptionsJson?,
+
+        @SerialName("KeyConnectorUrl")
+        val keyConnectorUrl: String?,
     ) : GetTokenResponseJson()
 
     /**
@@ -88,18 +94,53 @@ sealed class GetTokenResponseJson {
 
     /**
      * Models json body of an invalid request.
+     *
+     * This model supports older versions of the error response model that used lower-case keys.
      */
+    @OptIn(ExperimentalSerializationApi::class)
     @Serializable
     data class Invalid(
+        @JsonNames("errorModel")
         @SerialName("ErrorModel")
-        val errorModel: ErrorModel,
+        private val errorModel: ErrorModel?,
     ) : GetTokenResponseJson() {
 
+        /**
+         * The error message returned from the server, or null.
+         */
+        val errorMessage: String? get() = errorModel?.errorMessage
+
+        /**
+         * The type of invalid responses that can be received.
+         */
+        sealed class InvalidType {
+            /**
+             * Represents an invalid response indicating that a new device verification is required.
+             */
+            data object NewDeviceVerification : InvalidType()
+
+            /**
+             * Represents generic invalid response
+             */
+            data object GenericInvalid : InvalidType()
+        }
+
+        val invalidType: InvalidType
+            get() = if (errorMessage?.lowercase() == "new device verification required") {
+                InvalidType.NewDeviceVerification
+            } else {
+                InvalidType.GenericInvalid
+            }
+
         /**
          * The error body of an invalid request containing a message.
+         *
+         * This model supports older versions of the error response model that used lower-case
+         * keys.
          */
         @Serializable
         data class ErrorModel(
+            @JsonNames("message")
             @SerialName("Message")
             val errorMessage: String,
         )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KdfTypeJson.kt

@@ -18,5 +18,7 @@ enum class KdfTypeJson {
 }
 
 @Keep
-private class KdfTypeSerializer :
-    BaseEnumeratedIntSerializer<KdfTypeJson>(KdfTypeJson.entries.toTypedArray())
+private class KdfTypeSerializer : BaseEnumeratedIntSerializer<KdfTypeJson>(
+    className = "KdfTypeJson",
+    values = KdfTypeJson.entries.toTypedArray(),
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KeyConnectorKeyRequestJson.kt

@@ -0,0 +1,33 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Represents the request body used to create the key connector keys for an account.
+ */
+@Serializable
+data class KeyConnectorKeyRequestJson(
+    @SerialName("key") val userKey: String,
+    @SerialName("keys") val keys: Keys,
+    @SerialName("kdf") val kdfType: KdfTypeJson,
+    @SerialName("kdfIterations") val kdfIterations: Int?,
+    @SerialName("kdfMemory") val kdfMemory: Int?,
+    @SerialName("kdfParallelism") val kdfParallelism: Int?,
+    @SerialName("orgIdentifier") val organizationIdentifier: String,
+) {
+    /**
+     * A keys object containing public and private keys.
+     *
+     * @param publicKey the public key (encrypted).
+     * @param encryptedPrivateKey the private key (encrypted).
+     */
+    @Serializable
+    data class Keys(
+        @SerialName("publicKey")
+        val publicKey: String,
+
+        @SerialName("encryptedPrivateKey")
+        val encryptedPrivateKey: String,
+    )
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KeyConnectorMasterKeyRequestJson.kt

@@ -0,0 +1,12 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Represents the request body used to store the master key in the cloud.
+ */
+@Serializable
+data class KeyConnectorMasterKeyRequestJson(
+    @SerialName("Key") val masterKey: String,
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KeyConnectorMasterKeyResponseJson.kt

@@ -0,0 +1,12 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Represents the response body used to retrieve the master key from the cloud.
+ */
+@Serializable
+data class KeyConnectorMasterKeyResponseJson(
+    @SerialName("key") val masterKey: String,
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KeyConnectorUserDecryptionOptionsJson.kt

@@ -1,15 +1,19 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * Decryption options related to a user's key connector.
  *
  * @property keyConnectorUrl URL to the user's key connector.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class KeyConnectorUserDecryptionOptionsJson(
-    @SerialName("KeyConnectorUrl")
+    @SerialName("keyConnectorUrl")
+    @JsonNames("KeyConnectorUrl")
     val keyConnectorUrl: String,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/OrganizationDomainSsoDetailsResponseJson.kt

