[PM-26355] Improve SelectAccountScreen state handling (#5965)

Co-authored-by: bw-ghapp[bot] <178206702+bw-ghapp[bot]@users.noreply.github.com>
Co-authored-by: Hinton <hinton@users.noreply.github.com>
Co-authored-by: Carlos Gonçalves <cgoncalves@bitwarden.com>

.github/CODEOWNERS

@@ -48,3 +48,9 @@
 # app/src/main/java/com/x8bit/bitwarden/ui/vault  @bitwarden/team-vault-dev
 # app/src/test/java/com/x8bit/bitwarden/data/vault @bitwarden/team-vault-dev
 # app/src/test/java/com/x8bit/bitwarden/ui/vault  @bitwarden/team-vault-dev
+
+# Docker-related files
+**/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre

.github/actions/log-inputs/action.yml

@@ -0,0 +1,20 @@
+name: 'Log Inputs to Job Summary'
+description: 'Log workflow inputs to the GitHub Actions job summary'
+
+inputs:
+  inputs:
+    description: 'Workflow inputs as JSON'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Log inputs to job summary
+      shell: bash
+      run: |
+        echo "<details><summary>Job Inputs</summary>" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo '```json' >> $GITHUB_STEP_SUMMARY
+        echo '${{ inputs.inputs }}' >> $GITHUB_STEP_SUMMARY
+        echo '```' >> $GITHUB_STEP_SUMMARY
+        echo "</details>" >> $GITHUB_STEP_SUMMARY

.github/actions/setup-android-build/action.yml

@@ -0,0 +1,49 @@
+name: 'Setup Android Build'
+description: 'Setup Android build environment with Gradle, Ruby, and Fastlane'
+inputs:
+  java-version:
+    description: 'Java version to use'
+    required: false
+    default: '21'
+runs:
+  using: 'composite'
+  steps:
+    - name: Validate Gradle wrapper
+      uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+
+    - name: Cache Gradle files
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-v2-
+
+    - name: Cache build output
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: |
+          ${{ github.workspace }}/build-cache
+        key: ${{ runner.os }}-build-cache-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-build-
+
+    - name: Configure Ruby
+      uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+      with:
+        bundler-cache: true
+
+    - name: Configure JDK
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      with:
+        distribution: "temurin"
+        java-version: ${{ inputs.java-version }}
+
+    - name: Install Fastlane
+      shell: bash
+      run: |
+        gem install bundler:2.2.27
+        bundle config path vendor/bundle
+        bundle install --jobs 4 --retry 3

.github/renovate.json

@@ -27,6 +27,9 @@
       ],
       "matchManagers": [
         "gradle"
+      ],
+      "excludePackageNames": [
+        "com.github.bumptech.glide:compose"
       ]
     },
     {

.github/workflows/build-authenticator.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release/**/*
   workflow_dispatch:
     inputs:
       version-name:
@@ -27,7 +28,7 @@ on:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  JAVA_VERSION: 17
+  JAVA_VERSION: 21
 
 permissions:
   contents: read
@@ -50,13 +51,13 @@ jobs:
           echo "</details>" >> $GITHUB_STEP_SUMMARY
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -66,7 +67,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -75,13 +76,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
@@ -109,10 +110,10 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
@@ -188,10 +189,10 @@ jobs:
           json_key:${{ github.workspace }}/secrets/authenticator_play_store-creds.json }}
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -201,7 +202,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -210,21 +211,30 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
+      - name: Update app CI Build info
+        run: |
+          ./scripts/update_app_ci_build_info.sh \
+          $GITHUB_REPOSITORY \
+          $GITHUB_REF_NAME \
+          $GITHUB_SHA \
+          $GITHUB_RUN_ID \
+          $GITHUB_RUN_ATTEMPT
+
       - name: Increment version
         run: |
           DEFAULT_VERSION_CODE=$GITHUB_RUN_NUMBER
           VERSION_CODE="${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }}"
-          bundle exec fastlane setAuthenticatorBuildVersionInfo \
+          bundle exec fastlane setBuildVersionInfo \
           versionCode:$VERSION_CODE \
           versionName:${{ inputs.version-name || '' }}
 
-          regex='versionName = "([^"]+)"'
-          if [[ "$(cat authenticator/build.gradle.kts)" =~ $regex ]]; then
+          regex='appVersionName = "([^"]+)"'
+          if [[ "$(cat gradle/libs.versions.toml)" =~ $regex ]]; then
             VERSION_NAME="${BASH_REMATCH[1]}"
           fi
           echo "Version Name: ${VERSION_NAME}" >> $GITHUB_STEP_SUMMARY

.github/workflows/build.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release/**/*
   workflow_dispatch:
     inputs:
       version-name:
@@ -17,17 +18,17 @@ on:
       distribute-to-firebase:
         description: "Optional. Distribute artifacts to Firebase."
         required: false
-        default: false
+        default: true
         type: boolean
       publish-to-play-store:
         description: "Optional. Deploy bundle artifact to Google Play Store"
         required: false
-        default: false
+        default: true
         type: boolean
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  JAVA_VERSION: 17
+  JAVA_VERSION: 21
   GITHUB_ACTION_RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
 permissions:
@@ -51,13 +52,13 @@ jobs:
           echo "</details>" >> $GITHUB_STEP_SUMMARY
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -67,7 +68,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -76,13 +77,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
@@ -117,10 +118,10 @@ jobs:
         artifact: ["apk", "aab"]
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
@@ -183,10 +184,10 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -196,7 +197,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -205,7 +206,7 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
@@ -416,7 +417,7 @@ jobs:
           bundle exec fastlane run validate_play_store_json_key
 
       - name: Publish Play Store bundle
-        if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && (inputs.publish-to-play-store || github.ref_name == 'main') }}
+        if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && (inputs.publish-to-play-store || github.event_name == 'push') }}
         run: |
           bundle exec fastlane publishProdToPlayStore
           bundle exec fastlane publishBetaToPlayStore
@@ -428,10 +429,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
@@ -480,10 +481,10 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -493,7 +494,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -502,7 +503,7 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
@@ -525,8 +526,8 @@ jobs:
           versionCode:$VERSION_CODE \
           versionName:${{ inputs.version-name || '' }}
 
-          regex='versionName = "([^"]+)"'
-          if [[ "$(cat app/build.gradle.kts)" =~ $regex ]]; then
+          regex='appVersionName = "([^"]+)"'
+          if [[ "$(cat gradle/libs.versions.toml)" =~ $regex ]]; then
             VERSION_NAME="${BASH_REMATCH[1]}"
           fi
           echo "Version Name: ${VERSION_NAME}" >> $GITHUB_STEP_SUMMARY

.github/workflows/cron-sync-google-priviledged-browsers.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Download Google Privileged Browsers List
         run: curl -s $SOURCE_URL -o $GOOGLE_FILE

.github/workflows/crowdin-pull.yml

@@ -8,26 +8,15 @@ on:
 
 jobs:
   crowdin-sync:
-    name: Crowdin Pull - ${{ matrix.name }} - ${{ github.event_name }}
+    name: Crowdin Pull - ${{ github.event_name }}
     runs-on: ubuntu-24.04
     permissions:
       contents: write
       pull-requests: write
       id-token: write
-    strategy:
-      matrix:
-        include:
-          - name: Password Manager
-            project_id: 269690
-            config: crowdin-bwpm.yml
-            branch: crowdin-pull-bwpm
-          - name: Authenticator
-            project_id: 673718
-            config: crowdin-bwa.yml
-            branch: crowdin-pull-bwa
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -54,29 +43,29 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
 
-      - name: Download translations for ${{ matrix.name }}
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
+      - name: Download translations
+        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
-          _CROWDIN_PROJECT_ID: ${{ matrix.project_id }}
+          _CROWDIN_PROJECT_ID: "269690"
         with:
-          config: ${{ matrix.config }}
+          config: crowdin.yml
           upload_sources: false
           upload_translations: false
           download_translations: true
           github_user_name: "bitwarden-devops-bot"
           github_user_email: "106330231+bitwarden-devops-bot@users.noreply.github.com"
-          commit_message: "Crowdin Pull - ${{ matrix.name }}"
-          localization_branch_name: ${{ matrix.branch }}
+          commit_message: "Crowdin Pull"
+          localization_branch_name: "crowdin-pull"
           create_pull_request: true
-          pull_request_title: "Crowdin Pull - ${{ matrix.name }}"
-          pull_request_body: ":inbox_tray: New translations for ${{ matrix.name }} received!"
+          pull_request_title: "Crowdin Pull"
+          pull_request_body: ":inbox_tray: New translations received!"
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           gpg_passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}

.github/workflows/crowdin-push.yml

@@ -16,7 +16,7 @@ jobs:
       id-token: write
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -32,27 +32,16 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
 
-      - name: Upload sources for Password Manager
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
+      - name: Upload sources
+        uses: crowdin/github-action@0749939f635900a2521aa6aac7a3766642b2dc71 # v2.11.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
           _CROWDIN_PROJECT_ID: "269690"
         with:
-          config: crowdin-bwpm.yml
+          config: crowdin.yml
           upload_sources: true
           upload_translations: false
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Upload sources for Authenticator
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
-          _CROWDIN_PROJECT_ID: "673718"
-        with:
-          config: crowdin-bwa.yml
-          upload_sources: true
-          upload_translations: false

.github/workflows/github-release.yml

@@ -25,10 +25,15 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
+      - name: Log inputs to job summary
+        uses: ./.github/actions/log-inputs
+        with:
+          inputs: ${{ toJson(inputs) }}
+
       - name: Get branch from workflow run
         id: get_release_branch
         env:
@@ -45,23 +50,29 @@ jobs:
             exit 1
           fi
 
+          echo "🔖 Release branch: $release_branch"
+          echo "🔖 Workflow name: $workflow_name"
           echo "release_branch=$release_branch" >> $GITHUB_OUTPUT
           echo "workflow_name=$workflow_name" >> $GITHUB_OUTPUT
 
           case "$workflow_name" in
             *"Password Manager"* | "Build")
-              echo "app_name=Password Manager" >> $GITHUB_OUTPUT
-              echo "app_name_suffix=bwpm" >> $GITHUB_OUTPUT
+              app_name="Password Manager"
+              app_name_suffix="bwpm"
               ;;
             *"Authenticator"*)
-              echo "app_name=Authenticator" >> $GITHUB_OUTPUT
-              echo "app_name_suffix=bwa" >> $GITHUB_OUTPUT
+              app_name="Authenticator"
+              app_name_suffix="bwa"
               ;;
             *)
               echo "::error::Unknown workflow name: $workflow_name"
               exit 1
               ;;
           esac
+          echo "🔖 App name: $app_name"
+          echo "🔖 App name suffix: $app_name_suffix"
+          echo "app_name=$app_name" >> $GITHUB_OUTPUT
+          echo "app_name_suffix=$app_name_suffix" >> $GITHUB_OUTPUT
 
       - name: Get version info from run logs and set release tag name
         id: get_release_info
@@ -99,7 +110,7 @@ jobs:
           echo "🔖 New tag name: $tag_name"
           echo "tag_name=$tag_name" >> $GITHUB_OUTPUT
 
-          last_release_tag=$(git tag -l --sort=-authordate | grep "$APP_NAME_SUFFIX" | head -n 1)
+          last_release_tag=$(git tag -l --sort=-authordate | grep "$_APP_NAME_SUFFIX" | head -n 1)
           echo "🔖 Last release tag: $last_release_tag"
           echo "last_release_tag=$last_release_tag" >> $GITHUB_OUTPUT
 
@@ -116,6 +127,34 @@ jobs:
             find $ARTIFACTS_PATH -type f
           fi
 
+          # Files that won't be included in any release
+          files_to_remove=(
+            "com.x8bit.bitwarden.aab"
+            "com.x8bit.bitwarden.aab-sha256.txt"
+
+            "com.x8bit.bitwarden.beta.apk"
+            "com.x8bit.bitwarden.beta.apk-sha256.txt"
+            "com.x8bit.bitwarden.beta.aab"
+            "com.x8bit.bitwarden.beta.aab-sha256.txt"
+
+            "com.x8bit.bitwarden.beta-fdroid.apk"
+            "com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt"
+
+            "com.x8bit.bitwarden.dev.apk"
+            "com.x8bit.bitwarden.dev.apk-sha256.txt"
+
+            "com.bitwarden.authenticator.aab"
+            "authenticator-android-aab-sha256.txt"
+          )
+
+          for file in "${files_to_remove[@]}"; do
+            find $ARTIFACTS_PATH -name "$file" -type f -delete
+          done
+          echo "🔖 Removed internal artifacts."
+          echo ""
+          echo "🔖 Files to be included in the release:"
+          find $ARTIFACTS_PATH -type f
+
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -167,34 +206,39 @@ jobs:
           _TAG_NAME: ${{ steps.get_release_info.outputs.tag_name }}
           _LAST_RELEASE_TAG: ${{ steps.get_release_info.outputs.last_release_tag }}
         run: |
+          is_latest_release=false
+          if [[ "$_APP_NAME" == "Password Manager" ]]; then
+            is_latest_release=true
+          fi
+
           echo "⌛️ Creating release for $_APP_NAME $_VERSION_NAME ($_VERSION_NUMBER) on $_TARGET_COMMIT"
           release_url=$(gh release create "$_TAG_NAME" \
             --title "$_APP_NAME $_VERSION_NAME ($_VERSION_NUMBER)" \
             --target "$_TARGET_COMMIT" \
             --generate-notes \
             --notes-start-tag "$_LAST_RELEASE_TAG" \
+            --latest=$is_latest_release \
             --draft \
             $ARTIFACTS_PATH/*/*)
 
-          echo "✅ Release created: $release_url"
-
-          # Get release info for outputs
-          release_data=$(gh release view "$_TAG_NAME" --json id)
-          release_id=$(echo "$release_data" | jq -r .id)
-
-          echo "id=$release_id" >> $GITHUB_OUTPUT
+          # Extract release tag from URL
+          release_id_from_url=$(echo "$release_url" | sed 's/.*\/tag\///')
+          echo "release_id_from_url=$release_id_from_url" >> $GITHUB_OUTPUT
           echo "url=$release_url" >> $GITHUB_OUTPUT
 
+          echo "✅ Release created: $release_url"
+          echo "🔖 Release ID from URL: $release_id_from_url"
+
       - name: Update Release Description
         id: update_release_description
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
           _VERSION_NAME: ${{ steps.get_release_info.outputs.version_name }}
-          _TAG_NAME: ${{ steps.get_release_info.outputs.tag_name }}
+          _RELEASE_ID: ${{ steps.create_release.outputs.release_id_from_url }}
         run: |
-          echo "Getting current release body. Tag: $_TAG_NAME"
-          current_body=$(gh release view "$_TAG_NAME" --json body --jq .body)
+          echo "Getting current release body. Release ID: $_RELEASE_ID"
+          current_body=$(gh release view "$_RELEASE_ID" --json body --jq .body)
 
           product_release_notes=$(cat product_release_notes.txt)
 
@@ -205,7 +249,7 @@ jobs:
           ${current_body}
           **Builds Source:** https://github.com/${{ github.repository }}/actions/runs/$ARTIFACT_RUN_ID"
 
-          new_release_url=$(gh release edit "$_TAG_NAME" --notes "$updated_body")
+          new_release_url=$(gh release edit "$_RELEASE_ID" --notes "$updated_body")
 
           # draft release links change after editing
           echo "release_url=$new_release_url" >> $GITHUB_OUTPUT

.github/workflows/publish-store.yml

@@ -71,10 +71,10 @@ jobs:
             echo "</details>" >> $GITHUB_STEP_SUMMARY
 
         - name: Check out repo
-          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+          uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
         - name: Configure Ruby
-          uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+          uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
           with:
             bundler-cache: true
 
@@ -147,7 +147,8 @@ jobs:
 
             bundle exec fastlane updateReleaseNotes \
               releaseNotes:"$RELEASE_NOTES" \
-              versionCode:"$VERSION_CODE"
+              versionCode:"$VERSION_CODE" \
+              packageName:"$PACKAGE_NAME"
 
             bundle exec fastlane promoteToProduction \
               versionCode:"$VERSION_CODE" \

.github/workflows/release-branch.yml

@@ -9,7 +9,9 @@ on:
         type: choice
         options:
           - RC
-          - Hotfix
+          - Hotfix Password Manager
+          - Hotfix Authenticator
+          - Test
 
 jobs:
   create-release-branch:
@@ -17,38 +19,54 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: write
+      actions: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
-      - name: Create RC Branch
-        if: inputs.release_type == 'RC'
+      - name: Create RC or Test Branch
+        id: rc_branch
+        if: inputs.release_type == 'RC' || inputs.release_type == 'Test'
         env:
-          RC_PREFIX_DATE: "true" # replace with input if needed
+          _TEST_MODE: ${{ inputs.release_type == 'Test' }}
+          _RELEASE_TYPE: ${{ inputs.release_type }}
         run: |
-          if [ "$RC_PREFIX_DATE" = "true" ]; then
-            current_date=$(date +'%Y.%m')
-            branch_name="release/${current_date}-rc${{ github.run_number }}"
-          else
-            branch_name="release/rc${{ github.run_number }}"
+          current_date=$(date +'%Y.%-m')
+          branch_name="${current_date}-rc${{ github.run_number }}"
+
+          if [ "$_TEST_MODE" = "true" ]; then
+            branch_name="WORKFLOW-TEST-${branch_name}"
           fi
+          branch_name="release/${branch_name}"
+
           git switch main
           git switch -c $branch_name
           git push origin $branch_name
-          echo "# :cherry_blossom: RC branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+          echo "# :cherry_blossom: ${_RELEASE_TYPE} branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+          echo "branch_name=$branch_name" >> $GITHUB_OUTPUT
 
       - name: Create Hotfix Branch
-        if: inputs.release_type == 'Hotfix'
+        id: hotfix_branch
+        if: startsWith(inputs.release_type, 'Hotfix')
+        env:
+          _RELEASE_TYPE: ${{ inputs.release_type }}
         run: |
-          latest_tag=$(git tag -l --sort=-creatordate | head -n 1)
+          app_codename="bwpm"
+          if [ "$_RELEASE_TYPE" == "Hotfix Authenticator" ]; then
+            app_codename="bwa"
+          fi
+          echo "🌿 app codename: $app_codename"
+
+          latest_tag=$(git tag -l --sort=-creatordate | grep "$app_codename" | head -n 1)
           if [ -z "$latest_tag" ]; then
             echo "::error::No tags found in the repository"
             exit 1
           fi
           branch_name="release/hotfix-${latest_tag}"
           echo "🌿 branch name: $branch_name"
+          echo "branch_name=$branch_name" >> $GITHUB_OUTPUT
           if git show-ref --verify --quiet "refs/remotes/origin/$branch_name"; then
             echo "# :fire: :warning: Hotfix branch already exists: ${branch_name}" >> $GITHUB_STEP_SUMMARY
             exit 0
@@ -56,3 +74,12 @@ jobs:
           git switch -c $branch_name $latest_tag
           git push origin $branch_name
           echo "# :fire: Hotfix branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Trigger CI Workflows
+        env:
+          GH_TOKEN: ${{ github.token }}
+          _BRANCH_NAME: ${{ steps.rc_branch.outputs.branch_name || steps.hotfix_branch.outputs.branch_name }}
+        run: |
+          echo "🌿 branch name: $_BRANCH_NAME"
+          gh workflow run build.yml --ref $_BRANCH_NAME -f distribute-to-firebase=true -f publish-to-play-store=true
+          gh workflow run build-authenticator.yml --ref $_BRANCH_NAME -f distribute-to-firebase=true -f publish-to-play-store=true

.github/workflows/scan-ci.yml

@@ -6,92 +6,30 @@ on:
     branches:
       - "main"
 
+permissions: {}
+
 jobs:
   sast:
-    name: SAST scan
-    runs-on: ubuntu-24.04
+    name: Checkmarx
+    uses: bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
+      pull-requests: write
       security-events: write
       id-token: write
 
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
-        with:
-          project_name: ${{ github.repository }}
-          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
-          base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
-          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
-          additional_params: |
-            --report-format sarif \
-            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
-            --output-path .
-
-      - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
-        with:
-          sarif_file: cx_result.sarif
-
   quality:
-    name: Quality scan
-    runs-on: ubuntu-24.04
+    name: Sonar
+    uses: bitwarden/gh-actions/.github/workflows/_sonar.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
+      pull-requests: write
       id-token: write
-
-    steps:
-
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "SONAR-TOKEN"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
-        env:
-          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
-        with:
-          args: >
-            -Dsonar.organization=${{ github.repository_owner }}
-            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}

.github/workflows/scan.yml

@@ -21,99 +21,28 @@ jobs:
       contents: read
 
   sast:
-    name: SAST scan
-    runs-on: ubuntu-24.04
+    name: Checkmarx
+    uses: bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
     needs: check-run
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
       pull-requests: write
       security-events: write
       id-token: write
 
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{  github.event.pull_request.head.sha }}
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
-        env:
-          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
-        with:
-          project_name: ${{ github.repository }}
-          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
-          base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
-          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
-          additional_params: |
-            --report-format sarif \
-            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
-            --output-path . ${{ env.INCREMENTAL }}
-
-      - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
-        with:
-          sarif_file: cx_result.sarif
-          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
-          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
-
   quality:
-    name: Quality scan
-    runs-on: ubuntu-24.04
+    name: Sonar
+    uses: bitwarden/gh-actions/.github/workflows/_sonar.yml@main
     needs: check-run
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
       pull-requests: write
       id-token: write
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{  github.event.pull_request.head.sha }}
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "SONAR-TOKEN"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
-        env:
-          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
-        with:
-          args: >
-            -Dsonar.organization=${{ github.repository_owner }}
-            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
-            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

.github/workflows/sdlc-sdk-update.yml

@@ -0,0 +1,227 @@
+name: SDLC / SDK Update
+run-name: "SDK ${{inputs.run-mode == 'Update' && format('Update - {0}', inputs.sdk-version) || format('Test #{0} - {1}', inputs.pr-id, inputs.sdk-version)}}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      run-mode:
+        description: "Run Mode"
+        type: choice
+        options:
+          - Test # used for testing sdk-internal repo PRs
+          - Update # opens a PR in this repo updating the SDK
+        default: Test
+      sdk-package:
+        description: "SDK Package ID"
+        required: true
+        default: "com.bitwarden:sdk-android.dev"
+      sdk-version:
+        description: "SDK Version"
+        required: true
+        default: "1.0.0-2686-km-update-kdf-sdk"
+      pr-id:
+        description: "Pull Request ID"
+
+env:
+  _BOT_NAME: "bw-ghapp[bot]"
+  _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com"
+
+jobs:
+  update:
+    name: Update and PR
+    if: ${{ inputs.run-mode == 'Update' }}
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-pull-requests: write
+          permission-actions: read
+          permission-contents: write
+
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Log inputs to job summary
+        uses: ./.github/actions/log-inputs
+        with:
+          inputs: ${{ toJson(inputs) }}
+
+      - name: Switch to branch
+        id: switch-branch
+        run: |
+          BRANCH_NAME="sdlc/sdk-update"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+
+          if git switch $BRANCH_NAME; then
+            echo "✅ Switched to existing branch: $BRANCH_NAME"
+            echo "updating_existing_branch=true" >> $GITHUB_OUTPUT
+          else
+            echo "📝 Creating new branch: $BRANCH_NAME"
+            git switch -c $BRANCH_NAME
+            echo "updating_existing_branch=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Prevent updating the branch when the last committer isn't the bot
+        if: ${{ steps.switch-branch.outputs.updating_existing_branch == 'true' }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }}
+        run: |
+          LATEST_COMMIT_AUTHOR=$(git log -1 --format='%ae' $_BRANCH_NAME)
+
+          echo "Latest commit author in branch ($_BRANCH_NAME): $LATEST_COMMIT_AUTHOR"
+          echo "Expected bot email: $_BOT_EMAIL"
+
+          if [ "$LATEST_COMMIT_AUTHOR" != "$_BOT_EMAIL" ]; then
+            echo "::error::Branch $_BRANCH_NAME has a commit not made by the bot." \
+              "This indicates manual changes have been made to the branch," \
+              "PR has to be merged or closed before running this workflow again."
+            echo "👀 Fetching existing PR..."
+            gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty'
+            EXISTING_PR=$(gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty')
+            if [ -z "$EXISTING_PR" ]; then
+              echo "::error::Couldn't find an existing PR for branch $_BRANCH_NAME."
+              exit 1
+            fi
+            PR_URL="https://github.com/${{ github.repository }}/pull/$EXISTING_PR"
+            echo "## ❌ Merge or close: $PR_URL" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "✅ Branch tip commit was made by the bot. Safe to proceed."
+
+      # Using main to retrieve the changelog on consecutive updates of the same PR.
+      - name: Get current SDK version from main branch
+        id: get-current-sdk
+        run: |
+          git show origin/main:gradle/libs.versions.toml
+          SDK_VERSION=$(git show origin/main:gradle/libs.versions.toml | grep "bitwardenSdk =" | cut -d'"' -f2)
+          if [ -z "$SDK_VERSION" ]; then
+            echo "::error::Failed to get current SDK version from main branch."
+            exit 1
+          fi
+          GIT_REF=$(echo "$SDK_VERSION" | cut -d'-' -f3-) # handles both commit hashes and branch names
+          echo "Current SDK version (from main): $SDK_VERSION"
+          echo "Current SDK git ref: $GIT_REF"
+          echo "version=$SDK_VERSION" >> $GITHUB_OUTPUT
+          echo "git_ref=$GIT_REF" >> $GITHUB_OUTPUT
+
+      - name: Update SDK Version
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+        run: |
+          ./scripts/update-sdk-version.sh "$_SDK_PACKAGE" "$_SDK_VERSION"
+
+      - name: Create branch and commit
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+          _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }}
+        run: |
+          echo "👀 Committing SDK version update..."
+
+          git config user.name "$_BOT_NAME"
+          git config user.email "$_BOT_EMAIL"
+
+          git add gradle/libs.versions.toml
+          git commit -m "SDK Update - $_SDK_PACKAGE $_SDK_VERSION"
+          git push origin $_BRANCH_NAME
+
+      - name: Create or Update Pull Request
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }}
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+          _OLD_SDK_VERSION: ${{ steps.get-current-sdk.outputs.version }}
+          _OLD_SDK_GIT_REF: ${{ steps.get-current-sdk.outputs.git_ref }}
+        run: |
+          NEW_SDK_GIT_REF=$(echo "$_SDK_VERSION" | cut -d'-' -f3-)
+          CHANGELOG=$(./scripts/get-repo-changelog.sh "bitwarden/sdk-internal" "$_OLD_SDK_GIT_REF" "$NEW_SDK_GIT_REF")
+          PR_BODY="Updates the SDK version from \`$_OLD_SDK_VERSION\` to \`$_SDK_PACKAGE $_SDK_VERSION\`
+
+          ## What's Changed
+
+          $CHANGELOG"
+
+          EXISTING_PR=$(gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty')
+
+          if [ -n "$EXISTING_PR" ]; then
+            echo "🔄 Updating existing PR #$EXISTING_PR..."
+            echo -e "$PR_BODY" | gh pr edit $EXISTING_PR \
+              --title "Update SDK to $_SDK_VERSION" \
+              --body-file -
+            PR_URL="https://github.com/${{ github.repository }}/pull/$EXISTING_PR"
+            echo "## ✅ Updated PR: $PR_URL" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "📝 Creating new PR..."
+            PR_URL=$(echo -e "$PR_BODY" | gh pr create \
+              --title "Update SDK to $_SDK_VERSION" \
+              --body-file - \
+              --base main \
+              --head $_BRANCH_NAME \
+              --label "automated-pr" \
+              --label "t:ci")
+            echo "## 🚀 Created PR: $PR_URL" >> $GITHUB_STEP_SUMMARY
+          fi
+
+  test:
+    name: Test Update
+    if: ${{ inputs.run-mode == 'Test' }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Log inputs to job summary
+        uses: ./.github/actions/log-inputs
+        with:
+          inputs: ${{ toJson(inputs) }}
+
+      - name: Setup Android Build
+        uses: ./.github/actions/setup-android-build
+
+      - name: Update SDK Version
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+        run: |
+          ./scripts/update-sdk-version.sh "$_SDK_PACKAGE" "$_SDK_VERSION"
+
+      - name: Build
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in settings.gradle.kts to download the SDK from GitHub Maven Packages
+        run: |
+          ./gradlew assembleDebug --warn

.github/workflows/test.yml

@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
 
 env:
-  _JAVA_VERSION: 17
+  _JAVA_VERSION: 21
   _GITHUB_ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}
 
 
@@ -27,13 +27,13 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        uses: gradle/actions/wrapper-validation@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
 
       - name: Cache Gradle files
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -43,7 +43,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -52,12 +52,12 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
         with:
           bundler-cache: true
 
       - name: Configure JDK
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: "temurin"
           java-version: ${{ env._JAVA_VERSION }}
@@ -91,7 +91,7 @@ jobs:
 
       - name: Upload to codecov.io
         id: upload-to-codecov
-        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         if: github.event_name == 'push' || github.event_name == 'pull_request'
         continue-on-error: true
         with:

.gitignore

@@ -3,6 +3,13 @@
 fastlane/report.xml
 fastlane/README.md
 
+# Ruby / Bundler
+.bundle/
+vendor/
+
+# Backup files
+*.bak
+
 # General
 .DS_Store
 Thumbs.db

Gemfile.lock

@@ -11,25 +11,27 @@ GEM
     artifactory (3.0.17)
     atomos (0.1.3)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1131.0)
-    aws-sdk-core (3.226.3)
+    aws-partitions (1.1166.0)
+    aws-sdk-core (3.233.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
       base64
+      bigdecimal
       jmespath (~> 1, >= 1.6.1)
       logger
-    aws-sdk-kms (1.106.0)
-      aws-sdk-core (~> 3, >= 3.225.0)
+    aws-sdk-kms (1.113.0)
+      aws-sdk-core (~> 3, >= 3.231.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.193.0)
-      aws-sdk-core (~> 3, >= 3.225.0)
+    aws-sdk-s3 (1.199.1)
+      aws-sdk-core (~> 3, >= 3.231.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
     babosa (1.0.4)
     base64 (0.3.0)
+    bigdecimal (3.2.3)
     claide (1.1.0)
     colored (1.2)
     colored2 (3.1.2)
@@ -167,7 +169,7 @@ GEM
     httpclient (2.9.0)
       mutex_m
     jmespath (1.6.2)
-    json (2.13.0)
+    json (2.15.0)
     jwt (2.10.2)
       base64
     logger (1.7.0)
@@ -190,15 +192,15 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.4.1)
+    rexml (3.4.4)
     rouge (3.28.0)
     ruby2_keywords (0.0.5)
     rubyzip (2.4.1)
     security (0.1.5)
-    signet (0.20.0)
+    signet (0.21.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
-      jwt (>= 1.5, < 3.0)
+      jwt (>= 1.5, < 4.0)
       multi_json (~> 1.10)
     simctl (1.6.10)
       CFPropertyList

README.md

@@ -52,16 +52,47 @@
 
     Please avoid mixing formatting and logical changes in the same commit/PR. When possible, fix any large formatting issues in a separate PR before opening one to make logical changes to the same code. This helps others focus on the meaningful code changes when reviewing the code.
 
