From d5273c7abe4df0548d79e99c7608dde7516658bf Mon Sep 17 00:00:00 2001
From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
Date: Wed, 21 Jan 2026 12:39:09 -0800
Subject: [PATCH 01/24] [PM-25082] - update browser extension widths (#18376)

* update browser extension widths

* use PopupWidthOptions where possible
---
 apps/browser/src/_locales/en/messages.json       |  3 +++
 .../platform/browser/browser-popup-utils.spec.ts | 16 ++++++++--------
 .../src/platform/browser/browser-popup-utils.ts  |  6 +++---
 .../popup/layout/popup-layout.stories.ts         |  4 ++--
 .../platform/popup/layout/popup-size.service.ts  |  2 +-
 .../extension-anon-layout-wrapper.stories.ts     |  8 +++++++-
 apps/browser/src/popup/scss/tailwind.css         |  8 ++++----
 .../popup/settings/appearance-v2.component.ts    |  2 +-
 8 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index 68149a9781e..dabd238e039 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -5673,6 +5673,9 @@
   "extraWide": {
     "message": "Extra wide"
   },
+  "narrow": {
+    "message": "Narrow"
+  },
   "sshKeyWrongPassword": {
     "message": "The password you entered is incorrect."
   },
diff --git a/apps/browser/src/platform/browser/browser-popup-utils.spec.ts b/apps/browser/src/platform/browser/browser-popup-utils.spec.ts
index 6e2175e3a79..cb04f30b589 100644
--- a/apps/browser/src/platform/browser/browser-popup-utils.spec.ts
+++ b/apps/browser/src/platform/browser/browser-popup-utils.spec.ts
@@ -1,7 +1,7 @@
 import { createChromeTabMock } from "../../autofill/spec/autofill-mocks";
 
 import { BrowserApi } from "./browser-api";
-import BrowserPopupUtils from "./browser-popup-utils";
+import BrowserPopupUtils, { PopupWidthOptions } from "./browser-popup-utils";
 
 describe("BrowserPopupUtils", () => {
   afterEach(() => {
@@ -152,7 +152,7 @@ describe("BrowserPopupUtils", () => {
         focused: false,
         alwaysOnTop: false,
         incognito: false,
-        width: 380,
+        width: PopupWidthOptions.default,
       });
       jest.spyOn(BrowserApi, "createWindow").mockImplementation();
       jest.spyOn(BrowserApi, "updateWindowProperties").mockImplementation();
@@ -168,7 +168,7 @@ describe("BrowserPopupUtils", () => {
       expect(BrowserApi.createWindow).toHaveBeenCalledWith({
         type: "popup",
         focused: true,
-        width: 380,
+        width: PopupWidthOptions.default,
         height: 630,
         left: 85,
         top: 190,
@@ -197,7 +197,7 @@ describe("BrowserPopupUtils", () => {
       expect(BrowserApi.createWindow).toHaveBeenCalledWith({
         type: "popup",
         focused: true,
-        width: 380,
+        width: PopupWidthOptions.default,
         height: 630,
         left: 85,
         top: 190,
@@ -214,7 +214,7 @@ describe("BrowserPopupUtils", () => {
       expect(BrowserApi.createWindow).toHaveBeenCalledWith({
         type: "popup",
         focused: true,
-        width: 380,
+        width: PopupWidthOptions.default,
         height: 630,
         left: 85,
         top: 190,
@@ -267,7 +267,7 @@ describe("BrowserPopupUtils", () => {
       expect(BrowserApi.createWindow).toHaveBeenCalledWith({
         type: "popup",
         focused: true,
-        width: 380,
+        width: PopupWidthOptions.default,
         height: 630,
         left: 85,
         top: 190,
@@ -290,7 +290,7 @@ describe("BrowserPopupUtils", () => {
         focused: false,
         alwaysOnTop: false,
         incognito: false,
-        width: 380,
+        width: PopupWidthOptions.default,
         state: "fullscreen",
       });
       jest
@@ -321,7 +321,7 @@ describe("BrowserPopupUtils", () => {
         focused: false,
         alwaysOnTop: false,
         incognito: false,
-        width: 380,
+        width: PopupWidthOptions.default,
         state: "fullscreen",
       });
 
diff --git a/apps/browser/src/platform/browser/browser-popup-utils.ts b/apps/browser/src/platform/browser/browser-popup-utils.ts
index 8343799d0eb..c8dba57e708 100644
--- a/apps/browser/src/platform/browser/browser-popup-utils.ts
+++ b/apps/browser/src/platform/browser/browser-popup-utils.ts
@@ -10,9 +10,9 @@ import { BrowserApi } from "./browser-api";
  * Value represents width in pixels
  */
 export const PopupWidthOptions = Object.freeze({
-  default: 380,
-  wide: 480,
-  "extra-wide": 600,
+  default: 480,
+  wide: 600,
+  narrow: 380,
 });
 
