From d4fcb5852a52e29400f74e0bfceac76d979658d7 Mon Sep 17 00:00:00 2001
From: Andreas Coroiu <acoroiu@bitwarden.com>
Date: Wed, 11 Dec 2024 13:20:32 +0100
Subject: [PATCH 1/8] fix: text-drag directive ts-strict error (#12346)

---
 libs/angular/src/directives/text-drag.directive.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libs/angular/src/directives/text-drag.directive.ts b/libs/angular/src/directives/text-drag.directive.ts
index da3e70d1de2..443fbdac157 100644
--- a/libs/angular/src/directives/text-drag.directive.ts
+++ b/libs/angular/src/directives/text-drag.directive.ts
@@ -17,6 +17,6 @@ export class TextDragDirective {
 
   @HostListener("dragstart", ["$event"])
   onDragStart(event: DragEvent) {
-    event.dataTransfer.setData("text", this.data);
+    event.dataTransfer?.setData("text", this.data);
   }
 }

From b502e2bc251dfbfee2c5220ab3ccd4629ddcbbd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 11 Dec 2024 14:47:49 +0000
Subject: [PATCH 2/8] [PM-15154] Domain verification copy update (#12217)

* refactor: update domain verification terminology to claimed domains

* feat: add description for claimed domains in domain verification

* Add informational link to claimed domains description in domain verification component

* Update domain verification references to claimed domains in organization layout and SSO component

* Add validation message for invalid domain name format in domain verification

* Add domain claim messages and descriptions to localization files

* Update domain verification navigation text based on feature flag

* Update domain verification dialog to support account deprovisioning feature flag

* Update domain verification component to support account deprovisioning feature flag

* Refactor domain verification dialog to use synchronous feature flag for account deprovisioning

* Refactor domain verification routing to resolve title based on account deprovisioning feature flag

* Update SSO component to conditionally display domain verification link based on account deprovisioning feature flag

* Update event service to conditionally display domain verification messages based on account deprovisioning feature flag

* Update domain verification warning message

* Refactor domain verification navigation text handling based on account deprovisioning feature flag

* Refactor domain verification dialog to use observable for account deprovisioning feature flag

* Refactor domain verification component to use observable for account deprovisioning feature flag
---
 .../organization-layout.component.html        |  2 +-
 .../layouts/organization-layout.component.ts  |  9 +++
 apps/web/src/app/core/event.service.ts        | 17 +++++-
 apps/web/src/locales/en/messages.json         | 61 ++++++++++++++++++-
 .../domain-add-edit-dialog.component.html     | 40 +++++++++---
 .../domain-add-edit-dialog.component.ts       | 58 ++++++++++++------
 .../domain-verification.component.html        | 29 ++++++++-
 .../domain-verification.component.ts          | 22 +++++--
 .../organizations-routing.module.ts           | 13 +++-
 .../src/app/auth/sso/sso.component.html       |  5 +-
 .../bit-web/src/app/auth/sso/sso.component.ts | 11 +++-
 11 files changed, 223 insertions(+), 44 deletions(-)

diff --git a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html
index fa4d027d0f6..8387c53e5e3 100644
--- a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html
+++ b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html
@@ -98,7 +98,7 @@
         *ngIf="canAccessExport$ | async"
       ></bit-nav-item>
       <bit-nav-item
-        [text]="'domainVerification' | i18n"
+        [text]="domainVerificationNavigationTextKey | i18n"
         route="settings/domain-verification"
         *ngIf="organization?.canManageDomainVerification"
       ></bit-nav-item>
diff --git a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts
index 91c965658a3..6ead83b01d8 100644
--- a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts
+++ b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts
@@ -23,6 +23,7 @@ import { Organization } from "@bitwarden/common/admin-console/models/domain/orga
 import { ProductTierType } from "@bitwarden/common/billing/enums";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { getById } from "@bitwarden/common/platform/misc";
 import { BannerModule, IconModule } from "@bitwarden/components";
@@ -49,6 +50,7 @@ export class OrganizationLayoutComponent implements OnInit {
   protected readonly logo = AdminConsoleLogo;
 
   protected orgFilter = (org: Organization) => canAccessOrgAdmin(org);
+  protected domainVerificationNavigationTextKey: string;
 
   protected integrationPageEnabled$: Observable<boolean>;
 
@@ -67,6 +69,7 @@ export class OrganizationLayoutComponent implements OnInit {
     private configService: ConfigService,
     private policyService: PolicyService,
     private providerService: ProviderService,
+    private i18nService: I18nService,
   ) {}
 
   async ngOnInit() {
@@ -116,6 +119,12 @@ export class OrganizationLayoutComponent implements OnInit {
           org.productTierType === ProductTierType.Enterprise && featureFlagEnabled,
       ),
     );
+
+    this.domainVerificationNavigationTextKey = (await this.configService.getFeatureFlag(
+      FeatureFlag.AccountDeprovisioning,
+    ))
+      ? "claimedDomains"
+      : "domainVerification";
   }
 
   canShowVaultTab(organization: Organization): boolean {
diff --git a/apps/web/src/app/core/event.service.ts b/apps/web/src/app/core/event.service.ts
index 412423a3a24..aedad9b26ea 100644
--- a/apps/web/src/app/core/event.service.ts
+++ b/apps/web/src/app/core/event.service.ts
@@ -6,7 +6,9 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
 import { DeviceType, EventType } from "@bitwarden/common/enums";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { EventResponse } from "@bitwarden/common/models/response/event.response";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 
 @Injectable()
@@ -16,6 +18,7 @@ export class EventService {
   constructor(
     private i18nService: I18nService,
     policyService: PolicyService,
+    private configService: ConfigService,
   ) {
     policyService.policies$.subscribe((policies) => {
       this.policies = policies;
@@ -451,10 +454,20 @@ export class EventService {
         msg = humanReadableMsg = this.i18nService.t("removedDomain", ev.domainName);
         break;
       case EventType.OrganizationDomain_Verified:
-        msg = humanReadableMsg = this.i18nService.t("domainVerifiedEvent", ev.domainName);
+        msg = humanReadableMsg = this.i18nService.t(
+          (await this.configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning))
+            ? "domainClaimedEvent"
+            : "domainVerifiedEvent",
+          ev.domainName,
+        );
         break;
       case EventType.OrganizationDomain_NotVerified:
-        msg = humanReadableMsg = this.i18nService.t("domainNotVerifiedEvent", ev.domainName);
+        msg = humanReadableMsg = this.i18nService.t(
+          (await this.configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning))
+            ? "domainNotClaimedEvent"
+            : "domainNotVerifiedEvent",
+          ev.domainName,
+        );
         break;
       // Secrets Manager
       case EventType.Secret_Retrieved:
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index 06728929912..b1203230688 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -9801,8 +9801,8 @@
   "selfHostingTitleProper": {
     "message": "Self-Hosting"
   },
-  "verified-domain-single-org-warning" : {
-    "message": "Verifying a domain will turn on the single organization policy."
+  "claim-domain-single-org-warning" : {
+    "message": "Claiming a domain will turn on the single organization policy."
   },
   "single-org-revoked-user-warning": {
     "message": "Non-compliant members will be revoked. Administrators can restore members once they leave all other organizations."
@@ -9902,5 +9902,62 @@
   },
   "removeMembers": {
     "message": "Remove members"
+  },
+  "claimedDomains": {
+    "message": "Claimed domains"
+  },
+  "claimDomain": {
+    "message": "Claim domain"
+  },
+  "reclaimDomain": {
+    "message": "Reclaim domain"
+  },
+  "claimDomainNameInputHint": {
+    "message": "Example: mydomain.com. Subdomains require separate entries to be claimed."
+  },
+  "automaticClaimedDomains": {
+    "message": "Automatic Claimed Domains"
+  },
+  "automaticDomainClaimProcess": {
+    "message": "Bitwarden will attempt to claim the domain 3 times during the first 72 hours. If the domain can’t be claimed, check the DNS record in your host and manually claim. The domain will be removed from your organization in 7 days if it is not claimed."
+  },
+  "domainNotClaimed": {
+    "message": "$DOMAIN$ not claimed. Check your DNS records.",
+    "placeholders": {
+      "DOMAIN": {
+        "content": "$1",
+        "example": "bitwarden.com"
+      }
+    }
+  },
+  "domainStatusClaimed": {
+    "message": "Claimed"
+  },
+  "domainStatusUnderVerification": {
+    "message": "Under verification"
+  },
+  "claimedDomainsDesc": {
+    "message": "Claim a domain to own all member accounts whose email address matches the domain. Members will be able to skip the SSO identifier when logging in. Administrators will also be able to delete member accounts."
+  },
+  "invalidDomainNameClaimMessage": {
+    "message": "Input is not a valid format. Format: mydomain.com. Subdomains require separate entries to be claimed."
+  },
+  "domainClaimedEvent": {
+    "message": "$DOMAIN$ claimed",
+    "placeholders": {
+      "DOMAIN": {
+        "content": "$1",
+        "example": "bitwarden.com"
+      }
+    }
+  },
+  "domainNotClaimedEvent": {
+    "message": "$DOMAIN$ not claimed",
+    "placeholders": {
+      "DOMAIN": {
+        "content": "$1",
+        "example": "bitwarden.com"
+      }
+    }
   }
 }
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html
index 15120eed92a..7226c957598 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html
@@ -6,24 +6,37 @@
   <bit-dialog [dialogSize]="'default'" [disablePadding]="false">
     <span bitDialogTitle>
       <span *ngIf="!data.orgDomain">{{ "newDomain" | i18n }}</span>
-      <span *ngIf="data.orgDomain"> {{ "verifyDomain" | i18n }}</span>
+      <span *ngIf="data.orgDomain">
+        {{
+          ((accountDeprovisioningEnabled$ | async) ? "claimDomain" : "verifyDomain") | i18n
+        }}</span
+      >
 
       <span *ngIf="data.orgDomain" class="tw-text-xs tw-text-muted">{{
         data.orgDomain.domainName
       }}</span>
 
       <span *ngIf="data?.orgDomain && !data.orgDomain?.verifiedDate" bitBadge variant="warning">{{
-        "domainStatusUnverified" | i18n
+        ((accountDeprovisioningEnabled$ | async)
+          ? "domainStatusUnderVerification"
+          : "domainStatusUnverified"
+        ) | i18n
       }}</span>
       <span *ngIf="data?.orgDomain && data?.orgDomain?.verifiedDate" bitBadge variant="success">{{
-        "domainStatusVerified" | i18n
+        ((accountDeprovisioningEnabled$ | async) ? "domainStatusClaimed" : "domainStatusVerified")
+          | i18n
       }}</span>
     </span>
     <div bitDialogContent>
       <bit-form-field>
         <bit-label>{{ "domainName" | i18n }}</bit-label>
         <input bitInput appAutofocus formControlName="domainName" [showErrorsWhenDisabled]="true" />
-        <bit-hint>{{ "domainNameInputHint" | i18n }}</bit-hint>
+        <bit-hint>{{
+          ((accountDeprovisioningEnabled$ | async)
+            ? "claimDomainNameInputHint"
+            : "domainNameInputHint"
+          ) | i18n
+        }}</bit-hint>
       </bit-form-field>
 