-4. Setup JDK `Version` `17`:
+4. Setup JDK `Version` `21`:
 
     - Navigate to `Preferences > Build, Execution, Deployment > Build Tools > Gradle`.
     - Hit the selected Gradle JDK next to `Gradle JDK:`.
-    - Select a `17.x` version or hit `Download JDK...` if not present.
-    - Select `Version` `17`.
+    - Select a `21.x` version or hit `Download JDK...` if not present.
+    - Select `Version` `21`.
     - Select your preferred `Vendor`.
     - Hit `Download`.
     - Hit `Apply`.
 
+5. Setup `detekt` pre-commit hook (optional):
+
+Run the following script from the root of the repository to install the hook. This will overwrite any existing pre-commit hook if present.
+
+```shell
+echo "Writing detekt pre-commit hook..."
+cat << 'EOL' > .git/hooks/pre-commit
+#!/usr/bin/env bash
+
+echo "Running detekt check..."
+OUTPUT="/tmp/detekt-$(date +%s)"
+./gradlew -Pprecommit=true detekt > $OUTPUT
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+  cat $OUTPUT
+  rm $OUTPUT
+  echo "***********************************************"
+  echo "                 detekt failed                 "
+  echo " Please fix the above issues before committing "
+  echo "***********************************************"
+  exit $EXIT_CODE
+fi
+rm $OUTPUT
+EOL
+echo "detekt pre-commit hook written to .git/hooks/pre-commit"
+echo "Making the hook executable"
+chmod +x .git/hooks/pre-commit
+
+echo "detekt pre-commit hook installed successfully to .git/hooks/pre-commit"
+```
+
 ## Theme
 
 ### Icons & Illustrations

app/build.gradle.kts

@@ -55,13 +55,15 @@ android {
         applicationId = "com.x8bit.bitwarden"
         minSdk = libs.versions.minSdk.get().toInt()
         targetSdk = libs.versions.targetSdk.get().toInt()
-        versionCode = 1
-        versionName = "2025.7.0"
-
-        setProperty("archivesBaseName", "com.x8bit.bitwarden")
+        versionCode = libs.versions.appVersionCode.get().toInt()
+        versionName = libs.versions.appVersionName.get()
 
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
 
+        // Set the base archive name for publishing purposes. This is used to derive the APK and AAB
+        // artifact names when uploading to Firebase and Play Store.
+        base.archivesName = "com.x8bit.bitwarden"
+
         buildConfigField(
             type = "String",
             name = "CI_INFO",
@@ -222,6 +224,7 @@ dependencies {
 
     implementation(project(":annotation"))
     implementation(project(":core"))
+    implementation(project(":cxf"))
     implementation(project(":data"))
     implementation(project(":network"))
     implementation(project(":ui"))
@@ -243,6 +246,8 @@ dependencies {
     implementation(libs.androidx.compose.ui.graphics)
     implementation(libs.androidx.compose.ui.tooling.preview)
     implementation(libs.androidx.core.ktx)
+    implementation(libs.androidx.credentials)
+    implementation(libs.androidx.credentials.providerevents)
     implementation(libs.androidx.hilt.navigation.compose)
     implementation(libs.androidx.lifecycle.process)
     implementation(libs.androidx.lifecycle.runtime.compose)
@@ -256,7 +261,6 @@ dependencies {
     implementation(libs.androidx.work.runtime.ktx)
     implementation(libs.bitwarden.sdk)
     implementation(libs.bumptech.glide)
-    implementation(libs.androidx.credentials)
     implementation(libs.google.hilt.android)
     ksp(libs.google.hilt.compiler)
     implementation(libs.kotlinx.collections.immutable)
@@ -326,6 +330,7 @@ private fun renameFile(path: String, newName: String) {
     if (originalFile.renameTo(newFile)) {
         println("Renamed $originalFile to $newFile")
     } else {
+        @Suppress("TooGenericExceptionThrown")
         throw RuntimeException("Failed to rename $originalFile to $newFile")
     }
 }

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/8.json

@@ -0,0 +1,264 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 8,
+    "identityHash": "11387825dab701f9d2dd2e940ffbd794",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `has_totp` INTEGER NOT NULL DEFAULT 1, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "hasTotp",
+            "columnName": "has_totp",
+            "affinity": "INTEGER",
+            "notNull": true,
+            "defaultValue": "1"
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ]
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER, `default_user_collection_email` TEXT, `type` TEXT NOT NULL DEFAULT '0', PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT"
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER"
+          },
+          {
+            "fieldPath": "defaultUserCollectionEmail",
+            "columnName": "default_user_collection_email",
+            "affinity": "TEXT"
+          },
+          {
+            "fieldPath": "type",
+            "columnName": "type",
+            "affinity": "TEXT",
+            "notNull": true,
+            "defaultValue": "'0'"
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ]
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT"
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        }
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT"
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ]
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ]
+      }
+    ],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, '11387825dab701f9d2dd2e940ffbd794')"
+    ]
+  }
+}

app/src/debug/AndroidManifest.xml

@@ -20,6 +20,18 @@
                 <data android:host="*.bitwarden.pw" />
                 <data android:pathPattern="/redirect-connector.*" />
             </intent-filter>
+
+            <!-- Handle Credential Exchange transfer requests -->
+            <intent-filter
+                android:autoVerify="true"
+                tools:ignore="AppLinkUrlError">
+                <action android:name="androidx.identitycredentials.action.IMPORT_CREDENTIALS" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <data
+                    android:mimeType="application/octet-stream"
+                    android:scheme="content"
+                    tools:ignore="AppLinkUriRelativeFilterGroupError" />
+            </intent-filter>
         </activity>
     </application>
 

app/src/main/AndroidManifest.xml

@@ -115,11 +115,11 @@
             android:theme="@android:style/Theme.NoDisplay" />
 
         <activity
-            android:name=".AutofillTotpCopyActivity"
+            android:name=".AutofillCallbackActivity"
             android:exported="true"
             android:launchMode="singleTop"
             android:noHistory="true"
-            android:theme="@style/AutofillTotpCopyTheme" />
+            android:theme="@style/AutofillCallbackTheme" />
 
         <activity
             android:name=".AuthCallbackActivity"
@@ -133,16 +133,6 @@
                 <category android:name="android.intent.category.DEFAULT" />
                 <category android:name="android.intent.category.BROWSABLE" />
 
-                <data
-                    android:host="captcha-callback"
-                    android:scheme="bitwarden" />
-            </intent-filter>
-            <intent-filter>
-                <action android:name="android.intent.action.VIEW" />
-
-                <category android:name="android.intent.category.DEFAULT" />
-                <category android:name="android.intent.category.BROWSABLE" />
-
                 <data
                     android:host="duo-callback"
                     android:scheme="bitwarden" />
@@ -259,7 +249,7 @@
             android:name="com.x8bit.bitwarden.AutofillTileService"
             android:exported="true"
             android:icon="@drawable/ic_notification"
-            android:label="@string/autofill"
+            android:label="@string/autofill_title"
             android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
             tools:ignore="MissingClass">
             <intent-filter>

app/src/main/kotlin/com/x8bit/bitwarden/AuthCallbackViewModel.kt

@@ -3,7 +3,6 @@ package com.x8bit.bitwarden
 import android.content.Intent
 import com.bitwarden.ui.platform.base.BaseViewModel
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
-import com.x8bit.bitwarden.data.auth.repository.util.getCaptchaCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.getDuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.getSsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.getWebAuthResultOrNull
@@ -27,7 +26,6 @@ class AuthCallbackViewModel @Inject constructor(
     private fun handleIntentReceived(action: AuthCallbackAction.IntentReceive) {
         val yubiKeyResult = action.intent.getYubiKeyResultOrNull()
         val webAuthResult = action.intent.getWebAuthResultOrNull()
-        val captchaCallbackTokenResult = action.intent.getCaptchaCallbackTokenResult()
         val duoCallbackTokenResult = action.intent.getDuoCallbackTokenResult()
         val ssoCallbackResult = action.intent.getSsoCallbackResult()
         when {
@@ -35,12 +33,6 @@ class AuthCallbackViewModel @Inject constructor(
                 authRepository.setYubiKeyResult(yubiKeyResult = yubiKeyResult)
             }
 
-            captchaCallbackTokenResult != null -> {
-                authRepository.setCaptchaCallbackTokenResult(
-                    tokenResult = captchaCallbackTokenResult,
-                )
-            }
-
             duoCallbackTokenResult != null -> {
                 authRepository.setDuoCallbackTokenResult(
                     tokenResult = duoCallbackTokenResult,

app/src/main/kotlin/com/x8bit/bitwarden/AutofillCallbackActivity.kt

@@ -15,18 +15,18 @@ import kotlinx.coroutines.flow.onEach
 import javax.inject.Inject
 
 /**
- * An activity for copying a TOTP code to the clipboard. This is done when an autofill item is
- * selected and it requires TOTP authentication. Due to the constraints of the autofill framework,
- * we also have to re-fulfill the autofill for the views that are being filled.
+ * An activity that is launched to complete Autofill. This is done when an autofill item is selected
+ * and is associated with a valid cipher. Due to the constraints of the autofill framework, we also
+ * have to re-fulfill the autofill for the views that are being filled.
  */
 @OmitFromCoverage
 @AndroidEntryPoint
-class AutofillTotpCopyActivity : AppCompatActivity() {
+class AutofillCallbackActivity : AppCompatActivity() {
 
     @Inject
     lateinit var autofillCompletionManager: AutofillCompletionManager
 
-    private val autofillTotpCopyViewModel: AutofillTotpCopyViewModel by viewModels()
+    private val viewModel: AutofillCallbackViewModel by viewModels()
 
     override fun onCreate(savedInstanceState: Bundle?) {
         intent = intent.validate()
@@ -34,11 +34,7 @@ class AutofillTotpCopyActivity : AppCompatActivity() {
 
         observeViewModelEvents()
 
-        autofillTotpCopyViewModel.trySendAction(
-            AutofillTotpCopyAction.IntentReceived(
-                intent = intent,
-            ),
-        )
+        viewModel.trySendAction(AutofillCallbackAction.IntentReceived(intent = intent))
     }
 
     override fun onNewIntent(intent: Intent) {
@@ -50,17 +46,12 @@ class AutofillTotpCopyActivity : AppCompatActivity() {
     }
 
     private fun observeViewModelEvents() {
-        autofillTotpCopyViewModel
+        viewModel
             .eventFlow
             .onEach { event ->
                 when (event) {
-                    is AutofillTotpCopyEvent.CompleteAutofill -> {
-                        handleCompleteAutofill(event)
-                    }
-
-                    is AutofillTotpCopyEvent.FinishActivity -> {
-                        finishActivity()
-                    }
+                    is AutofillCallbackEvent.CompleteAutofill -> handleCompleteAutofill(event)
+                    is AutofillCallbackEvent.FinishActivity -> finishActivity()
                 }
             }
             .launchIn(lifecycleScope)
@@ -69,7 +60,7 @@ class AutofillTotpCopyActivity : AppCompatActivity() {
     /**
      * Complete autofill with the provided data.
      */
-    private fun handleCompleteAutofill(event: AutofillTotpCopyEvent.CompleteAutofill) {
+    private fun handleCompleteAutofill(event: AutofillCallbackEvent.CompleteAutofill) {
         autofillCompletionManager.completeAutofill(
             activity = this,
             cipherView = event.cipherView,

app/src/main/kotlin/com/x8bit/bitwarden/AutofillCallbackViewModel.kt

@@ -5,7 +5,7 @@ import androidx.lifecycle.viewModelScope
 import com.bitwarden.ui.platform.base.BaseViewModel
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
-import com.x8bit.bitwarden.data.autofill.util.getTotpCopyIntentOrNull
+import com.x8bit.bitwarden.data.autofill.util.getAutofillCallbackIntentOrNull
 import com.x8bit.bitwarden.data.platform.util.launchWithTimeout
 import com.x8bit.bitwarden.data.vault.manager.model.GetCipherResult
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
@@ -13,6 +13,7 @@ import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.util.statusFor
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.flow.first
+import timber.log.Timber
 import javax.inject.Inject
 
 /**
@@ -21,45 +22,63 @@ import javax.inject.Inject
 private const val CIPHER_WAIT_TIMEOUT_MILLIS: Long = 500
 
 /**
- * A view model that handles logic for the [AutofillTotpCopyActivity].
+ * A view model that handles logic for the [AutofillCallbackActivity].
  */
 @HiltViewModel
-class AutofillTotpCopyViewModel @Inject constructor(
+class AutofillCallbackViewModel @Inject constructor(
     private val authRepository: AuthRepository,
     private val vaultRepository: VaultRepository,
-) : BaseViewModel<Unit, AutofillTotpCopyEvent, AutofillTotpCopyAction>(Unit) {
+) : BaseViewModel<Unit, AutofillCallbackEvent, AutofillCallbackAction>(Unit) {
     private val activeUserId: String? get() = authRepository.activeUserId
 
-    override fun handleAction(action: AutofillTotpCopyAction): Unit = when (action) {
-        is AutofillTotpCopyAction.IntentReceived -> handleIntentReceived(action)
+    override fun handleAction(action: AutofillCallbackAction): Unit = when (action) {
+        is AutofillCallbackAction.IntentReceived -> handleIntentReceived(action)
     }
 
     /**
      * Process the received intent and alert the activity of what to do next.
      */
-    private fun handleIntentReceived(action: AutofillTotpCopyAction.IntentReceived) {
+    private fun handleIntentReceived(action: AutofillCallbackAction.IntentReceived) {
         viewModelScope
             .launchWithTimeout(
-                timeoutBlock = { finishActivity() },
+                timeoutBlock = {
+                    Timber.w("Autofill -- Timeout")
+                    finishActivity()
+                },
                 timeoutDuration = CIPHER_WAIT_TIMEOUT_MILLIS,
             ) {
                 // Extract TOTP copy data from the intent.
                 val cipherId = action
                     .intent
-                    .getTotpCopyIntentOrNull()
+                    .getAutofillCallbackIntentOrNull()
                     ?.cipherId
 
-                if (cipherId == null || isVaultLocked()) {
+                if (cipherId == null) {
+                    Timber.w("Autofill -- Cipher was not provided")
+                    finishActivity()
+                    return@launchWithTimeout
+                }
+                if (isVaultLocked()) {
+                    Timber.w("Autofill -- Vault is locked")
                     finishActivity()
                     return@launchWithTimeout
                 }
 
                 // Try and find the matching cipher.
                 when (val result = vaultRepository.getCipher(cipherId = cipherId)) {
-                    GetCipherResult.CipherNotFound -> finishActivity()
-                    is GetCipherResult.Failure -> finishActivity()
+                    GetCipherResult.CipherNotFound -> {
+                        Timber.w("Autofill -- Cipher not found")
+                        finishActivity()
+                    }
+
+                    is GetCipherResult.Failure -> {
+                        Timber.w(result.error, "Autofill -- Get cipher failure")
+                        finishActivity()
+                    }
+
                     is GetCipherResult.Success -> {
-                        sendEvent(AutofillTotpCopyEvent.CompleteAutofill(result.cipherView))
+                        Timber.d("Autofill -- Cipher found")
+                        sendEvent(AutofillCallbackEvent.CompleteAutofill(result.cipherView))
                     }
                 }
             }
@@ -69,7 +88,7 @@ class AutofillTotpCopyViewModel @Inject constructor(
      * Send an event to the activity that signals it to finish.
      */
     private fun finishActivity() {
-        sendEvent(AutofillTotpCopyEvent.FinishActivity)
+        sendEvent(AutofillCallbackEvent.FinishActivity)
     }
 
     private suspend fun isVaultLocked(): Boolean {
@@ -86,30 +105,30 @@ class AutofillTotpCopyViewModel @Inject constructor(
 }
 
 /**
- * Represents actions that can be sent to the [AutofillTotpCopyViewModel].
+ * Represents actions that can be sent to the [AutofillCallbackViewModel].
  */
-sealed class AutofillTotpCopyAction {
+sealed class AutofillCallbackAction {
     /**
      * An [intent] has been received and is ready to be processed.
      */
     data class IntentReceived(
         val intent: Intent,
-    ) : AutofillTotpCopyAction()
+    ) : AutofillCallbackAction()
 }
 
 /**
- * Represents events emitted by the [AutofillTotpCopyViewModel].
+ * Represents events emitted by the [AutofillCallbackViewModel].
  */
-sealed class AutofillTotpCopyEvent {
+sealed class AutofillCallbackEvent {
     /**
      * Complete autofill with the provided [cipherView].
      */
     data class CompleteAutofill(
         val cipherView: CipherView,
-    ) : AutofillTotpCopyEvent()
+    ) : AutofillCallbackEvent()
 
     /**
      * Finish the activity.
      */
-    data object FinishActivity : AutofillTotpCopyEvent()
+    data object FinishActivity : AutofillCallbackEvent()
 }

app/src/main/kotlin/com/x8bit/bitwarden/BitwardenApplication.kt

@@ -8,6 +8,7 @@ import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConfigManager
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManager
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import dagger.hilt.android.HiltAndroidApp
 import timber.log.Timber
 import javax.inject.Inject
@@ -38,6 +39,17 @@ class BitwardenApplication : Application() {
     @Inject
     lateinit var restrictionManager: RestrictionManager
 
+    @Inject
+    lateinit var environmentRepository: EnvironmentRepository
+
+    override fun onCreate() {
+        super.onCreate()
+        // These must be initialized in order to ensure that the restrictionManager does not
+        // override the environmentRepository values.
+        restrictionManager.initialize()
+        environmentRepository.initialize()
+    }
+
     override fun onLowMemory() {
         super.onLowMemory()
         Timber.w("onLowMemory")

app/src/main/kotlin/com/x8bit/bitwarden/MainActivity.kt

@@ -7,7 +7,6 @@ import android.os.Bundle
 import android.view.KeyEvent
 import android.view.MotionEvent
 import android.view.WindowManager
-import android.widget.Toast
 import androidx.activity.compose.setContent
 import androidx.activity.viewModels
 import androidx.appcompat.app.AppCompatActivity
@@ -15,6 +14,7 @@ import androidx.appcompat.app.AppCompatDelegate
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.getValue
 import androidx.compose.runtime.remember
+import androidx.core.app.ActivityCompat
 import androidx.core.os.LocaleListCompat
 import androidx.core.splashscreen.SplashScreen.Companion.installSplashScreen
 import androidx.lifecycle.compose.collectAsStateWithLifecycle
@@ -183,12 +183,6 @@ class MainActivity : AppCompatActivity() {
                 is MainEvent.CompleteAutofill -> handleCompleteAutofill(event)
                 MainEvent.Recreate -> handleRecreate()
                 MainEvent.NavigateToDebugMenu -> navController.navigateToDebugMenuScreen()
-                is MainEvent.ShowToast -> {
-                    Toast
-                        .makeText(baseContext, event.message.invoke(resources), Toast.LENGTH_SHORT)
-                        .show()
-                }
-
                 is MainEvent.UpdateAppLocale -> {
                     AppCompatDelegate.setApplicationLocales(
                         LocaleListCompat.forLanguageTags(event.localeName),
@@ -221,7 +215,7 @@ class MainActivity : AppCompatActivity() {
     }
 
     private fun handleRecreate() {
-        recreate()
+        ActivityCompat.recreate(this)
     }
 
     private fun updateScreenCapture(isScreenCaptureAllowed: Boolean) {

app/src/main/kotlin/com/x8bit/bitwarden/MainViewModel.kt

@@ -4,11 +4,13 @@ import android.content.Intent
 import android.os.Parcelable
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.viewModelScope
+import com.bitwarden.core.data.manager.toast.ToastManager
+import com.bitwarden.cxf.model.ImportCredentialsRequestData
+import com.bitwarden.cxf.util.getProviderImportCredentialsRequest
 import com.bitwarden.ui.platform.base.BaseViewModel
 import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
+import com.bitwarden.ui.platform.manager.IntentManager
 import com.bitwarden.ui.platform.resource.BitwardenString
-import com.bitwarden.ui.util.Text
-import com.bitwarden.ui.util.asText
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.auth.manager.AddTotpItemFromAuthenticatorManager
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
@@ -36,7 +38,6 @@ import com.x8bit.bitwarden.data.platform.util.isAddTotpLoginItemFromAuthenticato
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
-import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import com.x8bit.bitwarden.ui.platform.model.FeatureFlagsState
 import com.x8bit.bitwarden.ui.platform.util.isAccountSecurityShortcut
 import com.x8bit.bitwarden.ui.platform.util.isMyVaultShortcut
@@ -44,12 +45,15 @@ import com.x8bit.bitwarden.ui.platform.util.isPasswordGeneratorShortcut
 import com.x8bit.bitwarden.ui.vault.model.TotpData
 import com.x8bit.bitwarden.ui.vault.util.getTotpDataOrNull
 import dagger.hilt.android.lifecycle.HiltViewModel
-import kotlinx.coroutines.delay
+import kotlinx.coroutines.FlowPreview
+import kotlinx.coroutines.flow.debounce
 import kotlinx.coroutines.flow.distinctUntilChanged
 import kotlinx.coroutines.flow.drop
+import kotlinx.coroutines.flow.filter
 import kotlinx.coroutines.flow.first
 import kotlinx.coroutines.flow.launchIn
 import kotlinx.coroutines.flow.map
+import kotlinx.coroutines.flow.merge
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.update
 import kotlinx.coroutines.launch
@@ -58,11 +62,12 @@ import java.time.Clock
 import javax.inject.Inject
 
 private const val SPECIAL_CIRCUMSTANCE_KEY = "special-circumstance"
-private const val ANIMATION_REFRESH_DELAY = 500L
+private const val ANIMATION_DEBOUNCE_DELAY_MS = 500L
 
 /**
  * A view model that helps launch actions for the [MainActivity].
  */
+@OptIn(FlowPreview::class)
 @Suppress("LongParameterList", "TooManyFunctions")
 @HiltViewModel
 class MainViewModel @Inject constructor(
@@ -80,6 +85,7 @@ class MainViewModel @Inject constructor(
     private val savedStateHandle: SavedStateHandle,
     private val appResumeManager: AppResumeManager,
     private val clock: Clock,
+    private val toastManager: ToastManager,
 ) : BaseViewModel<MainState, MainEvent, MainAction>(
     initialState = MainState(
         theme = settingsRepository.appTheme,
@@ -135,36 +141,23 @@ class MainViewModel @Inject constructor(
             .onEach(::trySendAction)
             .launchIn(viewModelScope)
 
-        authRepository
-            .userStateFlow
-            .drop(count = 1)
-            // Trigger an action whenever the current user changes or we go into/out of a pending
-            // account state (which acts like switching to a temporary user).
-            .map { it?.activeUserId to it?.hasPendingAccountAddition }
-            .distinctUntilChanged()
-            .onEach {
-                // Switching between account states often involves some kind of animation (ex:
-                // account switcher) that we might want to give time to finish before triggering
-                // a refresh.
-                delay(ANIMATION_REFRESH_DELAY)
-                trySendAction(MainAction.Internal.CurrentUserStateChange)
-            }
-            .launchIn(viewModelScope)
-
-        vaultRepository
-            .vaultStateEventFlow
-            .onEach {
-                when (it) {
-                    is VaultStateEvent.Locked -> {
-                        // Similar to account switching, triggering this action too soon can
-                        // interfere with animations or navigation logic, so we will delay slightly.
-                        delay(ANIMATION_REFRESH_DELAY)
-                        trySendAction(MainAction.Internal.VaultUnlockStateChange)
-                    }
-
-                    is VaultStateEvent.Unlocked -> Unit
-                }
-            }
+        merge(
+            authRepository
+                .userStateFlow
+                .drop(count = 1)
+                // Trigger an action whenever the current user changes or we go into/out of a
+                // pending account state (which acts like switching to a temporary user).
+                .map { it?.activeUserId to it?.hasPendingAccountAddition }
+                .distinctUntilChanged(),
+            vaultRepository
+                .vaultStateEventFlow
+                .filter { it is VaultStateEvent.Locked },
+        )
+            // This debounce ensure we do not emit multiple times rapidly and also acts as a short
+            // delay to give animations time to finish (ex: account switcher).
+            .debounce(timeoutMillis = ANIMATION_DEBOUNCE_DELAY_MS)
+            .map { MainAction.Internal.CurrentUserOrVaultStateChange }
+            .onEach(::sendAction)
             .launchIn(viewModelScope)
 
         // On app launch, mark all active users as having previously logged in.
@@ -202,10 +195,12 @@ class MainViewModel @Inject constructor(
                 handleAutofillSelectionReceive(action)
             }
 
-            is MainAction.Internal.CurrentUserStateChange -> handleCurrentUserStateChange()
+            is MainAction.Internal.CurrentUserOrVaultStateChange -> {
+                handleCurrentUserOrVaultStateChange()
+            }
+
             is MainAction.Internal.ScreenCaptureUpdate -> handleScreenCaptureUpdate(action)
             is MainAction.Internal.ThemeUpdate -> handleAppThemeUpdated(action)
-            is MainAction.Internal.VaultUnlockStateChange -> handleVaultUnlockStateChange()
             is MainAction.Internal.DynamicColorsUpdate -> handleDynamicColorsUpdate(action)
         }
     }
@@ -239,8 +234,9 @@ class MainViewModel @Inject constructor(
         sendEvent(MainEvent.CompleteAutofill(cipherView = action.cipherView))
     }
 
-    private fun handleCurrentUserStateChange() {
-        recreateUiAndGarbageCollect()
+    private fun handleCurrentUserOrVaultStateChange() {
+        sendEvent(MainEvent.Recreate)
+        garbageCollectionManager.tryCollect()
     }
 
     private fun handleScreenCaptureUpdate(action: MainAction.Internal.ScreenCaptureUpdate) {
@@ -252,10 +248,6 @@ class MainViewModel @Inject constructor(
         sendEvent(MainEvent.UpdateAppTheme(osTheme = action.theme.osValue))
     }
 
-    private fun handleVaultUnlockStateChange() {
-        recreateUiAndGarbageCollect()
-    }
-
     private fun handleDynamicColorsUpdate(action: MainAction.Internal.DynamicColorsUpdate) {
         mutableStateFlow.update { it.copy(isDynamicColorsEnabled = action.isDynamicColorsEnabled) }
     }
@@ -305,6 +297,7 @@ class MainViewModel @Inject constructor(
         val getCredentialsRequest = intent.getGetCredentialsRequestOrNull()
         val fido2AssertCredentialRequest = intent.getFido2AssertionRequestOrNull()
         val providerGetPasswordRequest = intent.getProviderGetPasswordRequestOrNull()
+        val importCredentialsRequest = intent.getProviderImportCredentialsRequest()
         when {
             passwordlessRequestData != null -> {
                 authRepository.activeUserId?.let {
@@ -428,12 +421,17 @@ class MainViewModel @Inject constructor(
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.AccountSecurityShortcut
             }
-        }
-    }
 
-    private fun recreateUiAndGarbageCollect() {
-        sendEvent(MainEvent.Recreate)
-        garbageCollectionManager.tryCollect()
+            importCredentialsRequest != null -> {
+                specialCircumstanceManager.specialCircumstance =
+                    SpecialCircumstance.CredentialExchangeExport(
+                        data = ImportCredentialsRequestData(
+                            uri = importCredentialsRequest.uri,
+                            requestJson = importCredentialsRequest.request.requestJson,
+                        ),
+                    )
+            }
+        }
     }
 
     private fun handleCompleteRegistrationData(data: CompleteRegistrationData) {
@@ -448,16 +446,15 @@ class MainViewModel @Inject constructor(
             )
             when (emailTokenResult) {
                 is EmailTokenResult.Error -> {
-                    sendEvent(
-                        MainEvent.ShowToast(
-                            message = emailTokenResult
-                                .message
-                                ?.asText()
-                                ?: BitwardenString
-                                    .there_was_an_issue_validating_the_registration_token
-                                    .asText(),
-                        ),
-                    )
+                    emailTokenResult
+                        .message
+                        ?.let { toastManager.show(message = it) }
+                        ?: run {
+                            toastManager.show(
+                                messageId = BitwardenString
+                                    .there_was_an_issue_validating_the_registration_token,
+                            )
+                        }
                 }
 
                 EmailTokenResult.Expired -> {
@@ -547,9 +544,9 @@ sealed class MainAction {
         ) : Internal()
 
         /**
-         * Indicates a relevant change in the current user state.
+         * Indicates a relevant change in the current user state or vault locked state.
          */
-        data object CurrentUserStateChange : Internal()
+        data object CurrentUserOrVaultStateChange : Internal()
 
         /**
          * Indicates that the screen capture state has changed.
@@ -565,11 +562,6 @@ sealed class MainAction {
             val theme: AppTheme,
         ) : Internal()
 
-        /**
-         * Indicates a relevant change in the current vault lock state.
-         */
-        data object VaultUnlockStateChange : Internal()
-
         /**
          * Indicates that the dynamic colors state has changed.
          */
@@ -605,11 +597,6 @@ sealed class MainEvent {
      */
     data object NavigateToDebugMenu : MainEvent()
 
-    /**
-     * Show a toast with the given [message].
-     */
-    data class ShowToast(val message: Text) : MainEvent()
-
     /**
      * Indicates that the app language has been updated.
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk
 
+import com.bitwarden.network.model.AccountKeysJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.provider.AppIdProvider
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
@@ -126,13 +127,34 @@ interface AuthDiskSource : AppIdProvider {
     /**
      * Retrieves a private key using a [userId].
      */
+    @Deprecated(
+        message = "Use getAccountKeys instead.",
+        replaceWith = ReplaceWith("getAccountKeys"),
+    )
     fun getPrivateKey(userId: String): String?
 