 type PopupWidthOptions = typeof PopupWidthOptions;
diff --git a/apps/browser/src/platform/popup/layout/popup-layout.stories.ts b/apps/browser/src/platform/popup/layout/popup-layout.stories.ts
index c6ffe1a6414..2e088b8161e 100644
--- a/apps/browser/src/platform/popup/layout/popup-layout.stories.ts
+++ b/apps/browser/src/platform/popup/layout/popup-layout.stories.ts
@@ -44,7 +44,7 @@ import { PopupTabNavigationComponent } from "./popup-tab-navigation.component";
 @Component({
   selector: "extension-container",
   template: `
-    <div class="tw-h-[640px] tw-w-[380px] tw-border tw-border-solid tw-border-secondary-300">
+    <div class="tw-h-[640px] tw-w-[480px] tw-border tw-border-solid tw-border-secondary-300">
       <ng-content></ng-content>
     </div>
   `,
@@ -678,7 +678,7 @@ export const WidthOptions: Story = {
     template: /* HTML */ `
       <div class="tw-flex tw-flex-col tw-gap-4 tw-text-main">
         <div>Default:</div>
-        <div class="tw-h-[640px] tw-w-[380px] tw-border tw-border-solid tw-border-secondary-300">
+        <div class="tw-h-[640px] tw-w-[480px] tw-border tw-border-solid tw-border-secondary-300">
           <mock-vault-page></mock-vault-page>
         </div>
         <div>Wide:</div>
diff --git a/apps/browser/src/platform/popup/layout/popup-size.service.ts b/apps/browser/src/platform/popup/layout/popup-size.service.ts
index 0e4aacb9a97..ff3f09d0d01 100644
--- a/apps/browser/src/platform/popup/layout/popup-size.service.ts
+++ b/apps/browser/src/platform/popup/layout/popup-size.service.ts
@@ -83,7 +83,7 @@ export class PopupSizeService {
     }
     const pxWidth = PopupWidthOptions[width] ?? PopupWidthOptions.default;
 
-    document.body.style.minWidth = `${pxWidth}px`;
+    document.body.style.width = `${pxWidth}px`;
   }
 
   /**
diff --git a/apps/browser/src/popup/components/extension-anon-layout-wrapper/extension-anon-layout-wrapper.stories.ts b/apps/browser/src/popup/components/extension-anon-layout-wrapper/extension-anon-layout-wrapper.stories.ts
index 8fdae06e28a..66c9f655b05 100644
--- a/apps/browser/src/popup/components/extension-anon-layout-wrapper/extension-anon-layout-wrapper.stories.ts
+++ b/apps/browser/src/popup/components/extension-anon-layout-wrapper/extension-anon-layout-wrapper.stories.ts
@@ -10,6 +10,7 @@ import {
 import { of } from "rxjs";
 
 import { LockIcon, RegistrationCheckEmailIcon } from "@bitwarden/assets/svg";
+import { PopupWidthOptions } from "@bitwarden/browser/platform/browser/browser-popup-utils";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AvatarService } from "@bitwarden/common/auth/abstractions/avatar.service";
@@ -243,7 +244,12 @@ export const DefaultContentExample: Story = {
   }),
   parameters: {
     chromatic: {
-      viewports: [380, 1280],
+      viewports: [
+        PopupWidthOptions.default,
+        PopupWidthOptions.narrow,
+        PopupWidthOptions.wide,
+        1280,
+      ],
     },
   },
 };
diff --git a/apps/browser/src/popup/scss/tailwind.css b/apps/browser/src/popup/scss/tailwind.css
index f58950cc86a..0ef7b82bfed 100644
--- a/apps/browser/src/popup/scss/tailwind.css
+++ b/apps/browser/src/popup/scss/tailwind.css
@@ -60,7 +60,7 @@
   }
 
   body {
-    width: 380px;
+    width: 480px;
     height: 100%;
     position: relative;
     min-height: inherit;
@@ -84,9 +84,9 @@
     animation: redraw 1s linear infinite;
   }
 
-  /** 
+  /**
    * Text selection style:
-   * suppress user selection for most elements (to make it more app-like) 
+   * suppress user selection for most elements (to make it more app-like)
    */
   h1,
   h2,
@@ -165,7 +165,7 @@
     @apply tw-text-muted;
   }
 
-  /** 
+  /**
    * Text selection style:
    * Set explicit selection styles (assumes primary accent color has sufficient
    * contrast against the background, so its inversion is also still readable)
diff --git a/apps/browser/src/vault/popup/settings/appearance-v2.component.ts b/apps/browser/src/vault/popup/settings/appearance-v2.component.ts
index e6515ae7461..e02ccf25f3e 100644
--- a/apps/browser/src/vault/popup/settings/appearance-v2.component.ts
+++ b/apps/browser/src/vault/popup/settings/appearance-v2.component.ts
@@ -79,7 +79,7 @@ export class AppearanceV2Component implements OnInit {
   protected readonly widthOptions: Option<PopupWidthOption>[] = [
     { label: this.i18nService.t("default"), value: "default" },
     { label: this.i18nService.t("wide"), value: "wide" },
-    { label: this.i18nService.t("extraWide"), value: "extra-wide" },
+    { label: this.i18nService.t("narrow"), value: "narrow" },
   ];
 
   constructor(

From 1db601b82fe77d21c489d111e12955d0c9da798a Mon Sep 17 00:00:00 2001
From: Alex <55413326+AlexRubik@users.noreply.github.com>
Date: Wed, 21 Jan 2026 15:55:14 -0500
Subject: [PATCH 02/24] [PM-30718] add IndexedDB storage service for phishing
 data (#18344)

* add PhishingIndexedDbService for IndexedDB storage

Add a dedicated IndexedDB storage service for phishing detection data.
This service provides save, load, and clear operations using IndexedDB
instead of chrome.storage.local to avoid broadcast overhead, size
limitations, and JSON serialization cost for large datasets.

* add unit tests for PhishingIndexedDbService

Add comprehensive tests for save, load, and clear operations with
mocked IndexedDB. Tests cover success cases, error handling, and
database initialization with object store creation.