@@ -9,17 +9,18 @@ import java.time.ZonedDateTime
  * Response object returned when requesting organization domain SSO details.
  *
  * @property isSsoAvailable Whether or not SSO is available for this domain.
- * @property domainName The organization's domain name.
  * @property organizationIdentifier The organization's identifier.
- * @property isSsoRequired Whether or not SSO is required.
- * @property verifiedDate The date these details were verified.
+ * @property verifiedDate The date the domain was verified.
  */
 @Serializable
 data class OrganizationDomainSsoDetailsResponseJson(
-    @SerialName("ssoAvailable") val isSsoAvailable: Boolean,
-    @SerialName("domainName") val domainName: String,
-    @SerialName("organizationIdentifier") val organizationIdentifier: String,
-    @SerialName("ssoRequired") val isSsoRequired: Boolean,
+    @SerialName("ssoAvailable")
+    val isSsoAvailable: Boolean,
+
+    @SerialName("organizationIdentifier")
+    val organizationIdentifier: String,
+
+    @SerialName("verifiedDate")
     @Contextual
-    @SerialName("verifiedDate") val verifiedDate: ZonedDateTime?,
+    val verifiedDate: ZonedDateTime?,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/PrevalidateSsoResponseJson.kt

@@ -7,6 +7,20 @@ import kotlinx.serialization.Serializable
  * Response body from the SSO prevalidate request.
  */
 @Serializable
-data class PrevalidateSsoResponseJson(
-    @SerialName("token") val token: String?,
-)
+sealed class PrevalidateSsoResponseJson {
+    /**
+     * Models json body of a successful response.
+     */
+    @Serializable
+    data class Success(
+        @SerialName("token") val token: String?,
+    ) : PrevalidateSsoResponseJson()
+
+    /**
+     * Models json body of an error response.
+     */
+    @Serializable
+    data class Error(
+        @SerialName("message") val message: String?,
+    ) : PrevalidateSsoResponseJson()
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/RegisterFinishRequestJson.kt

@@ -0,0 +1,64 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterFinishRequestJson.Keys
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Request body for register.
+ *
+ * @param email the email to be registered.
+ * @param emailVerificationToken token used to finish the registration process.
+ * @param masterPasswordHash the master password (encrypted).
+ * @param masterPasswordHint the hint for the master password (nullable).
+ * @param captchaResponse the captcha bypass token.
+ * @param userSymmetricKey the user key for the request (encrypted).
+ * @param userAsymmetricKeys a [Keys] object containing public and private keys.
+ * @param kdfType the kdf type represented as an [Int].
+ * @param kdfIterations the number of kdf iterations.
+ */
+@Serializable
+data class RegisterFinishRequestJson(
+    @SerialName("email")
+    val email: String,
+
+    @SerialName("emailVerificationToken")
+    val emailVerificationToken: String,
+
+    @SerialName("masterPasswordHash")
+    val masterPasswordHash: String,
+
+    @SerialName("masterPasswordHint")
+    val masterPasswordHint: String?,
+
+    @SerialName("captchaResponse")
+    val captchaResponse: String?,
+
+    @SerialName("userSymmetricKey")
+    val userSymmetricKey: String,
+
+    @SerialName("userAsymmetricKeys")
+    val userAsymmetricKeys: Keys,
+
+    @SerialName("kdf")
+    val kdfType: KdfTypeJson,
+
+    @SerialName("kdfIterations")
+    val kdfIterations: UInt,
+) {
+
+    /**
+     * A keys object containing public and private keys.
+     *
+     * @param publicKey the public key (encrypted).
+     * @param encryptedPrivateKey the private key (encrypted).
+     */
+    @Serializable
+    data class Keys(
+        @SerialName("publicKey")
+        val publicKey: String,
+
+        @SerialName("encryptedPrivateKey")
+        val encryptedPrivateKey: String,
+    )
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/RegisterResponseJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * Models response bodies for the register request.
@@ -46,26 +48,28 @@ sealed class RegisterResponseJson {
     /**
      * Represents the json body of an invalid register request.
      *
-     * @param message
      * @param validationErrors a map where each value is a list of error messages for each key.
      * The values in the array should be used for display to the user, since the keys tend to come
      * back as nonsense. (eg: empty string key)
      */
+    @OptIn(ExperimentalSerializationApi::class)
     @Serializable
     data class Invalid(
-        @SerialName("message")
-        val message: String?,
+        @JsonNames("message")
+        @SerialName("Message")
+        private val invalidMessage: String? = null,
 
         @SerialName("validationErrors")
-        val validationErrors: Map<String, List<String>>?,
-    ) : RegisterResponseJson()
-
-    /**
-     * A different register error with a message.
-     */
-    @Serializable
-    data class Error(
-        @SerialName("Message")
-        val message: String?,
-    ) : RegisterResponseJson()
+        private val validationErrors: Map<String, List<String>>?,
+    ) : RegisterResponseJson() {
+        /**
+         * A generic error message.
+         */
+        val message: String?
+            get() = validationErrors
+                ?.values
+                ?.firstOrNull()
+                ?.firstOrNull()
+                ?: invalidMessage
+    }
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/ResendNewDeviceOtpRequestJson.kt

@@ -0,0 +1,20 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Hold the information necessary to resend the email with the
+ * new device verification code.
+ *
+ * @property email The user's email address.
+ * @property passwordHash The master password hash
+ */
+@Serializable
+data class ResendNewDeviceOtpRequestJson(
+    @SerialName("Email")
+    val email: String,
+
+    @SerialName("MasterPasswordHash")
+    val passwordHash: String?,
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/SendVerificationEmailRequestJson.kt