     /**
      * Stores a private key using a [userId].
      */
+    @Deprecated(
+        message = "Use storeAccountKeys instead.",
+        replaceWith = ReplaceWith("storeAccountKeys"),
+    )
     fun storePrivateKey(userId: String, privateKey: String?)
 
+    /**
+     * Returns the profile account keys for the given [userId].
+     */
+    fun getAccountKeys(userId: String): AccountKeysJson?
+
+    /**
+     * Stores the profile account keys for the given [userId].
+     */
+    fun storeAccountKeys(
+        userId: String,
+        accountKeys: AccountKeysJson?,
+    )
+
     /**
      * Retrieves a user auto-unlock key for the given [userId].
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt

@@ -4,6 +4,7 @@ import android.content.SharedPreferences
 import com.bitwarden.core.data.repository.util.bufferedMutableSharedFlow
 import com.bitwarden.core.data.util.decodeFromStringOrNull
 import com.bitwarden.data.datasource.disk.BaseEncryptedDiskSource
+import com.bitwarden.network.model.AccountKeysJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
@@ -48,6 +49,7 @@ private const val USES_KEY_CONNECTOR = "usesKeyConnector"
 private const val ONBOARDING_STATUS_KEY = "onboardingStatus"
 private const val SHOW_IMPORT_LOGINS_KEY = "showImportLogins"
 private const val LAST_LOCK_TIMESTAMP = "lastLockTimestamp"
+private const val PROFILE_ACCOUNT_KEYS_KEY = "profileAccountKeys"
 
 /**
  * Primary implementation of [AuthDiskSource].
@@ -142,6 +144,7 @@ class AuthDiskSourceImpl(
         storePinProtectedUserKey(userId = userId, pinProtectedUserKey = null)
         storeEncryptedPin(userId = userId, encryptedPin = null)
         storePrivateKey(userId = userId, privateKey = null)
+        storeAccountKeys(userId = userId, accountKeys = null)
         storeOrganizationKeys(userId = userId, organizationKeys = null)
         storeOrganizations(userId = userId, organizations = null)
         storeUserBiometricInitVector(userId = userId, iv = null)
@@ -228,9 +231,11 @@ class AuthDiskSourceImpl(
         )
     }
 
+    @Deprecated("Use getAccountKeys instead.", replaceWith = ReplaceWith("getAccountKeys"))
     override fun getPrivateKey(userId: String): String? =
         getString(key = MASTER_KEY_ENCRYPTION_PRIVATE_KEY.appendIdentifier(userId))
 
+    @Deprecated("Use storeAccountKeys instead.", replaceWith = ReplaceWith("storeAccountKeys"))
     override fun storePrivateKey(userId: String, privateKey: String?) {
         putString(
             key = MASTER_KEY_ENCRYPTION_PRIVATE_KEY.appendIdentifier(userId),
@@ -238,6 +243,20 @@ class AuthDiskSourceImpl(
         )
     }
 
+    override fun getAccountKeys(userId: String): AccountKeysJson? =
+        getEncryptedString(key = PROFILE_ACCOUNT_KEYS_KEY.appendIdentifier(userId))
+            ?.let { json.decodeFromStringOrNull(it) }
+
+    override fun storeAccountKeys(
+        userId: String,
+        accountKeys: AccountKeysJson?,
+    ) {
+        putEncryptedString(
+            key = PROFILE_ACCOUNT_KEYS_KEY.appendIdentifier(userId),
+            value = accountKeys?.let { json.encodeToString(it) },
+        )
+    }
+
     override fun getUserAutoUnlockKey(userId: String): String? =
         getEncryptedString(
             key = USER_AUTO_UNLOCK_KEY_KEY.appendIdentifier(userId),

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountTokensJson.kt

@@ -2,12 +2,14 @@ package com.x8bit.bitwarden.data.auth.datasource.disk.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import java.time.Instant
 
 /**
  * Container for the user's API tokens.
  *
  * @property accessToken The user's primary access token.
  * @property refreshToken The user's refresh token.
+ * @property expiresAtSec The time at which the token expires in epoch seconds.
  */
 @Serializable
 data class AccountTokensJson(
@@ -16,6 +18,9 @@ data class AccountTokensJson(
 
     @SerialName("refreshToken")
     val refreshToken: String?,
+
+    @SerialName("expiresAtSec")
+    val expiresAtSec: Long = Instant.MAX.epochSecond,
 ) {
     /**
      * Returns `true` if the user is logged in, `false otherwise.

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/model/OnboardingStatus.kt

@@ -27,6 +27,12 @@ enum class OnboardingStatus {
     @SerialName("autofillSetup")
     AUTOFILL_SETUP,
 
+    /**
+     * The user is completing the browser autofill service setup.
+     */
+    @SerialName("browserAutofillSetup")
+    BROWSER_AUTOFILL_SETUP,
+
     /**
      * The user is completing the final step of the onboarding process.
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/AuthRequestNotificationManagerImpl.kt

@@ -8,12 +8,12 @@ import androidx.core.app.NotificationChannelCompat
 import androidx.core.app.NotificationCompat
 import androidx.core.app.NotificationManagerCompat
 import com.bitwarden.annotation.OmitFromCoverage
+import com.bitwarden.core.util.toPendingIntentMutabilityFlag
 import com.bitwarden.data.manager.DispatcherManager
 import com.bitwarden.ui.platform.resource.BitwardenDrawable
 import com.bitwarden.ui.platform.resource.BitwardenString
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.util.createPasswordlessRequestDataIntent
-import com.x8bit.bitwarden.data.autofill.util.toPendingIntentMutabilityFlag
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.model.PasswordlessRequestData
 import kotlinx.coroutines.CoroutineScope

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/AuthTokenManagerImpl.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.manager
 
+import com.bitwarden.network.model.AuthTokenData
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 
 /**
@@ -9,9 +10,19 @@ class AuthTokenManagerImpl(
     private val authDiskSource: AuthDiskSource,
 ) : AuthTokenManager {
 
-    override fun getActiveAccessTokenOrNull(): String? = authDiskSource
+    override fun getAuthTokenDataOrNull(): AuthTokenData? = authDiskSource
         .userState
         ?.activeUserId
-        ?.let { authDiskSource.getAccountTokens(it) }
-        ?.accessToken
+        ?.let { userId ->
+            authDiskSource
+                .getAccountTokens(userId = userId)
+                ?.takeIf { it.accessToken != null }
+                ?.let {
+                    AuthTokenData(
+                        userId = userId,
+                        accessToken = requireNotNull(it.accessToken),
+                        expiresAtSec = it.expiresAtSec,
+                    )
+                }
+        }
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserStateManager.kt

@@ -0,0 +1,43 @@
+package com.x8bit.bitwarden.data.auth.manager
+
+import com.x8bit.bitwarden.data.auth.repository.model.UserState
+import kotlinx.coroutines.flow.StateFlow
+
+/**
+ * Manages the global state of all users.
+ */
+interface UserStateManager {
+    /**
+     * Emits updates for changes to the [UserState].
+     */
+    val userStateFlow: StateFlow<UserState?>
+
+    /**
+     * Tracks whether there is an additional account that is pending login/registration in order to
+     * have multiple accounts available.
+     *
+     * This allows a direct view into and modification of [UserState.hasPendingAccountAddition].
+     * Note that this call has no effect when there is no [UserState] information available.
+     */
+    var hasPendingAccountAddition: Boolean
+
+    /**
+     * Emits updates for changes to the [UserState.hasPendingAccountAddition] flag.
+     */
+    val hasPendingAccountAdditionStateFlow: StateFlow<Boolean>
+
+    /**
+     * Tracks whether there is an account that is pending deletion in order to allow the account to
+     * remain active until the deletion is finalized.
+     */
+    var hasPendingAccountDeletion: Boolean
+
+    /**
+     * Run the given [block] while preventing any updates to [UserState]. This is useful in cases
+     * where many individual changes might occur that would normally affect the [UserState] but we
+     * only want a single final emission. In the rare case that multiple threads are running
+     * transactions simultaneously, there will be no [UserState] updates until the last
+     * transaction completes.
+     */
+    suspend fun <T> userStateTransaction(block: suspend () -> T): T
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserStateManagerImpl.kt

@@ -0,0 +1,162 @@
+package com.x8bit.bitwarden.data.auth.manager
+
+import com.bitwarden.data.manager.DispatcherManager
+import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
+import com.x8bit.bitwarden.data.auth.repository.model.UserAccountTokens
+import com.x8bit.bitwarden.data.auth.repository.model.UserKeyConnectorState
+import com.x8bit.bitwarden.data.auth.repository.model.UserOrganizations
+import com.x8bit.bitwarden.data.auth.repository.model.UserState
+import com.x8bit.bitwarden.data.auth.repository.model.VaultUnlockType
+import com.x8bit.bitwarden.data.auth.repository.util.currentOnboardingStatus
+import com.x8bit.bitwarden.data.auth.repository.util.onboardingStatusChangesFlow
+import com.x8bit.bitwarden.data.auth.repository.util.toUserState
+import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokens
+import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokensFlow
+import com.x8bit.bitwarden.data.auth.repository.util.userKeyConnectorStateFlow
+import com.x8bit.bitwarden.data.auth.repository.util.userKeyConnectorStateList
+import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsList
+import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsListFlow
+import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
+import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
+import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
+import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.flow.SharingStarted
+import kotlinx.coroutines.flow.StateFlow
+import kotlinx.coroutines.flow.combine
+import kotlinx.coroutines.flow.filterNot
+import kotlinx.coroutines.flow.merge
+import kotlinx.coroutines.flow.stateIn
+import kotlinx.coroutines.flow.update
+
+/**
+ * The default implementation of the [UserStateManager].
+ */
+class UserStateManagerImpl(
+    private val authDiskSource: AuthDiskSource,
+    firstTimeActionManager: FirstTimeActionManager,
+    vaultLockManager: VaultLockManager,
+    dispatcherManager: DispatcherManager,
+) : UserStateManager {
+    private val unconfinedScope = CoroutineScope(dispatcherManager.unconfined)
+
+    //region Pending Account Addition
+    private val mutableHasPendingAccountAdditionStateFlow = MutableStateFlow(value = false)
+
+    override val hasPendingAccountAdditionStateFlow: StateFlow<Boolean>
+        get() = mutableHasPendingAccountAdditionStateFlow
+
+    override var hasPendingAccountAddition: Boolean
+        by mutableHasPendingAccountAdditionStateFlow::value
+    //endregion Pending Account Addition
+
+    //region Pending Account Deletion
+    /**
+     * If there is a pending account deletion, continue showing the original UserState until it
+     * is confirmed. This is accomplished by blocking the emissions of the [userStateFlow]
+     * whenever set to `true`.
+     */
+    private val mutableHasPendingAccountDeletionStateFlow = MutableStateFlow(value = false)
+
+    override var hasPendingAccountDeletion: Boolean
+        by mutableHasPendingAccountDeletionStateFlow::value
+    //endregion Pending Account Deletion
+
+    /**
+     * Whenever a function needs to update multiple underlying data-points that contribute to the
+     * [UserState], we update this [MutableStateFlow] and continue to show the original `UserState`
+     * until the transaction is complete. This is accomplished by blocking the emissions of the
+     * [userStateFlow] whenever this is set to a value above 0 (a count is used if more than one
+     * process is updating data simultaneously).
+     */
+    private val mutableUserStateTransactionCountStateFlow = MutableStateFlow(0)
+
+    @Suppress("UNCHECKED_CAST", "MagicNumber")
+    override val userStateFlow: StateFlow<UserState?> = combine(
+        authDiskSource.userStateFlow,
+        authDiskSource.userAccountTokensFlow,
+        authDiskSource.userOrganizationsListFlow,
+        authDiskSource.userKeyConnectorStateFlow,
+        authDiskSource.onboardingStatusChangesFlow,
+        firstTimeActionManager.firstTimeStateFlow,
+        vaultLockManager.vaultUnlockDataStateFlow,
+        hasPendingAccountAdditionStateFlow,
+        // Ignore the data in the merge, but trigger an update when they emit.
+        merge(
+            mutableHasPendingAccountDeletionStateFlow,
+            mutableUserStateTransactionCountStateFlow,
+            vaultLockManager.isActiveUserUnlockingFlow,
+        ),
+    ) { array ->
+        val userStateJson = array[0] as UserStateJson?
+        val userAccountTokens = array[1] as List<UserAccountTokens>
+        val userOrganizationsList = array[2] as List<UserOrganizations>
+        val userIsUsingKeyConnectorList = array[3] as List<UserKeyConnectorState>
+        val onboardingStatus = array[4] as OnboardingStatus?
+        val firstTimeState = array[5] as FirstTimeState
+        val vaultState = array[6] as List<VaultUnlockData>
+        val hasPendingAccountAddition = array[7] as Boolean
+        userStateJson?.toUserState(
+            vaultState = vaultState,
+            userAccountTokens = userAccountTokens,
+            userOrganizationsList = userOrganizationsList,
+            userIsUsingKeyConnectorList = userIsUsingKeyConnectorList,
+            hasPendingAccountAddition = hasPendingAccountAddition,
+            onboardingStatus = onboardingStatus,
+            isBiometricsEnabledProvider = ::isBiometricsEnabled,
+            vaultUnlockTypeProvider = ::getVaultUnlockType,
+            isDeviceTrustedProvider = ::isDeviceTrusted,
+            firstTimeState = firstTimeState,
+        )
+    }
+        .filterNot {
+            mutableHasPendingAccountDeletionStateFlow.value ||
+                mutableUserStateTransactionCountStateFlow.value > 0 ||
+                vaultLockManager.isActiveUserUnlockingFlow.value
+        }
+        .stateIn(
+            scope = unconfinedScope,
+            started = SharingStarted.Eagerly,
+            initialValue = authDiskSource
+                .userState
+                ?.toUserState(
+                    vaultState = vaultLockManager.vaultUnlockDataStateFlow.value,
+                    userAccountTokens = authDiskSource.userAccountTokens,
+                    userOrganizationsList = authDiskSource.userOrganizationsList,
+                    userIsUsingKeyConnectorList = authDiskSource.userKeyConnectorStateList,
+                    hasPendingAccountAddition = mutableHasPendingAccountAdditionStateFlow.value,
+                    onboardingStatus = authDiskSource.currentOnboardingStatus,
+                    isBiometricsEnabledProvider = ::isBiometricsEnabled,
+                    vaultUnlockTypeProvider = ::getVaultUnlockType,
+                    isDeviceTrustedProvider = ::isDeviceTrusted,
+                    firstTimeState = firstTimeActionManager.currentOrDefaultUserFirstTimeState,
+                ),
+        )
+
+    override suspend fun <T> userStateTransaction(block: suspend () -> T): T {
+        mutableUserStateTransactionCountStateFlow.update { it.inc() }
+        return try {
+            block()
+        } finally {
+            mutableUserStateTransactionCountStateFlow.update { it.dec() }
+        }
+    }
+
+    private fun isBiometricsEnabled(
+        userId: String,
+    ): Boolean = authDiskSource.getUserBiometricUnlockKey(userId = userId) != null
+
+    private fun isDeviceTrusted(
+        userId: String,
+    ): Boolean = authDiskSource.getDeviceKey(userId = userId) != null
+
+    private fun getVaultUnlockType(
+        userId: String,
+    ): VaultUnlockType = authDiskSource
+        .getPinProtectedUserKey(userId = userId)
+        ?.let { VaultUnlockType.PIN }
+        ?: VaultUnlockType.MASTER_PASSWORD
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/util/TrustDeviceResponseExtensions.kt

@@ -26,6 +26,7 @@ fun TrustDeviceResponse.toUserStateJson(
             hasMasterPassword = false,
             trustedDeviceUserDecryptionOptions = null,
             keyConnectorUserDecryptionOptions = null,
+            masterPasswordUnlock = null,
         )
     val deviceOptions = decryptionOptions
         .trustedDeviceUserDecryptionOptions

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt

@@ -6,6 +6,7 @@ import com.bitwarden.network.model.TwoFactorDataModel
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
+import com.x8bit.bitwarden.data.auth.manager.UserStateManager
 import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
 import com.x8bit.bitwarden.data.auth.repository.model.DeleteAccountResult
@@ -27,12 +28,10 @@ import com.x8bit.bitwarden.data.auth.repository.model.ResetPasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.SendVerificationEmailResult
 import com.x8bit.bitwarden.data.auth.repository.model.SetPasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.SwitchAccountResult
-import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePinResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifiedOrganizationDomainSsoDetailsResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifyOtpResult
-import com.x8bit.bitwarden.data.auth.repository.util.CaptchaCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.DuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.SsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.WebAuthResult
@@ -45,23 +44,12 @@ import kotlinx.coroutines.flow.StateFlow
  * Provides an API for observing an modifying authentication state.
  */
 @Suppress("TooManyFunctions")
-interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
+interface AuthRepository : AuthenticatorProvider, AuthRequestManager, UserStateManager {
     /**
      * Models the current auth state.
      */
     val authStateFlow: StateFlow<AuthState>
 
-    /**
-     * Emits updates for changes to the [UserState].
-     */
-    val userStateFlow: StateFlow<UserState?>
-
-    /**
-     * Flow of the current [CaptchaCallbackTokenResult]. Subscribers should listen to the flow
-     * in order to receive updates whenever [setCaptchaCallbackTokenResult] is called.
-     */
-    val captchaTokenResultFlow: Flow<CaptchaCallbackTokenResult>
-
     /**
      * Flow of the current [DuoCallbackTokenResult]. Subscribers should listen to the flow
      * in order to receive updates whenever [setDuoCallbackTokenResult] is called.
@@ -117,15 +105,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
      */
     var shouldTrustDevice: Boolean
 
-    /**
-     * Tracks whether there is an additional account that is pending login/registration in order to
-     * have multiple accounts available.
-     *
-     * This allows a direct view into and modification of [UserState.hasPendingAccountAddition].
-     * Note that this call has no effect when there is no [UserState] information available.
-     */
-    var hasPendingAccountAddition: Boolean
-
     /**
      * Return the cached password policies for the current user.
      */
@@ -147,11 +126,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
      */
     val showWelcomeCarousel: Boolean
 
-    /**
-     * Clears the pending deletion state that occurs when the an account is successfully deleted.
-     */
-    fun clearPendingAccountDeletion()
-
     /**
      * Attempt to delete the current account using the [masterPassword] and log them out
      * upon success.
@@ -186,7 +160,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
     suspend fun login(
         email: String,
         password: String,
-        captchaToken: String?,
     ): LoginResult
 
     /**
@@ -201,7 +174,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         asymmetricalKey: String,
         requestPrivateKey: String,
         masterPasswordHash: String?,
-        captchaToken: String?,
     ): LoginResult
 
     /**
@@ -213,7 +185,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         email: String,
         password: String?,
         twoFactorData: TwoFactorDataModel,
-        captchaToken: String?,
         orgIdentifier: String?,
     ): LoginResult
 
@@ -226,7 +197,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         ssoCode: String,
         ssoCodeVerifier: String,
         ssoRedirectUri: String,
-        captchaToken: String?,
         organizationIdentifier: String,
     ): LoginResult
 
@@ -239,7 +209,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         email: String,
         password: String?,
         newDeviceOtp: String,
-        captchaToken: String?,
         orgIdentifier: String?,
     ): LoginResult
 
@@ -294,7 +263,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         masterPassword: String,
         masterPasswordHint: String?,
         emailVerificationToken: String? = null,
-        captchaToken: String?,
         shouldCheckDataBreaches: Boolean,
         isMasterPasswordStrong: Boolean,
     ): RegisterResult
@@ -332,11 +300,6 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         passwordHint: String?,
     ): SetPasswordResult
 
-    /**
-     * Set the value of [captchaTokenResultFlow].
-     */
-    fun setCaptchaCallbackTokenResult(tokenResult: CaptchaCallbackTokenResult)
-
     /**
      * Set the value of [duoTokenResultFlow].
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt

@@ -33,6 +33,8 @@ import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.TrustedDeviceUserDecryptionOptionsJson
 import com.bitwarden.network.model.TwoFactorAuthMethod
 import com.bitwarden.network.model.TwoFactorDataModel
+import com.bitwarden.network.model.VerificationCodeResponseJson
+import com.bitwarden.network.model.VerificationOtpResponseJson
 import com.bitwarden.network.model.VerifyEmailTokenRequestJson
 import com.bitwarden.network.model.VerifyEmailTokenResponseJson
 import com.bitwarden.network.service.AccountsService
@@ -46,7 +48,6 @@ import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
-import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.DeviceDataModel
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toInt
@@ -55,6 +56,7 @@ import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManager
 import com.x8bit.bitwarden.data.auth.manager.TrustedDeviceManager
 import com.x8bit.bitwarden.data.auth.manager.UserLogoutManager
+import com.x8bit.bitwarden.data.auth.manager.UserStateManager
 import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
 import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
@@ -77,51 +79,35 @@ import com.x8bit.bitwarden.data.auth.repository.model.ResetPasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.SendVerificationEmailResult
 import com.x8bit.bitwarden.data.auth.repository.model.SetPasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.SwitchAccountResult
-import com.x8bit.bitwarden.data.auth.repository.model.UserAccountTokens
-import com.x8bit.bitwarden.data.auth.repository.model.UserKeyConnectorState
-import com.x8bit.bitwarden.data.auth.repository.model.UserOrganizations
-import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePinResult
-import com.x8bit.bitwarden.data.auth.repository.model.VaultUnlockType
 import com.x8bit.bitwarden.data.auth.repository.model.VerifiedOrganizationDomainSsoDetailsResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifyOtpResult
 import com.x8bit.bitwarden.data.auth.repository.model.toLoginErrorResult
-import com.x8bit.bitwarden.data.auth.repository.util.CaptchaCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.DuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.SsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.WebAuthResult
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
-import com.x8bit.bitwarden.data.auth.repository.util.currentOnboardingStatus
-import com.x8bit.bitwarden.data.auth.repository.util.onboardingStatusChangesFlow
 import com.x8bit.bitwarden.data.auth.repository.util.policyInformation
 import com.x8bit.bitwarden.data.auth.repository.util.toRemovedPasswordUserStateJson
 import com.x8bit.bitwarden.data.auth.repository.util.toSdkParams
 import com.x8bit.bitwarden.data.auth.repository.util.toUserState
 import com.x8bit.bitwarden.data.auth.repository.util.toUserStateJsonWithPassword
-import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokens
-import com.x8bit.bitwarden.data.auth.repository.util.userAccountTokensFlow
-import com.x8bit.bitwarden.data.auth.repository.util.userKeyConnectorStateFlow
-import com.x8bit.bitwarden.data.auth.repository.util.userKeyConnectorStateList
-import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsList
-import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsListFlow
 import com.x8bit.bitwarden.data.auth.repository.util.userSwitchingChangesFlow
 import com.x8bit.bitwarden.data.auth.util.KdfParamsConstants.DEFAULT_PBKDF2_ITERATIONS
 import com.x8bit.bitwarden.data.auth.util.YubiKeyResult
 import com.x8bit.bitwarden.data.auth.util.toSdkParams
+import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.error.MissingPropertyException
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
-import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
-import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
 import com.x8bit.bitwarden.data.platform.manager.util.getActivePolicies
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
-import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockError
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
 import kotlinx.coroutines.CoroutineScope
@@ -129,13 +115,11 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.flow.Flow
-import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.SharingStarted
 import kotlinx.coroutines.flow.StateFlow
 import kotlinx.coroutines.flow.asSharedFlow
 import kotlinx.coroutines.flow.combine
 import kotlinx.coroutines.flow.filter
-import kotlinx.coroutines.flow.filterNot
 import kotlinx.coroutines.flow.flatMapLatest
 import kotlinx.coroutines.flow.flowOf
 import kotlinx.coroutines.flow.launchIn
@@ -145,7 +129,7 @@ import kotlinx.coroutines.flow.merge
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.receiveAsFlow
 import kotlinx.coroutines.flow.stateIn
-import kotlinx.coroutines.flow.update
+import java.time.Clock
 import javax.inject.Singleton
 
 /**
@@ -154,6 +138,7 @@ import javax.inject.Singleton
 @Suppress("LargeClass", "LongParameterList", "TooManyFunctions")
 @Singleton
 class AuthRepositoryImpl(
+    private val clock: Clock,
     private val accountsService: AccountsService,
     private val devicesService: DevicesService,
     private val haveIBeenPwnedService: HaveIBeenPwnedService,
@@ -162,6 +147,7 @@ class AuthRepositoryImpl(
     private val authSdkSource: AuthSdkSource,
     private val vaultSdkSource: VaultSdkSource,
     private val authDiskSource: AuthDiskSource,
+    private val settingsDiskSource: SettingsDiskSource,
     private val configDiskSource: ConfigDiskSource,
     private val environmentRepository: EnvironmentRepository,
     private val settingsRepository: SettingsRepository,
@@ -171,12 +157,13 @@ class AuthRepositoryImpl(
     private val trustedDeviceManager: TrustedDeviceManager,
     private val userLogoutManager: UserLogoutManager,
     private val policyManager: PolicyManager,
-    firstTimeActionManager: FirstTimeActionManager,
+    private val userStateManager: UserStateManager,
     logsManager: LogsManager,
     pushManager: PushManager,
     dispatcherManager: DispatcherManager,
 ) : AuthRepository,
-    AuthRequestManager by authRequestManager {
+    AuthRequestManager by authRequestManager,
+    UserStateManager by userStateManager {
     /**
      * A scope intended for use when simply collecting multiple flows in order to combine them. The
      * use of [Dispatchers.Unconfined] allows for this to happen synchronously whenever any of
@@ -189,24 +176,6 @@ class AuthRepositoryImpl(
      */
     private val ioScope = CoroutineScope(dispatcherManager.io)
 
-    private val mutableHasPendingAccountAdditionStateFlow = MutableStateFlow(false)
-
-    /**
-     * If there is a pending account deletion, continue showing the original UserState until it
-     * is confirmed. This is accomplished by blocking the emissions of the [userStateFlow]
-     * whenever set to `true`.
-     */
-    private val mutableHasPendingAccountDeletionStateFlow = MutableStateFlow(false)
-
-    /**
-     * Whenever a function needs to update multiple underlying data-points that contribute to the
-     * [UserState], we update this [MutableStateFlow] and continue to show the original `UserState`
-     * until the transaction is complete. This is accomplished by blocking the emissions of the
-     * [userStateFlow] whenever this is set to a value above 0 (a count is used if more than one
-     * process is updating data simultaneously).
-     */
-    private val mutableUserStateTransactionCountStateFlow = MutableStateFlow(0)
-
     /**
      * The auth information to make the identity token request will need to be
      * cached to make the request again in the case of two-factor authentication.
@@ -267,72 +236,6 @@ class AuthRepositoryImpl(
             initialValue = AuthState.Uninitialized,
         )
 