* add PhishingIndexedDbService core structure

- Add IndexedDB service with per-operation database opening
- Define PhishingUrlRecord type for row storage
- Include clearStore helper for atomic data replacement
- Service worker safe: no cached connections

* add saveUrls with chunked writes

- Add PhishingUrlRecord type for row storage
- Store each URL as individual row
- Chunk writes at 50K per transaction for responsiveness
- Atomic replacement: clear then save

* add hasUrl for lookups

- Direct IndexedDB index lookup via keyPath
- Returns boolean, handles errors gracefully

* add loadAllUrls with cursor iteration

- Cursor-based bulk load for fallback scenarios
- Memory-efficient: no intermediate array duplication
- Returns empty array on error

* add saveUrlsFromStream for memory efficiency

- Stream directly from fetch response body
- Parse newline-delimited URLs incrementally
- Reuse chunked save infrastructure

* update PhishingIndexedDbService tests

- Replace blob-based tests with row-per-URL API tests
- Test saveUrls, hasUrl, loadAllUrls, saveUrlsFromStream
- Verify chunked writes and cursor iteration
- Use stream/web ReadableStream with type cast for Node.js compatibility

* use proper URL syntax and cleanup global state

Update test data to use proper URL syntax with https:// prefix to match
real phishing.database format. Add cleanup of global.indexedDB in
afterEach to prevent test pollution.

* improve stream processing correctness and efficiency

- Move decoder.decode() before done check with { stream: !done } to flush properly
- Use array reassignment instead of splice() for O(1) chunk clearing
- Use single trim via local variable to avoid double-trim
- Centralize URL cleaning in saveChunked(), simplify saveChunk()
- Use explicit urls.length > 0 comparison

* duplicate urls test

* split final buffer by newlines
---
 .../phishing-indexeddb.service.spec.ts        | 375 ++++++++++++++++++
 .../services/phishing-indexeddb.service.ts    | 241 +++++++++++
 2 files changed, 616 insertions(+)
 create mode 100644 apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.spec.ts
 create mode 100644 apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.ts

diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.spec.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.spec.ts
new file mode 100644
index 00000000000..75bd634b1fc
--- /dev/null
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.spec.ts
@@ -0,0 +1,375 @@
+import { ReadableStream as NodeReadableStream } from "stream/web";
+
+import { mock, MockProxy } from "jest-mock-extended";
+
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+
+import { PhishingIndexedDbService } from "./phishing-indexeddb.service";
+
+describe("PhishingIndexedDbService", () => {
+  let service: PhishingIndexedDbService;
+  let logService: MockProxy<LogService>;
+
+  // Mock IndexedDB storage (keyed by URL for row-per-URL storage)
+  let mockStore: Map<string, { url: string }>;
+  let mockObjectStore: any;
+  let mockTransaction: any;
+  let mockDb: any;
+  let mockOpenRequest: any;
+
+  beforeEach(() => {
+    logService = mock<LogService>();
+    mockStore = new Map();
+
+    // Mock IDBObjectStore
+    mockObjectStore = {
+      put: jest.fn().mockImplementation((record: { url: string }) => {
+        const request = {
+          error: null as DOMException | null,
+          result: undefined as undefined,
+          onsuccess: null as (() => void) | null,
+          onerror: null as (() => void) | null,
+        };
+        setTimeout(() => {
+          mockStore.set(record.url, record);
+          request.onsuccess?.();
+        }, 0);
+        return request;
+      }),
+      get: jest.fn().mockImplementation((key: string) => {
+        const request = {
+          error: null as DOMException | null,
+          result: mockStore.get(key),
+          onsuccess: null as (() => void) | null,
+          onerror: null as (() => void) | null,
+        };
+        setTimeout(() => {
+          request.result = mockStore.get(key);
+          request.onsuccess?.();
+        }, 0);
+        return request;
+      }),
+      clear: jest.fn().mockImplementation(() => {
+        const request = {
+          error: null as DOMException | null,
+          result: undefined as undefined,
+          onsuccess: null as (() => void) | null,
+          onerror: null as (() => void) | null,
+        };
+        setTimeout(() => {
+          mockStore.clear();
+          request.onsuccess?.();
+        }, 0);
+        return request;
+      }),
+      openCursor: jest.fn().mockImplementation(() => {
+        const entries = Array.from(mockStore.entries());
+        let index = 0;
+        const request = {
+          error: null as DOMException | null,
+          result: null as any,
+          onsuccess: null as ((e: any) => void) | null,
+          onerror: null as (() => void) | null,
+        };
+        const advanceCursor = () => {
+          if (index < entries.length) {
+            const [, value] = entries[index];
+            index++;
+            request.result = {
+              value,
+              continue: () => setTimeout(advanceCursor, 0),
+            };
+          } else {
+            request.result = null;
+          }
+          request.onsuccess?.({ target: request });
+        };
+        setTimeout(advanceCursor, 0);
+        return request;
+      }),
+    };
+
+    // Mock IDBTransaction
+    mockTransaction = {
+      objectStore: jest.fn().mockReturnValue(mockObjectStore),
+      oncomplete: null as (() => void) | null,
+      onerror: null as (() => void) | null,
+    };
+
+    // Trigger oncomplete after a tick
+    const originalObjectStore = mockTransaction.objectStore;
+    mockTransaction.objectStore = jest.fn().mockImplementation((...args: any[]) => {
+      setTimeout(() => mockTransaction.oncomplete?.(), 0);
+      return originalObjectStore(...args);
+    });
+
+    // Mock IDBDatabase
+    mockDb = {
+      transaction: jest.fn().mockReturnValue(mockTransaction),
+      close: jest.fn(),
+      objectStoreNames: {
+        contains: jest.fn().mockReturnValue(true),
+      },
+      createObjectStore: jest.fn(),
+    };
+
+    // Mock IDBOpenDBRequest
+    mockOpenRequest = {
+      error: null as DOMException | null,
+      result: mockDb,
+      onsuccess: null as (() => void) | null,
+      onerror: null as (() => void) | null,
+      onupgradeneeded: null as ((event: any) => void) | null,
+    };
+
+    // Mock indexedDB.open
+    const mockIndexedDB = {
+      open: jest.fn().mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onsuccess?.();
+        }, 0);
+        return mockOpenRequest;
+      }),
+    };
+
+    global.indexedDB = mockIndexedDB as any;
+
+    service = new PhishingIndexedDbService(logService);
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+    delete (global as any).indexedDB;
+  });
+
+  describe("saveUrls", () => {
+    it("stores URLs in IndexedDB and returns true", async () => {
+      const urls = ["https://phishing.com", "https://malware.net"];
+
+      const result = await service.saveUrls(urls);
+
+      expect(result).toBe(true);
+      expect(mockDb.transaction).toHaveBeenCalledWith("phishing-urls", "readwrite");
+      expect(mockObjectStore.clear).toHaveBeenCalled();
+      expect(mockObjectStore.put).toHaveBeenCalledTimes(2);
+      expect(mockDb.close).toHaveBeenCalled();
+    });
+
+    it("handles empty array", async () => {
+      const result = await service.saveUrls([]);
+
+      expect(result).toBe(true);
+      expect(mockObjectStore.clear).toHaveBeenCalled();
+    });
+
+    it("trims whitespace from URLs", async () => {
+      const urls = ["  https://example.com  ", "\nhttps://test.org\n"];
+
+      await service.saveUrls(urls);
+
+      expect(mockObjectStore.put).toHaveBeenCalledWith({ url: "https://example.com" });
+      expect(mockObjectStore.put).toHaveBeenCalledWith({ url: "https://test.org" });
+    });
+
+    it("skips empty lines", async () => {
+      const urls = ["https://example.com", "", "  ", "https://test.org"];
+
+      await service.saveUrls(urls);
+
+      expect(mockObjectStore.put).toHaveBeenCalledTimes(2);
+    });
+
+    it("handles duplicate URLs via upsert (keyPath deduplication)", async () => {
+      const urls = [
+        "https://example.com",
+        "https://example.com", // duplicate
+        "https://test.org",
+      ];
+
+      const result = await service.saveUrls(urls);
+
+      expect(result).toBe(true);
+      // put() is called 3 times, but mockStore (using Map with URL as key)
+      // only stores 2 unique entries - demonstrating upsert behavior
+      expect(mockObjectStore.put).toHaveBeenCalledTimes(3);
+      expect(mockStore.size).toBe(2);
+    });
+
+    it("logs error and returns false on failure", async () => {
+      const error = new Error("IndexedDB error");
+      mockOpenRequest.error = error;
+      (global.indexedDB.open as jest.Mock).mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onerror?.();
+        }, 0);
+        return mockOpenRequest;
+      });
+
+      const result = await service.saveUrls(["https://test.com"]);
+
+      expect(result).toBe(false);
+      expect(logService.error).toHaveBeenCalledWith(
+        "[PhishingIndexedDbService] Save failed",
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe("hasUrl", () => {
+    it("returns true for existing URL", async () => {
+      mockStore.set("https://example.com", { url: "https://example.com" });
+
+      const result = await service.hasUrl("https://example.com");
+
+      expect(result).toBe(true);
+      expect(mockDb.transaction).toHaveBeenCalledWith("phishing-urls", "readonly");
+      expect(mockObjectStore.get).toHaveBeenCalledWith("https://example.com");
+    });
+
+    it("returns false for non-existing URL", async () => {
+      const result = await service.hasUrl("https://notfound.com");
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false on error", async () => {
+      const error = new Error("IndexedDB error");
+      mockOpenRequest.error = error;
+      (global.indexedDB.open as jest.Mock).mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onerror?.();
+        }, 0);
+        return mockOpenRequest;
+      });
+
+      const result = await service.hasUrl("https://example.com");
+
+      expect(result).toBe(false);
+      expect(logService.error).toHaveBeenCalledWith(
+        "[PhishingIndexedDbService] Check failed",
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe("loadAllUrls", () => {
+    it("loads all URLs using cursor", async () => {
+      mockStore.set("https://example.com", { url: "https://example.com" });
+      mockStore.set("https://test.org", { url: "https://test.org" });
+
+      const result = await service.loadAllUrls();
+
+      expect(result).toContain("https://example.com");
+      expect(result).toContain("https://test.org");
+      expect(result.length).toBe(2);
+    });
+
+    it("returns empty array when no data exists", async () => {
+      const result = await service.loadAllUrls();
+
+      expect(result).toEqual([]);
+    });
+
+    it("returns empty array on error", async () => {
+      const error = new Error("IndexedDB error");
+      mockOpenRequest.error = error;
+      (global.indexedDB.open as jest.Mock).mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onerror?.();
+        }, 0);
+        return mockOpenRequest;
+      });
+
+      const result = await service.loadAllUrls();
+
+      expect(result).toEqual([]);
+      expect(logService.error).toHaveBeenCalledWith(
+        "[PhishingIndexedDbService] Load failed",
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe("saveUrlsFromStream", () => {
+    it("saves URLs from stream", async () => {
+      const content = "https://example.com\nhttps://test.org\nhttps://phishing.net";
+      const stream = new NodeReadableStream({
+        start(controller) {
+          controller.enqueue(new TextEncoder().encode(content));
+          controller.close();
+        },
+      }) as unknown as ReadableStream<Uint8Array>;
+