       <bit-form-field *ngIf="data?.orgDomain">
@@ -42,18 +55,29 @@
       <bit-callout
         *ngIf="data?.orgDomain && !data?.orgDomain?.verifiedDate"
         type="info"
-        title="{{ 'automaticDomainVerification' | i18n }}"
+        title="{{
+          (accountDeprovisioningEnabled$ | async)
+            ? ('automaticClaimedDomains' | i18n | uppercase)
+            : ('automaticDomainVerification' | i18n)
+        }}"
       >
-        {{ "automaticDomainVerificationProcess" | i18n }}
+        {{
+          ((accountDeprovisioningEnabled$ | async)
+            ? "automaticDomainClaimProcess"
+            : "automaticDomainVerificationProcess"
+          ) | i18n
+        }}
       </bit-callout>
     </div>
     <ng-container bitDialogFooter>
       <button type="submit" bitButton bitFormButton buttonType="primary">
         <span *ngIf="!data?.orgDomain">{{ "next" | i18n }}</span>
         <span *ngIf="data?.orgDomain && !data?.orgDomain?.verifiedDate">{{
-          "verifyDomain" | i18n
+          ((accountDeprovisioningEnabled$ | async) ? "claimDomain" : "verifyDomain") | i18n
+        }}</span>
+        <span *ngIf="data?.orgDomain?.verifiedDate">{{
+          ((accountDeprovisioningEnabled$ | async) ? "reclaimDomain" : "reverifyDomain") | i18n
         }}</span>
-        <span *ngIf="data?.orgDomain?.verifiedDate">{{ "reverifyDomain" | i18n }}</span>
       </button>
       <button bitButton buttonType="secondary" (click)="dialogRef.close()" type="button">
         {{ "cancel" | i18n }}
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.ts
index ae3dfc28d9e..01dc93aa7e1 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.ts
@@ -3,14 +3,16 @@
 import { DialogRef, DIALOG_DATA } from "@angular/cdk/dialog";
 import { Component, Inject, OnDestroy, OnInit } from "@angular/core";
 import { FormBuilder, FormControl, FormGroup, ValidatorFn, Validators } from "@angular/forms";
-import { Subject, takeUntil } from "rxjs";
+import { Subject, takeUntil, Observable, firstValueFrom } from "rxjs";
 
 import { OrgDomainApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction";
 import { OrgDomainServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain.service.abstraction";
 import { OrganizationDomainResponse } from "@bitwarden/common/admin-console/abstractions/organization-domain/responses/organization-domain.response";
 import { OrganizationDomainRequest } from "@bitwarden/common/admin-console/services/organization-domain/requests/organization-domain.request";
 import { HttpStatusCode } from "@bitwarden/common/enums";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { CryptoFunctionService as CryptoFunctionServiceAbstraction } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -31,20 +33,8 @@ export interface DomainAddEditDialogData {
 export class DomainAddEditDialogComponent implements OnInit, OnDestroy {
   private componentDestroyed$: Subject<void> = new Subject();
 
-  domainForm: FormGroup = this.formBuilder.group({
-    domainName: [
-      "",
-      [
-        Validators.required,
-        domainNameValidator(this.i18nService.t("invalidDomainNameMessage")),
-        uniqueInArrayValidator(
-          this.data.existingDomainNames,
-          this.i18nService.t("duplicateDomainError"),
-        ),
-      ],
-    ],
-    txt: [{ value: null, disabled: true }],
-  });
+  accountDeprovisioningEnabled$: Observable<boolean>;
+  domainForm: FormGroup;
 
   get domainNameCtrl(): FormControl {
     return this.domainForm.controls.domainName as FormControl;
@@ -69,11 +59,34 @@ export class DomainAddEditDialogComponent implements OnInit, OnDestroy {
     private validationService: ValidationService,
     private dialogService: DialogService,
     private toastService: ToastService,
-  ) {}
+    private configService: ConfigService,
+  ) {
+    this.accountDeprovisioningEnabled$ = this.configService.getFeatureFlag$(
+      FeatureFlag.AccountDeprovisioning,
+    );
+  }
 
   // Angular Method Implementations
 
   async ngOnInit(): Promise<void> {
+    this.domainForm = this.formBuilder.group({
+      domainName: [
+        "",
+        [
+          Validators.required,
+          domainNameValidator(
+            (await firstValueFrom(this.accountDeprovisioningEnabled$))
+              ? this.i18nService.t("invalidDomainNameClaimMessage")
+              : this.i18nService.t("invalidDomainNameMessage"),
+          ),
+          uniqueInArrayValidator(
+            this.data.existingDomainNames,
+            this.i18nService.t("duplicateDomainError"),
+          ),
+        ],
+      ],
+      txt: [{ value: null, disabled: true }],
+    });
     // If we have data.orgDomain, then editing, otherwise creating new domain
     await this.populateForm();
   }
@@ -211,13 +224,22 @@ export class DomainAddEditDialogComponent implements OnInit, OnDestroy {
         this.toastService.showToast({
           variant: "success",
           title: null,
-          message: this.i18nService.t("domainVerified"),
+          message: this.i18nService.t(
+            (await firstValueFrom(this.accountDeprovisioningEnabled$))
+              ? "domainClaimed"
+              : "domainVerified",
+          ),
         });
         this.dialogRef.close();
       } else {
         this.domainNameCtrl.setErrors({
           errorPassthrough: {
-            message: this.i18nService.t("domainNotVerified", this.domainNameCtrl.value),
+            message: this.i18nService.t(
+              (await firstValueFrom(this.accountDeprovisioningEnabled$))
+                ? "domainNotClaimed"
+                : "domainNotVerified",
+              this.domainNameCtrl.value,
+            ),
           },
         });
         // For the case where user opens dialog and reverifies when domain name formControl disabled.
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.html b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.html
index dee663eb199..0c28e4b13d5 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.html
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.html
@@ -4,6 +4,20 @@
   </button>
 </app-header>
 
+<p class="tw-text-muted tw-w-1/3" *ngIf="accountDeprovisioningEnabled$ | async">
+  {{ "claimedDomainsDesc" | i18n }}
+  <a
+    bitLink
+    target="_blank"
+    rel="noreferrer"
+    appA11yTitle="{{ 'learnMore' | i18n }}"
+    href="https://bitwarden.com/help/claimed-accounts/"
+    slot="end"
+  >
+    <i class="bwi bwi-question-circle" aria-hidden="true"></i>
+  </a>
+</p>
+
 <ng-container *ngIf="loading">
   <i
     class="bwi bwi-spinner bwi-spin text-muted"
@@ -40,10 +54,16 @@
             </td>
             <td bitCell>
               <span *ngIf="!orgDomain?.verifiedDate" bitBadge variant="warning">{{
-                "domainStatusUnverified" | i18n
+                ((accountDeprovisioningEnabled$ | async)
+                  ? "domainStatusUnderVerification"
+                  : "domainStatusUnverified"
+                ) | i18n
               }}</span>
               <span *ngIf="orgDomain?.verifiedDate" bitBadge variant="success">{{
-                "domainStatusVerified" | i18n
+                ((accountDeprovisioningEnabled$ | async)
+                  ? "domainStatusClaimed"
+                  : "domainStatusVerified"
+                ) | i18n
               }}</span>
             </td>
             <td bitCell class="tw-text-muted">
@@ -70,7 +90,10 @@
                   type="button"
                 >
                   <i class="bwi bwi-fw bwi-check" aria-hidden="true"></i>
-                  {{ "verifyDomain" | i18n }}
+                  {{
+                    ((accountDeprovisioningEnabled$ | async) ? "claimDomain" : "verifyDomain")
+                      | i18n
+                  }}
                 </button>
                 <button bitMenuItem (click)="deleteDomain(orgDomain.id)" type="button">
                   <span class="tw-text-danger">
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
index 26347a515a0..2a2ae73227a 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
@@ -43,6 +43,7 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
 
   organizationId: string;
   orgDomains$: Observable<OrganizationDomainResponse[]>;
+  accountDeprovisioningEnabled$: Observable<boolean>;
 
   constructor(
     private route: ActivatedRoute,
@@ -54,7 +55,11 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
     private toastService: ToastService,
     private configService: ConfigService,
     private policyApiService: PolicyApiServiceAbstraction,
-  ) {}
+  ) {
+    this.accountDeprovisioningEnabled$ = this.configService.getFeatureFlag$(
+      FeatureFlag.AccountDeprovisioning,
+    );
+  }
 
   // eslint-disable-next-line @typescript-eslint/no-empty-function
   async ngOnInit() {
@@ -105,7 +110,7 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
             organizationDomains.every((domain) => domain.verifiedDate === null)
           ) {
             await this.dialogService.openSimpleDialog({
-              title: { key: "verified-domain-single-org-warning" },
+              title: { key: "claim-domain-single-org-warning" },
               content: { key: "single-org-revoked-user-warning" },
               cancelButtonText: { key: "cancel" },
               acceptButtonText: { key: "confirm" },
@@ -169,13 +174,22 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
         this.toastService.showToast({
           variant: "success",
           title: null,
-          message: this.i18nService.t("domainVerified"),
+          message: this.i18nService.t(
+            (await firstValueFrom(this.accountDeprovisioningEnabled$))
+              ? "domainClaimed"
+              : "domainVerified",
+          ),
         });
       } else {
         this.toastService.showToast({
           variant: "error",
           title: null,
-          message: this.i18nService.t("domainNotVerified", domainName),
+          message: this.i18nService.t(
+            (await firstValueFrom(this.accountDeprovisioningEnabled$))
+              ? "domainNotClaimed"
+              : "domainNotVerified",
+            domainName,
+          ),
         });
         // Update this item so the last checked date gets updated.
         await this.updateOrgDomain(orgDomainId);
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
index 3a76b92cede..c585e9dacd0 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
@@ -1,8 +1,10 @@
-import { NgModule } from "@angular/core";
+import { inject, NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
 import { authGuard } from "@bitwarden/angular/auth/guards";
 import { canAccessSettingsTab } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { isEnterpriseOrgGuard } from "@bitwarden/web-vault/app/admin-console/organizations/guards/is-enterprise-org.guard";
 import { organizationPermissionsGuard } from "@bitwarden/web-vault/app/admin-console/organizations/guards/org-permissions.guard";
 import { OrganizationLayoutComponent } from "@bitwarden/web-vault/app/admin-console/organizations/layouts/organization-layout.component";
@@ -26,8 +28,13 @@ const routes: Routes = [
             path: "domain-verification",
             component: DomainVerificationComponent,
             canActivate: [organizationPermissionsGuard((org) => org.canManageDomainVerification)],
-            data: {
-              titleId: "domainVerification",
+            resolve: {
+              titleId: async () => {
+                const configService = inject(ConfigService);
+                return (await configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning))
+                  ? "claimedDomains"
+                  : "domainVerification";
+              },
             },
           },
           {
diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
index fa9665ff457..0731820e413 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
@@ -31,7 +31,10 @@
         <input bitInput type="text" formControlName="ssoIdentifier" />
         <bit-hint>
           {{ "ssoIdentifierHintPartOne" | i18n }}
-          <a bitLink routerLink="../domain-verification">{{ "domainVerification" | i18n }}</a>
+          <a bitLink routerLink="../domain-verification">{{
+            ((accountDeprovisioningEnabled$ | async) ? "claimedDomains" : "domainVerification")
+              | i18n
+          }}</a>
         </bit-hint>
       </bit-form-field>
 
diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
index 87f2a3dd9d9..6449ef7a701 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
@@ -9,7 +9,7 @@ import {
   Validators,
 } from "@angular/forms";
 import { ActivatedRoute } from "@angular/router";
-import { concatMap, Subject, takeUntil } from "rxjs";
+import { concatMap, Observable, Subject, takeUntil } from "rxjs";
 
 import { ControlsOf } from "@bitwarden/angular/types/controls-of";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -28,6 +28,7 @@ import { SsoConfigApi } from "@bitwarden/common/auth/models/api/sso-config.api";
 import { OrganizationSsoRequest } from "@bitwarden/common/auth/models/request/organization-sso.request";
 import { OrganizationSsoResponse } from "@bitwarden/common/auth/models/response/organization-sso.response";
 import { SsoConfigView } from "@bitwarden/common/auth/models/view/sso-config.view";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -185,6 +186,8 @@ export class SsoComponent implements OnInit, OnDestroy {
     return this.ssoConfigForm?.controls?.configType as FormControl;
   }
 