-    @Suppress("UNCHECKED_CAST", "MagicNumber")
-    override val userStateFlow: StateFlow<UserState?> = combine(
-        authDiskSource.userStateFlow,
-        authDiskSource.userAccountTokensFlow,
-        authDiskSource.userOrganizationsListFlow,
-        authDiskSource.userKeyConnectorStateFlow,
-        authDiskSource.onboardingStatusChangesFlow,
-        firstTimeActionManager.firstTimeStateFlow,
-        vaultRepository.vaultUnlockDataStateFlow,
-        mutableHasPendingAccountAdditionStateFlow,
-        // Ignore the data in the merge, but trigger an update when they emit.
-        merge(
-            mutableHasPendingAccountDeletionStateFlow,
-            mutableUserStateTransactionCountStateFlow,
-            vaultRepository.isActiveUserUnlockingFlow,
-        ),
-    ) { array ->
-        val userStateJson = array[0] as UserStateJson?
-        val userAccountTokens = array[1] as List<UserAccountTokens>
-        val userOrganizationsList = array[2] as List<UserOrganizations>
-        val userIsUsingKeyConnectorList = array[3] as List<UserKeyConnectorState>
-        val onboardingStatus = array[4] as OnboardingStatus?
-        val firstTimeState = array[5] as FirstTimeState
-        val vaultState = array[6] as List<VaultUnlockData>
-        val hasPendingAccountAddition = array[7] as Boolean
-        userStateJson?.toUserState(
-            vaultState = vaultState,
-            userAccountTokens = userAccountTokens,
-            userOrganizationsList = userOrganizationsList,
-            userIsUsingKeyConnectorList = userIsUsingKeyConnectorList,
-            hasPendingAccountAddition = hasPendingAccountAddition,
-            onboardingStatus = onboardingStatus,
-            isBiometricsEnabledProvider = ::isBiometricsEnabled,
-            vaultUnlockTypeProvider = ::getVaultUnlockType,
-            isDeviceTrustedProvider = ::isDeviceTrusted,
-            firstTimeState = firstTimeState,
-        )
-    }
-        .filterNot {
-            mutableHasPendingAccountDeletionStateFlow.value ||
-                mutableUserStateTransactionCountStateFlow.value > 0 ||
-                vaultRepository.isActiveUserUnlockingFlow.value
-        }
-        .stateIn(
-            scope = unconfinedScope,
-            started = SharingStarted.Eagerly,
-            initialValue = authDiskSource
-                .userState
-                ?.toUserState(
-                    vaultState = vaultRepository.vaultUnlockDataStateFlow.value,
-                    userAccountTokens = authDiskSource.userAccountTokens,
-                    userOrganizationsList = authDiskSource.userOrganizationsList,
-                    userIsUsingKeyConnectorList = authDiskSource.userKeyConnectorStateList,
-                    hasPendingAccountAddition = mutableHasPendingAccountAdditionStateFlow.value,
-                    onboardingStatus = authDiskSource.currentOnboardingStatus,
-                    isBiometricsEnabledProvider = ::isBiometricsEnabled,
-                    vaultUnlockTypeProvider = ::getVaultUnlockType,
-                    isDeviceTrustedProvider = ::isDeviceTrusted,
-                    firstTimeState = firstTimeActionManager.currentOrDefaultUserFirstTimeState,
-                ),
-        )
-
-    private val captchaTokenChannel = Channel<CaptchaCallbackTokenResult>(capacity = Int.MAX_VALUE)
-    override val captchaTokenResultFlow: Flow<CaptchaCallbackTokenResult> =
-        captchaTokenChannel.receiveAsFlow()
-
     private val duoTokenChannel = Channel<DuoCallbackTokenResult>(capacity = Int.MAX_VALUE)
     override val duoTokenResultFlow: Flow<DuoCallbackTokenResult> = duoTokenChannel.receiveAsFlow()
 
@@ -361,9 +264,6 @@ class AuthRepositoryImpl(
             }
         }
 
-    override var hasPendingAccountAddition: Boolean
-        by mutableHasPendingAccountAdditionStateFlow::value
-
     override val passwordPolicies: List<PolicyInformation.MasterPassword>
         get() = policyManager.getActivePolicies()
 
@@ -382,7 +282,7 @@ class AuthRepositoryImpl(
 
     init {
         combine(
-            mutableHasPendingAccountAdditionStateFlow,
+            userStateManager.hasPendingAccountAdditionStateFlow,
             authDiskSource.userStateFlow,
             environmentRepository.environmentStateFlow,
         ) { hasPendingAddition, userState, environment ->
@@ -401,14 +301,16 @@ class AuthRepositoryImpl(
             .launchIn(unconfinedScope)
         pushManager
             .syncOrgKeysFlow
-            .onEach {
-                val userId = activeUserId ?: return@onEach
-                // TODO: [PM-20593] Investigate why tokens are explicitly refreshed.
-                refreshAccessTokenSynchronouslyInternal(
-                    userId = userId,
-                    logOutOnFailure = false,
-                )
-                vaultRepository.sync(forced = true)
+            .onEach { userId ->
+                if (userId == activeUserId) {
+                    // TODO: [PM-20593] Investigate why tokens are explicitly refreshed.
+                    refreshAccessTokenSynchronously(userId = userId)
+                    // We just sync now to get the latest data
+                    vaultRepository.sync(forced = true)
+                } else {
+                    // We clear the last sync time to ensure we sync when we become the active user
+                    settingsDiskSource.storeLastSyncTime(userId = userId, lastSyncTime = null)
+                }
             }
             // This requires the ioScope to ensure that refreshAccessTokenSynchronously
             // happens on a background thread
@@ -466,16 +368,12 @@ class AuthRepositoryImpl(
             .launchIn(unconfinedScope)
     }
 
-    override fun clearPendingAccountDeletion() {
-        mutableHasPendingAccountDeletionStateFlow.value = false
-    }
-
     override suspend fun deleteAccountWithMasterPassword(
         masterPassword: String,
     ): DeleteAccountResult {
         val profile = authDiskSource.userState?.activeAccount?.profile
             ?: return DeleteAccountResult.Error(message = null, error = NoActiveUserException())
-        mutableHasPendingAccountDeletionStateFlow.value = true
+        userStateManager.hasPendingAccountDeletion = true
         return authSdkSource
             .hashPassword(
                 email = profile.email,
@@ -495,7 +393,7 @@ class AuthRepositoryImpl(
     override suspend fun deleteAccountWithOneTimePassword(
         oneTimePassword: String,
     ): DeleteAccountResult {
-        mutableHasPendingAccountDeletionStateFlow.value = true
+        userStateManager.hasPendingAccountDeletion = true
         return accountsService
             .deleteAccount(
                 masterPasswordHash = null,
@@ -507,13 +405,13 @@ class AuthRepositoryImpl(
     private fun Result<DeleteAccountResponseJson>.finalizeDeleteAccount(): DeleteAccountResult =
         fold(
             onFailure = {
-                clearPendingAccountDeletion()
+                userStateManager.hasPendingAccountDeletion = false
                 DeleteAccountResult.Error(error = it, message = null)
             },
             onSuccess = { response ->
                 when (response) {
                     is DeleteAccountResponseJson.Invalid -> {
-                        clearPendingAccountDeletion()
+                        userStateManager.hasPendingAccountDeletion = false
                         DeleteAccountResult.Error(message = response.message, error = null)
                     }
 
@@ -564,6 +462,10 @@ class AuthRepositoryImpl(
                             .map { keys }
                     }
                     .onSuccess { keys ->
+                        // TDE and SSO user creation still uses crypto-v1. These users are not
+                        // expected to have the AEAD keys so we only store the private key for now.
+                        // See https://github.com/bitwarden/android/pull/5682#discussion_r2273940332
+                        // for more details.
                         authDiskSource.storePrivateKey(
                             userId = userId,
                             privateKey = keys.privateKey,
@@ -592,11 +494,15 @@ class AuthRepositoryImpl(
         val profile = authDiskSource.userState?.activeAccount?.profile
             ?: return LoginResult.Error(errorMessage = null, error = NoActiveUserException())
         val userId = profile.userId
-        val privateKey = authDiskSource.getPrivateKey(userId = userId)
+        val accountKeys = authDiskSource.getAccountKeys(userId = userId)
+        val privateKey = accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
+            ?: authDiskSource.getPrivateKey(userId = userId)
             ?: return LoginResult.Error(
                 errorMessage = null,
                 error = MissingPropertyException("Private Key"),
             )
+        val signingKey = accountKeys?.signatureKeyPair?.wrappedSigningKey
+        val securityState = accountKeys?.securityState?.securityState
 
         checkForVaultUnlockError(
             onVaultUnlockError = { error ->
@@ -606,6 +512,8 @@ class AuthRepositoryImpl(
             unlockVault(
                 accountProfile = profile,
                 privateKey = privateKey,
+                signingKey = signingKey,
+                securityState = securityState,
                 initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                     requestPrivateKey = requestPrivateKey,
                     method = AuthRequestMethod.UserKey(protectedUserKey = asymmetricalKey),
@@ -620,7 +528,6 @@ class AuthRepositoryImpl(
     override suspend fun login(
         email: String,
         password: String,
-        captchaToken: String?,
     ): LoginResult = identityService
         .preLogin(email = email)
         .flatMap {
@@ -639,7 +546,6 @@ class AuthRepositoryImpl(
                     username = email,
                     password = passwordHash,
                 ),
-                captchaToken = captchaToken,
             )
         }
         .fold(
@@ -659,7 +565,6 @@ class AuthRepositoryImpl(
         asymmetricalKey: String,
         requestPrivateKey: String,
         masterPasswordHash: String?,
-        captchaToken: String?,
     ): LoginResult =
         loginCommon(
             email = email,
@@ -674,14 +579,12 @@ class AuthRepositoryImpl(
                 asymmetricalKey = asymmetricalKey,
                 privateKey = requestPrivateKey,
             ),
-            captchaToken = captchaToken,
         )
 
     override suspend fun login(
         email: String,
         password: String?,
         twoFactorData: TwoFactorDataModel,
-        captchaToken: String?,
         orgIdentifier: String?,
     ): LoginResult = identityTokenAuthModel
         ?.let {
@@ -690,7 +593,6 @@ class AuthRepositoryImpl(
                 password = password,
                 authModel = it,
                 twoFactorData = twoFactorData,
-                captchaToken = captchaToken ?: twoFactorResponse?.captchaToken,
                 deviceData = twoFactorDeviceData,
                 orgIdentifier = orgIdentifier,
             )
@@ -704,7 +606,6 @@ class AuthRepositoryImpl(
         email: String,
         password: String?,
         newDeviceOtp: String,
-        captchaToken: String?,
         orgIdentifier: String?,
     ): LoginResult = identityTokenAuthModel
         ?.let {
@@ -713,7 +614,6 @@ class AuthRepositoryImpl(
                 password = password,
                 authModel = it,
                 newDeviceOtp = newDeviceOtp,
-                captchaToken = captchaToken ?: twoFactorResponse?.captchaToken,
                 deviceData = twoFactorDeviceData,
                 orgIdentifier = orgIdentifier,
             )
@@ -747,7 +647,6 @@ class AuthRepositoryImpl(
         ssoCode: String,
         ssoCodeVerifier: String,
         ssoRedirectUri: String,
-        captchaToken: String?,
         organizationIdentifier: String,
     ): LoginResult = loginCommon(
         email = email,
@@ -756,15 +655,62 @@ class AuthRepositoryImpl(
             ssoCodeVerifier = ssoCodeVerifier,
             ssoRedirectUri = ssoRedirectUri,
         ),
-        captchaToken = captchaToken,
         orgIdentifier = organizationIdentifier,
     )
 
-    override fun refreshAccessTokenSynchronously(userId: String): Result<RefreshTokenResponseJson> =
-        refreshAccessTokenSynchronouslyInternal(
-            userId = userId,
-            logOutOnFailure = true,
-        )
+    override fun refreshAccessTokenSynchronously(
+        userId: String,
+    ): Result<String> {
+        val refreshToken = authDiskSource
+            .getAccountTokens(userId = userId)
+            ?.refreshToken
+            ?: return IllegalStateException("Must be logged in.").asFailure()
+        return identityService
+            .refreshTokenSynchronously(refreshToken)
+            .flatMap { refreshTokenResponse ->
+                // Check to make sure the user is still logged in after making the request
+                authDiskSource
+                    .userState
+                    ?.accounts
+                    ?.get(userId)
+                    ?.let { refreshTokenResponse.asSuccess() }
+                    ?: IllegalStateException("Must be logged in.").asFailure()
+            }
+            .flatMap { refreshTokenResponse ->
+                when (refreshTokenResponse) {
+                    is RefreshTokenResponseJson.Error -> {
+                        if (refreshTokenResponse.isInvalidGrant) {
+                            logout(userId = userId, reason = LogoutReason.InvalidGrant)
+                        }
+                        IllegalStateException(refreshTokenResponse.error).asFailure()
+                    }
+
+                    is RefreshTokenResponseJson.Forbidden -> {
+                        logout(userId = userId, reason = LogoutReason.RefreshForbidden)
+                        refreshTokenResponse.error.asFailure()
+                    }
+
+                    is RefreshTokenResponseJson.Unauthorized -> {
+                        logout(userId = userId, reason = LogoutReason.RefreshUnauthorized)
+                        refreshTokenResponse.error.asFailure()
+                    }
+
+                    is RefreshTokenResponseJson.Success -> {
+                        // Store the new token information
+                        authDiskSource.storeAccountTokens(
+                            userId = userId,
+                            accountTokens = AccountTokensJson(
+                                accessToken = refreshTokenResponse.accessToken,
+                                refreshToken = refreshTokenResponse.refreshToken,
+                                expiresAtSec = clock.instant().epochSecond +
+                                    refreshTokenResponse.expiresIn,
+                            ),
+                        )
+                        refreshTokenResponse.accessToken.asSuccess()
+                    }
+                }
+            }
+    }
 
     override fun logout(reason: LogoutReason) {
         activeUserId?.let { userId -> logout(userId = userId, reason = reason) }
@@ -796,7 +742,17 @@ class AuthRepositoryImpl(
             ?.let { jsonRequest ->
                 accountsService.resendVerificationCodeEmail(body = jsonRequest).fold(
                     onFailure = { ResendEmailResult.Error(message = it.message, error = it) },
-                    onSuccess = { ResendEmailResult.Success },
+                    onSuccess = {
+                        when (it) {
+                            VerificationCodeResponseJson.Success -> ResendEmailResult.Success
+                            is VerificationCodeResponseJson.Invalid -> {
+                                ResendEmailResult.Error(
+                                    message = it.firstValidationErrorMessage,
+                                    error = null,
+                                )
+                            }
+                        }
+                    },
                 )
             }
             ?: ResendEmailResult.Error(
@@ -809,7 +765,17 @@ class AuthRepositoryImpl(
             ?.let { jsonRequest ->
                 accountsService.resendNewDeviceOtp(body = jsonRequest).fold(
                     onFailure = { ResendEmailResult.Error(message = it.message, error = it) },
-                    onSuccess = { ResendEmailResult.Success },
+                    onSuccess = {
+                        when (it) {
+                            VerificationOtpResponseJson.Success -> ResendEmailResult.Success
+                            is VerificationOtpResponseJson.Invalid -> {
+                                ResendEmailResult.Error(
+                                    message = it.firstValidationErrorMessage,
+                                    error = null,
+                                )
+                            }
+                        }
+                    },
                 )
             }
             ?: ResendEmailResult.Error(
@@ -832,7 +798,7 @@ class AuthRepositoryImpl(
             // We need to make sure that the environment is set back to the correct spot.
             updateEnvironment()
             // No switching to do but clear any pending account additions
-            hasPendingAccountAddition = false
+            userStateManager.hasPendingAccountAddition = false
             return SwitchAccountResult.NoChange
         }
 
@@ -847,7 +813,7 @@ class AuthRepositoryImpl(
         authDiskSource.userState = currentUserState.copy(activeUserId = userId)
 
         // Clear any pending account additions
-        hasPendingAccountAddition = false
+        userStateManager.hasPendingAccountAddition = false
 
         return SwitchAccountResult.AccountSwitched
     }
@@ -858,7 +824,6 @@ class AuthRepositoryImpl(
         masterPassword: String,
         masterPasswordHint: String?,
         emailVerificationToken: String?,
-        captchaToken: String?,
         shouldCheckDataBreaches: Boolean,
         isMasterPasswordStrong: Boolean,
     ): RegisterResult {
@@ -893,7 +858,6 @@ class AuthRepositoryImpl(
                             email = email,
                             masterPasswordHash = registerKeyResponse.masterPasswordHash,
                             masterPasswordHint = masterPasswordHint,
-                            captchaResponse = captchaToken,
                             key = registerKeyResponse.encryptedUserKey,
                             keys = RegisterRequestJson.Keys(
                                 publicKey = registerKeyResponse.keys.public,
@@ -910,7 +874,6 @@ class AuthRepositoryImpl(
                             masterPasswordHash = registerKeyResponse.masterPasswordHash,
                             masterPasswordHint = masterPasswordHint,
                             emailVerificationToken = emailVerificationToken,
-                            captchaResponse = captchaToken,
                             userSymmetricKey = registerKeyResponse.encryptedUserKey,
                             userAsymmetricKeys = RegisterFinishRequestJson.Keys(
                                 publicKey = registerKeyResponse.keys.public,
@@ -925,18 +888,9 @@ class AuthRepositoryImpl(
             .fold(
                 onSuccess = {
                     when (it) {
-                        is RegisterResponseJson.CaptchaRequired -> {
-                            it.validationErrors.captchaKeys.firstOrNull()
-                                ?.let { key -> RegisterResult.CaptchaRequired(captchaId = key) }
-                                ?: RegisterResult.Error(
-                                    errorMessage = null,
-                                    error = MissingPropertyException("Captcha ID"),
-                                )
-                        }
-
                         is RegisterResponseJson.Success -> {
                             settingsRepository.hasUserLoggedInOrCreatedAccount = true
-                            RegisterResult.Success(captchaToken = it.captchaBypassToken)
+                            RegisterResult.Success
                         }
 
                         is RegisterResponseJson.Invalid -> {
@@ -1150,6 +1104,9 @@ class AuthRepositoryImpl(
                     )
                     .onSuccess {
                         rsaKeys?.private?.let {
+                            // This process is used by TDE and Enterprise accounts during initial
+                            // login. We continue to store the locally generated keys
+                            // until TDE and Enterprise accounts support AEAD keys.
                             authDiskSource.storePrivateKey(userId = userId, privateKey = it)
                         }
                         authDiskSource.storeUserKey(userId = userId, userKey = encryptedUserKey)
@@ -1182,10 +1139,6 @@ class AuthRepositoryImpl(
             )
     }
 
-    override fun setCaptchaCallbackTokenResult(tokenResult: CaptchaCallbackTokenResult) {
-        captchaTokenChannel.trySend(tokenResult)
-    }
-
     override fun setDuoCallbackTokenResult(tokenResult: DuoCallbackTokenResult) {
         duoTokenChannel.trySend(tokenResult)
     }
@@ -1422,42 +1375,6 @@ class AuthRepositoryImpl(
             onFailure = { LeaveOrganizationResult.Error(error = it) },
         )
 
-    private fun refreshAccessTokenSynchronouslyInternal(
-        userId: String,
-        logOutOnFailure: Boolean,
-    ): Result<RefreshTokenResponseJson> {
-        val refreshToken = authDiskSource
-            .getAccountTokens(userId = userId)
-            ?.refreshToken
-            ?: return IllegalStateException("Must be logged in.").asFailure()
-        return identityService
-            .refreshTokenSynchronously(refreshToken)
-            .flatMap { refreshTokenResponse ->
-                // Check to make sure the user is still logged in after making the request
-                authDiskSource
-                    .userState
-                    ?.accounts
-                    ?.get(userId)
-                    ?.let { refreshTokenResponse.asSuccess() }
-                    ?: IllegalStateException("Must be logged in.").asFailure()
-            }
-            .onFailure {
-                if (logOutOnFailure) {
-                    logout(userId = userId, reason = LogoutReason.TokenRefreshFail)
-                }
-            }
-            .onSuccess { refreshTokenResponse ->
-                // Update the existing UserState with updated token information
-                authDiskSource.storeAccountTokens(
-                    userId = userId,
-                    accountTokens = AccountTokensJson(
-                        accessToken = refreshTokenResponse.accessToken,
-                        refreshToken = refreshTokenResponse.refreshToken,
-                    ),
-                )
-            }
-    }
-
     @Suppress("CyclomaticComplexMethod")
     private suspend fun validatePasswordAgainstPolicy(
         password: String,
@@ -1559,27 +1476,6 @@ class AuthRepositoryImpl(
             )
         }
 
-    private fun isBiometricsEnabled(
-        userId: String,
-    ): Boolean = authDiskSource.getUserBiometricUnlockKey(userId = userId) != null
-
-    private fun isDeviceTrusted(
-        userId: String,
-    ): Boolean = authDiskSource.getDeviceKey(userId = userId) != null
-
-    private fun getVaultUnlockType(
-        userId: String,
-    ): VaultUnlockType =
-        when {
-            authDiskSource.getPinProtectedUserKey(userId = userId) != null -> {
-                VaultUnlockType.PIN
-            }
-
-            else -> {
-                VaultUnlockType.MASTER_PASSWORD
-            }
-        }
-
     /**
      * Update the saved state with the force password reset reason.
      */
@@ -1613,7 +1509,6 @@ class AuthRepositoryImpl(
         twoFactorData: TwoFactorDataModel? = null,
         deviceData: DeviceDataModel? = null,
         orgIdentifier: String? = null,
-        captchaToken: String?,
         newDeviceOtp: String? = null,
     ): LoginResult = identityService
         .getToken(
@@ -1621,7 +1516,6 @@ class AuthRepositoryImpl(
             email = email,
             authModel = authModel,
             twoFactorData = twoFactorData ?: getRememberedTwoFactorData(email),
-            captchaToken = captchaToken,
             newDeviceOtp = newDeviceOtp,
         )
         .fold(
@@ -1640,10 +1534,6 @@ class AuthRepositoryImpl(
             },
             onSuccess = { loginResponse ->
                 when (loginResponse) {
-                    is GetTokenResponseJson.CaptchaRequired -> LoginResult.CaptchaRequired(
-                        captchaId = loginResponse.captchaKey,
-                    )
-
                     is GetTokenResponseJson.TwoFactorRequired -> handleLoginCommonTwoFactorRequired(
                         loginResponse = loginResponse,
                         email = email,
@@ -1696,7 +1586,7 @@ class AuthRepositoryImpl(
         deviceData: DeviceDataModel?,
         orgIdentifier: String?,
         userConfirmedKeyConnector: Boolean,
-    ): LoginResult = userStateTransaction {
+    ): LoginResult = userStateManager.userStateTransaction {
         val userStateJson = loginResponse.toUserState(
             previousUserState = authDiskSource.userState,
             environmentUrlData = environmentRepository.environment.environmentUrlData,
@@ -1735,7 +1625,7 @@ class AuthRepositoryImpl(
                 // we should ask him to confirm the domain
                 if (isNewKeyConnectorUser && isNotConfirmed) {
                     keyConnectorResponse = loginResponse
-                    return LoginResult.ConfirmKeyConnectorDomain(
+                    return@userStateTransaction LoginResult.ConfirmKeyConnectorDomain(
                         domain = keyConnectorUrl,
                     )
                 }
@@ -1780,6 +1670,7 @@ class AuthRepositoryImpl(
             accountTokens = AccountTokensJson(
                 accessToken = loginResponse.accessToken,
                 refreshToken = loginResponse.refreshToken,
+                expiresAtSec = clock.instant().epochSecond + loginResponse.expiresInSeconds,
             ),
         )
         settingsRepository.hasUserLoggedInOrCreatedAccount = true
@@ -1790,11 +1681,18 @@ class AuthRepositoryImpl(
             // when we completed the pending admin auth request.
             authDiskSource.storeUserKey(userId = userId, userKey = it)
         }
+        // We continue to store the private key for backwards compatibility. Key connector
+        // conversion still relies on the private key.
         loginResponse.privateKey?.let {
             // Only set the value if it's present, since we may have set it already
             // when we completed the key connector conversion.
             authDiskSource.storePrivateKey(userId = userId, privateKey = it)
         }
+        loginResponse.accountKeys?.let {
+            // Only set the value if it's present, since we may have set it already
+            // when we completed the key connector conversion.
+            authDiskSource.storeAccountKeys(userId = userId, accountKeys = it)
+        }
         // If the user just authenticated with a two-factor code and selected the option to
         // remember it, then the API response will return a token that will be used in place
         // of the two-factor code on the next login attempt.
@@ -1895,6 +1793,8 @@ class AuthRepositoryImpl(
                             masterKey = it.masterKey,
                             userKey = key,
                         ),
+                        securityState = loginResponse.accountKeys?.securityState?.securityState,
+                        signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                     )
                 }
                 .fold(
@@ -1918,6 +1818,8 @@ class AuthRepositoryImpl(
                     val result = unlockVault(
                         accountProfile = profile,
                         privateKey = keyConnectorResponse.keys.private,
+                        securityState = loginResponse.accountKeys?.securityState?.securityState,
+                        signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                         initUserCryptoMethod = InitUserCryptoMethod.KeyConnector(
                             masterKey = keyConnectorResponse.masterKey,
                             userKey = keyConnectorResponse.encryptedUserKey,
@@ -1930,10 +1832,16 @@ class AuthRepositoryImpl(
                             userId = profile.userId,
                             userKey = keyConnectorResponse.encryptedUserKey,
                         )
+                        // We continue to store the private key for backwards compatibility since
+                        // key connector conversion still relies on the private key.
                         authDiskSource.storePrivateKey(
                             userId = profile.userId,
                             privateKey = keyConnectorResponse.keys.private,
                         )
+                        authDiskSource.storeAccountKeys(
+                            userId = profile.userId,
+                            accountKeys = loginResponse.accountKeys,
+                        )
                     }
                     result
                 }
@@ -1955,11 +1863,13 @@ class AuthRepositoryImpl(
     ): VaultUnlockResult? {
         // Attempt to unlock the vault with password if possible.
         val masterPassword = password ?: return null
-        val privateKey = loginResponse.privateKey ?: return null
+        val privateKey = loginResponse.privateKeyOrNull() ?: return null
         val key = loginResponse.key ?: return null
         return unlockVault(
             accountProfile = profile,
             privateKey = privateKey,
+            securityState = loginResponse.accountKeys?.securityState?.securityState,
+            signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
             initUserCryptoMethod = InitUserCryptoMethod.Password(
                 password = masterPassword,
                 userKey = key,
@@ -1977,13 +1887,15 @@ class AuthRepositoryImpl(
     ): VaultUnlockResult? {
         // Attempt to unlock the vault with auth request if possible.
         // These values will only be null during the Just-in-Time provisioning flow.
-        val privateKey = loginResponse.privateKey
+        val privateKey = loginResponse.privateKeyOrNull()
         val key = loginResponse.key
         if (privateKey != null && key != null) {
             deviceData?.let { model ->
                 return unlockVault(
                     accountProfile = profile,
                     privateKey = privateKey,
+                    securityState = loginResponse.accountKeys?.securityState?.securityState,
+                    signingKey = loginResponse.accountKeys?.signatureKeyPair?.wrappedSigningKey,
                     initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                         requestPrivateKey = model.privateKey,
                         method = model
@@ -2008,13 +1920,26 @@ class AuthRepositoryImpl(
             .userDecryptionOptions
             ?.trustedDeviceUserDecryptionOptions
             ?.let { options ->
-                loginResponse.privateKey?.let { privateKey ->
-                    unlockVaultWithTrustedDeviceUserDecryptionOptionsAndStoreKeys(
-                        options = options,
-                        profile = profile,
-                        privateKey = privateKey,
-                    )
-                }
+                loginResponse.accountKeys
+                    ?.let { accountKeys ->
+                        unlockVaultWithTrustedDeviceUserDecryptionOptionsAndStoreKeys(
+                            options = options,
+                            profile = profile,
+                            privateKey = accountKeys.publicKeyEncryptionKeyPair.wrappedPrivateKey,
+                            securityState = accountKeys.securityState?.securityState,
+                            signingKey = accountKeys.signatureKeyPair?.wrappedSigningKey,
+                        )
+                    }
+                    ?: loginResponse.privateKey
+                        ?.let { privateKey ->
+                            unlockVaultWithTrustedDeviceUserDecryptionOptionsAndStoreKeys(
+                                options = options,
+                                profile = profile,
+                                privateKey = privateKey,
+                                securityState = null,
+                                signingKey = null,
+                            )
+                        }
             }
     }
 
@@ -2026,6 +1951,8 @@ class AuthRepositoryImpl(
         options: TrustedDeviceUserDecryptionOptionsJson,
         profile: AccountJson.Profile,
         privateKey: String,
+        securityState: String?,
+        signingKey: String?,
     ): VaultUnlockResult? {
         var vaultUnlockResult: VaultUnlockResult? = null
         val userId = profile.userId
@@ -2044,6 +1971,8 @@ class AuthRepositoryImpl(
                     vaultUnlockResult = unlockVault(
                         accountProfile = profile,
                         privateKey = privateKey,
+                        signingKey = signingKey,
+                        securityState = securityState,
                         initUserCryptoMethod = InitUserCryptoMethod.AuthRequest(
                             requestPrivateKey = pendingRequest.requestPrivateKey,
                             method = AuthRequestMethod.UserKey(protectedUserKey = userKey),
@@ -2071,6 +2000,8 @@ class AuthRepositoryImpl(
         vaultUnlockResult = unlockVault(
             accountProfile = profile,
             privateKey = privateKey,
+            securityState = securityState,
+            signingKey = signingKey,
             initUserCryptoMethod = InitUserCryptoMethod.DeviceKey(
                 deviceKey = deviceKey,
                 protectedDevicePrivateKey = encryptedPrivateKey,
@@ -2090,6 +2021,8 @@ class AuthRepositoryImpl(
     private suspend fun unlockVault(
         accountProfile: AccountJson.Profile,
         privateKey: String,
+        securityState: String?,
+        signingKey: String?,
         initUserCryptoMethod: InitUserCryptoMethod,
     ): VaultUnlockResult {
         val userId = accountProfile.userId
@@ -2098,6 +2031,8 @@ class AuthRepositoryImpl(
             email = accountProfile.email,
             kdf = accountProfile.toSdkParams(),
             privateKey = privateKey,
+            signingKey = signingKey,
+            securityState = securityState,
             initUserCryptoMethod = initUserCryptoMethod,
             // The value for the organization keys here will typically be null. We can separately
             // unlock the vault for organization data after receiving the sync response if this
@@ -2124,20 +2059,12 @@ class AuthRepositoryImpl(
     }
 