+      const result = await service.saveUrlsFromStream(stream);
+
+      expect(result).toBe(true);
+      expect(mockObjectStore.clear).toHaveBeenCalled();
+      expect(mockObjectStore.put).toHaveBeenCalledTimes(3);
+    });
+
+    it("handles chunked stream data", async () => {
+      const content = "https://url1.com\nhttps://url2.com";
+      const encoder = new TextEncoder();
+      const encoded = encoder.encode(content);
+
+      // Split into multiple small chunks
+      const stream = new NodeReadableStream({
+        start(controller) {
+          controller.enqueue(encoded.slice(0, 5));
+          controller.enqueue(encoded.slice(5, 10));
+          controller.enqueue(encoded.slice(10));
+          controller.close();
+        },
+      }) as unknown as ReadableStream<Uint8Array>;
+
+      const result = await service.saveUrlsFromStream(stream);
+
+      expect(result).toBe(true);
+      expect(mockObjectStore.put).toHaveBeenCalledTimes(2);
+    });
+
+    it("returns false on error", async () => {
+      const error = new Error("IndexedDB error");
+      mockOpenRequest.error = error;
+      (global.indexedDB.open as jest.Mock).mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onerror?.();
+        }, 0);
+        return mockOpenRequest;
+      });
+
+      const stream = new NodeReadableStream({
+        start(controller) {
+          controller.enqueue(new TextEncoder().encode("https://test.com"));
+          controller.close();
+        },
+      }) as unknown as ReadableStream<Uint8Array>;
+
+      const result = await service.saveUrlsFromStream(stream);
+
+      expect(result).toBe(false);
+      expect(logService.error).toHaveBeenCalledWith(
+        "[PhishingIndexedDbService] Stream save failed",
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe("database initialization", () => {
+    it("creates object store with keyPath on upgrade", async () => {
+      mockDb.objectStoreNames.contains.mockReturnValue(false);
+
+      (global.indexedDB.open as jest.Mock).mockImplementation(() => {
+        setTimeout(() => {
+          mockOpenRequest.onupgradeneeded?.({ target: mockOpenRequest });
+          mockOpenRequest.onsuccess?.();
+        }, 0);
+        return mockOpenRequest;
+      });
+
+      await service.hasUrl("https://test.com");
+
+      expect(mockDb.createObjectStore).toHaveBeenCalledWith("phishing-urls", { keyPath: "url" });
+    });
+  });
+});
diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.ts
new file mode 100644
index 00000000000..099839a38d9
--- /dev/null
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-indexeddb.service.ts
@@ -0,0 +1,241 @@
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+
+/**
+ * Record type for phishing URL storage in IndexedDB.
+ */
+type PhishingUrlRecord = { url: string };
+
+/**
+ * IndexedDB storage service for phishing URLs.
+ * Stores URLs as individual rows.
+ */
+export class PhishingIndexedDbService {
+  private readonly DB_NAME = "bitwarden-phishing";
+  private readonly STORE_NAME = "phishing-urls";
+  private readonly DB_VERSION = 1;
+  private readonly CHUNK_SIZE = 50000;
+
+  constructor(private logService: LogService) {}
+
+  /**
+   * Opens the IndexedDB database, creating the object store if needed.
+   */
+  private openDatabase(): Promise<IDBDatabase> {
+    return new Promise((resolve, reject) => {
+      const req = indexedDB.open(this.DB_NAME, this.DB_VERSION);
+      req.onerror = () => reject(req.error);
+      req.onsuccess = () => resolve(req.result);
+      req.onupgradeneeded = (e) => {
+        const db = (e.target as IDBOpenDBRequest).result;
+        if (!db.objectStoreNames.contains(this.STORE_NAME)) {
+          db.createObjectStore(this.STORE_NAME, { keyPath: "url" });
+        }
+      };
+    });
+  }
+
+  /**
+   * Clears all records from the phishing URLs store.
+   */
+  private clearStore(db: IDBDatabase): Promise<void> {
+    return new Promise((resolve, reject) => {
+      const req = db.transaction(this.STORE_NAME, "readwrite").objectStore(this.STORE_NAME).clear();
+      req.onerror = () => reject(req.error);
+      req.onsuccess = () => resolve();
+    });
+  }
+
+  /**
+   * Saves an array of phishing URLs to IndexedDB.
+   * Atomically replaces all existing data.
+   *
+   * @param urls - Array of phishing URLs to save
+   * @returns `true` if save succeeded, `false` on error
+   */
+  async saveUrls(urls: string[]): Promise<boolean> {
+    let db: IDBDatabase | null = null;
+    try {
+      db = await this.openDatabase();
+      await this.clearStore(db);
+      await this.saveChunked(db, urls);
+      return true;
+    } catch (error) {
+      this.logService.error("[PhishingIndexedDbService] Save failed", error);
+      return false;
+    } finally {
+      db?.close();
+    }
+  }
+
+  /**
+   * Saves URLs in chunks to prevent transaction timeouts and UI freezes.
+   */
+  private async saveChunked(db: IDBDatabase, urls: string[]): Promise<void> {
+    const cleaned = urls.map((u) => u.trim()).filter(Boolean);
+    for (let i = 0; i < cleaned.length; i += this.CHUNK_SIZE) {
+      await this.saveChunk(db, cleaned.slice(i, i + this.CHUNK_SIZE));
+      await new Promise((r) => setTimeout(r, 0)); // Yield to event loop
+    }
+  }
+
+  /**
+   * Saves a single chunk of URLs in one transaction.
+   */
+  private saveChunk(db: IDBDatabase, urls: string[]): Promise<void> {
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.STORE_NAME, "readwrite");
+      const store = tx.objectStore(this.STORE_NAME);
+      for (const url of urls) {
+        store.put({ url } as PhishingUrlRecord);
+      }
+      tx.oncomplete = () => resolve();
+      tx.onerror = () => reject(tx.error);
+    });
+  }
+
+  /**
+   * Checks if a URL exists in the phishing database.
+   *
+   * @param url - The URL to check
+   * @returns `true` if URL exists, `false` if not found or on error
+   */
+  async hasUrl(url: string): Promise<boolean> {
+    let db: IDBDatabase | null = null;
+    try {
+      db = await this.openDatabase();
+      return await this.checkUrlExists(db, url);
+    } catch (error) {
+      this.logService.error("[PhishingIndexedDbService] Check failed", error);
+      return false;
+    } finally {
+      db?.close();
+    }
+  }
+
+  /**
+   * Performs the actual URL existence check using index lookup.
+   */
+  private checkUrlExists(db: IDBDatabase, url: string): Promise<boolean> {
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.STORE_NAME, "readonly");
+      const req = tx.objectStore(this.STORE_NAME).get(url);
+      req.onerror = () => reject(req.error);
+      req.onsuccess = () => resolve(req.result !== undefined);
+    });
+  }
+
+  /**
+   * Loads all phishing URLs from IndexedDB.
+   *
+   * @returns Array of all stored URLs, or empty array on error
+   */
+  async loadAllUrls(): Promise<string[]> {
+    let db: IDBDatabase | null = null;
+    try {
+      db = await this.openDatabase();
+      return await this.getAllUrls(db);
+    } catch (error) {
+      this.logService.error("[PhishingIndexedDbService] Load failed", error);
+      return [];
+    } finally {
+      db?.close();
+    }
+  }
+
+  /**
+   * Iterates all records using a cursor.
+   */
+  private getAllUrls(db: IDBDatabase): Promise<string[]> {
+    return new Promise((resolve, reject) => {
+      const urls: string[] = [];
+      const req = db
+        .transaction(this.STORE_NAME, "readonly")
+        .objectStore(this.STORE_NAME)
+        .openCursor();
+      req.onerror = () => reject(req.error);
+      req.onsuccess = (e) => {
+        const cursor = (e.target as IDBRequest<IDBCursorWithValue | null>).result;
+        if (cursor) {
+          urls.push((cursor.value as PhishingUrlRecord).url);
+          cursor.continue();
+        } else {
+          resolve(urls);
+        }
+      };
+    });
+  }
+
+  /**
+   * Saves phishing URLs directly from a stream.
+   * Processes data incrementally to minimize memory usage.
+   *
+   * @param stream - ReadableStream of newline-delimited URLs
+   * @returns `true` if save succeeded, `false` on error
+   */
+  async saveUrlsFromStream(stream: ReadableStream<Uint8Array>): Promise<boolean> {
+    let db: IDBDatabase | null = null;
+    try {
+      db = await this.openDatabase();
+      await this.clearStore(db);
+      await this.processStream(db, stream);
+      return true;
+    } catch (error) {
+      this.logService.error("[PhishingIndexedDbService] Stream save failed", error);
+      return false;
+    } finally {
+      db?.close();
+    }
+  }
+
+  /**
+   * Processes a stream of URL data, parsing lines and saving in chunks.
+   */
+  private async processStream(db: IDBDatabase, stream: ReadableStream<Uint8Array>): Promise<void> {
+    const reader = stream.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let urls: string[] = [];
+
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+
+        // Decode BEFORE done check; stream: !done flushes on final call
+        buffer += decoder.decode(value, { stream: !done });
+
+        if (done) {
+          // Split remaining buffer by newlines in case it contains multiple URLs
+          const lines = buffer.split("\n");
+          for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed) {
+              urls.push(trimmed);
+            }
+          }
+          if (urls.length > 0) {
+            await this.saveChunk(db, urls);
+          }
+          break;
+        }
+
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+
+        for (const line of lines) {
+          const trimmed = line.trim();
+          if (trimmed) {
+            urls.push(trimmed);
+          }
+
+          if (urls.length >= this.CHUNK_SIZE) {
+            await this.saveChunk(db, urls);
+            urls = [];
+            await new Promise((r) => setTimeout(r, 0));
+          }
+        }
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+}