+  accountDeprovisioningEnabled$: Observable<boolean>;
+
   constructor(
     private formBuilder: FormBuilder,
     private route: ActivatedRoute,
@@ -195,7 +198,11 @@ export class SsoComponent implements OnInit, OnDestroy {
     private organizationApiService: OrganizationApiServiceAbstraction,
     private configService: ConfigService,
     private toastService: ToastService,
-  ) {}
+  ) {
+    this.accountDeprovisioningEnabled$ = this.configService.getFeatureFlag$(
+      FeatureFlag.AccountDeprovisioning,
+    );
+  }
 
   async ngOnInit() {
     this.enabledCtrl.valueChanges.pipe(takeUntil(this.destroy$)).subscribe((enabled) => {

From b2ee27c02f5d416107864f7818d635d1e55dc163 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 11 Dec 2024 09:53:52 -0500
Subject: [PATCH 3/8] [PM-12443] Remove paging logic from base clients
 component and subclasses (#12250)

* remove ngx-infinite-scroll in provider clients components.

* cleanup, fix redirect

* cleanup

* remove function call during interpolation

* remove this in template

* add router guard, cleanup

* cleanup

* fix row height for virtual scroller
---
 .../clients/vnext-clients.component.html      |  82 +++++++
 .../clients/vnext-clients.component.ts        | 167 +++++++++++++++
 .../providers/providers-routing.module.ts     |  30 ++-
 .../app/billing/providers/clients/index.ts    |   1 +
 .../vnext-manage-clients.component.html       |  83 ++++++++
 .../clients/vnext-manage-clients.component.ts | 201 ++++++++++++++++++
 .../clients/vnext-no-clients.component.ts     |  50 +++++
 libs/common/src/enums/feature-flag.enum.ts    |   2 +
 8 files changed, 609 insertions(+), 7 deletions(-)
 create mode 100644 bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.html
 create mode 100644 bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
 create mode 100644 bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.html
 create mode 100644 bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
 create mode 100644 bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-no-clients.component.ts

diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.html b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.html
new file mode 100644
index 00000000000..2ace948e9d9
--- /dev/null
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.html
@@ -0,0 +1,82 @@
+<app-header>
+  <bit-search
+    class="tw-grow"
+    [formControl]="searchControl"
+    [placeholder]="'search' | i18n"
+  ></bit-search>
+  <a bitButton routerLink="create" *ngIf="manageOrganizations" buttonType="primary">
+    <i class="bwi bwi-plus bwi-fw" aria-hidden="true"></i>
+    {{ "newClient" | i18n }}
+  </a>
+  <button
+    type="button"
+    bitButton
+    (click)="addExistingOrganization()"
+    *ngIf="manageOrganizations && showAddExisting"
+  >
+    <i class="bwi bwi-plus bwi-fw" aria-hidden="true"></i>
+    {{ "addExistingOrganization" | i18n }}
+  </button>
+</app-header>
+
+<ng-container *ngIf="loading">
+  <i
+    class="bwi bwi-spinner bwi-spin text-muted"
+    title="{{ 'loading' | i18n }}"
+    aria-hidden="true"
+  ></i>
+  <span class="tw-sr-only">{{ "loading" | i18n }}</span>
+</ng-container>
+
+<ng-container *ngIf="!loading">
+  <p *ngIf="dataSource.data.length < 1">{{ "noClientsInList" | i18n }}</p>
+  <ng-container *ngIf="dataSource.data.length >= 1">
+    <bit-table-scroll
+      [dataSource]="dataSource"
+      [rowSize]="53"
+      class="tw-table tw-w-full table-hover table-list"
+    >
+      <ng-container header>
+        <th bitCell colspan="2" bitSortable="organizationName">{{ "name" | i18n }}</th>
+        <th bitCell bitSortable="seats">{{ "numberOfUsers" | i18n }}</th>
+        <th bitCell bitSortable="plan">{{ "billingPlan" | i18n }}</th>
+        <th bitCell></th>
+      </ng-container>
+      <ng-template bitRowDef let-row>
+        <td bitCell>
+          <bit-avatar [text]="row.organizationName" [id]="row.id" size="small"></bit-avatar>
+        </td>
+        <td bitCell>
+          <a [routerLink]="['/organizations', row.organizationId]">{{ row.organizationName }}</a>
+        </td>
+        <td bitCell>
+          <span>{{ row.userCount }}</span>
+          <span *ngIf="row.seats != null"> / {{ row.seats }}</span>
+        </td>
+        <td bitCell>
+          <span>{{ row.plan }}</span>
+        </td>
+        <td class="table-list-options" *ngIf="manageOrganizations">
+          <div class="dropdown" appListDropdown>
+            <button
+              class="btn btn-outline-secondary dropdown-toggle"
+              type="button"
+              data-toggle="dropdown"
+              aria-haspopup="true"
+              aria-expanded="false"
+              appA11yTitle="{{ 'options' | i18n }}"
+            >
+              <i class="bwi bwi-cog bwi-lg" aria-hidden="true"></i>
+            </button>
+            <div class="dropdown-menu dropdown-menu-right">
+              <a class="dropdown-item text-danger" href="#" appStopClick (click)="remove(row)">
+                <i class="bwi bwi-fw bwi-close" aria-hidden="true"></i>
+                {{ "remove" | i18n }}
+              </a>
+            </div>
+          </div>
+        </td>
+      </ng-template>
+    </bit-table-scroll>
+  </ng-container>
+</ng-container>
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
new file mode 100644
index 00000000000..ba56ce872b2
--- /dev/null
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
@@ -0,0 +1,167 @@
+import { CommonModule } from "@angular/common";
+import { Component } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
+import { FormControl } from "@angular/forms";
+import { ActivatedRoute, Router, RouterModule } from "@angular/router";
+import { firstValueFrom, from, map } from "rxjs";
+import { debounceTime, first, switchMap } from "rxjs/operators";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { ProviderService } from "@bitwarden/common/admin-console/abstractions/provider.service";
+import { ProviderStatusType, ProviderUserType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { ProviderOrganizationOrganizationDetailsResponse } from "@bitwarden/common/admin-console/models/response/provider/provider-organization.response";
+import { PlanType } from "@bitwarden/common/billing/enums";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
+import {
+  AvatarModule,
+  DialogService,
+  TableDataSource,
+  TableModule,
+  ToastService,
+} from "@bitwarden/components";
+import { SharedOrganizationModule } from "@bitwarden/web-vault/app/admin-console/organizations/shared";
+import { HeaderModule } from "@bitwarden/web-vault/app/layouts/header/header.module";
+
+import { WebProviderService } from "../services/web-provider.service";
+
+import { AddOrganizationComponent } from "./add-organization.component";
+
+const DisallowedPlanTypes = [
+  PlanType.Free,
+  PlanType.FamiliesAnnually2019,
+  PlanType.FamiliesAnnually,
+  PlanType.TeamsStarter2023,
+  PlanType.TeamsStarter,
+];
+
+@Component({
+  templateUrl: "vnext-clients.component.html",
+  standalone: true,
+  imports: [
+    SharedOrganizationModule,
+    HeaderModule,
+    CommonModule,
+    JslibModule,
+    AvatarModule,
+    RouterModule,
+    TableModule,
+  ],
+})
+export class vNextClientsComponent {
+  providerId: string;
+  addableOrganizations: Organization[];
+  loading = true;
+  manageOrganizations = false;
+  showAddExisting = false;
+  dataSource: TableDataSource<ProviderOrganizationOrganizationDetailsResponse> =
+    new TableDataSource();
+  protected searchControl = new FormControl("", { nonNullable: true });
+
+  constructor(
+    private router: Router,
+    private providerService: ProviderService,
+    private apiService: ApiService,
+    private organizationService: OrganizationService,
+    private organizationApiService: OrganizationApiServiceAbstraction,
+    private activatedRoute: ActivatedRoute,
+    private dialogService: DialogService,
+    private i18nService: I18nService,
+    private toastService: ToastService,
+    private validationService: ValidationService,
+    private webProviderService: WebProviderService,
+  ) {
+    this.activatedRoute.queryParams.pipe(first(), takeUntilDestroyed()).subscribe((queryParams) => {
+      this.searchControl.setValue(queryParams.search);
+    });
+
+    this.activatedRoute.parent.params
+      .pipe(
+        switchMap((params) => {
+          this.providerId = params.providerId;
+          return this.providerService.get$(this.providerId).pipe(
+            map((provider) => provider?.providerStatus === ProviderStatusType.Billable),
+            map((isBillable) => {
+              if (isBillable) {
+                return from(
+                  this.router.navigate(["../manage-client-organizations"], {
+                    relativeTo: this.activatedRoute,
+                  }),
+                );
+              } else {
+                return from(this.load());
+              }
+            }),
+          );
+        }),
+        takeUntilDestroyed(),
+      )
+      .subscribe();
+
+    this.searchControl.valueChanges
+      .pipe(debounceTime(200), takeUntilDestroyed())
+      .subscribe((searchText) => {
+        this.dataSource.filter = (data) =>
+          data.organizationName.toLowerCase().indexOf(searchText.toLowerCase()) > -1;
+      });
+  }
+
+  async remove(organization: ProviderOrganizationOrganizationDetailsResponse) {
+    const confirmed = await this.dialogService.openSimpleDialog({
+      title: organization.organizationName,
+      content: { key: "detachOrganizationConfirmation" },
+      type: "warning",
+    });
+
+    if (!confirmed) {
+      return;
+    }
+
+    try {
+      await this.webProviderService.detachOrganization(this.providerId, organization.id);
+      this.toastService.showToast({
+        variant: "success",
+        title: null,
+        message: this.i18nService.t("detachedOrganization", organization.organizationName),
+      });
+      await this.load();
+    } catch (e) {
+      this.validationService.showError(e);
+    }
+  }
+
+  async load() {
+    const response = await this.apiService.getProviderClients(this.providerId);
+    const clients = response.data != null && response.data.length > 0 ? response.data : [];
+    this.dataSource.data = clients;
+    this.manageOrganizations =
+      (await this.providerService.get(this.providerId)).type === ProviderUserType.ProviderAdmin;
+    const candidateOrgs = (await this.organizationService.getAll()).filter(
+      (o) => o.isOwner && o.providerId == null,
+    );
+    const allowedOrgsIds = await Promise.all(
+      candidateOrgs.map((o) => this.organizationApiService.get(o.id)),
+    ).then((orgs) =>
+      orgs.filter((o) => !DisallowedPlanTypes.includes(o.planType)).map((o) => o.id),
+    );
+    this.addableOrganizations = candidateOrgs.filter((o) => allowedOrgsIds.includes(o.id));
+
+    this.showAddExisting = this.addableOrganizations.length !== 0;
+    this.loading = false;
+  }
+
+  async addExistingOrganization() {
+    const dialogRef = AddOrganizationComponent.open(this.dialogService, {
+      providerId: this.providerId,
+      organizations: this.addableOrganizations,
+    });
+
+    if (await firstValueFrom(dialogRef.closed)) {
+      await this.load();
+    }
+  }
+}
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
index 00c944e69bb..09276263332 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
@@ -2,8 +2,10 @@ import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
 import { authGuard } from "@bitwarden/angular/auth/guards";
+import { featureFlaggedRoute } from "@bitwarden/angular/platform/utils/feature-flagged-route";
 import { AnonLayoutWrapperComponent } from "@bitwarden/auth/angular";
 import { Provider } from "@bitwarden/common/admin-console/models/domain/provider";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { FrontendLayoutComponent } from "@bitwarden/web-vault/app/layouts/frontend-layout.component";
 import { UserLayoutComponent } from "@bitwarden/web-vault/app/layouts/user-layout.component";
 