     //endregion LoginCommon
-
-    /**
-     * Run the given [block] while preventing any updates to [UserState]. This is useful in cases
-     * where many individual changes might occur that would normally affect the [UserState] but we
-     * only want a single final emission. In the rare case that multiple threads are running
-     * transactions simultaneously, there will be no [UserState] updates until the last
-     * transaction completes.
-     */
-    private inline fun <T> userStateTransaction(block: () -> T): T {
-        mutableUserStateTransactionCountStateFlow.update { it.inc() }
-        return try {
-            block()
-        } finally {
-            mutableUserStateTransactionCountStateFlow.update { it.dec() }
-        }
-    }
 }
+
+/**
+ * Convenience function to extract the private key from the
+ * [GetTokenResponseJson.Success] response.
+ */
+private fun GetTokenResponseJson.Success.privateKeyOrNull(): String? =
+    this.accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey
+        ?: this.privateKey

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/di/AuthRepositoryModule.kt

@@ -13,8 +13,11 @@ import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManager
 import com.x8bit.bitwarden.data.auth.manager.TrustedDeviceManager
 import com.x8bit.bitwarden.data.auth.manager.UserLogoutManager
+import com.x8bit.bitwarden.data.auth.manager.UserStateManager
+import com.x8bit.bitwarden.data.auth.manager.UserStateManagerImpl
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.AuthRepositoryImpl
+import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
@@ -22,11 +25,13 @@ import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
+import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
 import dagger.hilt.components.SingletonComponent
+import java.time.Clock
 import javax.inject.Singleton
 
 /**
@@ -39,6 +44,7 @@ object AuthRepositoryModule {
     @Provides
     @Singleton
     fun providesAuthRepository(
+        clock: Clock,
         accountsService: AccountsService,
         devicesService: DevicesService,
         identityService: IdentityService,
@@ -47,6 +53,7 @@ object AuthRepositoryModule {
         authSdkSource: AuthSdkSource,
         vaultSdkSource: VaultSdkSource,
         authDiskSource: AuthDiskSource,
+        settingsDiskSource: SettingsDiskSource,
         configDiskSource: ConfigDiskSource,
         dispatcherManager: DispatcherManager,
         environmentRepository: EnvironmentRepository,
@@ -58,9 +65,10 @@ object AuthRepositoryModule {
         userLogoutManager: UserLogoutManager,
         pushManager: PushManager,
         policyManager: PolicyManager,
-        firstTimeActionManager: FirstTimeActionManager,
         logsManager: LogsManager,
+        userStateManager: UserStateManager,
     ): AuthRepository = AuthRepositoryImpl(
+        clock = clock,
         accountsService = accountsService,
         devicesService = devicesService,
         identityService = identityService,
@@ -68,6 +76,7 @@ object AuthRepositoryModule {
         authSdkSource = authSdkSource,
         vaultSdkSource = vaultSdkSource,
         authDiskSource = authDiskSource,
+        settingsDiskSource = settingsDiskSource,
         configDiskSource = configDiskSource,
         haveIBeenPwnedService = haveIBeenPwnedService,
         dispatcherManager = dispatcherManager,
@@ -80,7 +89,21 @@ object AuthRepositoryModule {
         userLogoutManager = userLogoutManager,
         pushManager = pushManager,
         policyManager = policyManager,
-        firstTimeActionManager = firstTimeActionManager,
         logsManager = logsManager,
+        userStateManager = userStateManager,
+    )
+
+    @Provides
+    @Singleton
+    fun providesUserStateManager(
+        authDiskSource: AuthDiskSource,
+        firstTimeActionManager: FirstTimeActionManager,
+        vaultLockManager: VaultLockManager,
+        dispatcherManager: DispatcherManager,
+    ): UserStateManager = UserStateManagerImpl(
+        authDiskSource = authDiskSource,
+        firstTimeActionManager = firstTimeActionManager,
+        vaultLockManager = vaultLockManager,
+        dispatcherManager = dispatcherManager,
     )
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LoginResult.kt

@@ -9,11 +9,6 @@ sealed class LoginResult {
      */
     data object Success : LoginResult()
 
-    /**
-     * Captcha verification is required.
-     */
-    data class CaptchaRequired(val captchaId: String) : LoginResult()
-
     /**
      * Encryption key migration is required.
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/LogoutReason.kt

@@ -29,6 +29,24 @@ sealed class LogoutReason {
         data object NoLongerSupported : Biometrics()
     }
 
+    /**
+     * Indicates that the logout is happening because the there was an "invalid_grant" response
+     * from the network.
+     */
+    data object InvalidGrant : LogoutReason()
+
+    /**
+     * Indicates that the logout is happening because the there was a "Forbidden" response from
+     * token refresh API.
+     */
+    data object RefreshForbidden : LogoutReason()
+
+    /**
+     * Indicates that the logout is happening because the there was a "Unauthorized" response from
+     * token refresh API.
+     */
+    data object RefreshUnauthorized : LogoutReason()
+
     /**
      * Indicates that the logout is happening because of an invalid state.
      */
@@ -58,11 +76,6 @@ sealed class LogoutReason {
      */
     data object Timeout : LogoutReason()
 
-    /**
-     * Indicates that the logout is happening because the access token could not be refreshed.
-     */
-    data object TokenRefreshFail : LogoutReason()
-
     /**
      * Indicates that the logout is happening because the user tried to unlock the vault
      * unsuccessfully too many times.

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/RegisterResult.kt

@@ -7,16 +7,8 @@ sealed class RegisterResult {
     /**
      * Register succeeded.
      *
-     * @param captchaToken the captcha bypass token to bypass future captcha verifications.
      */
-    data class Success(val captchaToken: String?) : RegisterResult()
-
-    /**
-     * Captcha verification is required.
-     *
-     * @param captchaId the captcha id for performing the captcha verification.
-     */
-    data class CaptchaRequired(val captchaId: String) : RegisterResult()
+    data object Success : RegisterResult()
 
     /**
      * There was an error logging in.

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/ResendEmailResult.kt

@@ -15,6 +15,6 @@ sealed class ResendEmailResult {
      */
     data class Error(
         val message: String?,
-        val error: Throwable,
+        val error: Throwable?,
     ) : ResendEmailResult()
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/CaptchaUtils.kt

@@ -1,74 +0,0 @@
-package com.x8bit.bitwarden.data.auth.repository.util
-
-import android.content.Intent
-import android.net.Uri
-import kotlinx.serialization.json.buildJsonObject
-import kotlinx.serialization.json.put
-import java.net.URLEncoder
-import java.util.Base64
-import java.util.Locale
-
-private const val CAPTCHA_HOST: String = "captcha-callback"
-private const val CALLBACK_URI = "bitwarden://$CAPTCHA_HOST"
-
-/**
- * Generates a [Uri] to display a CAPTCHA challenge for Bitwarden authentication.
- */
-fun generateUriForCaptcha(captchaId: String): Uri {
-    val json = buildJsonObject {
-        put(key = "siteKey", value = captchaId)
-        put(key = "locale", value = Locale.getDefault().toString())
-        put(key = "callbackUri", value = CALLBACK_URI)
-        put(key = "captchaRequiredText", value = "Captcha required")
-    }
-    val base64Data = Base64
-        .getEncoder()
-        .encodeToString(
-            json
-                .toString()
-                .toByteArray(Charsets.UTF_8),
-        )
-    val parentParam = URLEncoder.encode(CALLBACK_URI, "UTF-8")
-    val url = "https://vault.bitwarden.com/captcha-mobile-connector.html" +
-        "?data=$base64Data&parent=$parentParam&v=1"
-    return Uri.parse(url)
-}
-
-/**
- * Retrieves a [CaptchaCallbackTokenResult] from an Intent. There are three possible cases.
- *
- * - `null`: Intent is not a captcha callback, or data is null.
- *
- * - [CaptchaCallbackTokenResult.MissingToken]:
- * Intent is the captcha callback, but its missing a token value.
- *
- * - [CaptchaCallbackTokenResult.Success]:
- * Intent is the captcha callback, and it has a token.
- */
-fun Intent.getCaptchaCallbackTokenResult(): CaptchaCallbackTokenResult? {
-    val localData = data
-    return if (
-        action == Intent.ACTION_VIEW && localData != null && localData.host == CAPTCHA_HOST
-    ) {
-        localData.getQueryParameter("token")?.let {
-            CaptchaCallbackTokenResult.Success(token = it)
-        } ?: CaptchaCallbackTokenResult.MissingToken
-    } else {
-        null
-    }
-}
-
-/**
- * Sealed class representing the result of captcha callback token extraction.
- */
-sealed class CaptchaCallbackTokenResult {
-    /**
-     * Represents a missing token in the captcha callback.
-     */
-    data object MissingToken : CaptchaCallbackTokenResult()
-
-    /**
-     * Represents a token present in the captcha callback.
-     */
-    data class Success(val token: String) : CaptchaCallbackTokenResult()
-}

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt

@@ -32,6 +32,7 @@ fun UserStateJson.toRemovedPasswordUserStateJson(
             hasMasterPassword = false,
             trustedDeviceUserDecryptionOptions = null,
             keyConnectorUserDecryptionOptions = null,
+            masterPasswordUnlock = null,
         )
     val updatedProfile = profile.copy(userDecryptionOptions = updatedUserDecryptionOptions)
     val updatedAccount = account.copy(profile = updatedProfile)
@@ -54,6 +55,23 @@ fun UserStateJson.toUpdatedUserStateJson(
     val userId = syncProfile.id
     val account = this.accounts[userId] ?: return this
     val profile = account.profile
+    val userDecryptionOptions = syncResponse
+        .userDecryption
+        ?.let { syncUserDecryption ->
+            profile
+                .userDecryptionOptions
+                ?.copy(masterPasswordUnlock = syncUserDecryption.masterPasswordUnlock)
+                ?: UserDecryptionOptionsJson(
+                    hasMasterPassword = syncUserDecryption.masterPasswordUnlock != null,
+                    trustedDeviceUserDecryptionOptions = null,
+                    keyConnectorUserDecryptionOptions = null,
+                    masterPasswordUnlock = syncUserDecryption.masterPasswordUnlock,
+                )
+        }
+        ?: profile
+            .userDecryptionOptions
+            ?.copy(masterPasswordUnlock = null)
+
     val updatedProfile = profile
         .copy(
             avatarColorHex = syncProfile.avatarColor,
@@ -61,6 +79,7 @@ fun UserStateJson.toUpdatedUserStateJson(
             hasPremium = syncProfile.isPremium || syncProfile.isPremiumFromOrganization,
             isTwoFactorEnabled = syncProfile.isTwoFactorEnabled,
             creationDate = syncProfile.creationDate,
+            userDecryptionOptions = userDecryptionOptions,
         )
     val updatedAccount = account.copy(profile = updatedProfile)
     return this
@@ -90,6 +109,7 @@ fun UserStateJson.toUserStateJsonWithPassword(): UserStateJson {
                     hasMasterPassword = true,
                     keyConnectorUserDecryptionOptions = null,
                     trustedDeviceUserDecryptionOptions = null,
+                    masterPasswordUnlock = null,
                 ),
         )
     val updatedAccount = account.copy(profile = updatedProfile)

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/util/PasswordlessRequestDataUtils.kt

@@ -2,9 +2,9 @@ package com.x8bit.bitwarden.data.auth.util
 
 import android.content.Context
 import android.content.Intent
+import com.bitwarden.ui.platform.util.getSafeParcelableExtra
 import com.x8bit.bitwarden.MainActivity
 import com.x8bit.bitwarden.data.platform.manager.model.PasswordlessRequestData
-import com.bitwarden.ui.platform.util.getSafeParcelableExtra
 
 private const val NOTIFICATION_DATA: String = "notificationData"
 

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/builder/FillResponseBuilderImpl.kt

@@ -8,7 +8,7 @@ import com.x8bit.bitwarden.data.autofill.model.FilledData
 import com.x8bit.bitwarden.data.autofill.model.FilledPartition
 import com.x8bit.bitwarden.data.autofill.util.buildDataset
 import com.x8bit.bitwarden.data.autofill.util.buildVaultItemDataset
-import com.x8bit.bitwarden.data.autofill.util.createTotpCopyIntentSender
+import com.x8bit.bitwarden.data.autofill.util.createAutofillCallbackIntentSender
 import com.x8bit.bitwarden.data.autofill.util.fillableAutofillIds
 import timber.log.Timber
 
@@ -23,7 +23,7 @@ class FillResponseBuilderImpl : FillResponseBuilder {
         saveInfo: SaveInfo?,
     ): FillResponse? =
         if (filledData.fillableAutofillIds.isNotEmpty()) {
-            Timber.w("Autofill request constructing FillResponse")
+            Timber.d("Autofill request constructing FillResponse")
             val fillResponseBuilder = FillResponse.Builder()
             saveInfo?.let { nonNullSaveInfo -> fillResponseBuilder.setSaveInfo(nonNullSaveInfo) }
 
@@ -65,8 +65,8 @@ class FillResponseBuilderImpl : FillResponseBuilder {
 }
 
 /**
- * Convert this [FilledPartition] and [autofillAppInfo] into an [IntentSender] if totp is enabled
- * and there the [FilledPartition.autofillCipher] has a valid cipher id.
+ * Convert this [FilledPartition] and [autofillAppInfo] into an [IntentSender] if the
+ * [FilledPartition.autofillCipher] has a valid cipher id.
  */
 private fun FilledPartition.toAuthIntentSenderOrNull(
     autofillAppInfo: AutofillAppInfo,
@@ -74,8 +74,7 @@ private fun FilledPartition.toAuthIntentSenderOrNull(
     autofillCipher
         .cipherId
         ?.let { cipherId ->
-            // We always do this even if there is no TOTP code because we want to log the events
-            createTotpCopyIntentSender(
+            createAutofillCallbackIntentSender(
                 cipherId = cipherId,
                 context = autofillAppInfo.context,
             )

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/builder/FilledDataBuilderImpl.kt

@@ -116,15 +116,13 @@ class FilledDataBuilderImpl(
     ): FilledPartition {
         val filledItems = autofillViews
             .mapNotNull { autofillView ->
-                val value = when (autofillView) {
-                    is AutofillView.Card.ExpirationMonth -> autofillCipher.expirationMonth
-                    is AutofillView.Card.ExpirationYear -> autofillCipher.expirationYear
-                    is AutofillView.Card.Number -> autofillCipher.number
-                    is AutofillView.Card.SecurityCode -> autofillCipher.code
-                }
-                autofillView.buildFilledItemOrNull(
-                    value = value,
-                )
+                autofillCipher
+                    .getAutofillValueOrNull(autofillView)
+                    ?.let { value ->
+                        autofillView.buildFilledItemOrNull(
+                            value = value,
+                        )
+                    }
             }
 
         return FilledPartition(
@@ -162,6 +160,48 @@ class FilledDataBuilderImpl(
     }
 }
 
+/**
+ * Get the autofill value for the given [autofillView], or null if no value is available.
+ */
+private fun AutofillCipher.Card.getAutofillValueOrNull(autofillView: AutofillView.Card): String? =
+    when (autofillView) {
+        is AutofillView.Card.CardholderName -> {
+            cardholderName.takeIf { it.isNotEmpty() }
+        }
+
+        is AutofillView.Card.ExpirationMonth -> {
+            expirationMonth.takeIf { it.isNotEmpty() }
+        }
+
+        is AutofillView.Card.ExpirationYear -> {
+            expirationYear.takeIf { it.isNotEmpty() }
+        }
+
+        is AutofillView.Card.Number -> {
+            number
+                .filter { it.isDigit() }
+                .takeIf { it.isNotEmpty() }
+        }
+
+        is AutofillView.Card.SecurityCode -> {
+            code
+                .filter { it.isDigit() }
+                .takeIf { it.isNotEmpty() }
+        }
+
+        is AutofillView.Card.ExpirationDate -> {
+            if (expirationMonth.isNotBlank() && expirationYear.isNotBlank()) {
+                expirationMonth.padStart(2, '0') + expirationYear.takeLast(2)
+            } else {
+                null
+            }
+        }
+
+        is AutofillView.Card.Brand -> {
+            brand.takeIf { it.isNotEmpty() }
+        }
+    }
+
 /**
  * Get the item at the [index]. If that fails, return the last item in the list. If that also fails,
  * return null.

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/di/AutofillModule.kt

@@ -16,6 +16,8 @@ import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManagerImpl
 import com.x8bit.bitwarden.data.autofill.manager.AutofillTotpManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillTotpManagerImpl
+import com.x8bit.bitwarden.data.autofill.manager.browser.BrowserAutofillDialogManager
+import com.x8bit.bitwarden.data.autofill.manager.browser.BrowserAutofillDialogManagerImpl
 import com.x8bit.bitwarden.data.autofill.manager.browser.BrowserThirdPartyAutofillEnabledManager
 import com.x8bit.bitwarden.data.autofill.manager.browser.BrowserThirdPartyAutofillEnabledManagerImpl
 import com.x8bit.bitwarden.data.autofill.parser.AutofillParser
@@ -24,6 +26,8 @@ import com.x8bit.bitwarden.data.autofill.processor.AutofillProcessor
 import com.x8bit.bitwarden.data.autofill.processor.AutofillProcessorImpl
 import com.x8bit.bitwarden.data.autofill.provider.AutofillCipherProvider
 import com.x8bit.bitwarden.data.autofill.provider.AutofillCipherProviderImpl
+import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
+import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.ciphermatching.CipherMatchingManager
 import com.x8bit.bitwarden.data.platform.manager.clipboard.BitwardenClipboardManager
@@ -61,6 +65,22 @@ object AutofillModule {
     fun providesBrowserAutofillEnabledManager(): BrowserThirdPartyAutofillEnabledManager =
         BrowserThirdPartyAutofillEnabledManagerImpl()
 
+    @Singleton
+    @Provides
+    fun providesBrowserAutofillDialogManager(
+        autofillEnabledManager: AutofillEnabledManager,
+        browserThirdPartyAutofillEnabledManager: BrowserThirdPartyAutofillEnabledManager,
+        clock: Clock,
+        firstTimeActionManager: FirstTimeActionManager,
+        settingsDiskSource: SettingsDiskSource,
+    ): BrowserAutofillDialogManager = BrowserAutofillDialogManagerImpl(
+        autofillEnabledManager = autofillEnabledManager,
+        browserThirdPartyAutofillEnabledManager = browserThirdPartyAutofillEnabledManager,
+        clock = clock,
+        firstTimeActionManager = firstTimeActionManager,
+        settingsDiskSource = settingsDiskSource,
+    )
+
     @Singleton
     @Provides
     fun provideAutofillCompletionManager(
@@ -108,11 +128,13 @@ object AutofillModule {
         authRepository: AuthRepository,
         cipherMatchingManager: CipherMatchingManager,
         vaultRepository: VaultRepository,
+        policyManager: PolicyManager,
     ): AutofillCipherProvider =
         AutofillCipherProviderImpl(
             authRepository = authRepository,
             cipherMatchingManager = cipherMatchingManager,
             vaultRepository = vaultRepository,
+            policyManager = policyManager,
         )
 
     @Singleton

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/manager/AutofillCompletionManagerImpl.kt

@@ -17,6 +17,7 @@ import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
 import com.x8bit.bitwarden.data.platform.manager.model.OrganizationEvent
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
+import timber.log.Timber
 
 /**
  * Primary implementation of [AutofillCompletionManager].
@@ -41,6 +42,7 @@ class AutofillCompletionManagerImpl(
             .intent
             ?.getAutofillAssistStructureOrNull()
             ?: run {
+                Timber.w("Assist structure not found")
                 activity.cancelAndFinish()
                 return
             }
@@ -51,6 +53,7 @@ class AutofillCompletionManagerImpl(
                 assistStructure = assistStructure,
             )
         if (autofillRequest !is AutofillRequest.Fillable) {
+            Timber.w("Request is not fillable")
             activity.cancelAndFinish()
             return
         }
@@ -68,11 +71,13 @@ class AutofillCompletionManagerImpl(
                     authIntentSender = null,
                 )
                 ?: run {
+                    Timber.w("Dataset not found")
                     activity.cancelAndFinish()
                     return@launch
                 }
             totpManager.tryCopyTotpToClipboard(cipherView = cipherView)
             val resultIntent = createAutofillSelectionResultIntent(dataset)
+            Timber.d("Autofill success")
             activity.setResultAndFinish(resultIntent = resultIntent)
             cipherView.id?.let {
                 organizationEventManager.trackEvent(

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/manager/AutofillTotpManagerImpl.kt

@@ -24,11 +24,12 @@ class AutofillTotpManagerImpl(
         if (settingsRepository.isAutoCopyTotpDisabled) return
         val isPremium = authRepository.userStateFlow.value?.activeAccount?.isPremium == true
         if (!isPremium && !cipherView.organizationUseTotp) return
-        val totpCode = cipherView.login?.totp ?: return
+        cipherView.login?.totp ?: return
+        val cipherId = cipherView.id ?: return
 
         val totpResult = vaultRepository.generateTotp(
             time = clock.instant(),
-            totpCode = totpCode,
+            cipherId = cipherId,
         )
 
         if (totpResult is GenerateTotpResult.Success) {

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/manager/browser/BrowserAutofillDialogManager.kt

@@ -0,0 +1,21 @@
+package com.x8bit.bitwarden.data.autofill.manager.browser
+
+/**
+ * Manager to handle whether the Browser Autofill Dialog should be displayed.
+ */
+interface BrowserAutofillDialogManager {
+    /**
+     * Number of browsers installed that may need autofill enabled.
+     */
+    val browserCount: Int
+
+    /**
+     * Indicates whether the dialog should be displayed to the user.
+     */
+    val shouldShowDialog: Boolean
+
+    /**
+     * The dialog has been dismissed and we should delay displaying it again.
+     */
+    fun delayDialog()
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/manager/browser/BrowserAutofillDialogManagerImpl.kt

@@ -0,0 +1,42 @@
+package com.x8bit.bitwarden.data.autofill.manager.browser
+
+import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManager
+import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
+import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
+import java.time.Clock
+
+/**
+ * We only show the dialog once per 24 hour period.
+ */
+private const val SHOW_DIALOG_DELAY_MS: Long = 24L * 60L * 60L * 1000L
+
+/**
+ * The default implementation of the [BrowserAutofillDialogManager].
+ */
+internal class BrowserAutofillDialogManagerImpl(
+    private val autofillEnabledManager: AutofillEnabledManager,
+    private val browserThirdPartyAutofillEnabledManager: BrowserThirdPartyAutofillEnabledManager,
+    private val clock: Clock,
+    private val firstTimeActionManager: FirstTimeActionManager,
+    private val settingsDiskSource: SettingsDiskSource,
+) : BrowserAutofillDialogManager {
+    override val browserCount: Int
+        get() = browserThirdPartyAutofillEnabledManager
+            .browserThirdPartyAutofillStatus
+            .availableCount
+
+    override val shouldShowDialog: Boolean
+        get() = autofillEnabledManager.isAutofillEnabled &&
+            browserThirdPartyAutofillEnabledManager
+                .browserThirdPartyAutofillStatus
+                .isAnyIsAvailableAndDisabled &&
+            !firstTimeActionManager
+                .currentOrDefaultUserFirstTimeState
+                .showSetupBrowserAutofillCard &&
+            settingsDiskSource.browserAutofillDialogReshowTime?.isBefore(clock.instant()) != false
+
+    override fun delayDialog() {
+        settingsDiskSource.browserAutofillDialogReshowTime =
+            clock.instant().plusMillis(SHOW_DIALOG_DELAY_MS)
+    }
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillCallbackData.kt

@@ -0,0 +1,14 @@
+package com.x8bit.bitwarden.data.autofill.model
+
+import android.os.Parcelable
+import kotlinx.parcelize.Parcelize
+
+/**
+ * Represents data for the autofill flow via authentication intents.
+ *
+ * @property cipherId The ID of the cipher associated with this Autofill instance.
+ */
+@Parcelize
+data class AutofillCallbackData(
+    val cipherId: String,
+) : Parcelable

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillCipher.kt

@@ -46,6 +46,7 @@ sealed class AutofillCipher {
         val expirationMonth: String,
         val expirationYear: String,
         val number: String,
+        val brand: String,
     ) : AutofillCipher() {
         override val iconRes: Int
             @DrawableRes get() = BitwardenDrawable.ic_payment_card

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillHint.kt

@@ -0,0 +1,16 @@
+package com.x8bit.bitwarden.data.autofill.model
+
+/**
+ * Autofill hints used to determine what data an input field is associated with.
+ */
+enum class AutofillHint {
+    CARD_CARDHOLDER,
+    CARD_EXPIRATION_DATE,
+    CARD_EXPIRATION_MONTH,
+    CARD_EXPIRATION_YEAR,
+    CARD_NUMBER,
+    CARD_SECURITY_CODE,
+    CARD_BRAND,
+    PASSWORD,
+    USERNAME,
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillSaveItem.kt

@@ -16,13 +16,16 @@ sealed class AutofillSaveItem : Parcelable {
      * @property expirationMonth The expiration month in string form (if applicable).
      * @property expirationYear The expiration year in string form (if applicable).
      * @property securityCode The security code for the card (if applicable).
+     * @property cardholderName The name on the card (if applicable).
      */
     @Parcelize
     data class Card(
+        val cardholderName: String?,
         val number: String?,
         val expirationMonth: String?,
         val expirationYear: String?,
         val securityCode: String?,
+        val brand: String?,
     ) : AutofillSaveItem()
 
     /**

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillTotpCopyData.kt

@@ -1,14 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.model
-
-import android.os.Parcelable
-import kotlinx.parcelize.Parcelize
-
-/**
- * Represents data for a TOTP copying during the autofill flow via authentication intents.
- *
- * @property cipherId The cipher for which we are copying a TOTP to the clipboard.
- */
-@Parcelize
-data class AutofillTotpCopyData(
-    val cipherId: String,
-) : Parcelable

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/AutofillView.kt

@@ -48,10 +48,28 @@ sealed class AutofillView {
         ) : Card()
 
         /**
-         * The expiration year [AutofillView] for the [Card] data partition.
+         * The expiration year [AutofillView] for the [Card] data partition. This implementation
+         * also has its own [yearValue] because it can be present in lists, in which case there
+         * is specialized logic for determining its [yearValue]. The [Data.textValue] is very
+         * likely going to be a very different value.
          */
         data class ExpirationYear(
             override val data: Data,
+            val yearValue: String?,
+        ) : Card()
+
+        /**
+         * The expiration date [AutofillView] for the [Card] data partition.
+         */
+        data class ExpirationDate(
+            override val data: Data,
+        ) : Card()
+
+        /**
+         * The cardholder name [AutofillView] for the [Card] data partition.
+         */
+        data class CardholderName(
+            override val data: Data,
         ) : Card()
 
         /**
@@ -67,6 +85,17 @@ sealed class AutofillView {
         data class SecurityCode(
             override val data: Data,
         ) : Card()
+
+        /**
+         * The brand [AutofillView] for the [Card] data partition. This implementation also has its
+         * own [brandValue] because it can be present in lists, in which case there is specialized
+         * logic for determining its [brandValue]. The [Data.textValue] is very likely going to be
+         * a very different value.
+         */
+        data class Brand(
+            override val data: Data,
+            val brandValue: String?,
+        ) : Card()
     }
 
     /**

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/browser/BrowserThirdPartyAutoFillData.kt

@@ -6,7 +6,9 @@ package com.x8bit.bitwarden.data.autofill.model.browser
 data class BrowserThirdPartyAutoFillData(
     val isAvailable: Boolean,
     val isThirdPartyEnabled: Boolean,
-)
+) {
+    val isAvailableButDisabled: Boolean = isAvailable && !isThirdPartyEnabled
+}
 
 /**
  * The overall status for all relevant browsers.
@@ -15,4 +17,20 @@ data class BrowserThirdPartyAutofillStatus(
     val braveStableStatusData: BrowserThirdPartyAutoFillData,
     val chromeStableStatusData: BrowserThirdPartyAutoFillData,
     val chromeBetaChannelStatusData: BrowserThirdPartyAutoFillData,
-)
+) {
+    /**
+     * The total number of available browsers.
+     */
+    val availableCount: Int
+        get() = (if (braveStableStatusData.isAvailable) 1 else 0) +
+            (if (chromeStableStatusData.isAvailable) 1 else 0) +
+            (if (chromeBetaChannelStatusData.isAvailable) 1 else 0)
+
+    /**
+     * Whether any of the available browsers have third party autofill disabled.
+     */
+    val isAnyIsAvailableAndDisabled: Boolean
+        get() = braveStableStatusData.isAvailableButDisabled ||
+            chromeStableStatusData.isAvailableButDisabled ||
+            chromeBetaChannelStatusData.isAvailableButDisabled
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/parser/AutofillParserImpl.kt

@@ -135,7 +135,7 @@ class AutofillParserImpl(
 
         // Get inline information if available
         val isInlineAutofillEnabled = settingsRepository.isInlineAutofillEnabled
-        Timber.e("Autofill request isInlineEnabled=$isInlineAutofillEnabled -- ${fillRequest?.id}")
+        Timber.d("Autofill request isInlineEnabled=$isInlineAutofillEnabled -- ${fillRequest?.id}")
         val maxInlineSuggestionsCount = fillRequest.getMaxInlineSuggestionsCount(
             autofillAppInfo = autofillAppInfo,
             isInlineAutofillEnabled = isInlineAutofillEnabled,

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/provider/AutofillCipherProviderImpl.kt