From 714ff1aba3ee3cdfc1e78e25ea910a59192ad132 Mon Sep 17 00:00:00 2001
From: Leslie Tilton <23057410+Banrion@users.noreply.github.com>
Date: Wed, 21 Jan 2026 15:09:02 -0600
Subject: [PATCH 03/24] Move loading blob to memory to rxjs pipeline triggered
 implicitly. Removed from constructor. Added dispose to guard against memory
 leaks (#18480)

---
 .../services/phishing-data.service.spec.ts    |   5 +-
 .../services/phishing-data.service.ts         | 100 +++++++++++++-----
 .../services/phishing-detection.service.ts    |   3 +
 3 files changed, 82 insertions(+), 26 deletions(-)

diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
index 746f5a1f8f7..c277b8d33f8 100644
--- a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
@@ -319,7 +319,10 @@ describe("PhishingDataService", () => {
 
       jest.spyOn(service as any, "_decompressString").mockResolvedValue("phish.com\nbadguy.net");
 
-      await service["_loadBlobToMemory"]();
+      // Trigger the load pipeline and allow async RxJS processing to complete
+      service["_loadBlobToMemory"]();
+      await flushPromises();
+
       const set = service["_webAddressesSet"] as Set<string>;
       expect(set).toBeDefined();
       expect(set.has("phish.com")).toBe(true);
diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
index 85e91b06a6b..7d5f04cc276 100644
--- a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
@@ -3,11 +3,15 @@ import {
   EMPTY,
   first,
   firstValueFrom,
+  from,
+  of,
   share,
+  takeUntil,
   startWith,
   Subject,
   switchMap,
   tap,
+  map,
 } from "rxjs";
 
 import { devFlagEnabled, devFlagValue } from "@bitwarden/browser/platform/flags";
@@ -64,12 +68,20 @@ export const PHISHING_DOMAINS_BLOB_KEY = new KeyDefinition<string>(
 