@@ -12,10 +14,12 @@ import {
   ProviderSubscriptionComponent,
   hasConsolidatedBilling,
   ProviderBillingHistoryComponent,
+  vNextManageClientsComponent,
 } from "../../billing/providers";
 
 import { ClientsComponent } from "./clients/clients.component";
 import { CreateOrganizationComponent } from "./clients/create-organization.component";
+import { vNextClientsComponent } from "./clients/vnext-clients.component";
 import { providerPermissionsGuard } from "./guards/provider-permissions.guard";
 import { AcceptProviderComponent } from "./manage/accept-provider.component";
 import { EventsComponent } from "./manage/events.component";
@@ -82,13 +86,25 @@ const routes: Routes = [
         children: [
           { path: "", pathMatch: "full", redirectTo: "clients" },
           { path: "clients/create", component: CreateOrganizationComponent },
-          { path: "clients", component: ClientsComponent, data: { titleId: "clients" } },
-          {
-            path: "manage-client-organizations",
-            canActivate: [hasConsolidatedBilling],
-            component: ManageClientsComponent,
-            data: { titleId: "clients" },
-          },
+          ...featureFlaggedRoute({
+            defaultComponent: ClientsComponent,
+            flaggedComponent: vNextClientsComponent,
+            featureFlag: FeatureFlag.PM12443RemovePagingLogic,
+            routeOptions: {
+              path: "clients",
+              data: { titleId: "clients" },
+            },
+          }),
+          ...featureFlaggedRoute({
+            defaultComponent: ManageClientsComponent,
+            flaggedComponent: vNextManageClientsComponent,
+            featureFlag: FeatureFlag.PM12443RemovePagingLogic,
+            routeOptions: {
+              path: "manage-client-organizations",
+              data: { titleId: "clients" },
+              canActivate: [hasConsolidatedBilling],
+            },
+          }),
           {
             path: "manage",
             children: [
diff --git a/bitwarden_license/bit-web/src/app/billing/providers/clients/index.ts b/bitwarden_license/bit-web/src/app/billing/providers/clients/index.ts
index ae7bf487f99..f8b344372ef 100644
--- a/bitwarden_license/bit-web/src/app/billing/providers/clients/index.ts
+++ b/bitwarden_license/bit-web/src/app/billing/providers/clients/index.ts
@@ -3,3 +3,4 @@ export * from "./manage-clients.component";
 export * from "./manage-client-name-dialog.component";
 export * from "./manage-client-subscription-dialog.component";
 export * from "./no-clients.component";
+export * from "./vnext-manage-clients.component";
diff --git a/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.html b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.html
new file mode 100644
index 00000000000..c54965bbdb6
--- /dev/null
+++ b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.html
@@ -0,0 +1,83 @@
+<app-header>
+  <bit-search [placeholder]="'search' | i18n" [formControl]="searchControl"></bit-search>
+  <a type="button" bitButton *ngIf="isProviderAdmin" buttonType="primary" (click)="createClient()">
+    <i class="bwi bwi-plus bwi-fw" aria-hidden="true"></i>
+    {{ "addNewOrganization" | i18n }}
+  </a>
+</app-header>
+
+<ng-container *ngIf="loading">
+  <i
+    class="bwi bwi-spinner bwi-spin text-muted"
+    title="{{ 'loading' | i18n }}"
+    aria-hidden="true"
+  ></i>
+  <span class="tw-sr-only">{{ "loading" | i18n }}</span>
+</ng-container>
+
+<ng-container *ngIf="!loading">
+  <bit-table-scroll [dataSource]="dataSource" [rowSize]="53" class="table table-hover table-list">
+    <ng-container header>
+      <th colspan="2" bitCell bitSortable="organizationName" default>{{ "client" | i18n }}</th>
+      <th bitCell bitSortable="seats">{{ "assigned" | i18n }}</th>
+      <th bitCell bitSortable="occupiedSeats">{{ "used" | i18n }}</th>
+      <th bitCell bitSortable="remainingSeats">{{ "remaining" | i18n }}</th>
+      <th bitCell bitSortable="plan">{{ "billingPlan" | i18n }}</th>
+      <th></th>
+    </ng-container>
+    <ng-template bitRowDef let-row>
+      <td bitCell width="30">
+        <bit-avatar [text]="row.organizationName" [id]="row.id" size="small"></bit-avatar>
+      </td>
+      <td bitCell>
+        <div class="tw-flex tw-items-center tw-gap-4 tw-break-all">
+          <a bitLink [routerLink]="['/organizations', row.organizationId]">{{
+            row.organizationName
+          }}</a>
+        </div>
+      </td>
+      <td bitCell class="tw-whitespace-nowrap">
+        <span class="tw-text-muted">{{ row.seats }}</span>
+      </td>
+      <td bitCell class="tw-whitespace-nowrap">
+        <span class="tw-text-muted">{{ row.occupiedSeats }}</span>
+      </td>
+      <td bitCell class="tw-whitespace-nowrap">
+        <span class="tw-text-muted">{{ row.remainingSeats }}</span>
+      </td>
+      <td bitCell class="tw-whitespace-nowrap">
+        <span class="tw-text-muted">{{ row.plan }}</span>
+      </td>
+      <td bitCell class="tw-text-right">
+        <button
+          [bitMenuTriggerFor]="rowMenu"
+          type="button"
+          bitIconButton="bwi-ellipsis-v"
+          size="small"
+          appA11yTitle="{{ 'options' | i18n }}"
+        ></button>
+        <bit-menu #rowMenu>
+          <button type="button" bitMenuItem (click)="manageClientName(row)">
+            <i aria-hidden="true" class="bwi bwi-pencil-square"></i>
+            {{ "updateName" | i18n }}
+          </button>
+          <button type="button" bitMenuItem (click)="manageClientSubscription(row)">
+            <i aria-hidden="true" class="bwi bwi-family"></i>
+            {{ "manageSubscription" | i18n }}
+          </button>
+          <button *ngIf="isProviderAdmin" type="button" bitMenuItem (click)="remove(row)">
+            <span class="tw-text-danger">
+              <i aria-hidden="true" class="bwi bwi-close"></i> {{ "unlinkOrganization" | i18n }}
+            </span>
+          </button>
+        </bit-menu>
+      </td>
+    </ng-template>
+  </bit-table-scroll>
+  <div *ngIf="dataSource.data.length === 0" class="tw-mt-10">
+    <app-no-clients
+      [showAddOrganizationButton]="isProviderAdmin"
+      (addNewOrganizationClicked)="createClient()"
+    />
+  </div>
+</ng-container>
diff --git a/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
new file mode 100644
index 00000000000..5ee7817f34e
--- /dev/null
+++ b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
@@ -0,0 +1,201 @@
+import { Component } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
+import { FormControl } from "@angular/forms";
+import { ActivatedRoute, Router } from "@angular/router";
+import { firstValueFrom, from, lastValueFrom, map } from "rxjs";
+import { debounceTime, first, switchMap } from "rxjs/operators";
+
+import { ProviderService } from "@bitwarden/common/admin-console/abstractions/provider.service";
+import { ProviderStatusType, ProviderUserType } from "@bitwarden/common/admin-console/enums";
+import { Provider } from "@bitwarden/common/admin-console/models/domain/provider";
+import { ProviderOrganizationOrganizationDetailsResponse } from "@bitwarden/common/admin-console/models/response/provider/provider-organization.response";
+import { BillingApiServiceAbstraction } from "@bitwarden/common/billing/abstractions";
+import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
+import {
+  AvatarModule,
+  DialogService,
+  TableDataSource,
+  TableModule,
+  ToastService,
+} from "@bitwarden/components";
+import { SharedOrganizationModule } from "@bitwarden/web-vault/app/admin-console/organizations/shared";
+import { HeaderModule } from "@bitwarden/web-vault/app/layouts/header/header.module";
+
+import { WebProviderService } from "../../../admin-console/providers/services/web-provider.service";
+
+import {
+  CreateClientDialogResultType,
+  openCreateClientDialog,
+} from "./create-client-dialog.component";
+import {
+  ManageClientNameDialogResultType,
+  openManageClientNameDialog,
+} from "./manage-client-name-dialog.component";
+import {
+  ManageClientSubscriptionDialogResultType,
+  openManageClientSubscriptionDialog,
+} from "./manage-client-subscription-dialog.component";
+import { vNextNoClientsComponent } from "./vnext-no-clients.component";
+
+@Component({
+  templateUrl: "vnext-manage-clients.component.html",
+  standalone: true,
+  imports: [
+    AvatarModule,
+    TableModule,
+    HeaderModule,
+    SharedOrganizationModule,
+    vNextNoClientsComponent,
+  ],
+})
+export class vNextManageClientsComponent {
+  providerId: string;
+  provider: Provider;
+  loading = true;
+  isProviderAdmin = false;
+  dataSource: TableDataSource<ProviderOrganizationOrganizationDetailsResponse> =
+    new TableDataSource();
+
+  protected searchControl = new FormControl("", { nonNullable: true });
+  protected plans: PlanResponse[];
+
+  constructor(
+    private billingApiService: BillingApiServiceAbstraction,
+    private providerService: ProviderService,
+    private router: Router,
+    private activatedRoute: ActivatedRoute,
+    private dialogService: DialogService,
+    private i18nService: I18nService,
+    private toastService: ToastService,
+    private validationService: ValidationService,
+    private webProviderService: WebProviderService,
+  ) {
+    this.activatedRoute.queryParams.pipe(first(), takeUntilDestroyed()).subscribe((queryParams) => {
+      this.searchControl.setValue(queryParams.search);
+    });
+
+    this.activatedRoute.parent.params
+      .pipe(
+        switchMap((params) => {
+          this.providerId = params.providerId;
+          return this.providerService.get$(this.providerId).pipe(
+            map((provider: Provider) => provider?.providerStatus === ProviderStatusType.Billable),
+            map((isBillable) => {
+              if (!isBillable) {
+                return from(
+                  this.router.navigate(["../clients"], {
+                    relativeTo: this.activatedRoute,
+                  }),
+                );
+              } else {
+                return from(this.load());
+              }
+            }),
+          );
+        }),
+        takeUntilDestroyed(),
+      )
+      .subscribe();
+
+    this.searchControl.valueChanges
+      .pipe(debounceTime(200), takeUntilDestroyed())
+      .subscribe((searchText) => {
+        this.dataSource.filter = (data) =>
+          data.organizationName.toLowerCase().indexOf(searchText.toLowerCase()) > -1;
+      });
+  }
+
+  async load() {
+    this.provider = await firstValueFrom(this.providerService.get$(this.providerId));
+
+    this.isProviderAdmin = this.provider.type === ProviderUserType.ProviderAdmin;
+
+    const clients = (await this.billingApiService.getProviderClientOrganizations(this.providerId))
+      .data;
+
+    clients.forEach((client) => (client.plan = client.plan.replace(" (Monthly)", "")));
+
+    this.dataSource.data = clients;
+
+    this.plans = (await this.billingApiService.getPlans()).data;
+
+    this.loading = false;
+  }
+
+  createClient = async () => {
+    const reference = openCreateClientDialog(this.dialogService, {
+      data: {
+        providerId: this.providerId,
+        plans: this.plans,
+      },
+    });
+
+    const result = await lastValueFrom(reference.closed);
+
+    if (result === CreateClientDialogResultType.Submitted) {
+      await this.load();
+    }
+  };
+
+  manageClientName = async (organization: ProviderOrganizationOrganizationDetailsResponse) => {
+    const dialogRef = openManageClientNameDialog(this.dialogService, {
+      data: {
+        providerId: this.providerId,
+        organization: {
+          id: organization.id,
+          name: organization.organizationName,
+          seats: organization.seats,
+        },
+      },
+    });
+
+    const result = await firstValueFrom(dialogRef.closed);
+
+    if (result === ManageClientNameDialogResultType.Submitted) {
+      await this.load();
+    }
+  };
+
+  manageClientSubscription = async (
+    organization: ProviderOrganizationOrganizationDetailsResponse,