@@ -1,11 +1,13 @@
 package com.x8bit.bitwarden.data.autofill.provider
 
+import com.bitwarden.network.model.PolicyTypeJson
 import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherListViewType
 import com.bitwarden.vault.CipherRepromptType
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.model.AutofillCipher
+import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.ciphermatching.CipherMatchingManager
 import com.x8bit.bitwarden.data.platform.util.firstWithTimeoutOrNull
 import com.x8bit.bitwarden.data.platform.util.subtitle
@@ -34,6 +36,7 @@ class AutofillCipherProviderImpl(
     private val authRepository: AuthRepository,
     private val cipherMatchingManager: CipherMatchingManager,
     private val vaultRepository: VaultRepository,
+    private val policyManager: PolicyManager,
 ) : AutofillCipherProvider {
     private val activeUserId: String? get() = authRepository.activeUserId
 
@@ -53,7 +56,9 @@ class AutofillCipherProviderImpl(
 
     override suspend fun getCardAutofillCiphers(): List<AutofillCipher.Card> {
         val cipherListViews = getUnlockedCipherListViewsOrNull() ?: return emptyList()
-
+        val organizationIdsWithCardTypeRestrictions = policyManager
+            .getActivePolicies(PolicyTypeJson.RESTRICT_ITEM_TYPES)
+            .map { it.organizationId }
         return cipherListViews
             .mapNotNull { cipherListView ->
                 cipherListView
@@ -64,7 +69,11 @@ class AutofillCipherProviderImpl(
                             // Must not be deleted.
                             it.deletedDate == null &&
                             // Must not require a reprompt.
-                            it.reprompt == CipherRepromptType.NONE
+                            it.reprompt == CipherRepromptType.NONE &&
+                            // Must not be restricted by organization.
+                            !it.isExcludedByOrgCardRestrictions(
+                                organizationIdsWithCardTypeRestrictions,
+                            )
                     }
                     ?.let { nonNullCipherListView ->
                         nonNullCipherListView.id?.let { cipherId ->
@@ -78,6 +87,7 @@ class AutofillCipherProviderImpl(
                                     expirationMonth = cipherView.card?.expMonth.orEmpty(),
                                     expirationYear = cipherView.card?.expYear.orEmpty(),
                                     number = cipherView.card?.number.orEmpty(),
+                                    brand = cipherView.card?.brand.orEmpty(),
                                 )
                             }
                         }
@@ -138,10 +148,33 @@ class AutofillCipherProviderImpl(
                 Timber.e("Cipher not found for autofill.")
                 null
             }
+
             is GetCipherResult.Failure -> {
                 Timber.e(result.error, "Failed to decrypt cipher for autofill.")
                 null
             }
+
             is GetCipherResult.Success -> result.cipherView
         }
+
+    /**
+     * Checks if this [CipherListView] item should be excluded from autofill due to
+     * organization-based card type restrictions.
+     *
+     * It's considered restricted if:
+     * 1. There are organizations with card type restrictions AND this item is a personal vault item
+     * (organizationId is null).
+     * 2. OR this item belongs to an organization that has card type restrictions.
+     */
+    private fun CipherListView.isExcludedByOrgCardRestrictions(
+        restrictingOrgIds: List<String>,
+    ): Boolean {
+        if (restrictingOrgIds.isEmpty()) {
+            return false
+        }
+        // If personal vault (no orgId), restricted if any org has restrictions.
+        return organizationId == null ||
+            // If part of an org, restricted if that org is in the restricting list.
+            organizationId in restrictingOrgIds
+    }
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillIntentUtils.kt

@@ -12,18 +12,19 @@ import android.service.autofill.Dataset
 import android.view.autofill.AutofillManager
 import androidx.core.os.bundleOf
 import com.bitwarden.annotation.OmitFromCoverage
-import com.x8bit.bitwarden.AutofillTotpCopyActivity
+import com.bitwarden.core.util.toPendingIntentMutabilityFlag
+import com.bitwarden.ui.platform.util.getSafeParcelableExtra
+import com.x8bit.bitwarden.AutofillCallbackActivity
 import com.x8bit.bitwarden.MainActivity
 import com.x8bit.bitwarden.data.autofill.model.AutofillAppInfo
+import com.x8bit.bitwarden.data.autofill.model.AutofillCallbackData
 import com.x8bit.bitwarden.data.autofill.model.AutofillSaveItem
 import com.x8bit.bitwarden.data.autofill.model.AutofillSelectionData
-import com.x8bit.bitwarden.data.autofill.model.AutofillTotpCopyData
-import com.bitwarden.ui.platform.util.getSafeParcelableExtra
 import kotlin.random.Random
 
 private const val AUTOFILL_SAVE_ITEM_DATA_KEY = "autofill-save-item-data"
 private const val AUTOFILL_SELECTION_DATA_KEY = "autofill-selection-data"
-private const val AUTOFILL_TOTP_COPY_DATA_KEY = "autofill-totp-copy-data"
+private const val AUTOFILL_CALLBACK_DATA_KEY = "autofill-callback-data"
 private const val AUTOFILL_BUNDLE_KEY = "autofill-bundle-key"
 
 /**
@@ -54,21 +55,21 @@ fun createAutofillSelectionIntent(
         }
 
 /**
- * Creates an [IntentSender] built with the data required for performing a TOTP copying during
- * the autofill flow.
+ * Creates an [IntentSender] built with the data required for performing an Autofill callback
+ * during the autofill flow.
  */
-fun createTotpCopyIntentSender(
+fun createAutofillCallbackIntentSender(
     cipherId: String,
     context: Context,
 ): IntentSender {
     val intent = Intent(
         context,
-        AutofillTotpCopyActivity::class.java,
+        AutofillCallbackActivity::class.java,
     )
         .putExtra(
             AUTOFILL_BUNDLE_KEY,
             bundleOf(
-                AUTOFILL_TOTP_COPY_DATA_KEY to AutofillTotpCopyData(cipherId = cipherId),
+                AUTOFILL_CALLBACK_DATA_KEY to AutofillCallbackData(cipherId = cipherId),
             ),
         )
     return PendingIntent
@@ -142,12 +143,12 @@ fun Intent.getAutofillSelectionDataOrNull(): AutofillSelectionData? =
         ?.getSafeParcelableExtra(AUTOFILL_SELECTION_DATA_KEY)
 
 /**
- * Checks if the given [Intent] contains data for TOTP copying. The [AutofillTotpCopyData] will be
+ * Checks if the given [Intent] contains Autofill callback data. The [AutofillCallbackData] will be
  * returned when present.
  */
-fun Intent.getTotpCopyIntentOrNull(): AutofillTotpCopyData? =
+fun Intent.getAutofillCallbackIntentOrNull(): AutofillCallbackData? =
     getBundleExtra(AUTOFILL_BUNDLE_KEY)
-        ?.getSafeParcelableExtra(AUTOFILL_TOTP_COPY_DATA_KEY)
+        ?.getSafeParcelableExtra(AUTOFILL_CALLBACK_DATA_KEY)
 
 /**
  * Checks if the given [Activity] was created for Autofill. This is useful to avoid locking the

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillPartitionExtensions.kt

@@ -9,16 +9,19 @@ import com.x8bit.bitwarden.data.autofill.model.AutofillView
 val AutofillPartition.Card.expirationMonthSaveValue: String?
     get() = this
         .views
-        .firstOrNull { it is AutofillView.Card.ExpirationMonth && it.monthValue != null }
-        ?.data
-        ?.textValue
+        .filterIsInstance<AutofillView.Card.ExpirationMonth>()
+        .firstOrNull { it.monthValue != null }
+        ?.monthValue
 
 /**
  * The text value representation of the year from the [AutofillPartition.Card].
  */
 val AutofillPartition.Card.expirationYearSaveValue: String?
     get() = this
-        .extractNonNullTextValueOrNull { it is AutofillView.Card.ExpirationYear }
+        .views
+        .filterIsInstance<AutofillView.Card.ExpirationYear>()
+        .firstOrNull { it.yearValue != null }
+        ?.yearValue
 
 /**
  * The text value representation of the card number from the [AutofillPartition.Card].
@@ -34,6 +37,24 @@ val AutofillPartition.Card.securityCodeSaveValue: String?
     get() = this
         .extractNonNullTextValueOrNull { it is AutofillView.Card.SecurityCode }
 
+/**
+ * The text value representation of the cardholder name from the [AutofillPartition.Card].
+ */
+val AutofillPartition.Card.cardholderNameSaveValue: String?
+    get() = this
+        .extractNonNullTextValueOrNull { it is AutofillView.Card.CardholderName }
+
+/**
+ * The text value representation of the brand from the [AutofillPartition.Card].
+ */
+val AutofillPartition.Card.brandSaveValue: String?
+    get() = this
+        .views
+        .filterIsInstance<AutofillView.Card.Brand>()
+        .firstOrNull { it.brandValue != null }
+        ?.brandValue
+        ?: this.extractNonNullTextValueOrNull { it is AutofillView.Card.Brand }
+
 /**
  * The text value representation of the password from the [AutofillPartition.Login].
  */

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillRequestExtensions.kt

@@ -11,10 +11,12 @@ fun AutofillRequest.Fillable.toAutofillSaveItem(): AutofillSaveItem =
     when (this.partition) {
         is AutofillPartition.Card -> {
             AutofillSaveItem.Card(
+                cardholderName = partition.cardholderNameSaveValue,
                 number = partition.numberSaveValue,
                 expirationMonth = partition.expirationMonthSaveValue,
                 expirationYear = partition.expirationYearSaveValue,
                 securityCode = partition.securityCodeSaveValue,
+                brand = partition.brandSaveValue,
             )
         }
 

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillValueExtensions.kt

@@ -35,3 +35,39 @@ fun AutofillValue.extractTextValue(): String? =
     } else {
         null
     }
+
+/**
+ * Extract a year value from this [AutofillValue].
+ */
+fun AutofillValue.extractYearValue(
+    autofillOptions: List<String>,
+): String? =
+    when {
+        this.isList && autofillOptions.isNotEmpty() -> {
+            autofillOptions.getOrNull(listValue)
+        }
+
+        this.isText -> {
+            this.textValue.toString()
+        }
+
+        else -> null
+    }
+
+/**
+ * Extract a card brand value from this [AutofillValue].
+ */
+fun AutofillValue.extractCardBrandValue(
+    autofillOptions: List<String>,
+): String? =
+    when {
+        this.isList && autofillOptions.isNotEmpty() -> {
+            autofillOptions.getOrNull(listValue)
+        }
+
+        this.isText -> {
+            this.textValue.toString()
+        }
+
+        else -> null
+    }

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillViewExtensions.kt

@@ -4,6 +4,8 @@ import android.view.View
 import android.view.autofill.AutofillValue
 import com.x8bit.bitwarden.data.autofill.model.AutofillView
 import com.x8bit.bitwarden.data.autofill.model.FilledItem
+import com.x8bit.bitwarden.ui.vault.model.VaultCardBrand
+import com.x8bit.bitwarden.ui.vault.model.findVaultCardBrandWithNameOrNull
 
 /**
  * Convert this [AutofillView] into a [FilledItem]. Return null if not possible.
@@ -11,29 +13,34 @@ import com.x8bit.bitwarden.data.autofill.model.FilledItem
 fun AutofillView.buildFilledItemOrNull(
     value: String,
 ): FilledItem? =
-    when (this.data.autofillType) {
-        View.AUTOFILL_TYPE_DATE -> {
-            value
-                .toLongOrNull()
-                ?.let { AutofillValue.forDate(it) }
-        }
+    // Do not try to autofill fields that are empty in the vault
+    if (value.isEmpty()) {
+        null
+    } else {
+        when (this.data.autofillType) {
+            View.AUTOFILL_TYPE_DATE -> {
+                value
+                    .toLongOrNull()
+                    ?.let { AutofillValue.forDate(it) }
+            }
 
-        View.AUTOFILL_TYPE_LIST -> this.buildListAutofillValueOrNull(value = value)
-        View.AUTOFILL_TYPE_TEXT -> AutofillValue.forText(value)
-        View.AUTOFILL_TYPE_TOGGLE -> {
-            value
-                .toBooleanStrictOrNull()
-                ?.let { AutofillValue.forToggle(it) }
-        }
+            View.AUTOFILL_TYPE_LIST -> this.buildListAutofillValueOrNull(value = value)
+            View.AUTOFILL_TYPE_TEXT -> AutofillValue.forText(value)
+            View.AUTOFILL_TYPE_TOGGLE -> {
+                value
+                    .toBooleanStrictOrNull()
+                    ?.let { AutofillValue.forToggle(it) }
+            }
 
-        else -> null
+            else -> null
+        }
+            ?.let { autofillValue ->
+                FilledItem(
+                    autofillId = this.data.autofillId,
+                    value = autofillValue,
+                )
+            }
     }
-        ?.let { autofillValue ->
-            FilledItem(
-                autofillId = this.data.autofillId,
-                value = autofillValue,
-            )
-        }
 
 /**
  * Build a list [AutofillValue] out of [value] or return null if not possible.
@@ -42,22 +49,50 @@ fun AutofillView.buildFilledItemOrNull(
 private fun AutofillView.buildListAutofillValueOrNull(
     value: String,
 ): AutofillValue? =
-    if (this is AutofillView.Card.ExpirationMonth) {
-        val autofillOptionsSize = this.data.autofillOptions.size
-        // The idea here is that `value` is a numerical representation of a month.
-        val monthIndex = value.toIntOrNull()
-        when {
-            monthIndex == null -> null
-            // We expect there is some placeholder or empty space at the beginning of the list.
-            autofillOptionsSize == 13 -> AutofillValue.forList(monthIndex)
-            autofillOptionsSize >= monthIndex -> AutofillValue.forList(monthIndex - 1)
-            else -> null
+    when (this) {
+        is AutofillView.Card.ExpirationMonth -> {
+            val autofillOptionsSize = this.data.autofillOptions.size
+            // The idea here is that `value` is a numerical representation of a month.
+            val monthIndex = value.toIntOrNull()
+            when {
+                monthIndex == null -> null
+                // We expect there is some placeholder or empty space at the beginning of the list.
+                autofillOptionsSize == 13 -> AutofillValue.forList(monthIndex)
+                autofillOptionsSize >= monthIndex -> AutofillValue.forList(monthIndex - 1)
+                else -> null
+            }
+        }
+
+        is AutofillView.Card.ExpirationYear -> {
+            val autofillOptions = this.data.autofillOptions
+            autofillOptions
+                .firstOrNull { it == value || it.takeLast(2) == value.takeLast(2) }
+                ?.let { AutofillValue.forList(autofillOptions.indexOf(it)) }
+        }
+
+        is AutofillView.Card.Brand -> {
+            value.findVaultCardBrandWithNameOrNull()
+                ?.takeUnless { it == VaultCardBrand.SELECT }
+                ?.let { vaultCardBrand ->
+                    this.data.autofillOptions
+                        .firstOrNull { it.findVaultCardBrandWithNameOrNull() == vaultCardBrand }
+                        ?.let { AutofillValue.forList(this.data.autofillOptions.indexOf(it)) }
+                }
+        }
+
+        is AutofillView.Card.CardholderName,
+        is AutofillView.Card.ExpirationDate,
+        is AutofillView.Card.Number,
+        is AutofillView.Card.SecurityCode,
+        is AutofillView.Login.Password,
+        is AutofillView.Login.Username,
+        is AutofillView.Unused,
+            -> {
+            this
+                .data
+                .autofillOptions
+                .indexOfFirst { it == value }
+                .takeIf { it != -1 }
+                ?.let { AutofillValue.forList(it) }
         }
-    } else {
-        this
-            .data
-            .autofillOptions
-            .indexOfFirst { it == value }
-            .takeIf { it != -1 }
-            ?.let { AutofillValue.forList(it) }
     }

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/CipherViewExtensions.kt

@@ -24,6 +24,7 @@ fun CipherView.toAutofillCipherProvider(): AutofillCipherProvider =
                     expirationMonth = card.expMonth.orEmpty(),
                     expirationYear = card.expYear.orEmpty(),
                     number = card.number.orEmpty(),
+                    brand = card.brand.orEmpty(),
                 ),
             )
         }

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/FilledDataExtensions.kt

@@ -9,6 +9,7 @@ import android.view.autofill.AutofillValue
 import android.widget.RemoteViews
 import android.widget.inline.InlinePresentationSpec
 import androidx.annotation.RequiresApi
+import com.bitwarden.core.util.toPendingIntentMutabilityFlag
 import com.x8bit.bitwarden.data.autofill.model.AutofillAppInfo
 import com.x8bit.bitwarden.data.autofill.model.AutofillPartition
 import com.x8bit.bitwarden.data.autofill.model.AutofillSelectionData

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/HtmlInfoExtensions.kt

@@ -1,53 +1,121 @@
+@file:Suppress("TooManyFunctions")
+
 package com.x8bit.bitwarden.data.autofill.util
 
 import android.view.ViewStructure.HtmlInfo
-import com.bitwarden.annotation.OmitFromCoverage
 
 /**
  * Whether this [HtmlInfo] represents a password field.
- *
- * This function is untestable as [HtmlInfo] contains [android.util.Pair] which requires
- * instrumentation testing.
  */
-@OmitFromCoverage
-fun HtmlInfo?.isPasswordField(): Boolean =
-    this
-        ?.let { htmlInfo ->
-            if (htmlInfo.isInputField) {
-                htmlInfo
-                    .attributes
-                    ?.any {
-                        it.first == "type" && it.second == "password"
-                    }
-            } else {
-                false
-            }
-        }
-        ?: false
+fun HtmlInfo?.isPasswordField(): Boolean = isInputField &&
+    hints().containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS)
 
 /**
  * Whether this [HtmlInfo] represents a username field.
+ */
+fun HtmlInfo?.isUsernameField(): Boolean = isInputField &&
+    hints().containsAnyTerms(SUPPORTED_RAW_USERNAME_HINTS)
+
+/**
+ * Whether this [HtmlInfo] represents a cardholder name field.
+ */
+fun HtmlInfo?.isCardholderNameField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARDHOLDER_NAME_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card number field.
+ */
+fun HtmlInfo?.isCardNumberField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARD_NUMBER_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card expiration month field.
+ */
+fun HtmlInfo?.isCardExpirationMonthField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card expiration year field.
+ */
+fun HtmlInfo?.isCardExpirationYearField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARD_EXP_YEAR_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card expiration date field.
+ */
+fun HtmlInfo?.isCardExpirationDateField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARD_EXP_DATE_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card security code field.
+ */
+fun HtmlInfo?.isCardSecurityCodeField(): Boolean = isInputField &&
+    hints().containsAnyPatterns(SUPPORTED_RAW_CARD_SECURITY_CODE_HINT_PATTERNS)
+
+/**
+ * Whether this [HtmlInfo] represents a card brand field.
+ */
+fun HtmlInfo?.isCardBrandField(): Boolean = isInputField &&
+    hints().containsAnyTerms(SUPPORTED_RAW_CARD_BRAND_HINTS)
+
+/**
+ * Attributes that can be used as hints to determine the type of data the associated node expects.
  *
  * This function is untestable as [HtmlInfo] contains [android.util.Pair] which requires
  * instrumentation testing.
+ *
+ * @see IGNORED_RAW_HINTS
+ * @see SUPPORTED_HTML_ATTRIBUTE_HINTS
  */
-@OmitFromCoverage
-fun HtmlInfo?.isUsernameField(): Boolean =
-    this
-        ?.let { htmlInfo ->
-            if (htmlInfo.isInputField) {
-                htmlInfo
-                    .attributes
-                    ?.any {
-                        it.first == "type" && it.second == "email"
-                    }
-            } else {
-                false
+fun HtmlInfo?.hints(): List<String> = this
+    ?.let { htmlInfo ->
+        htmlInfo
+            .attributes
+            // Filter out attributes with null values or values that match ignored raw hints
+            ?.filter { attribute ->
+                attribute.second != null &&
+                    !attribute.second.containsAnyTerms(IGNORED_RAW_HINTS)
             }
-        }
-        ?: false
+            // Filter attributes that match supported HTML attribute hints
+            ?.filter { attribute ->
+                attribute.first.containsAnyTerms(
+                    terms = SUPPORTED_HTML_ATTRIBUTE_HINTS,
+                    ignoreCase = true,
+                )
+            }
+            .orEmpty()
+            .mapNotNull { it.second }
+    }
+    .orEmpty()
 
 /**
  * Whether this [HtmlInfo] represents an input field.
  */
 val HtmlInfo?.isInputField: Boolean get() = this?.tag == "input"
+
+/**
+ * Checks if the list of strings contains any of the specified patterns.
+ */
+private fun List<String>.containsAnyPatterns(patterns: List<Regex>): Boolean = this
+    .any { string -> patterns.any { pattern -> string.matches(pattern) } }
+
+/**
+ * Checks if the list of strings contains any of the specified terms.
+ */
+private fun List<String>.containsAnyTerms(terms: List<String>): Boolean =
+    this.any { string ->
+        string
+            .toLowerCaseAndStripNonAlpha()
+            .containsAnyTerms(terms)
+    }
+
+/**
+ * The supported attribute keys whose value can represent an autofill hint.
+ */
+private val SUPPORTED_HTML_ATTRIBUTE_HINTS: List<String> = listOf(
+    "name",
+    "label",
+    "type",
+    "hint",
+    "autofill",
+)

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/IntExtensions.kt

@@ -1,9 +1,6 @@
 package com.x8bit.bitwarden.data.autofill.util
 
-import android.app.PendingIntent
-import android.os.Build
 import android.text.InputType
-import com.bitwarden.annotation.OmitFromCoverage
 
 /**
  * Whether this [Int] is a password [InputType].
@@ -32,15 +29,3 @@ val Int.isUsernameInputType: Boolean
  * Whether this [Int] contains [flag].
  */
 private fun Int.hasFlag(flag: Int): Boolean = (this and flag) == flag
-
-/**
- * Starting from an initial pending intent flag. (ex: [PendingIntent.FLAG_CANCEL_CURRENT])
- */
-@OmitFromCoverage
-fun Int.toPendingIntentMutabilityFlag(): Int =
-    // Mutable flag was added on API level 31
-    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
-        this or PendingIntent.FLAG_MUTABLE
-    } else {
-        this
-    }

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/StringExtensions.kt

@@ -16,3 +16,20 @@ fun String.containsAnyTerms(
             ignoreCase = ignoreCase,
         )
     }
+
+/**
+ * Check whether this string matches any of these [expressions].
+ */
+fun String.matchesAnyExpressions(
+    expressions: List<Regex>,
+): Boolean =
+    expressions.any {
+        this.matches(regex = it)
+    }
+
+/**
+ * Convert this [String] to lowercase and remove all non-alpha characters.
+ */
+fun String.toLowerCaseAndStripNonAlpha(): String = this
+    .lowercase()
+    .replace(Regex("[^a-z]"), "")

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/ViewNodeExtensions.kt

@@ -3,7 +3,9 @@ package com.x8bit.bitwarden.data.autofill.util
 import android.app.assist.AssistStructure
 import android.view.View
 import android.widget.EditText
+import androidx.annotation.VisibleForTesting
 import com.bitwarden.ui.platform.base.util.orNullIfBlank
+import com.x8bit.bitwarden.data.autofill.model.AutofillHint
 import com.x8bit.bitwarden.data.autofill.model.AutofillView
 
 /**
@@ -11,39 +13,13 @@ import com.x8bit.bitwarden.data.autofill.model.AutofillView
  */
 private const val DEFAULT_SCHEME: String = "https"
 
-/**
- * The set of raw autofill hints that should be ignored.
- */
-private val IGNORED_RAW_HINTS: List<String> = listOf(
-    "search",
-    "find",
-    "recipient",
-    "edit",
-)
-
-/**
- * The supported password autofill hints.
- */
-private val SUPPORTED_RAW_PASSWORD_HINTS: List<String> = listOf(
-    "password",
-    "pswd",
-)
-
-/**
- * The supported raw autofill hints.
- */
-private val SUPPORTED_RAW_USERNAME_HINTS: List<String> = listOf(
-    "email",
-    "phone",
-    "username",
-)
-
 /**
  * The supported autofill Android View hints.
  */
 private val SUPPORTED_VIEW_HINTS: List<String> = listOf(
     View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_MONTH,
     View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_YEAR,
+    View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_DATE,
     View.AUTOFILL_HINT_CREDIT_CARD_NUMBER,
     View.AUTOFILL_HINT_CREDIT_CARD_SECURITY_CODE,
     View.AUTOFILL_HINT_EMAIL_ADDRESS,
@@ -60,7 +36,7 @@ private val AssistStructure.ViewNode.isInputField: Boolean
             ?.let {
                 try {
                     Class.forName(it)
-                } catch (e: ClassNotFoundException) {
+                } catch (_: ClassNotFoundException) {
                     null
                 }
             }
@@ -78,11 +54,7 @@ fun AssistStructure.ViewNode.toAutofillView(): AutofillView? =
         .autofillId
         // We only care about nodes with a valid `AutofillId`.
         ?.let { nonNullAutofillId ->
-            val supportedHint = this
-                .autofillHints
-                ?.firstOrNull { SUPPORTED_VIEW_HINTS.contains(it) }
-
-            if (supportedHint != null || this.isInputField) {
+            if (supportedAutofillHint != null || this.isInputField) {
                 val autofillOptions = this
                     .autofillOptions
                     .orEmpty()
@@ -99,22 +71,65 @@ fun AssistStructure.ViewNode.toAutofillView(): AutofillView? =
                 buildAutofillView(
                     autofillOptions = autofillOptions,
                     autofillViewData = autofillViewData,
-                    supportedHint = supportedHint,
+                    autofillHint = supportedAutofillHint,
                 )
             } else {
                 null
             }
         }
 
+/**
+ * The first supported autofill hint for this view node, or null if none are found.
+ */
+private val AssistStructure.ViewNode.supportedAutofillHint: AutofillHint?
+    get() = firstSupportedAutofillHintOrNull()
+        ?: when {
+            this.isUsernameField -> AutofillHint.USERNAME
+            this.isPasswordField -> AutofillHint.PASSWORD
+            this.isCardExpirationMonthField -> AutofillHint.CARD_EXPIRATION_MONTH
+            this.isCardExpirationYearField -> AutofillHint.CARD_EXPIRATION_YEAR
+            this.isCardExpirationDateField -> AutofillHint.CARD_EXPIRATION_DATE
+            this.isCardNumberField -> AutofillHint.CARD_NUMBER
+            this.isCardSecurityCodeField -> AutofillHint.CARD_SECURITY_CODE
+            this.isCardholderNameField -> AutofillHint.CARD_CARDHOLDER
+            this.isCardBrandField -> AutofillHint.CARD_BRAND
+            else -> null
+        }
+
+/**
+ * Get the first supported autofill hint from the view node's autofillHints, or null if none are
+ * found.
+ */
+private fun AssistStructure.ViewNode.firstSupportedAutofillHintOrNull(): AutofillHint? =
+    autofillHints
+        ?.firstOrNull { SUPPORTED_VIEW_HINTS.contains(it) }
+        ?.toBitwardenAutofillHintOrNull()
+
+private fun String.toBitwardenAutofillHintOrNull(): AutofillHint? =
+    when (this) {
+        View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_MONTH -> AutofillHint.CARD_EXPIRATION_MONTH
+        View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_YEAR -> AutofillHint.CARD_EXPIRATION_YEAR
+        View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_DATE -> AutofillHint.CARD_EXPIRATION_DATE
+        View.AUTOFILL_HINT_CREDIT_CARD_NUMBER -> AutofillHint.CARD_NUMBER
+        View.AUTOFILL_HINT_CREDIT_CARD_SECURITY_CODE -> AutofillHint.CARD_SECURITY_CODE
+        View.AUTOFILL_HINT_PASSWORD -> AutofillHint.PASSWORD
+        View.AUTOFILL_HINT_EMAIL_ADDRESS,
+        View.AUTOFILL_HINT_USERNAME,
+            -> AutofillHint.USERNAME
+
+        else -> null
+    }
+
 /**
  * Attempt to convert this [AssistStructure.ViewNode] and [autofillViewData] into an [AutofillView].
  */
+@Suppress("LongMethod")
 private fun AssistStructure.ViewNode.buildAutofillView(
     autofillOptions: List<String>,
     autofillViewData: AutofillView.Data,
-    supportedHint: String?,
-): AutofillView = when {
-    supportedHint == View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_MONTH -> {
+    autofillHint: AutofillHint?,
+): AutofillView = when (autofillHint) {
+    AutofillHint.CARD_EXPIRATION_MONTH -> {
         val monthValue = this
             .autofillValue
             ?.extractMonthValue(
@@ -127,37 +142,67 @@ private fun AssistStructure.ViewNode.buildAutofillView(
         )
     }
 
-    supportedHint == View.AUTOFILL_HINT_CREDIT_CARD_EXPIRATION_YEAR -> {
+    AutofillHint.CARD_EXPIRATION_YEAR -> {
+        val yearValue = this
+            .autofillValue
+            ?.extractYearValue(
+                autofillOptions = autofillOptions,
+            )
+
         AutofillView.Card.ExpirationYear(
             data = autofillViewData,
+            yearValue = yearValue,
+        )
+    }
+
+    AutofillHint.CARD_EXPIRATION_DATE -> {
+        AutofillView.Card.ExpirationDate(
+            data = autofillViewData,
         )
     }
 
-    supportedHint == View.AUTOFILL_HINT_CREDIT_CARD_NUMBER -> {
+    AutofillHint.CARD_NUMBER -> {
         AutofillView.Card.Number(
             data = autofillViewData,
         )
     }
 
-    supportedHint == View.AUTOFILL_HINT_CREDIT_CARD_SECURITY_CODE -> {
+    AutofillHint.CARD_SECURITY_CODE -> {
         AutofillView.Card.SecurityCode(
             data = autofillViewData,
         )
     }
 