 /** Coordinates fetching, caching, and patching of known phishing web addresses */
 export class PhishingDataService {
+  // While background scripts do not necessarily need destroying,
+  // processes in PhishingDataService are memory intensive.
+  // We are adding the destroy to guard against accidental leaks.
+  private _destroy$ = new Subject<void>();
+
   private _testWebAddresses = this.getTestWebAddresses().concat("phishing.testcategory.com"); // Included for QA to test in prod
   private _phishingMetaState = this.globalStateProvider.get(PHISHING_DOMAINS_META_KEY);
   private _phishingBlobState = this.globalStateProvider.get(PHISHING_DOMAINS_BLOB_KEY);
 
   // In-memory set loaded from blob for fast lookups without reading large storage repeatedly
   private _webAddressesSet: Set<string> | null = null;
+  // Loading variables for web addresses set
+  // Triggers a load for _webAddressesSet
+  private _loadTrigger$ = new Subject<void>();
 
   // How often are new web addresses added to the remote?
   readonly UPDATE_INTERVAL_DURATION = 24 * 60 * 60 * 1000; // 24 hours
@@ -81,6 +93,10 @@ export class PhishingDataService {
       this._phishingMetaState.state$.pipe(
         first(), // Only take the first value to avoid an infinite loop when updating the cache below
         tap((metaState) => {
+          // Initial loading of web addresses set if not already loaded
+          if (!this._webAddressesSet) {
+            this._loadBlobToMemory();
+          }
           // Perform any updates in the background if needed
           void this._backgroundUpdate(metaState);
         }),
@@ -90,6 +106,8 @@ export class PhishingDataService {
         }),
       ),
     ),
+    // Stop emitting when dispose() is called
+    takeUntil(this._destroy$),
     share(),
   );
 
@@ -109,7 +127,18 @@ export class PhishingDataService {
       ScheduledTaskNames.phishingDomainUpdate,
       this.UPDATE_INTERVAL_DURATION,
     );
-    void this._loadBlobToMemory();
+    this._setupLoadPipeline();
+  }
+
+  dispose(): void {
+    // Signal all pipelines to stop and unsubscribe stored subscriptions
+    this._destroy$.next();
+    this._destroy$.complete();
+
+    // Clear web addresses set from memory
+    if (this._webAddressesSet !== null) {
+      this._webAddressesSet = null;
+    }
   }
 
   /**
@@ -269,7 +298,7 @@ export class PhishingDataService {
         }
         if (next.blob) {
           await this._phishingBlobState.update(() => next!.blob!);
-          await this._loadBlobToMemory();
+          this._loadBlobToMemory();
         }
 
         // Performance logging
@@ -293,6 +322,47 @@ export class PhishingDataService {
     }
   }
 
+  // Sets up the load pipeline to load the blob into memory when triggered
+  private _setupLoadPipeline(): void {
+    this._loadTrigger$
+      .pipe(
+        switchMap(() =>
+          this._phishingBlobState.state$.pipe(
+            first(),
+            switchMap((blobBase64) => {
+              if (!blobBase64) {
+                return of(undefined);
+              }
+              // Note: _decompressString wraps a promise that cannot be aborted
+              // If performance improvements are needed, consider migrating to a cancellable approach
+              return from(this._decompressString(blobBase64)).pipe(
+                map((text) => {
+                  const lines = text.split(/\r?\n/);
+                  const newWebAddressesSet = new Set(lines);
+                  this._testWebAddresses.forEach((a) => newWebAddressesSet.add(a));
+                  this._webAddressesSet = new Set(newWebAddressesSet);
+                  this.logService.info(
+                    `[PhishingDataService] loaded ${this._webAddressesSet.size} addresses into memory from blob`,
+                  );
+                }),
+              );
+            }),
+            catchError((err: unknown) => {
+              this.logService.error("[PhishingDataService] Failed to load blob into memory", err);
+              return of(undefined);
+            }),
+          ),
+        ),
+        catchError((err: unknown) => {
+          this.logService.error("[PhishingDataService] Load pipeline failed", err);
+          return of(undefined);
+        }),
+        takeUntil(this._destroy$),
+        share(),
+      )
+      .subscribe();
+  }
+
   // [FIXME] Move compression helpers to a shared utils library
   // to separate from phishing data service.
   // ------------------------- Blob and Compression Handling -------------------------
@@ -337,29 +407,9 @@ export class PhishingDataService {
     }
   }
 
-  // Try to load compressed newline blob into an in-memory Set for fast lookups
-  private async _loadBlobToMemory(): Promise<void> {
-    this.logService.debug("[PhishingDataService] Loading data blob into memory...");
-    try {
-      const blobBase64 = await firstValueFrom(this._phishingBlobState.state$);
-      if (!blobBase64) {
-        return;
-      }
-
-      const text = await this._decompressString(blobBase64);
-      // Split and filter
-      const lines = text.split(/\r?\n/);
-      const newWebAddressesSet = new Set(lines);
-
-      // Add test addresses
-      this._testWebAddresses.forEach((a) => newWebAddressesSet.add(a));
-      this._webAddressesSet = new Set(newWebAddressesSet);
-      this.logService.info(
-        `[PhishingDataService] loaded ${this._webAddressesSet.size} addresses into memory from blob`,
-      );
-    } catch (err) {
-      this.logService.error("[PhishingDataService] Failed to load blob into memory", err);
-    }
+  // Trigger a load of the blob into memory
+  private _loadBlobToMemory(): void {
+    this._loadTrigger$.next();
   }
   private _uint8ToBase64Fallback(bytes: Uint8Array): string {
     const CHUNK_SIZE = 0x8000; // 32KB chunks
diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-detection.service.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-detection.service.ts
index d90e872eef8..815007e1d4c 100644
--- a/apps/browser/src/dirt/phishing-detection/services/phishing-detection.service.ts
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-detection.service.ts
@@ -137,6 +137,9 @@ export class PhishingDetectionService {
 
     this._didInit = true;
     return () => {
+      // Dispose phishing data service resources
+      phishingDataService.dispose();
+
       initSub.unsubscribe();
       this._didInit = false;
 