+  ) => {
+    const dialogRef = openManageClientSubscriptionDialog(this.dialogService, {
+      data: {
+        organization,
+        provider: this.provider,
+      },
+    });
+
+    const result = await firstValueFrom(dialogRef.closed);
+
+    if (result === ManageClientSubscriptionDialogResultType.Submitted) {
+      await this.load();
+    }
+  };
+
+  async remove(organization: ProviderOrganizationOrganizationDetailsResponse) {
+    const confirmed = await this.dialogService.openSimpleDialog({
+      title: organization.organizationName,
+      content: { key: "detachOrganizationConfirmation" },
+      type: "warning",
+    });
+
+    if (!confirmed) {
+      return;
+    }
+
+    try {
+      await this.webProviderService.detachOrganization(this.providerId, organization.id);
+      this.toastService.showToast({
+        variant: "success",
+        title: null,
+        message: this.i18nService.t("detachedOrganization", organization.organizationName),
+      });
+      await this.load();
+    } catch (e) {
+      this.validationService.showError(e);
+    }
+  }
+}
diff --git a/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-no-clients.component.ts b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-no-clients.component.ts
new file mode 100644
index 00000000000..5ad19945c51
--- /dev/null
+++ b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-no-clients.component.ts
@@ -0,0 +1,50 @@
+import { Component, EventEmitter, Input, Output } from "@angular/core";
+
+import { svgIcon } from "@bitwarden/components";
+import { SharedOrganizationModule } from "@bitwarden/web-vault/app/admin-console/organizations/shared";
+
+const gearIcon = svgIcon`
+<svg width="120" height="120" viewBox="0 0 120 120" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M59.9995 37.9541C46.4641 37.9541 35.5465 48.6298 35.5465 61.7321C35.5465 74.8343 46.4641 85.51 59.9995 85.51C73.5349 85.51 84.4526 74.8343 84.4526 61.7321C84.4526 48.6298 73.5349 37.9541 59.9995 37.9541ZM33.1465 61.7321C33.1465 47.2444 45.1994 35.5541 59.9995 35.5541C74.7997 35.5541 86.8526 47.2444 86.8526 61.7321C86.8526 76.2197 74.7997 87.91 59.9995 87.91C45.1994 87.91 33.1465 76.2197 33.1465 61.7321Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M98.9992 8.4C94.36 8.4 90.5992 12.1608 90.5992 16.8C90.5992 21.4392 94.36 25.2 98.9992 25.2C103.638 25.2 107.399 21.4392 107.399 16.8C107.399 12.1608 103.638 8.4 98.9992 8.4ZM88.1992 16.8C88.1992 10.8353 93.0345 6 98.9992 6C104.964 6 109.799 10.8353 109.799 16.8C109.799 22.7647 104.964 27.6 98.9992 27.6C93.0345 27.6 88.1992 22.7647 88.1992 16.8Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M109.2 56.4C104.561 56.4 100.8 60.1608 100.8 64.8C100.8 69.4392 104.561 73.2 109.2 73.2C113.84 73.2 117.6 69.4392 117.6 64.8C117.6 60.1608 113.84 56.4 109.2 56.4ZM98.4004 64.8C98.4004 58.8353 103.236 54 109.2 54C115.165 54 120 58.8353 120 64.8C120 70.7647 115.165 75.6 109.2 75.6C103.236 75.6 98.4004 70.7647 98.4004 64.8Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M100.8 99C96.1608 99 92.4 102.761 92.4 107.4C92.4 112.039 96.1608 115.8 100.8 115.8C105.439 115.8 109.2 112.039 109.2 107.4C109.2 102.761 105.439 99 100.8 99ZM90 107.4C90 101.435 94.8353 96.6 100.8 96.6C106.765 96.6 111.6 101.435 111.6 107.4C111.6 113.365 106.765 118.2 100.8 118.2C94.8353 118.2 90 113.365 90 107.4Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M37.8 98.4C33.1608 98.4 29.4 102.161 29.4 106.8C29.4 111.439 33.1608 115.2 37.8 115.2C42.4392 115.2 46.2 111.439 46.2 106.8C46.2 102.161 42.4392 98.4 37.8 98.4ZM27 106.8C27 100.835 31.8353 96 37.8 96C43.7647 96 48.6 100.835 48.6 106.8C48.6 112.765 43.7647 117.6 37.8 117.6C31.8353 117.6 27 112.765 27 106.8Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M10.8 40.2C6.16081 40.2 2.4 43.9608 2.4 48.6C2.4 53.2392 6.16081 57 10.8 57C15.4392 57 19.2 53.2392 19.2 48.6C19.2 43.9608 15.4392 40.2 10.8 40.2ZM0 48.6C0 42.6353 4.83532 37.8 10.8 37.8C16.7647 37.8 21.6 42.6353 21.6 48.6C21.6 54.5647 16.7647 59.4 10.8 59.4C4.83532 59.4 0 54.5647 0 48.6Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M38.3996 3.60001C33.7604 3.60001 29.9996 7.36082 29.9996 12C29.9996 16.6392 33.7604 20.4 38.3996 20.4C43.0388 20.4 46.7996 16.6392 46.7996 12C46.7996 7.36082 43.0388 3.60001 38.3996 3.60001ZM27.5996 12C27.5996 6.03534 32.4349 1.20001 38.3996 1.20001C44.3643 1.20001 49.1996 6.03534 49.1996 12C49.1996 17.9647 44.3643 22.8 38.3996 22.8C32.4349 22.8 27.5996 17.9647 27.5996 12Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M42.217 21.3484C42.5229 21.221 42.8742 21.3656 43.0017 21.6715L49.7525 37.8734C49.8799 38.1793 49.7353 38.5306 49.4294 38.6581C49.1235 38.7855 48.7722 38.6409 48.6448 38.335L41.894 22.133C41.7665 21.8272 41.9112 21.4759 42.217 21.3484Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M92.7905 24.1445C93.0435 24.3585 93.075 24.7371 92.861 24.9901L78.0092 42.5422C77.7952 42.7951 77.4166 42.8267 77.1636 42.6126C76.9107 42.3986 76.8791 42.02 77.0932 41.767L91.9449 24.2149C92.159 23.962 92.5375 23.9304 92.7905 24.1445Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M20.4265 51.4253C20.523 51.1083 20.8582 50.9295 21.1752 51.026L34.9752 55.226C35.2923 55.3225 35.471 55.6577 35.3746 55.9747C35.2781 56.2917 34.9429 56.4705 34.6259 56.374L20.8259 52.174C20.5088 52.0776 20.3301 51.7424 20.4265 51.4253Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M49.4777 84.0684C49.7714 84.2219 49.8849 84.5845 49.7314 84.8781L42.9795 97.7892C42.8259 98.0829 42.4634 98.1964 42.1697 98.0429C41.8761 97.8893 41.7625 97.5268 41.9161 97.2331L48.668 84.322C48.8216 84.0284 49.1841 83.9148 49.4777 84.0684Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M77.1582 79.5058C77.4086 79.2888 77.7876 79.3159 78.0046 79.5663L95.5567 99.8187C95.7737 100.069 95.7466 100.448 95.4962 100.665C95.2458 100.882 94.8669 100.855 94.6499 100.605L77.0978 80.3522C76.8807 80.1018 76.9078 79.7229 77.1582 79.5058Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M85.0558 62.3473C85.0887 62.0176 85.3828 61.7771 85.7125 61.81L99.2141 63.1602C99.5438 63.1932 99.7844 63.4872 99.7514 63.8169C99.7184 64.1466 99.4244 64.3872 99.0947 64.3542L85.5931 63.0041C85.2634 62.9711 85.0228 62.6771 85.0558 62.3473Z" fill="#CED4DC"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M55.0583 45.4382C54.888 45.247 54.615 45.185 54.3788 45.2838L52.1688 46.2079C51.9281 46.3086 51.7801 46.5531 51.8024 46.8129L52.1362 50.6898C52.1819 51.2204 51.9902 51.744 51.6128 52.1197L50.2505 53.4761C49.894 53.8311 49.4052 54.0206 48.9027 53.9989L45.0074 53.8303C44.7569 53.8194 44.5261 53.9655 44.4286 54.1965L43.4934 56.4137C43.3921 56.6536 43.4573 56.9315 43.6545 57.1014L46.5356 59.5838C46.9324 59.9257 47.1606 60.4236 47.1606 60.9474V62.8948C47.1606 63.4058 46.9435 63.8927 46.5633 64.2341L43.7142 66.7927C43.5238 66.9636 43.4628 67.2365 43.5622 67.4723L44.4892 69.6698C44.5905 69.9098 44.835 70.0571 45.0945 70.0343L48.8457 69.7047C49.3746 69.6583 49.897 69.8477 50.2732 70.2223L51.6345 71.5776C51.9931 71.9346 52.1849 72.4261 52.1628 72.9317L51.994 76.7976C51.983 77.0488 52.1299 77.2803 52.3619 77.3773L54.5876 78.308C54.8286 78.4088 55.1071 78.3421 55.2763 78.143L57.6994 75.2918C58.0414 74.8894 58.5429 74.6575 59.071 74.6575H61.0298C61.5381 74.6575 62.0226 74.8723 62.3639 75.249L64.9399 78.0926C65.1106 78.281 65.3815 78.3414 65.616 78.2433L67.8309 77.3171C68.072 77.2163 68.2202 76.9709 68.1971 76.7106L67.8673 72.9892C67.8201 72.4571 68.0117 71.9316 68.3903 71.5547L69.7513 70.1996C70.1078 69.8447 70.5965 69.6551 71.0991 69.6769L74.9944 69.8455C75.2449 69.8563 75.4757 69.7103 75.5731 69.4793L76.5045 67.2715C76.6066 67.0293 76.5393 66.7488 76.3382 66.5794L73.4814 64.1727C73.0755 63.8307 72.8412 63.3269 72.8412 62.7961V60.856C72.8412 60.3457 73.0578 59.8594 73.4371 59.518L76.3646 56.8836C76.5546 56.7125 76.6154 56.4399 76.5161 56.2043L75.5887 54.006C75.4875 53.766 75.2429 53.6187 74.9834 53.6415L71.2322 53.9711C70.7034 54.0175 70.181 53.8281 69.8047 53.4535L68.4434 52.0982C68.0848 51.7411 67.8931 51.2496 67.9152 50.7441L68.084 46.8782C68.0949 46.627 67.9481 46.3955 67.716 46.2985L65.4903 45.3678C65.2493 45.267 64.9708 45.3337 64.8016 45.5328L62.3785 48.384C62.0365 48.7864 61.5351 49.0183 61.007 49.0183H59.0542C58.5406 49.0183 58.0516 48.799 57.71 48.4155L55.0583 45.4382ZM53.9158 44.1767C54.6246 43.8803 55.4434 44.0664 55.9544 44.6401L58.6061 47.6174C58.72 47.7452 58.883 47.8183 59.0542 47.8183H61.007C61.183 47.8183 61.3502 47.741 61.4642 47.6069L63.8872 44.7557C64.3947 44.1585 65.2303 43.9583 65.9532 44.2607L68.179 45.1914C68.8751 45.4825 69.3157 46.1768 69.2828 46.9306L69.114 50.7964C69.1067 50.965 69.1706 51.1288 69.2901 51.2478L70.6514 52.6031C70.7768 52.728 70.9509 52.7911 71.1272 52.7757L74.8784 52.4461C75.6569 52.3777 76.3906 52.8195 76.6944 53.5396L77.6217 55.7379C77.9198 56.4446 77.7374 57.2625 77.1673 57.7755L74.2398 60.41C74.1134 60.5238 74.0412 60.6859 74.0412 60.856V62.7961C74.0412 62.973 74.1193 63.1409 74.2546 63.2549L77.1114 65.6617C77.7145 66.1698 77.9166 67.0113 77.6101 67.7379L76.6788 69.9457C76.3864 70.6387 75.694 71.0769 74.9425 71.0444L71.0472 70.8758C70.8797 70.8685 70.7168 70.9317 70.598 71.05L69.2369 72.4051C69.1108 72.5307 69.0469 72.7059 69.0626 72.8833L69.3924 76.6046C69.4616 77.3857 69.0173 78.1217 68.2939 78.4242L66.079 79.3504C65.3753 79.6447 64.5626 79.4635 64.0505 78.8982L61.4745 76.0547C61.3608 75.9291 61.1993 75.8575 61.0298 75.8575H59.071C58.8949 75.8575 58.7278 75.9348 58.6138 76.0689L56.1907 78.9201C55.6832 79.5173 54.8477 79.7174 54.1247 79.4151L51.899 78.4844C51.2029 78.1933 50.7622 77.499 50.7951 76.7452L50.9639 72.8793C50.9713 72.7108 50.9074 72.547 50.7878 72.428L49.4265 71.0726C49.3011 70.9478 49.127 70.8846 48.9507 70.9001L45.1996 71.2297C44.421 71.298 43.6873 70.8562 43.3836 70.1362L42.4566 67.9387C42.1582 67.2314 42.3412 66.4127 42.9124 65.8998L45.7615 63.3412C45.8883 63.2274 45.9606 63.0651 45.9606 62.8948V60.9474C45.9606 60.7728 45.8846 60.6069 45.7523 60.4929L42.8712 58.0105C42.2794 57.5006 42.0841 56.6671 42.3877 55.9473L43.323 53.7301C43.6153 53.0371 44.3078 52.5989 45.0593 52.6314L48.9546 52.8C49.1221 52.8073 49.285 52.7441 49.4038 52.6258L50.7662 51.2694C50.892 51.1441 50.9558 50.9696 50.9406 50.7927L50.6069 46.9159C50.5398 46.1363 50.9839 45.4027 51.7058 45.1008L53.9158 44.1767ZM65.7734 59.49C64.5008 56.2102 60.7895 54.7187 57.5276 56.0511C54.2534 57.3885 52.7303 61.0753 54.0787 64.2677C55.4244 67.5297 59.1264 69.0401 62.327 67.6984C65.5088 66.3645 67.1209 62.6899 65.7734 59.49ZM64.6574 59.9312C63.6423 57.3035 60.6562 56.0694 57.9814 57.162C55.3169 58.2503 54.0985 61.2338 55.185 63.8029L55.1872 63.808L55.1872 63.808C56.2791 66.4579 59.2771 67.6758 61.863 66.5917C64.4656 65.5006 65.7472 62.5089 64.6645 59.9487C64.662 59.9429 64.6597 59.9371 64.6574 59.9312Z" fill="#CED4DC"/>
+</svg>
+`;
+
+@Component({
+  selector: "app-no-clients",
+  standalone: true,
+  imports: [SharedOrganizationModule],
+  template: `<div class="tw-flex tw-flex-col tw-items-center tw-text-info">
+    <bit-icon [icon]="icon"></bit-icon>
+    <p class="tw-mt-4">{{ "noClients" | i18n }}</p>
+    <a
+      *ngIf="showAddOrganizationButton"
+      type="button"
+      bitButton
+      buttonType="primary"
+      (click)="addNewOrganization()"
+    >
+      <i class="bwi bwi-plus bwi-fw" aria-hidden="true"></i>
+      {{ "addNewOrganization" | i18n }}
+    </a>
+  </div>`,
+})
+export class vNextNoClientsComponent {
+  icon = gearIcon;
+  @Input() showAddOrganizationButton = true;
+  @Output() addNewOrganizationClicked = new EventEmitter();
+
+  addNewOrganization = () => this.addNewOrganizationClicked.emit();
+}
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index f79ebf8aa55..6597c97b641 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -40,6 +40,7 @@ export enum FeatureFlag {
   DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship",
   MacOsNativeCredentialSync = "macos-native-credential-sync",
   PM11360RemoveProviderExportPermission = "pm-11360-remove-provider-export-permission",
+  PM12443RemovePagingLogic = "pm-12443-remove-paging-logic",
 }
 