-    this.isPasswordField(supportedHint) -> {
+    AutofillHint.CARD_CARDHOLDER -> {
+        AutofillView.Card.CardholderName(
+            data = autofillViewData,
+        )
+    }
+
+    AutofillHint.PASSWORD -> {
         AutofillView.Login.Password(
             data = autofillViewData,
         )
     }
 
-    this.isUsernameField(supportedHint) -> {
+    AutofillHint.USERNAME -> {
         AutofillView.Login.Username(
             data = autofillViewData,
         )
     }
 
-    else -> {
+    AutofillHint.CARD_BRAND -> {
+        val brandValue = this.autofillValue
+            ?.extractCardBrandValue(
+                autofillOptions = autofillOptions,
+            )
+        AutofillView.Card.Brand(
+            data = autofillViewData,
+            brandValue = brandValue,
+        )
+    }
+
+    null -> {
         AutofillView.Unused(
             data = autofillViewData,
         )
@@ -167,41 +212,117 @@ private fun AssistStructure.ViewNode.buildAutofillView(
 /**
  * Check whether this [AssistStructure.ViewNode] represents a password field.
  */
-fun AssistStructure.ViewNode.isPasswordField(
-    supportedHint: String?,
-): Boolean {
-    if (supportedHint == View.AUTOFILL_HINT_PASSWORD) return true
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isPasswordField: Boolean
+    get() {
+        val isUsernameField = this.isUsernameField
+        if (
+            this.inputType.isPasswordInputType &&
+            !this.containsIgnoredHintTerms() &&
+            !isUsernameField
+        ) {
+            return true
+        }
 
-    val isInvalidField = this.idEntry?.containsAnyTerms(IGNORED_RAW_HINTS) == true ||
-        this.hint?.containsAnyTerms(IGNORED_RAW_HINTS) == true
-    val isUsernameField = this.isUsernameField(supportedHint)
-    if (this.inputType.isPasswordInputType && !isInvalidField && !isUsernameField) return true
-
-    return this
-        .htmlInfo
-        .isPasswordField()
-}
+        return hint?.containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS) == true ||
+            htmlInfo.isPasswordField()
+    }
 
 /**
  * Check whether this [AssistStructure.ViewNode] includes any password specific terms.
  */
-fun AssistStructure.ViewNode.hasPasswordTerms(): Boolean =
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal fun AssistStructure.ViewNode.hasPasswordTerms(): Boolean =
     this.idEntry?.containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS) == true ||
-        this.hint?.containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS) == true
+        this.hint?.containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS) == true ||
+        this.htmlInfo.hints().any { it.containsAnyTerms(SUPPORTED_RAW_PASSWORD_HINTS) }
 
 /**
  * Check whether this [AssistStructure.ViewNode] represents a username field.
  */
-fun AssistStructure.ViewNode.isUsernameField(
-    supportedHint: String?,
-): Boolean =
-    supportedHint == View.AUTOFILL_HINT_USERNAME ||
-        supportedHint == View.AUTOFILL_HINT_EMAIL_ADDRESS ||
-        inputType.isUsernameInputType ||
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isUsernameField: Boolean
+    get() = inputType.isUsernameInputType ||
         idEntry?.containsAnyTerms(SUPPORTED_RAW_USERNAME_HINTS) == true ||
         hint?.containsAnyTerms(SUPPORTED_RAW_USERNAME_HINTS) == true ||
         htmlInfo.isUsernameField()
 
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card expiration month field.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardExpirationMonthField: Boolean
+    get() = idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS) == true ||
+        hint?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS) == true ||
+        htmlInfo.isCardExpirationMonthField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card expiration year field.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardExpirationYearField: Boolean
+    get() = idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_YEAR_HINT_PATTERNS) == true ||
+        hint?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_YEAR_HINT_PATTERNS) == true ||
+        htmlInfo.isCardExpirationYearField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card expiration date field.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardExpirationDateField: Boolean
+    get() = idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_DATE_HINT_PATTERNS) == true ||
+        hint?.matchesAnyExpressions(SUPPORTED_RAW_CARD_EXP_DATE_HINT_PATTERNS) == true ||
+        htmlInfo.isCardExpirationDateField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card number field based.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardNumberField: Boolean
+    get() = idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARD_NUMBER_HINT_PATTERNS) == true ||
+        hint?.matchesAnyExpressions(SUPPORTED_RAW_CARD_NUMBER_HINT_PATTERNS) == true ||
+        htmlInfo.isCardNumberField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card security code field based.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardSecurityCodeField: Boolean
+    get() =
+        idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARD_SECURITY_CODE_HINT_PATTERNS) == true ||
+            hint?.matchesAnyExpressions(SUPPORTED_RAW_CARD_SECURITY_CODE_HINT_PATTERNS) == true ||
+            htmlInfo.isCardSecurityCodeField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a cardholder name field based.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardholderNameField: Boolean
+    get() = idEntry?.matchesAnyExpressions(SUPPORTED_RAW_CARDHOLDER_NAME_HINT_PATTERNS) == true ||
+        hint?.matchesAnyExpressions(SUPPORTED_RAW_CARDHOLDER_NAME_HINT_PATTERNS) == true ||
+        htmlInfo.isCardholderNameField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] represents a card brand field.
+ */
+@VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+internal val AssistStructure.ViewNode.isCardBrandField: Boolean
+    get() = idEntry
+        ?.toLowerCaseAndStripNonAlpha()
+        ?.containsAnyTerms(SUPPORTED_RAW_CARD_BRAND_HINTS) == true ||
+        hint
+            ?.toLowerCaseAndStripNonAlpha()
+            ?.containsAnyTerms(SUPPORTED_RAW_CARD_BRAND_HINTS) == true ||
+        htmlInfo.isCardBrandField()
+
+/**
+ * Check whether this [AssistStructure.ViewNode] contains any ignored hint terms.
+ */
+private fun AssistStructure.ViewNode.containsIgnoredHintTerms(): Boolean =
+    this.idEntry?.containsAnyTerms(IGNORED_RAW_HINTS) == true ||
+        this.hint?.containsAnyTerms(IGNORED_RAW_HINTS) == true ||
+        this.htmlInfo.hints().any { it.containsAnyTerms(IGNORED_RAW_HINTS) }
+
 /**
  * The website that this [AssistStructure.ViewNode] is a part of representing.
  */

app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/ViewStructureUtils.kt

@@ -0,0 +1,149 @@
+package com.x8bit.bitwarden.data.autofill.util
+
+/**
+ * The set of raw autofill hints that should be ignored.
+ */
+val IGNORED_RAW_HINTS: List<String> = listOf(
+    "search",
+    "find",
+    "recipient",
+    "edit",
+)
+
+/**
+ * The supported password autofill hints.
+ */
+val SUPPORTED_RAW_PASSWORD_HINTS: List<String> = listOf(
+    "password",
+    "pswd",
+)
+
+/**
+ * The supported raw autofill hints.
+ */
+val SUPPORTED_RAW_USERNAME_HINTS: List<String> = listOf(
+    "email",
+    "phone",
+    "username",
+)
+
+/**
+ * Matches common patterns for cardholder name hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - `(?:cc|card)[\\s_-](?:name|cardholder).*`: Matches "cc" or "card" followed by a space,
+ * underscore, or hyphen, then "name" or "cardholder", and finally any characters. This covers
+ * variations like "cc name", "card_cardholder", "credit-card-name something else".
+ * - `|`: OR operator, allowing for an alternative pattern.
+ * - `name[\\s_-]on[\\s_-]card`: Matches "name" followed by a space, underscore, or hyphen, then
+ * "on", another space, underscore, or hyphen, and finally "card". This covers phrases like "name on
+ * card" or "name_on_card".
+ * - `\b`: Word boundary to ensure we match whole words.
+ */
+val SUPPORTED_RAW_CARDHOLDER_NAME_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:cc|card)[\\s_-](?:name|cardholder).*\\b".toRegex(),
+    "\\b(?i)name[\\s_-]on[\\s_-]card\\b".toRegex(),
+)
+
+/**
+ * Matches common patterns for card number hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - `(?:cc|card)`: Matches "cc" or "card".
+ * - `[\\s_-]number`: Matches "number" preceded by a space, underscore, or hyphen.
+ * - `\b`: Word boundary to ensure we match whole words.
+ */
+val SUPPORTED_RAW_CARD_NUMBER_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:cc|card)[\\s_-]number\\b".toRegex(),
+)
+
+/**
+ * Matches common patterns for card expiration month hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - `(?:cc|card)`: Matches "cc" or "card".
+ * - `[\\s_-]exp[\\s_-]month`: Matches "exp" followed by a space, underscore, or hyphen, then
+ * "month".
+ * - `\b`: Word boundary to ensure we match whole words.
+ *
+ * Examples:
+ * - "credit card exp month"
+ * - "cc_exp_month"
+ * - "card-exp-month"
+ */
+val SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:(cc|card)[\\s_-])?(?:exp|expiration|expiry)[\\s_-]month\\b"
+        .toRegex(),
+)
+
+/**
+ * Matches common patterns for card expiration year hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - `(?:cc|card)`: Matches "cc" or "card".
+ * - `[\\s_-]exp[\\s_-]year`: Matches "exp" followed by a space, underscore, or hyphen, then "year".
+ * - `\b`: Word boundary to ensure we match whole words.
+ *
+ * Similar to [SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS], but for "year" instead of "month".
+ * @see SUPPORTED_RAW_CARD_EXP_MONTH_HINT_PATTERNS
+ */
+val SUPPORTED_RAW_CARD_EXP_YEAR_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:(cc|card)[\\s_-])?(?:exp|expiration|expiry)[\\s_-]year\\b"
+        .toRegex(),
+)
+
+/**
+ * Matches common patterns for card expiration date hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - `(?:cc|card)`: Matches "cc" or "card".
+ * - `[\\s_-]exp[\\s_-]date`: Matches "exp" followed by a space, underscore, or hyphen, then "date".
+ * - `.*`: Matches any characters following "date" (e.g., "MM/YY", "month/year").
+ * - `\b`: Word boundary to ensure we match whole words.
+ *
+ * Examples:
+ * - "credit card exp date"
+ * - "cc_exp_date_mm_yy"
+ * - "card-exp-date month/year"
+ */
+val SUPPORTED_RAW_CARD_EXP_DATE_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:(cc|card)[\\s_-])?(?:exp|expiration|expiry)[\\s_-]date\\b"
+        .toRegex(),
+)
+
+/**
+ * Matches common patterns for card security code hints.
+ * - `\b(?i)`: Case-insensitive word boundary to ensure we match whole words.
+ * - `(?:credit[\\s_-])?`: Optionally matches "credit" followed by a space, underscore, or hyphen.
+ * - The first pattern `(?:cc|card[\\s_-])(cvc|cvv)\b`:
+ *    - `(?:cc|card[\\s_-])`: Matches "cc" or "card" followed by a space, underscore, or hyphen.
+ *    - `(cvc|cvv)\b`: Matches "cvc" or "cvv" followed by a word boundary.
+ * - The second pattern `(?:cc|card)(?:[\\s_-]verification)?([\\s_-]code)\b`:
+ *    - `(?:cc|card)`: Matches "cc" or "card".
+ *    - `(?:[\\s_-]verification)?`: Optionally matches "verification" preceded by a space,
+ *    underscore, or hyphen.
+ * - `([\\s_-]code)\b`: Matches "code" preceded by a space, underscore, or hyphen, and
+ * followed by a word boundary.
+ *
+ * Examples:
+ * - "credit card cvc"
+ * - "cc_verification_code"
+ * - "card-code"
+ */
+val SUPPORTED_RAW_CARD_SECURITY_CODE_HINT_PATTERNS: List<Regex> = listOf(
+    "\\b(?i)(?:credit[\\s_-])?(?:cc|card[\\s_-])?(cvc|cvv)2?\\b".toRegex(),
+    "\\b(?i)(?:credit[\\s_-])?(?:cc|card)(?:[\\s_-](?:verification|security))?([\\s_-]code)\\b"
+        .toRegex(),
+)
+
+/**
+ * The supported card brand autofill hints.
+ */
+val SUPPORTED_RAW_CARD_BRAND_HINTS: List<String> = listOf(
+    "cctype",
+    "creditcardtype",
+    "cardtype",
+    "cardbrand",
+    "creditcardbrand",
+    "ccbrand",
+)

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/builder/CredentialEntryBuilderImpl.kt

@@ -12,22 +12,16 @@ import com.bitwarden.ui.platform.resource.BitwardenDrawable
 import com.bitwarden.ui.platform.resource.BitwardenString
 import com.bitwarden.vault.CipherListView
 import com.x8bit.bitwarden.data.autofill.util.login
-import com.x8bit.bitwarden.data.credentials.processor.GET_PASSKEY_INTENT
-import com.x8bit.bitwarden.data.credentials.processor.GET_PASSWORD_INTENT
+import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManager
 import com.x8bit.bitwarden.data.credentials.util.setBiometricPromptDataIfSupported
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
-import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
-import kotlin.random.Random
 
 /**
  * Primary implementation of [CredentialEntryBuilder].
  */
 class CredentialEntryBuilderImpl(
     private val context: Context,
-    private val intentManager: IntentManager,
-    private val featureFlagManager: FeatureFlagManager,
+    private val pendingIntentManager: CredentialManagerPendingIntentManager,
     private val biometricsEncryptionManager: BiometricsEncryptionManager,
 ) : CredentialEntryBuilder {
 
@@ -72,15 +66,12 @@ class CredentialEntryBuilderImpl(
                     context = context,
                     username = fido2AutofillView.userNameForUi
                         ?: context.getString(BitwardenString.no_username),
-                    pendingIntent = intentManager
-                        .createFido2GetCredentialPendingIntent(
-                            action = GET_PASSKEY_INTENT,
-                            userId = userId,
-                            credentialId = fido2AutofillView.credentialId.toString(),
-                            cipherId = fido2AutofillView.cipherId,
-                            isUserVerified = isUserVerified,
-                            requestCode = Random.nextInt(),
-                        ),
+                    pendingIntent = pendingIntentManager.createFido2GetCredentialPendingIntent(
+                        userId = userId,
+                        credentialId = fido2AutofillView.credentialId.toString(),
+                        cipherId = fido2AutofillView.cipherId,
+                        isUserVerified = isUserVerified,
+                    ),
                     beginGetPublicKeyCredentialOption = option,
                 )
                 .setIcon(
@@ -91,10 +82,7 @@ class CredentialEntryBuilderImpl(
                 .also { builder ->
                     if (!isUserVerified) {
                         builder.setBiometricPromptDataIfSupported(
-                            cipher = biometricsEncryptionManager
-                                .getOrCreateCipher(userId),
-                            isSingleTapAuthEnabled = featureFlagManager
-                                .getFeatureFlag(FlagKey.SingleTapPasskeyAuthentication),
+                            cipher = biometricsEncryptionManager.getOrCreateCipher(userId),
                         )
                     }
                 }
@@ -112,14 +100,11 @@ class CredentialEntryBuilderImpl(
                     context = context,
                     username = cipherView.login?.username
                         ?: context.getString(BitwardenString.no_username),
-                    pendingIntent = intentManager
-                        .createPasswordGetCredentialPendingIntent(
-                            action = GET_PASSWORD_INTENT,
-                            userId = userId,
-                            cipherId = cipherView.id,
-                            isUserVerified = isUserVerified,
-                            requestCode = Random.nextInt(),
-                        ),
+                    pendingIntent = pendingIntentManager.createPasswordGetCredentialPendingIntent(
+                        userId = userId,
+                        cipherId = cipherView.id,
+                        isUserVerified = isUserVerified,
+                    ),
                     beginGetPasswordOption = option,
                 )
                 .setDisplayName(cipherView.name)

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/di/CredentialProviderModule.kt

@@ -12,6 +12,8 @@ import com.x8bit.bitwarden.data.credentials.builder.CredentialEntryBuilderImpl
 import com.x8bit.bitwarden.data.credentials.datasource.disk.PrivilegedAppDiskSource
 import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
 import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManagerImpl
+import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManager
+import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManagerImpl
 import com.x8bit.bitwarden.data.credentials.manager.OriginManager
 import com.x8bit.bitwarden.data.credentials.manager.OriginManagerImpl
 import com.x8bit.bitwarden.data.credentials.parser.RelyingPartyParser
@@ -22,11 +24,9 @@ import com.x8bit.bitwarden.data.credentials.repository.PrivilegedAppRepository
 import com.x8bit.bitwarden.data.credentials.repository.PrivilegedAppRepositoryImpl
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.ciphermatching.CipherMatchingManager
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
-import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -51,20 +51,18 @@ object CredentialProviderModule {
         authRepository: AuthRepository,
         bitwardenCredentialManager: BitwardenCredentialManager,
         dispatcherManager: DispatcherManager,
-        intentManager: IntentManager,
+        pendingIntentManager: CredentialManagerPendingIntentManager,
         biometricsEncryptionManager: BiometricsEncryptionManager,
-        featureFlagManager: FeatureFlagManager,
         clock: Clock,
     ): CredentialProviderProcessor =
         CredentialProviderProcessorImpl(
-            context,
-            authRepository,
-            bitwardenCredentialManager,
-            intentManager,
-            clock,
-            biometricsEncryptionManager,
-            featureFlagManager,
-            dispatcherManager,
+            context = context,
+            authRepository = authRepository,
+            bitwardenCredentialManager = bitwardenCredentialManager,
+            pendingIntentManager = pendingIntentManager,
+            clock = clock,
+            biometricsEncryptionManager = biometricsEncryptionManager,
+            dispatcherManager = dispatcherManager,
         )
 
     @Provides
@@ -94,26 +92,22 @@ object CredentialProviderModule {
         assetManager: AssetManager,
         digitalAssetLinkService: DigitalAssetLinkService,
         privilegedAppRepository: PrivilegedAppRepository,
-        featureFlagManager: FeatureFlagManager,
     ): OriginManager =
         OriginManagerImpl(
             assetManager = assetManager,
             digitalAssetLinkService = digitalAssetLinkService,
             privilegedAppRepository = privilegedAppRepository,
-            featureFlagManager = featureFlagManager,
         )
 
     @Provides
     @Singleton
     fun provideCredentialEntryBuilder(
         @ApplicationContext context: Context,
-        intentManager: IntentManager,
-        featureFlagManager: FeatureFlagManager,
+        pendingIntentManager: CredentialManagerPendingIntentManager,
         biometricsEncryptionManager: BiometricsEncryptionManager,
     ): CredentialEntryBuilder = CredentialEntryBuilderImpl(
         context = context,
-        intentManager = intentManager,
-        featureFlagManager = featureFlagManager,
+        pendingIntentManager = pendingIntentManager,
         biometricsEncryptionManager = biometricsEncryptionManager,
     )
 
@@ -136,4 +130,13 @@ object CredentialProviderModule {
     fun provideRelyingPartyParser(
         json: Json,
     ): RelyingPartyParser = RelyingPartyParserImpl(json)
+
+    @Provides
+    @Singleton
+    fun provideCredentialManagerPendingIntentManager(
+        @ApplicationContext context: Context,
+    ): CredentialManagerPendingIntentManager =
+        CredentialManagerPendingIntentManagerImpl(
+            context = context,
+        )
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.credentials.manager
 
+import android.util.Base64
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
 import androidx.credentials.exceptions.GetCredentialUnknownException
@@ -15,6 +16,7 @@ import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.decodeFromStringOrNull
 import com.bitwarden.data.manager.DispatcherManager
 import com.bitwarden.fido.ClientData
+import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.fido.Origin
 import com.bitwarden.fido.UnverifiedAssetLink
 import com.bitwarden.sdk.Fido2CredentialStore
@@ -24,7 +26,6 @@ import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.autofill.util.isActiveWithCopyablePassword
 import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
-import com.x8bit.bitwarden.data.autofill.util.login
 import com.x8bit.bitwarden.data.credentials.builder.CredentialEntryBuilder
 import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionResult
 import com.x8bit.bitwarden.data.credentials.model.Fido2RegisterCredentialResult
@@ -41,7 +42,6 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.model.AuthenticateFido2Cred
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.RegisterFido2CredentialRequest
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidAttestationResponse
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidFido2PublicKeyCredential
-import com.x8bit.bitwarden.data.vault.manager.model.GetCipherResult
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.flow.fold
@@ -207,8 +207,6 @@ class BitwardenCredentialManagerImpl(
             .beginGetPublicKeyCredentialOptions
             .toPublicKeyCredentialEntries(
                 userId = getCredentialsRequest.userId,
-                cipherListViews = cipherListViews
-                    .filter { it.isActiveWithFido2Credentials },
             )
             .onFailure { Timber.e(it, "Failed to get FIDO 2 credential entries.") }
 
@@ -225,65 +223,72 @@ class BitwardenCredentialManagerImpl(
 
     private suspend fun List<BeginGetPublicKeyCredentialOption>.toPublicKeyCredentialEntries(
         userId: String,
-        cipherListViews: List<CipherListView>,
     ): Result<List<CredentialEntry>> {
         if (this.isEmpty()) return emptyList<CredentialEntry>().asSuccess()
+        val assertionOptions = this
+            .mapNotNull { getPasskeyAssertionOptionsOrNull(it.requestJson) }
+            .ifEmpty {
+                return GetCredentialUnknownException(
+                    "Passkey assertion options required.",
+                )
+                    .asFailure()
+            }
 
-        val relyingPartyIds = this
-            .mapNotNull { getPasskeyAssertionOptionsOrNull(it.requestJson)?.relyingPartyId }
-            .distinct()
+        val relyingPartyIds = assertionOptions
+            .mapNotNull { it.relyingPartyId }
+            .toSet()
             .ifEmpty {
                 return GetCredentialUnknownException("Relying party id required.").asFailure()
             }
 
-        val cipherViews = cipherListViews
-            .filter { cipherListView ->
-                cipherListView.login
-                    ?.fido2Credentials
+        val allowedCredentials = assertionOptions
+            .flatMap { option ->
+                option
+                    .allowCredentials
+                    ?.map { it.id }
                     .orEmpty()
-                    .any { credential -> credential.rpId in relyingPartyIds }
             }
-            .mapNotNull { cipherListView ->
-                when (val result = vaultRepository.getCipher(cipherListView.id.orEmpty())) {
-                    GetCipherResult.CipherNotFound -> {
-                        Timber.e("Cipher not found while building public key credential entries.")
-                        null
-                    }
 
-                    is GetCipherResult.Failure -> {
-                        Timber.e(
-                            result.error,
-                            "Failed to decrypt cipher while building credential entries.",
-                        )
-                        null
-                    }
-
-                    is GetCipherResult.Success -> result.cipherView
-                }
+        val discoveredCredentials = relyingPartyIds
+            .flatMap { relyingPartyId ->
+                vaultSdkSource
+                    .silentlyDiscoverCredentials(
+                        userId = userId,
+                        fido2CredentialStore = fido2CredentialStore,
+                        relyingPartyId = relyingPartyId,
+                    )
+                    .fold(
+                        onSuccess = { it },
+                        onFailure = {
+                            Timber.e(it, "Failed to discover credentials.")
+                            emptyList()
+                        },
+                    )
             }
-            .toTypedArray()
-            .ifEmpty { return emptyList<CredentialEntry>().asSuccess() }
+            .filterAllowedCredentialsIfNecessary(allowedCredentials)
 
-        return vaultSdkSource
-            .decryptFido2CredentialAutofillViews(
+        return credentialEntryBuilder
+            .buildPublicKeyCredentialEntries(
                 userId = userId,
-                cipherViews = cipherViews,
-            )
-            .fold(
-                onSuccess = { fido2AutofillViews ->
-                    credentialEntryBuilder
-                        .buildPublicKeyCredentialEntries(
-                            userId = userId,
-                            fido2CredentialAutofillViews = fido2AutofillViews,
-                            beginGetPublicKeyCredentialOptions = this,
-                            isUserVerified = isUserVerified,
-                        )
-                        .asSuccess()
-                },
-                onFailure = {
-                    GetCredentialUnknownException("Error decrypting credentials.").asFailure()
-                },
+                fido2CredentialAutofillViews = discoveredCredentials,
+                beginGetPublicKeyCredentialOptions = this,
+                isUserVerified = isUserVerified,
             )
+            .asSuccess()
+    }
+
+    private fun List<Fido2CredentialAutofillView>.filterAllowedCredentialsIfNecessary(
+        allowedCredentialIds: List<String>,
+    ): List<Fido2CredentialAutofillView> = if (allowedCredentialIds.isEmpty()) {
+        this
+    } else {
+        this.filter {
+            Base64
+                .encodeToString(
+                    it.credentialId,
+                    Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING,
+                ) in allowedCredentialIds
+        }
     }
 
     private suspend fun registerFido2CredentialForUnprivilegedApp(

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/CredentialManagerPendingIntentManager.kt

@@ -0,0 +1,69 @@
+package com.x8bit.bitwarden.data.credentials.manager
+
+import android.app.PendingIntent
+
+/**
+ * Key for the user id included in Credential provider "create entries".
+ *
+ * @see CredentialManagerPendingIntentManager.createFido2CreationPendingIntent
+ */
+const val EXTRA_KEY_USER_ID: String = "user_id"
+
+/**
+ * Key for the credential id included in FIDO 2 provider "get entries".
+ *
+ * @see CredentialManagerPendingIntentManager.createFido2GetCredentialPendingIntent
+ */
+const val EXTRA_KEY_CREDENTIAL_ID: String = "credential_id"
+
+/**
+ * Key for the cipher id included in FIDO 2 provider "get entries".
+ *
+ * @see CredentialManagerPendingIntentManager.createFido2GetCredentialPendingIntent
+ */
+const val EXTRA_KEY_CIPHER_ID: String = "cipher_id"
+
+/**
+ * Key for the user verification performed during vault unlock while
+ * processing a Credential request.
+ */
+const val EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK: String = "uv_performed_during_unlock"
+
+/**
+ * A manager class for creating pending intents used in credential management operations.
+ */
+interface CredentialManagerPendingIntentManager {
+
+    /**
+     * Creates a pending intent to use when providing options for FIDO 2 credential creation.
+     */
+    fun createFido2CreationPendingIntent(
+        userId: String,
+    ): PendingIntent
+
+    /**
+     * Creates a pending intent to use when providing options for FIDO 2 credential filling.
+     */
+    fun createFido2GetCredentialPendingIntent(
+        userId: String,
+        credentialId: String,
+        cipherId: String,
+        isUserVerified: Boolean,
+    ): PendingIntent
+
+    /**
+     * Creates a pending intent to use when providing unlock options for FIDO 2 credential filling.
+     */
+    fun createFido2UnlockPendingIntent(
+        userId: String,
+    ): PendingIntent
+
+    /**
+     * Creates a pending intent to use when providing options for Password credential filling.
+     */
+    fun createPasswordGetCredentialPendingIntent(
+        userId: String,
+        cipherId: String?,
+        isUserVerified: Boolean,
+    ): PendingIntent
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/CredentialManagerPendingIntentManagerImpl.kt

@@ -0,0 +1,104 @@
+package com.x8bit.bitwarden.data.credentials.manager
+
+import android.app.PendingIntent
+import android.content.Context
+import android.content.Intent
+import com.bitwarden.annotation.OmitFromCoverage
+import com.bitwarden.core.util.toPendingIntentMutabilityFlag
+import kotlin.random.Random
+
+/**
+ * Primary implementation of [CredentialManagerPendingIntentManager].
+ */
+@OmitFromCoverage
+class CredentialManagerPendingIntentManagerImpl(
+    private val context: Context,
+) : CredentialManagerPendingIntentManager {
+
+    /**
+     * Creates a pending intent to use when providing options for FIDO 2 credential creation.
+     */
+    override fun createFido2CreationPendingIntent(
+        userId: String,
+    ): PendingIntent {
+        val intent = Intent(CREATE_PASSKEY_ACTION)
+            .setPackage(context.packageName)
+            .putExtra(EXTRA_KEY_USER_ID, userId)
+
+        return PendingIntent.getActivity(
+            /* context = */ context,
+            /* requestCode = */ Random.nextInt(),
+            /* intent = */ intent,
+            /* flags = */ PendingIntent.FLAG_UPDATE_CURRENT.toPendingIntentMutabilityFlag(),
+        )
+    }
+
+    /**
+     * Creates a pending intent to use when providing options for FIDO 2 credential filling.
+     */
+    override fun createFido2GetCredentialPendingIntent(
+        userId: String,
+        credentialId: String,
+        cipherId: String,
+        isUserVerified: Boolean,
+    ): PendingIntent {
+        val intent = Intent(GET_PASSKEY_ACTION)
+            .setPackage(context.packageName)
+            .putExtra(EXTRA_KEY_USER_ID, userId)
+            .putExtra(EXTRA_KEY_CREDENTIAL_ID, credentialId)
+            .putExtra(EXTRA_KEY_CIPHER_ID, cipherId)
+            .putExtra(EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK, isUserVerified)
+
+        return PendingIntent.getActivity(
+            /* context = */ context,
+            /* requestCode = */ Random.nextInt(),
+            /* intent = */ intent,
+            /* flags = */ PendingIntent.FLAG_UPDATE_CURRENT.toPendingIntentMutabilityFlag(),
+        )
+    }
+
+    /**
+     * Creates a pending intent to use when providing unlock options for FIDO 2 credential filling.
+     */
+    override fun createFido2UnlockPendingIntent(
+        userId: String,
+    ): PendingIntent {
+        val intent = Intent(UNLOCK_ACCOUNT_ACTION)
+            .setPackage(context.packageName)
+            .putExtra(EXTRA_KEY_USER_ID, userId)
+
+        return PendingIntent.getActivity(
+            /* context = */ context,
+            /* requestCode = */ Random.nextInt(),
+            /* intent = */ intent,
+            /* flags = */ PendingIntent.FLAG_UPDATE_CURRENT.toPendingIntentMutabilityFlag(),
+        )
+    }
+
+    /**
+     * Creates a pending intent to use when providing options for Password credential filling.
+     */
+    override fun createPasswordGetCredentialPendingIntent(
+        userId: String,
+        cipherId: String?,
+        isUserVerified: Boolean,
+    ): PendingIntent {
+        val intent = Intent(GET_PASSWORD_ACTION)
+            .setPackage(context.packageName)
+            .putExtra(EXTRA_KEY_USER_ID, userId)
+            .putExtra(EXTRA_KEY_CIPHER_ID, cipherId)
+            .putExtra(EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK, isUserVerified)
+
+        return PendingIntent.getActivity(
+            /* context = */ context,
+            /* requestCode = */ Random.nextInt(),
+            /* intent = */ intent,
+            /* flags = */ PendingIntent.FLAG_UPDATE_CURRENT.toPendingIntentMutabilityFlag(),
+        )
+    }
+}
+
+private const val CREATE_PASSKEY_ACTION = "com.x8bit.bitwarden.credentials.ACTION_CREATE_PASSKEY"
+private const val UNLOCK_ACCOUNT_ACTION = "com.x8bit.bitwarden.credentials.ACTION_UNLOCK_ACCOUNT"
+private const val GET_PASSKEY_ACTION = "com.x8bit.bitwarden.credentials.ACTION_GET_PASSKEY"
+private const val GET_PASSWORD_ACTION = "com.x8bit.bitwarden.credentials.ACTION_GET_PASSWORD"

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/manager/OriginManagerImpl.kt

@@ -6,8 +6,6 @@ import com.bitwarden.ui.platform.base.util.prefixHttpsIfNecessary
 import com.x8bit.bitwarden.data.credentials.model.ValidateOriginResult
 import com.x8bit.bitwarden.data.credentials.repository.PrivilegedAppRepository
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
 import com.x8bit.bitwarden.data.platform.util.validatePrivilegedApp
 import timber.log.Timber
@@ -23,7 +21,6 @@ class OriginManagerImpl(
     private val assetManager: AssetManager,
     private val digitalAssetLinkService: DigitalAssetLinkService,
     private val privilegedAppRepository: PrivilegedAppRepository,
-    private val featureFlagManager: FeatureFlagManager,
 ) : OriginManager {
 
     override suspend fun validateOrigin(
@@ -70,10 +67,7 @@ class OriginManagerImpl(
         validatePrivilegedAppSignatureWithGoogleList(callingAppInfo)
             .takeUnless { it is ValidateOriginResult.Error.PrivilegedAppNotAllowed }
             ?: validatePrivilegedAppSignatureWithCommunityList(callingAppInfo)
-                .takeUnless {
-                    it is ValidateOriginResult.Error.PrivilegedAppNotAllowed &&
-                        featureFlagManager.getFeatureFlag(FlagKey.UserManagedPrivilegedApps)
-                }
+                .takeUnless { it is ValidateOriginResult.Error.PrivilegedAppNotAllowed }
             ?: validatePrivilegedAppSignatureWithUserTrustList(callingAppInfo)
 
     private suspend fun validatePrivilegedAppSignatureWithGoogleList(

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/model/Fido2AttestationResponse.kt

@@ -20,7 +20,7 @@ data class Fido2AttestationResponse(
     @SerialName("response")
     val response: RegistrationResponse,
     @SerialName("clientExtensionResults")
-    val clientExtensionResults: ClientExtensionResults?,
+    val clientExtensionResults: ClientExtensionResults,
     @SerialName("authenticatorAttachment")
     val authenticatorAttachment: String?,
 ) {
@@ -50,7 +50,7 @@ data class Fido2AttestationResponse(
     @Serializable
     data class ClientExtensionResults(
         @SerialName("credProps")
-        val credentialProperties: CredentialProperties,
+        val credentialProperties: CredentialProperties? = null,
     ) {
         /**
          * Represents properties for newly created credential.