@@ -0,0 +1,23 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Request body for send verification email.
+ *
+ * @param email the email to be registered.
+ * @param name the name to be registered.
+ * @param receiveMarketingEmails the answer to receive marketing emails.
+ */
+@Serializable
+data class SendVerificationEmailRequestJson(
+    @SerialName("email")
+    val email: String,
+
+    @SerialName("name")
+    val name: String?,
+
+    @SerialName("receiveMarketingEmails")
+    val receiveMarketingEmails: Boolean,
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/SendVerificationEmailResponseJson.kt

@@ -0,0 +1,45 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * The response body for sending a verification email.
+ */
+@Serializable
+sealed class SendVerificationEmailResponseJson {
+
+    /**
+     * Models a successful json response.
+     *
+     * @param emailVerificationToken the token to verify the email.
+     */
+    @Serializable
+    data class Success(
+        val emailVerificationToken: String?,
+    ) : SendVerificationEmailResponseJson()
+
+    /**
+     * Represents the json body of an invalid request.
+     *
+     * @param validationErrors a map where each value is a list of error messages for each key.
+     * The values in the array should be used for display to the user, since the keys tend to come
+     * back as nonsense. (eg: empty string key)
+     */
+    @Serializable
+    data class Invalid(
+        @SerialName("message")
+        private val invalidMessage: String? = null,
+
+        @SerialName("Message")
+        private val errorMessage: String? = null,
+
+        @SerialName("validationErrors")
+        val validationErrors: Map<String, List<String>>?,
+    ) : SendVerificationEmailResponseJson() {
+        /**
+         * A generic error message.
+         */
+        val message: String? get() = invalidMessage ?: errorMessage
+    }
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/TrustedDeviceUserDecryptionOptionsJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * Decryption options related to a user's trusted device.
@@ -13,20 +15,26 @@ import kotlinx.serialization.Serializable
  * @property hasManageResetPasswordPermission Whether or not the user has manage reset password
  * permission.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class TrustedDeviceUserDecryptionOptionsJson(
-    @SerialName("EncryptedPrivateKey")
+    @SerialName("encryptedPrivateKey")
+    @JsonNames("EncryptedPrivateKey")
     val encryptedPrivateKey: String?,
 
-    @SerialName("EncryptedUserKey")
+    @SerialName("encryptedUserKey")
+    @JsonNames("EncryptedUserKey")
     val encryptedUserKey: String?,
 
-    @SerialName("HasAdminApproval")
+    @SerialName("hasAdminApproval")
+    @JsonNames("HasAdminApproval")
     val hasAdminApproval: Boolean,
 
-    @SerialName("HasLoginApprovingDevice")
+    @SerialName("hasLoginApprovingDevice")
+    @JsonNames("HasLoginApprovingDevice")
     val hasLoginApprovingDevice: Boolean,
 
-    @SerialName("HasManageResetPasswordPermission")
+    @SerialName("hasManageResetPasswordPermission")
+    @JsonNames("HasManageResetPasswordPermission")
     val hasManageResetPasswordPermission: Boolean,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/TwoFactorAuthMethod.kt

@@ -39,5 +39,7 @@ enum class TwoFactorAuthMethod(val value: UInt) {
 }
 
 @Keep
-private class TwoFactorAuthMethodSerializer :
-    BaseEnumeratedIntSerializer<TwoFactorAuthMethod>(TwoFactorAuthMethod.entries.toTypedArray())
+private class TwoFactorAuthMethodSerializer : BaseEnumeratedIntSerializer<TwoFactorAuthMethod>(
+    className = "TwoFactorAuthMethod",
+    values = TwoFactorAuthMethod.entries.toTypedArray(),
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/UserDecryptionOptionsJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * The options available to a user for decryption.
@@ -12,14 +14,18 @@ import kotlinx.serialization.Serializable
  * device.
  * @property keyConnectorUserDecryptionOptions Decryption options related to a user's key connector.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class UserDecryptionOptionsJson(
-    @SerialName("HasMasterPassword")
+    @SerialName("hasMasterPassword")
+    @JsonNames("HasMasterPassword")
     val hasMasterPassword: Boolean,
 
-    @SerialName("TrustedDeviceOption")
+    @SerialName("trustedDeviceOption")
+    @JsonNames("TrustedDeviceOption")
     val trustedDeviceUserDecryptionOptions: TrustedDeviceUserDecryptionOptionsJson?,
 
-    @SerialName("KeyConnectorOption")
+    @SerialName("keyConnectorOption")
+    @JsonNames("KeyConnectorOption")
     val keyConnectorUserDecryptionOptions: KeyConnectorUserDecryptionOptionsJson?,
 )