 export type AllowedFeatureFlagTypes = boolean | number | string;
@@ -90,6 +91,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.DisableFreeFamiliesSponsorship]: FALSE,
   [FeatureFlag.MacOsNativeCredentialSync]: FALSE,
   [FeatureFlag.PM11360RemoveProviderExportPermission]: FALSE,
+  [FeatureFlag.PM12443RemovePagingLogic]: FALSE,
 } satisfies Record<FeatureFlag, AllowedFeatureFlagTypes>;
 
 export type DefaultFeatureFlagValueType = typeof DefaultFeatureFlagValue;

From 92a620dd9c06c46127164d3c7a103aeafff92708 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Wed, 11 Dec 2024 07:10:06 -0800
Subject: [PATCH 4/8] [BEEEP/PM-10534] Add snap biometric support (#12187)

* Add snap biometric support

* Fix linting

* Remove unused message

* Disable snap browser integration again
---
 apps/desktop/electron-builder.json               | 11 ++++++++++-
 apps/desktop/package.json                        |  2 +-
 .../resources/com.bitwarden.desktop.policy       | 16 ++++++++++++++++
 .../biometrics/biometric.unix.main.ts            | 10 +++++++---
 apps/desktop/src/locales/en/messages.json        |  3 ---
 5 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 apps/desktop/resources/com.bitwarden.desktop.policy

diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index 9b894b0bfc7..38f11a97a8b 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -241,7 +241,16 @@
     "autoStart": true,
     "base": "core22",
     "confinement": "strict",
-    "plugs": ["default", "network-bind", "password-manager-service"],
+    "plugs": [
+      "default",
+      "network-bind",
+      "password-manager-service",
+      {
+        "polkit": {
+          "action-prefix": "com.bitwarden.Bitwarden"
+        }
+      }
+    ],
     "stagePackages": ["default"]
   },
   "protocols": [
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index eab9a7d7119..f546563ed18 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -35,7 +35,7 @@
     "clean:dist": "rimraf ./dist",
     "pack:dir": "npm run clean:dist && electron-builder --dir -p never",
     "pack:lin:flatpak": "npm run clean:dist && electron-builder --dir -p never && flatpak-builder  --repo=build/.repo build/.flatpak  ./resources/com.bitwarden.desktop.devel.yaml --install-deps-from=flathub --force-clean &&  flatpak build-bundle ./build/.repo/ ./dist/com.bitwarden.desktop.flatpak com.bitwarden.desktop",
-    "pack:lin": "npm run clean:dist && electron-builder --linux --x64 -p never",
+    "pack:lin": "npm run clean:dist && electron-builder --linux --x64 -p never && export SNAP_FILE=$(realpath ./dist/bitwarden_*.snap) && unsquashfs -d ./dist/tmp-snap/ $SNAP_FILE && mkdir -p ./dist/tmp-snap/meta/polkit/ && cp ./resources/com.bitwarden.desktop.policy  ./dist/tmp-snap/meta/polkit/polkit.com.bitwarden.desktop.policy && rm $SNAP_FILE && mksquashfs ./dist/tmp-snap/ $SNAP_FILE -noappend -comp lzo -no-fragments && rm -rf ./dist/tmp-snap/",
     "pack:mac": "npm run clean:dist && electron-builder --mac --universal -p never",
     "pack:mac:arm64": "npm run clean:dist && electron-builder --mac --arm64 -p never",
     "pack:mac:mas": "npm run clean:dist && electron-builder --mac mas --universal -p never",
diff --git a/apps/desktop/resources/com.bitwarden.desktop.policy b/apps/desktop/resources/com.bitwarden.desktop.policy
new file mode 100644
index 00000000000..e48bc6b8fbb
--- /dev/null
+++ b/apps/desktop/resources/com.bitwarden.desktop.policy
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+
+<policyconfig>
+    <action id="com.bitwarden.Bitwarden.unlock">
+      <description>Unlock Bitwarden</description>
+      <message>Authenticate to unlock Bitwarden</message>
+      <defaults>
+        <allow_any>no</allow_any>
+        <allow_inactive>no</allow_inactive>
+        <allow_active>auth_self</allow_active>
+      </defaults>
+    </action>
+</policyconfig>
diff --git a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
index 771f1ea3a1c..f2bcf62e03e 100644
--- a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
+++ b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
@@ -87,8 +87,8 @@ export default class BiometricUnixMain implements OsBiometricService {
   }
 
   async authenticateBiometric(): Promise<boolean> {
-    const hwnd = this.windowMain.win.getNativeWindowHandle();
-    return await biometrics.prompt(hwnd, this.i18nservice.t("polkitConsentMessage"));
+    const hwnd = Buffer.from("");
+    return await biometrics.prompt(hwnd, "");
   }
 
   async osSupportsBiometric(): Promise<boolean> {
@@ -98,10 +98,14 @@ export default class BiometricUnixMain implements OsBiometricService {
     // This could be dynamically detected on dbus in the future.
     // We should check if a libsecret implementation is available on the system
     // because otherwise we cannot offlod the protected userkey to secure storage.
-    return (await passwords.isAvailable()) && !isSnapStore();
+    return await passwords.isAvailable();
   }
 
   async osBiometricsNeedsSetup(): Promise<boolean> {
+    if (isSnapStore()) {
+      return false;
+    }
+
     // check whether the polkit policy is loaded via dbus call to polkit
     return !(await biometrics.available());
   }
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index e4c235dada9..f8f81a5ac2c 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -1734,9 +1734,6 @@
   "windowsHelloConsentMessage": {
     "message": "Verify for Bitwarden."
   },
-  "polkitConsentMessage": {
-    "message": "Authenticate to unlock Bitwarden."
-  },
   "unlockWithTouchId": {
     "message": "Unlock with Touch ID"
   },