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/processor/CredentialProviderProcessorImpl.kt

@@ -31,22 +31,14 @@ import com.bitwarden.ui.platform.resource.BitwardenString
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
+import com.x8bit.bitwarden.data.credentials.manager.CredentialManagerPendingIntentManager
 import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
-import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
-import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
 import java.time.Clock
-import java.util.concurrent.atomic.AtomicInteger
 import javax.crypto.Cipher
 
-private const val CREATE_PASSKEY_INTENT = "com.x8bit.bitwarden.credentials.ACTION_CREATE_PASSKEY"
-const val GET_PASSKEY_INTENT = "com.x8bit.bitwarden.credentials.ACTION_GET_PASSKEY"
-const val GET_PASSWORD_INTENT = "com.x8bit.bitwarden.credentials.ACTION_GET_PASSWORD"
-const val UNLOCK_ACCOUNT_INTENT = "com.x8bit.bitwarden.credentials.ACTION_UNLOCK_ACCOUNT"
-
 /**
  * The default implementation of [CredentialProviderProcessor]. Its purpose is to handle
  * [CredentialManager] requests from other applications.
@@ -57,14 +49,12 @@ class CredentialProviderProcessorImpl(
     private val context: Context,
     private val authRepository: AuthRepository,
     private val bitwardenCredentialManager: BitwardenCredentialManager,
-    private val intentManager: IntentManager,
+    private val pendingIntentManager: CredentialManagerPendingIntentManager,
     private val clock: Clock,
     private val biometricsEncryptionManager: BiometricsEncryptionManager,
-    private val featureFlagManager: FeatureFlagManager,
     dispatcherManager: DispatcherManager,
 ) : CredentialProviderProcessor {
 
-    private val requestCode = AtomicInteger()
     private val ioScope = CoroutineScope(dispatcherManager.io)
 
     override fun processCreateCredentialRequest(
@@ -107,10 +97,8 @@ class CredentialProviderProcessorImpl(
         if (!userState.activeAccount.isVaultUnlocked) {
             val authenticationAction = AuthenticationAction(
                 title = context.getString(BitwardenString.unlock),
-                pendingIntent = intentManager.createFido2UnlockPendingIntent(
-                    action = UNLOCK_ACCOUNT_INTENT,
+                pendingIntent = pendingIntentManager.createFido2UnlockPendingIntent(
                     userId = userState.activeUserId,
-                    requestCode = requestCode.getAndIncrement(),
                 ),
             )
 
@@ -185,10 +173,8 @@ class CredentialProviderProcessorImpl(
         val entryBuilder = CreateEntry
             .Builder(
                 accountName = accountName,
-                pendingIntent = intentManager.createFido2CreationPendingIntent(
-                    CREATE_PASSKEY_INTENT,
-                    userId,
-                    requestCode.getAndIncrement(),
+                pendingIntent = pendingIntentManager.createFido2CreationPendingIntent(
+                    userId = userId,
                 ),
             )
             .setDescription(
@@ -202,9 +188,7 @@ class CredentialProviderProcessorImpl(
             .setLastUsedTime(if (isActive) clock.instant() else null)
             .setAutoSelectAllowed(true)
 
-        if (isVaultUnlocked &&
-            featureFlagManager.getFeatureFlag(FlagKey.SingleTapPasskeyCreation)
-        ) {
+        if (isVaultUnlocked) {
             biometricsEncryptionManager
                 .getOrCreateCipher(userId)
                 ?.let { entryBuilder.setBiometricPromptDataIfSupported(cipher = it) }

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/util/CredentialEntryBuilderExtensions.kt

@@ -14,12 +14,8 @@ import javax.crypto.Cipher
  */
 fun PublicKeyCredentialEntry.Builder.setBiometricPromptDataIfSupported(
     cipher: Cipher?,
-    isSingleTapAuthEnabled: Boolean,
 ): PublicKeyCredentialEntry.Builder =
-    if (isBuildVersionAtLeast(Build.VERSION_CODES.VANILLA_ICE_CREAM) &&
-        cipher != null &&
-        isSingleTapAuthEnabled
-    ) {
+    if (isBuildVersionAtLeast(Build.VERSION_CODES.VANILLA_ICE_CREAM) && cipher != null) {
         setBiometricPromptData(
             biometricPromptData = buildPromptDataWithCipher(cipher),
         )

app/src/main/kotlin/com/x8bit/bitwarden/data/credentials/util/CredentialProviderIntentUtils.kt

@@ -8,14 +8,14 @@ import androidx.credentials.provider.PendingIntentHandler
 import androidx.credentials.provider.ProviderCreateCredentialRequest
 import androidx.credentials.provider.ProviderGetCredentialRequest
 import com.bitwarden.core.util.isBuildVersionAtLeast
+import com.x8bit.bitwarden.data.credentials.manager.EXTRA_KEY_CIPHER_ID
+import com.x8bit.bitwarden.data.credentials.manager.EXTRA_KEY_CREDENTIAL_ID
+import com.x8bit.bitwarden.data.credentials.manager.EXTRA_KEY_USER_ID
+import com.x8bit.bitwarden.data.credentials.manager.EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK
 import com.x8bit.bitwarden.data.credentials.model.CreateCredentialRequest
 import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionRequest
 import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
 import com.x8bit.bitwarden.data.credentials.model.ProviderGetPasswordCredentialRequest
-import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CIPHER_ID
-import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CREDENTIAL_ID
-import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_USER_ID
-import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK
 
 /**
  * Checks if this [Intent] contains a [CreateCredentialRequest] related to an ongoing

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/FeatureFlagOverrideDiskSource.kt

@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.platform.datasource.disk
 
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.bitwarden.core.data.manager.model.FlagKey
 
 /**
  * Disk data source for saved feature flag overrides.

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/FeatureFlagOverrideDiskSourceImpl.kt

@@ -1,8 +1,8 @@
 package com.x8bit.bitwarden.data.platform.datasource.disk
 
 import android.content.SharedPreferences
+import com.bitwarden.core.data.manager.model.FlagKey
 import com.bitwarden.data.datasource.disk.BaseDiskSource
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 
 /**
  * Default implementation of the [FeatureFlagOverrideDiskSource]

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt

@@ -105,6 +105,11 @@ interface SettingsDiskSource {
      */
     val flightRecorderDataFlow: Flow<FlightRecorderDataSet?>
 
+    /**
+     * The time at which the browser autofill dialog is allowed to be shown to the user again.
+     */
+    var browserAutofillDialogReshowTime: Instant?
+
     /**
      * Clears all the settings data for the given user.
      */
@@ -281,6 +286,23 @@ interface SettingsDiskSource {
      */
     fun getUserHasSignedInPreviously(userId: String): Boolean
 
+    /**
+     * Gets whether or not the given [userId] has signalled they want to enable autofill in
+     * onboarding.
+     */
+    fun getShowBrowserAutofillSettingBadge(userId: String): Boolean?
+
+    /**
+     * Stores the given value for whether or not the given [userId] has signalled they want to
+     * enable the browser autofill integration in onboarding.
+     */
+    fun storeShowBrowserAutofillSettingBadge(userId: String, showBadge: Boolean?)
+
+    /**
+     * Emits updates that track [getShowAutoFillSettingBadge] for the given [userId].
+     */
+    fun getShowBrowserAutofillSettingBadgeFlow(userId: String): Flow<Boolean?>
+
     /**
      * Gets whether or not the given [userId] has signalled they want to enable autofill in
      * onboarding.

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt

@@ -37,6 +37,7 @@ private const val CLEAR_CLIPBOARD_INTERVAL_KEY = "clearClipboard"
 private const val INITIAL_AUTOFILL_DIALOG_SHOWN = "addSitePromptShown"
 private const val HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY = "hasUserLoggedInOrCreatedAccount"
 private const val SHOW_AUTOFILL_SETTING_BADGE = "showAutofillSettingBadge"
+private const val SHOW_BROWSER_AUTOFILL_SETTING_BADGE = "showBrowserAutofillSettingBadge"
 private const val SHOW_UNLOCK_SETTING_BADGE = "showUnlockSettingBadge"
 private const val SHOW_IMPORT_LOGINS_SETTING_BADGE = "showImportLoginsSettingBadge"
 private const val IS_VAULT_REGISTERED_FOR_EXPORT = "isVaultRegisteredForExport"
@@ -48,6 +49,7 @@ private const val SHOULD_SHOW_GENERATOR_COACH_MARK = "shouldShowGeneratorCoachMa
 private const val RESUME_SCREEN = "resumeScreen"
 private const val FLIGHT_RECORDER_KEY = "flightRecorderData"
 private const val IS_DYNAMIC_COLORS_ENABLED = "isDynamicColorsEnabled"
+private const val BROWSER_AUTOFILL_DIALOG_RESHOW_TIME = "browserAutofillDialogReshowTime"
 
 /**
  * Primary implementation of [SettingsDiskSource].
@@ -72,6 +74,9 @@ class SettingsDiskSourceImpl(
     private val mutablePullToRefreshEnabledFlowMap =
         mutableMapOf<String, MutableSharedFlow<Boolean?>>()
 
+    private val mutableShowBrowserAutofillSettingBadgeFlowMap =
+        mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+
     private val mutableShowAutoFillSettingBadgeFlowMap =
         mutableMapOf<String, MutableSharedFlow<Boolean?>>()
 
@@ -224,6 +229,12 @@ class SettingsDiskSourceImpl(
     override val flightRecorderDataFlow: Flow<FlightRecorderDataSet?>
         get() = mutableFlightRecorderDataFlow.onSubscription { emit(flightRecorderData) }
 
+    override var browserAutofillDialogReshowTime: Instant?
+        get() = getLong(key = BROWSER_AUTOFILL_DIALOG_RESHOW_TIME)?.let { Instant.ofEpochMilli(it) }
+        set(value) {
+            putLong(key = BROWSER_AUTOFILL_DIALOG_RESHOW_TIME, value = value?.toEpochMilli())
+        }
+
     override fun clearData(userId: String) {
         storeVaultTimeoutInMinutes(userId = userId, vaultTimeoutInMinutes = null)
         storeVaultTimeoutAction(userId = userId, vaultTimeoutAction = null)
@@ -431,6 +442,21 @@ class SettingsDiskSourceImpl(
             key = HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY.appendIdentifier(userId),
         ) == true
 
+    override fun getShowBrowserAutofillSettingBadge(userId: String): Boolean? =
+        getBoolean(key = SHOW_BROWSER_AUTOFILL_SETTING_BADGE.appendIdentifier(userId))
+
+    override fun storeShowBrowserAutofillSettingBadge(userId: String, showBadge: Boolean?) {
+        putBoolean(
+            key = SHOW_BROWSER_AUTOFILL_SETTING_BADGE.appendIdentifier(userId),
+            value = showBadge,
+        )
+        getMutableShowBrowserAutofillSettingBadgeFlow(userId).tryEmit(showBadge)
+    }
+
+    override fun getShowBrowserAutofillSettingBadgeFlow(userId: String): Flow<Boolean?> =
+        getMutableShowBrowserAutofillSettingBadgeFlow(userId = userId)
+            .onSubscription { emit(getShowBrowserAutofillSettingBadge(userId)) }
+
     override fun getShowAutoFillSettingBadge(userId: String): Boolean? =
         getBoolean(
             key = SHOW_AUTOFILL_SETTING_BADGE.appendIdentifier(userId),
@@ -598,6 +624,13 @@ class SettingsDiskSourceImpl(
             bufferedMutableSharedFlow(replay = 1)
         }
 
+    private fun getMutableShowBrowserAutofillSettingBadgeFlow(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> =
+        mutableShowBrowserAutofillSettingBadgeFlowMap.getOrPut(userId) {
+            bufferedMutableSharedFlow(replay = 1)
+        }
+
     private fun getMutableShowAutoFillSettingBadgeFlow(
         userId: String,
     ): MutableSharedFlow<Boolean?> = mutableShowAutoFillSettingBadgeFlowMap.getOrPut(userId) {

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/datasource/network/di/PlatformNetworkModule.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.platform.datasource.network.di
 
+import com.bitwarden.core.data.manager.BuildInfoManager
 import com.bitwarden.network.BitwardenServiceClient
 import com.bitwarden.network.bitwardenServiceClient
 import com.bitwarden.network.interceptor.BaseUrlsProvider
@@ -13,7 +14,6 @@ import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_CL
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_CLIENT_VERSION
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_USER_AGENT
 import com.x8bit.bitwarden.data.platform.manager.CertificateManager
-import com.x8bit.bitwarden.data.platform.util.isDevBuild
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -54,6 +54,7 @@ object PlatformNetworkModule {
         baseUrlsProvider: BaseUrlsProvider,
         authDiskSource: AuthDiskSource,
         certificateManager: CertificateManager,
+        buildInfoManager: BuildInfoManager,
         clock: Clock,
     ): BitwardenServiceClient = bitwardenServiceClient(
         BitwardenServiceClientConfig(
@@ -67,7 +68,7 @@ object PlatformNetworkModule {
             authTokenProvider = authTokenManager,
             baseUrlsProvider = baseUrlsProvider,
             certificateProvider = certificateManager,
-            enableHttpBodyLogging = isDevBuild,
+            enableHttpBodyLogging = buildInfoManager.isDevBuild,
         ),
     )
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/error/SecurityStampMismatchException.kt

@@ -0,0 +1,6 @@
+package com.x8bit.bitwarden.data.platform.error
+
+/**
+ * An exception indicating that the security stamps for the current user do not match.
+ */
+class SecurityStampMismatchException : IllegalStateException("Security stamps do not match!")

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/BiometricsEncryptionManagerImpl.kt

@@ -7,6 +7,7 @@ import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.BuildConfig
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
+import timber.log.Timber
 import java.security.InvalidAlgorithmParameterException
 import java.security.InvalidKeyException
 import java.security.KeyStore
@@ -45,9 +46,11 @@ class BiometricsEncryptionManagerImpl(
             }
         val cipher = try {
             Cipher.getInstance(CIPHER_TRANSFORMATION)
-        } catch (_: NoSuchAlgorithmException) {
+        } catch (nsae: NoSuchAlgorithmException) {
+            Timber.w(nsae, "createCipherOrNull failed to get cipher instance")
             return null
-        } catch (_: NoSuchPaddingException) {
+        } catch (nspe: NoSuchPaddingException) {
+            Timber.w(nspe, "createCipherOrNull failed to get cipher instance")
             return null
         }
         // Instantiate integrity values.
@@ -124,20 +127,25 @@ class BiometricsEncryptionManagerImpl(
     private fun generateKeyOrNull(userId: String): SecretKey? {
         val keyGen = try {
             KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ENCRYPTION_KEYSTORE_NAME)
-        } catch (_: NoSuchAlgorithmException) {
+        } catch (nsae: NoSuchAlgorithmException) {
+            Timber.w(nsae, "generateKeyOrNull failed to get key generator instance")
             return null
-        } catch (_: NoSuchProviderException) {
+        } catch (nspe: NoSuchProviderException) {
+            Timber.w(nspe, "generateKeyOrNull failed to get key generator instance")
             return null
-        } catch (_: IllegalArgumentException) {
+        } catch (iae: IllegalArgumentException) {
+            Timber.w(iae, "generateKeyOrNull failed to get key generator instance")
             return null
         }
 
         return try {
             keyGen.init(getKeyGenParameterSpec(userId = userId))
             keyGen.generateKey()
-        } catch (_: InvalidAlgorithmParameterException) {
+        } catch (iape: InvalidAlgorithmParameterException) {
+            Timber.w(iape, "generateKeyOrNull failed to initialize and generate key")
             null
-        } catch (_: ProviderException) {
+        } catch (pe: ProviderException) {
+            Timber.w(pe, "generateKeyOrNull failed to initialize and generate key")
             null
         }
     }
@@ -150,14 +158,17 @@ class BiometricsEncryptionManagerImpl(
             keystore
                 .getKey(encryptionKeyName(userId = userId), null)
                 ?.let { it as SecretKey }
-        } catch (_: KeyStoreException) {
+        } catch (kse: KeyStoreException) {
             // keystore was not loaded
+            Timber.w(kse, "getSecretKeyOrNull failed to retrieve secret key")
             null
-        } catch (_: NoSuchAlgorithmException) {
+        } catch (nsae: NoSuchAlgorithmException) {
             // keystore algorithm cannot be found
+            Timber.w(nsae, "getSecretKeyOrNull failed to retrieve secret key")
             null
-        } catch (_: UnrecoverableKeyException) {
+        } catch (uke: UnrecoverableKeyException) {
             // key could not be recovered
+            Timber.w(uke, "getSecretKeyOrNull failed to retrieve secret key")
             null
         }
 
@@ -174,16 +185,19 @@ class BiometricsEncryptionManagerImpl(
                 ?.let { init(Cipher.DECRYPT_MODE, secretKey, IvParameterSpec(it)) }
                 ?: init(Cipher.ENCRYPT_MODE, secretKey)
             true
-        } catch (_: KeyPermanentlyInvalidatedException) {
+        } catch (kpie: KeyPermanentlyInvalidatedException) {
             // Biometric has changed
+            Timber.w(kpie, "initializeCipher failed to initialize cipher")
             destroyBiometrics(userId = userId)
             false
-        } catch (_: UnrecoverableKeyException) {
+        } catch (uke: UnrecoverableKeyException) {
             // Biometric was disabled and re-enabled
+            Timber.w(uke, "initializeCipher failed to initialize cipher")
             destroyBiometrics(userId = userId)
             false
-        } catch (_: InvalidKeyException) {
+        } catch (ike: InvalidKeyException) {
             // User has no key
+            Timber.w(ike, "initializeCipher failed to initialize cipher")
             destroyBiometrics(userId = userId)
             true
         }

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/DebugMenuFeatureFlagManagerImpl.kt

@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.platform.manager
 
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.bitwarden.core.data.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.repository.DebugMenuRepository
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.map

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/FeatureFlagManager.kt

@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.platform.manager
 
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.bitwarden.core.data.manager.model.FlagKey
 import kotlinx.coroutines.flow.Flow
 
 /**

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/FeatureFlagManagerImpl.kt

@@ -1,8 +1,8 @@
 package com.x8bit.bitwarden.data.platform.manager
 
+import com.bitwarden.core.data.manager.model.FlagKey
 import com.bitwarden.data.datasource.disk.model.ServerConfig
 import com.bitwarden.data.repository.ServerConfigRepository
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.util.isServerVersionAtLeast
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.map

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/FirstTimeActionManager.kt

@@ -63,6 +63,12 @@ interface FirstTimeActionManager {
      */
     fun storeShowUnlockSettingBadge(showBadge: Boolean)
 
+    /**
+     * Stores the given value for whether or not the active user has signalled they want to
+     * enable the browser autofill integration later, during onboarding.
+     */
+    fun storeShowBrowserAutofillSettingBadge(showBadge: Boolean)
+
     /**
      * Stores the given value for whether or not the active user has signalled they want to
      * enable autofill later, during onboarding.

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/FirstTimeActionManagerImpl.kt

@@ -4,6 +4,7 @@ import com.bitwarden.data.manager.DispatcherManager
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.repository.util.activeUserIdChangesFlow
 import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManager
+import com.x8bit.bitwarden.data.autofill.manager.browser.BrowserThirdPartyAutofillEnabledManager
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.model.CoachMarkTourType
 import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
@@ -25,12 +26,14 @@ import javax.inject.Inject
 /**
  * Implementation of [FirstTimeActionManager]
  */
+@Suppress("TooManyFunctions")
 class FirstTimeActionManagerImpl @Inject constructor(
     dispatcherManager: DispatcherManager,
     private val authDiskSource: AuthDiskSource,
     private val settingsDiskSource: SettingsDiskSource,
     private val vaultDiskSource: VaultDiskSource,
     private val autofillEnabledManager: AutofillEnabledManager,
+    private val thirdPartyAutofillEnabledManager: BrowserThirdPartyAutofillEnabledManager,
 ) : FirstTimeActionManager {
 
     private val unconfinedScope = CoroutineScope(dispatcherManager.unconfined)
@@ -78,11 +81,12 @@ class FirstTimeActionManagerImpl @Inject constructor(
             .activeUserIdChangesFlow
             .filterNotNull()
             .flatMapLatest {
-                // Can be expanded to support multiple autofill settings
-                getShowAutofillSettingBadgeFlowInternal(userId = it)
-                    .map { showAutofillBadge ->
-                        listOfNotNull(showAutofillBadge)
-                    }
+                combine(
+                    getShowAutofillSettingBadgeFlowInternal(userId = it),
+                    getShowBrowserAutofillSettingBadgeFlowInternal(userId = it),
+                ) { showAutofillBadge, showBrowserAutofillBadge ->
+                    listOf(showAutofillBadge, showBrowserAutofillBadge)
+                }
                     .map { list ->
                         list.count { showBadge -> showBadge }
                     }
@@ -124,6 +128,7 @@ class FirstTimeActionManagerImpl @Inject constructor(
                         settingsDiskSource.getShowUnlockSettingBadgeFlow(userId = activeUserId),
                         getShowAutofillSettingBadgeFlowInternal(userId = activeUserId),
                         getShowImportLoginsSettingBadgeFlowInternal(userId = activeUserId),
+                        getShowBrowserAutofillSettingBadgeFlowInternal(userId = activeUserId),
                     ),
                 ) {
                     FirstTimeState(
@@ -131,19 +136,11 @@ class FirstTimeActionManagerImpl @Inject constructor(
                         showSetupUnlockCard = it[1],
                         showSetupAutofillCard = it[2],
                         showImportLoginsCardInSettings = it[3],
+                        showSetupBrowserAutofillCard = it[4],
                     )
                 }
             }
-            .onStart {
-                emit(
-                    FirstTimeState(
-                        showImportLoginsCard = null,
-                        showSetupUnlockCard = null,
-                        showSetupAutofillCard = null,
-                        showImportLoginsCardInSettings = null,
-                    ),
-                )
-            }
+            .onStart { emit(currentOrDefaultUserFirstTimeState) }
             .distinctUntilChanged()
 
     override val shouldShowAddLoginCoachMarkFlow: Flow<Boolean>
@@ -176,14 +173,11 @@ class FirstTimeActionManagerImpl @Inject constructor(
                         showSetupAutofillCard = getShowAutofillSettingBadgeInternal(it),
                         showImportLoginsCardInSettings = settingsDiskSource
                             .getShowImportLoginsSettingBadge(it),
+                        showSetupBrowserAutofillCard = settingsDiskSource
+                            .getShowBrowserAutofillSettingBadge(it),
                     )
                 }
-                ?: FirstTimeState(
-                    showImportLoginsCard = null,
-                    showSetupUnlockCard = null,
-                    showSetupAutofillCard = null,
-                    showImportLoginsCardInSettings = null,
-                )
+                ?: FirstTimeState()
 
     override fun storeShowUnlockSettingBadge(showBadge: Boolean) {
         val activeUserId = authDiskSource.userState?.activeUserId ?: return
@@ -193,6 +187,14 @@ class FirstTimeActionManagerImpl @Inject constructor(
         )
     }
 
+    override fun storeShowBrowserAutofillSettingBadge(showBadge: Boolean) {
+        val activeUserId = authDiskSource.userState?.activeUserId ?: return
+        settingsDiskSource.storeShowBrowserAutofillSettingBadge(
+            userId = activeUserId,
+            showBadge = showBadge,
+        )
+    }
+
     override fun storeShowAutoFillSettingBadge(showBadge: Boolean) {
         val activeUserId = authDiskSource.userState?.activeUserId ?: return
         settingsDiskSource.storeShowAutoFillSettingBadge(
@@ -257,6 +259,19 @@ class FirstTimeActionManagerImpl @Inject constructor(
             }
     }
 
+    /**
+     * Internal implementation to get a flow of the showBrowserAutofill value which takes
+     * into account if autofill and if browser autofill is already enabled.
+     */
+    private fun getShowBrowserAutofillSettingBadgeFlowInternal(userId: String): Flow<Boolean> =
+        combine(
+            settingsDiskSource.getShowBrowserAutofillSettingBadgeFlow(userId = userId),
+            autofillEnabledManager.isAutofillEnabledStateFlow,
+            thirdPartyAutofillEnabledManager.browserThirdPartyAutofillStatusFlow,
+        ) { showBadge, autofillEnabled, status ->
+            showBadge ?: false && autofillEnabled && status.isAnyIsAvailableAndDisabled
+        }
+
     /**
      * Internal implementation to get a flow of the showAutofill value which takes
      * into account if autofill is already enabled globally.

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt

@@ -99,6 +99,7 @@ class PolicyManagerImpl(
 
             PolicyTypeJson.PASSWORD_GENERATOR,
             PolicyTypeJson.REMOVE_UNLOCK_WITH_PIN,
+            PolicyTypeJson.RESTRICT_ITEM_TYPES,
                 -> {
                 false
             }

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PushManager.kt

@@ -15,9 +15,9 @@ import kotlinx.coroutines.flow.Flow
  */
 interface PushManager {
     /**
-     * Flow that represents requests intended for full syncs.
+     * Flow that represents requests intended for full syncs for the user ID provided.
      */
-    val fullSyncFlow: Flow<Unit>
+    val fullSyncFlow: Flow<String>
 
     /**
      * Flow that represents requests intended to log a user out.
@@ -52,7 +52,7 @@ interface PushManager {
     /**
      * Flow that represents requests intended to trigger syncing organization keys.
      */
-    val syncOrgKeysFlow: Flow<Unit>
+    val syncOrgKeysFlow: Flow<String>
 
     /**
      * Flow that represents requests intended to trigger a sync send delete.