From 8dd904f4b7ad767a24839a18b878703514be1f87 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 11 Dec 2024 19:08:14 -0500
Subject: [PATCH 6/8] fix ts strict errors (#12355)

---
 .../clients/vnext-clients.component.ts        | 10 +++++-----
 .../clients/vnext-manage-clients.component.ts | 20 +++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
index ba56ce872b2..2be38477d4c 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/clients/vnext-clients.component.ts
@@ -53,8 +53,8 @@ const DisallowedPlanTypes = [
   ],
 })
 export class vNextClientsComponent {
-  providerId: string;
-  addableOrganizations: Organization[];
+  providerId: string = "";
+  addableOrganizations: Organization[] = [];
   loading = true;
   manageOrganizations = false;
   showAddExisting = false;
@@ -79,8 +79,8 @@ export class vNextClientsComponent {
       this.searchControl.setValue(queryParams.search);
     });
 
-    this.activatedRoute.parent.params
-      .pipe(
+    this.activatedRoute.parent?.params
+      ?.pipe(
         switchMap((params) => {
           this.providerId = params.providerId;
           return this.providerService.get$(this.providerId).pipe(
@@ -125,7 +125,7 @@ export class vNextClientsComponent {
       await this.webProviderService.detachOrganization(this.providerId, organization.id);
       this.toastService.showToast({
         variant: "success",
-        title: null,
+        title: "",
         message: this.i18nService.t("detachedOrganization", organization.organizationName),
       });
       await this.load();
diff --git a/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
index 5ee7817f34e..4c0837d6da2 100644
--- a/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
+++ b/bitwarden_license/bit-web/src/app/billing/providers/clients/vnext-manage-clients.component.ts
@@ -51,15 +51,15 @@ import { vNextNoClientsComponent } from "./vnext-no-clients.component";
   ],
 })
 export class vNextManageClientsComponent {
-  providerId: string;
-  provider: Provider;
+  providerId: string = "";
+  provider: Provider | undefined;
   loading = true;
   isProviderAdmin = false;
   dataSource: TableDataSource<ProviderOrganizationOrganizationDetailsResponse> =
     new TableDataSource();
 
   protected searchControl = new FormControl("", { nonNullable: true });
-  protected plans: PlanResponse[];
+  protected plans: PlanResponse[] = [];
 
   constructor(
     private billingApiService: BillingApiServiceAbstraction,
@@ -76,8 +76,8 @@ export class vNextManageClientsComponent {
       this.searchControl.setValue(queryParams.search);
     });
 
-    this.activatedRoute.parent.params
-      .pipe(
+    this.activatedRoute.parent?.params
+      ?.pipe(
         switchMap((params) => {
           this.providerId = params.providerId;
           return this.providerService.get$(this.providerId).pipe(
@@ -110,12 +110,12 @@ export class vNextManageClientsComponent {
   async load() {
     this.provider = await firstValueFrom(this.providerService.get$(this.providerId));
 
-    this.isProviderAdmin = this.provider.type === ProviderUserType.ProviderAdmin;
+    this.isProviderAdmin = this.provider?.type === ProviderUserType.ProviderAdmin;
 
     const clients = (await this.billingApiService.getProviderClientOrganizations(this.providerId))
       .data;
 
-    clients.forEach((client) => (client.plan = client.plan.replace(" (Monthly)", "")));
+    clients.forEach((client) => (client.plan = client.plan?.replace(" (Monthly)", "")));
 
     this.dataSource.data = clients;
 
@@ -146,7 +146,7 @@ export class vNextManageClientsComponent {
         organization: {
           id: organization.id,
           name: organization.organizationName,
-          seats: organization.seats,
+          seats: organization.seats ? organization.seats : 0,
         },
       },
     });
@@ -164,7 +164,7 @@ export class vNextManageClientsComponent {
     const dialogRef = openManageClientSubscriptionDialog(this.dialogService, {
       data: {
         organization,
-        provider: this.provider,
+        provider: this.provider!,
       },
     });
 
@@ -190,7 +190,7 @@ export class vNextManageClientsComponent {
       await this.webProviderService.detachOrganization(this.providerId, organization.id);
       this.toastService.showToast({
         variant: "success",
-        title: null,
+        title: "",
         message: this.i18nService.t("detachedOrganization", organization.organizationName),
       });
       await this.load();

From cecf1f2506a69b8a6edc16be19e772531785a5b7 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 10:26:05 +0100
Subject: [PATCH 7/8] [deps] Platform: Update electron to v33 - abandoned
 (#11580)

* [deps] Platform: Update electron to v33

* fix: remove event from minimize

* chore: update electron version in `electron-builder.json`

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Bernd Schoolmann <mail@quexten.com>
---
 apps/desktop/electron-builder.json |  2 +-
 apps/desktop/src/main/tray.main.ts |  3 +--
 package-lock.json                  | 14 +++++++-------
 package.json                       |  2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index 38f11a97a8b..898ad086b29 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -20,7 +20,7 @@
     "**/node_modules/@bitwarden/desktop-napi/index.js",
     "**/node_modules/@bitwarden/desktop-napi/desktop_napi.${platform}-${arch}*.node"
   ],
-  "electronVersion": "32.1.1",
+  "electronVersion": "33.2.1",
   "generateUpdatesFilesForAllChannels": true,
   "publish": {
     "provider": "generic",
diff --git a/apps/desktop/src/main/tray.main.ts b/apps/desktop/src/main/tray.main.ts
index 641af8db0ad..52a8615a1da 100644
--- a/apps/desktop/src/main/tray.main.ts
+++ b/apps/desktop/src/main/tray.main.ts
@@ -64,9 +64,8 @@ export class TrayMain {
   }
 
   setupWindowListeners(win: BrowserWindow) {
-    win.on("minimize", async (e: Event) => {
+    win.on("minimize", async () => {
       if (await firstValueFrom(this.desktopSettingsService.minimizeToTray$)) {
-        e.preventDefault();
         // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
         // eslint-disable-next-line @typescript-eslint/no-floating-promises
         this.hideToTray();
diff --git a/package-lock.json b/package-lock.json
index 64a7c926ca2..2da7d9e6255 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -132,7 +132,7 @@
         "copy-webpack-plugin": "12.0.2",
         "cross-env": "7.0.3",
         "css-loader": "7.1.2",
-        "electron": "32.1.1",
+        "electron": "33.2.1",
         "electron-builder": "24.13.3",
         "electron-log": "5.2.4",
         "electron-reload": "2.0.0-alpha.1",
@@ -15745,9 +15745,9 @@
       }
     },
     "node_modules/electron": {
-      "version": "32.1.1",
-      "resolved": "https://registry.npmjs.org/electron/-/electron-32.1.1.tgz",
-      "integrity": "sha512-NlWvG6kXOJbZbELmzP3oV7u50I3NHYbCeh+AkUQ9vGyP7b74cFMx9HdTzejODeztW1jhr3SjIBbUZzZ45zflfQ==",
+      "version": "33.2.1",
+      "resolved": "https://registry.npmjs.org/electron/-/electron-33.2.1.tgz",
+      "integrity": "sha512-SG/nmSsK9Qg1p6wAW+ZfqU+AV8cmXMTIklUL18NnOKfZLlum4ZsDoVdmmmlL39ZmeCaq27dr7CgslRPahfoVJg==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -15986,9 +15986,9 @@
       }
     },
     "node_modules/electron/node_modules/@types/node": {
-      "version": "20.17.6",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.17.6.tgz",
-      "integrity": "sha512-VEI7OdvK2wP7XHnsuXbAJnEpEkF6NjSN45QJlL4VGqZSXsnicpesdTWsg9RISeSdYd3yeRj/y3k5KGjUXYnFwQ==",
+      "version": "20.17.8",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.17.8.tgz",
+      "integrity": "sha512-ahz2g6/oqbKalW9sPv6L2iRbhLnojxjYWspAqhjvqSWBgGebEJT5GvRmk0QXPj3sbC6rU0GTQjPLQkmR8CObvA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/package.json b/package.json
index 5573332db1a..aa567f18df6 100644
--- a/package.json
+++ b/package.json
@@ -93,7 +93,7 @@
     "copy-webpack-plugin": "12.0.2",
     "cross-env": "7.0.3",
     "css-loader": "7.1.2",
-    "electron": "32.1.1",
+    "electron": "33.2.1",
     "electron-builder": "24.13.3",
     "electron-log": "5.2.4",
     "electron-reload": "2.0.0-alpha.1",

From f8c33ea04be4052a383c6f1ce84bca6ff3a07256 Mon Sep 17 00:00:00 2001
From: Andreas Coroiu <acoroiu@bitwarden.com>
Date: Thu, 12 Dec 2024 11:50:21 +0100
Subject: [PATCH 8/8] [PM-15126] Tighten scope of our client build pipelines to
 remove reliance on secrets (#12243)

* feat: create copy of desktop build for PR target

* chore: add temporary file to trigger ci

* fix: remove check-run from regular desktop build

* feat: change browser build to not use pr target

* fix: skip build-safari if secret is not available

* feat: skip safari build if secrets are not available

* feat: let windows desktop build without secrets

* fix: has_secrets not being output correctly

* feat: let macos desktop build without secrets

* feat: don't build browser as part of desktop

* feat: change CLI to pull_request

* feat: let web build without secrets

* feat: tweak lint to run on PR and not just push

* feat: add PR target workflows

* fix: remove wip files

* fix: lint on hotfix-rc branches

* feat: add new workflows to CODEOWNERS
---
 .github/CODEOWNERS                         |  4 ++
 .github/workflows/build-browser-target.yml | 39 +++++++++++++
 .github/workflows/build-browser.yml        | 18 +++---
 .github/workflows/build-cli-target.yml     | 39 +++++++++++++
 .github/workflows/build-cli.yml            | 27 +++++----
 .github/workflows/build-desktop-target.yml | 38 ++++++++++++
 .github/workflows/build-desktop.yml        | 68 +++++++++++++++++-----
 .github/workflows/build-web-target.yml     | 41 +++++++++++++
 .github/workflows/build-web.yml            | 28 ++++++---
 .github/workflows/lint.yml                 | 10 +++-
 10 files changed, 269 insertions(+), 43 deletions(-)
 create mode 100644 .github/workflows/build-browser-target.yml
 create mode 100644 .github/workflows/build-cli-target.yml
 create mode 100644 .github/workflows/build-desktop-target.yml
 create mode 100644 .github/workflows/build-web-target.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 99bea676bfb..e9360c73ab9 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -85,9 +85,13 @@ apps/web/src/app/shared @bitwarden/team-platform-dev
 apps/web/src/translation-constants.ts @bitwarden/team-platform-dev
 # Workflows
 .github/workflows/brew-bump-desktop.yml @bitwarden/team-platform-dev
+.github/workflows/build-browser-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-browser.yml @bitwarden/team-platform-dev
+.github/workflows/build-cli-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-cli.yml @bitwarden/team-platform-dev
+.github/workflows/build-desktop-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-desktop.yml @bitwarden/team-platform-dev
+.github/workflows/build-web-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-web.yml @bitwarden/team-platform-dev
 .github/workflows/chromatic.yml @bitwarden/team-platform-dev
 .github/workflows/lint.yml @bitwarden/team-platform-dev
diff --git a/.github/workflows/build-browser-target.yml b/.github/workflows/build-browser-target.yml
new file mode 100644
index 00000000000..11a268466f1
--- /dev/null
+++ b/.github/workflows/build-browser-target.yml
@@ -0,0 +1,39 @@
+name: Build Browser on PR Target
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches-ignore:
+      - 'l10n_master'
+      - 'cf-pages'
+    paths:
+      - 'apps/browser/**'
+      - 'libs/**'
+      - '*'
+      - '!*.md'
+      - '!*.txt'
+  workflow_call:
+    inputs: {}
+  workflow_dispatch:
+    inputs:
+      sdk_branch:
+        description: "Custom SDK branch"
+        required: false
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  run-workflow:
+    name: Run Build Browser on PR Target
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build-browser.yml
+    secrets: inherit
+
diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml
index 7740e418e7b..56a980bf0f9 100644
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -1,7 +1,7 @@
 name: Build Browser
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
     branches-ignore:
       - 'l10n_master'
@@ -38,19 +38,14 @@ defaults:
     shell: bash
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   setup:
     name: Setup
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     outputs:
       repo_url: ${{ steps.gen_vars.outputs.repo_url }}
       adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -74,6 +69,14 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
 
   locales-test:
     name: Locales Test
@@ -281,6 +284,7 @@ jobs:
     needs:
       - setup
       - locales-test
+    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     env:
       _BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
diff --git a/.github/workflows/build-cli-target.yml b/.github/workflows/build-cli-target.yml
new file mode 100644
index 00000000000..658d8f922ba
--- /dev/null
+++ b/.github/workflows/build-cli-target.yml
@@ -0,0 +1,39 @@
+name: Build CLI on PR Target
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches-ignore:
+      - 'l10n_master'
+      - 'cf-pages'
+    paths:
+      - 'apps/cli/**'
+      - 'libs/**'
+      - '*'
+      - '!*.md'
+      - '!*.txt'
+      - '.github/workflows/build-cli.yml'
+      - 'bitwarden_license/bit-cli/**'
+  workflow_dispatch:
+    inputs:
+      sdk_branch:
+        description: "Custom SDK branch"
+        required: false
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  run-workflow:
+    name: Run Build CLI on PR Target
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build-cli.yml
+    secrets: inherit
+
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index d480879fb15..35970a8b307 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -1,7 +1,7 @@
 name: Build CLI
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
     branches-ignore:
       - 'l10n_master'
@@ -27,6 +27,8 @@ on:
       - '!*.txt'
       - '.github/workflows/build-cli.yml'
       - 'bitwarden_license/bit-cli/**'
+  workflow_call:
+    inputs: {}
   workflow_dispatch:
     inputs:
       sdk_branch:
@@ -39,18 +41,13 @@ defaults:
     working-directory: apps/cli
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   setup:
     name: Setup
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     outputs:
       package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -71,6 +68,14 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
   cli:
     name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
     strategy:
@@ -117,7 +122,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -130,7 +135,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -272,7 +277,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -285,7 +290,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
diff --git a/.github/workflows/build-desktop-target.yml b/.github/workflows/build-desktop-target.yml
new file mode 100644
index 00000000000..47f85d69163
--- /dev/null
+++ b/.github/workflows/build-desktop-target.yml
@@ -0,0 +1,38 @@
+name: Build Desktop on PR Target
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches-ignore:
+      - 'l10n_master'
+      - 'cf-pages'
+    paths:
+      - 'apps/desktop/**'
+      - 'libs/**'
+      - '*'
+      - '!*.md'
+      - '!*.txt'
+      - '.github/workflows/build-desktop.yml'
+  workflow_dispatch:
+    inputs:
+      sdk_branch:
+        description: "Custom SDK branch"
+        required: false
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  run-workflow:
+    name: Run Build Desktop on PR Target
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build-desktop.yml
+    secrets: inherit
+
diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml
index bc9bdec396a..e35dee54e08 100644
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
@@ -1,7 +1,7 @@
 name: Build Desktop
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
     branches-ignore:
       - 'l10n_master'
@@ -25,6 +25,8 @@ on:
       - '!*.md'
       - '!*.txt'
       - '.github/workflows/build-desktop.yml'
+  workflow_call:
+    inputs: {}
   workflow_dispatch:
     inputs:
       sdk_branch:
@@ -37,15 +39,9 @@ defaults:
     shell: bash
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   electron-verify:
     name: Verify Electron Version
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,8 +63,6 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     outputs:
       package_version: ${{ steps.retrieve-version.outputs.package_version }}
       release_channel: ${{ steps.release-channel.outputs.channel }}
@@ -76,6 +70,7 @@ jobs:
       rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
       hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     defaults:
       run:
         working-directory: apps/desktop
@@ -138,6 +133,14 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
   linux:
     name: Linux Build
     # Note, before updating the ubuntu version of the workflow, ensure the snap base image
@@ -333,12 +336,14 @@ jobs:
           rustup show
 
       - name: Login to Azure
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: "bitwarden-ci"
@@ -353,7 +358,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -366,7 +371,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -386,7 +391,17 @@ jobs:
         working-directory: apps/desktop/desktop_native
         run: node build.js cross-platform
 
-      - name: Build & Sign (dev)
+      - name: Build
+        run: |
+          npm run build
+
+      - name: Pack
+        if: ${{ needs.setup.outputs.has_secrets == 'false' }}
+        run: |
+          npm run pack:win
+
+      - name: Pack & Sign (dev)
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         env:
           ELECTRON_BUILDER_SIGN: 1
           SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
@@ -395,10 +410,10 @@ jobs:
           SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
           SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
         run: |
-          npm run build
           npm run pack:win
 
       - name: Rename appx files for store
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
           Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
             -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
@@ -408,6 +423,7 @@ jobs:
             -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
 
       - name: Package for Chocolatey
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
           Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
           Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
@@ -419,6 +435,7 @@ jobs:
           choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
 
       - name: Fix NSIS artifact names for auto-updater
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
           Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
             -NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@@ -435,6 +452,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload installer exe artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
@@ -442,6 +460,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx ia32 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
@@ -449,6 +468,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx ia32 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
@@ -456,6 +476,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS ia32 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@@ -463,6 +484,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx x64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
@@ -470,6 +492,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx x64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
@@ -477,6 +500,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS x64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
@@ -484,6 +508,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx ARM64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
@@ -491,6 +516,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx ARM64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
@@ -498,6 +524,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS ARM64 artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
@@ -505,6 +532,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload nupkg artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
@@ -512,6 +540,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload auto-update artifact
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: ${{ needs.setup.outputs.release_channel }}.yml
@@ -574,11 +603,13 @@ jobs:
           key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
 
       - name: Login to Azure
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Download Provisioning Profiles secrets
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         env:
           ACCOUNT_NAME: bitwardenci
           CONTAINER_NAME: profiles
@@ -591,6 +622,7 @@ jobs:
             --output none
 
       - name: Get certificates
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
           mkdir -p $HOME/certificates
 
@@ -613,6 +645,7 @@ jobs:
             jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
 
       - name: Set up keychain
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
@@ -642,6 +675,7 @@ jobs:
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
 
       - name: Set up provisioning profiles
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
           cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
             $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
@@ -661,7 +695,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -674,7 +708,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -701,6 +735,7 @@ jobs:
   browser-build:
     name: Browser Build
     needs: setup
+    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     uses: ./.github/workflows/build-browser.yml
     secrets: inherit
 
@@ -708,6 +743,7 @@ jobs:
   macos-package-github:
     name: MacOS Package GitHub Release Assets
     runs-on: macos-13
+    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
       - browser-build
       - macos-build
@@ -949,6 +985,7 @@ jobs:
   macos-package-mas:
     name: MacOS Package Prod Release Asset
     runs-on: macos-13
+    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
       - browser-build
       - macos-build
@@ -1216,6 +1253,7 @@ jobs:
   macos-package-dev:
     name: MacOS Package Dev Release Asset
     runs-on: macos-13
+    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
       - browser-build
       - macos-build
diff --git a/.github/workflows/build-web-target.yml b/.github/workflows/build-web-target.yml
new file mode 100644
index 00000000000..a27af0b0870
--- /dev/null
+++ b/.github/workflows/build-web-target.yml
@@ -0,0 +1,41 @@
+name: Build Web on PR Target
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches-ignore:
+      - 'l10n_master'
+      - 'cf-pages'
+    paths:
+      - 'apps/web/**'
+      - 'libs/**'
+      - '*'
+      - '!*.md'
+      - '!*.txt'
+      - '.github/workflows/build-web.yml'
+  workflow_dispatch:
+    inputs:
+      custom_tag_extension:
+        description: "Custom image tag extension"
+        required: false
+      sdk_branch:
+        description: "Custom SDK branch"
+        required: false
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  run-workflow:
+    name: Run Build Web on PR Target
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build-web.yml
+    secrets: inherit
+
diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index 6e5e11c3361..2360f876826 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,7 +1,7 @@
 name: Build Web
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
     branches-ignore:
       - 'l10n_master'
@@ -27,6 +27,8 @@ on:
       - '.github/workflows/build-web.yml'
   release:
     types: [published]
+  workflow_call:
+    inputs: {}
   workflow_dispatch:
     inputs:
       custom_tag_extension:
@@ -41,18 +43,13 @@ env:
   _AZ_REGISTRY: bitwardenprod.azurecr.io
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   setup:
     name: Setup
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     outputs:
       version: ${{ steps.version.outputs.value }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -70,6 +67,14 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
   build-artifacts:
     name: Build artifacts
     runs-on: ubuntu-22.04
@@ -128,7 +133,7 @@ jobs:
         run: npm ci
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -141,7 +146,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -210,19 +215,23 @@ jobs:
 
       ########## ACRs ##########
       - name: Login to Prod Azure
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
       - name: Log into Prod container registry
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: az acr login -n bitwardenprod
 
       - name: Login to Azure - CI Subscription
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Retrieve github PAT secrets
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         id: retrieve-secret-pat
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
@@ -270,6 +279,7 @@ jobs:
         run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: apps/web
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9dc72c7fdda..1b738bd7bcf 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,12 +1,20 @@
 name: Lint
 
 on:
-  push:
+  pull_request:
+    types: [opened, synchronize]
     branches-ignore:
       - 'l10n_master'
       - 'cf-pages'
     paths-ignore:
       - '.github/workflows/**'
+  push:
+    branches:
+      - 'main'
+      - 'rc'
+      - 'hotfix-rc-*'
+    paths-ignore:
+      - '.github/workflows/**'
   workflow_dispatch:
     inputs: {}