From 9dd94a27825c83d6355b0b4d6038b36b93b808dc Mon Sep 17 00:00:00 2001
From: Jason Ng <jng@bitwarden.com>
Date: Wed, 21 Jan 2026 17:16:18 -0500
Subject: [PATCH 04/24] [PM-30828] added MP reprompt check to unarchive
 (#18464)

---
 .../archive-cipher-utilities.service.spec.ts       | 14 ++++++++++++++
 .../services/archive-cipher-utilities.service.ts   |  9 ++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/libs/vault/src/services/archive-cipher-utilities.service.spec.ts b/libs/vault/src/services/archive-cipher-utilities.service.spec.ts
index 5df1bff9a56..ea00f482987 100644
--- a/libs/vault/src/services/archive-cipher-utilities.service.spec.ts
+++ b/libs/vault/src/services/archive-cipher-utilities.service.spec.ts
@@ -120,5 +120,19 @@ describe("ArchiveCipherUtilitiesService", () => {
         message: "errorOccurred",
       });
     });
+
+    it("calls password reprompt check when unarchiving", async () => {
+      await service.unarchiveCipher(mockCipher);
+
+      expect(passwordRepromptService.passwordRepromptCheck).toHaveBeenCalledWith(mockCipher);
+    });
+
+    it("returns early when password reprompt fails on unarchive", async () => {
+      passwordRepromptService.passwordRepromptCheck.mockResolvedValue(false);
+
+      await service.unarchiveCipher(mockCipher);
+
+      expect(cipherArchiveService.unarchiveWithServer).not.toHaveBeenCalled();
+    });
   });
 });
diff --git a/libs/vault/src/services/archive-cipher-utilities.service.ts b/libs/vault/src/services/archive-cipher-utilities.service.ts
index 93e752b57dd..b747961a701 100644
--- a/libs/vault/src/services/archive-cipher-utilities.service.ts
+++ b/libs/vault/src/services/archive-cipher-utilities.service.ts
@@ -74,7 +74,14 @@ export class ArchiveCipherUtilitiesService {
    * @param cipher The cipher to unarchive
    * @returns The unarchived cipher on success, or undefined on failure
    */
-  async unarchiveCipher(cipher: CipherView) {
+  async unarchiveCipher(cipher: CipherView, skipReprompt = false) {
+    if (!skipReprompt) {
+      const repromptPassed = await this.passwordRepromptService.passwordRepromptCheck(cipher);
+      if (!repromptPassed) {
+        return;
+      }
+    }
+
     const userId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
     try {
       const cipherResponse = await this.cipherArchiveService.unarchiveWithServer(

From 3f466c4b4cf9c8fcdba6f42960d2a78a52948183 Mon Sep 17 00:00:00 2001
From: Jonathan Prusik <jprusik@users.noreply.github.com>
Date: Wed, 21 Jan 2026 17:22:45 -0500
Subject: [PATCH 05/24] refresh top layer when top layer candidate handlers are
 set up (#18326)

---
 .../src/autofill/services/collect-autofill-content.service.ts   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/browser/src/autofill/services/collect-autofill-content.service.ts b/apps/browser/src/autofill/services/collect-autofill-content.service.ts
index 18eb8e2baf8..25fcb9038d8 100644
--- a/apps/browser/src/autofill/services/collect-autofill-content.service.ts
+++ b/apps/browser/src/autofill/services/collect-autofill-content.service.ts
@@ -1083,6 +1083,8 @@ export class CollectAutofillContentService implements CollectAutofillContentServ
           setTimeout(this.autofillOverlayContentService.refreshMenuLayerPosition, 100);
         }
       });
+
+      this.autofillOverlayContentService.refreshMenuLayerPosition();
     }
   };
 

From 0ad1ab448ae5452f3142ead40ac1ea8d89bcb03f Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 21 Jan 2026 17:27:24 -0500
Subject: [PATCH 06/24] fix(entitlements): Restrict entitlements for Helium
 browser to just the directory

---
 apps/desktop/resources/entitlements.mas.plist | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/desktop/resources/entitlements.mas.plist b/apps/desktop/resources/entitlements.mas.plist
index 226e9827e37..9760af69e8b 100644
--- a/apps/desktop/resources/entitlements.mas.plist
+++ b/apps/desktop/resources/entitlements.mas.plist
@@ -34,7 +34,7 @@
 		<string>/Library/Application Support/Microsoft Edge Canary/NativeMessagingHosts/</string>
 		<string>/Library/Application Support/Vivaldi/NativeMessagingHosts/</string>
 		<string>/Library/Application Support/Zen/NativeMessagingHosts/</string>
-		<string>/Library/Application Support/net.imput.helium</string>
+		<string>/Library/Application Support/net.imput.helium/NativeMessagingHosts/</string>
 	</array>
 </dict>
 </plist>

From d80ca85e503ce6a4c38d2f6b25115386cf1e90ea Mon Sep 17 00:00:00 2001
From: Jason Ng <jng@bitwarden.com>
Date: Wed, 21 Jan 2026 18:24:17 -0500
Subject: [PATCH 07/24] [PM-30857] add empty state to desktop archives (#18414)

* add empty state to desktop archives
---
 .../vault/app/vault/vault-v2.component.html   | 124 ++++++++++--------
 .../src/vault/app/vault/vault-v2.component.ts |  10 ++
 2 files changed, 77 insertions(+), 57 deletions(-)

diff --git a/apps/desktop/src/vault/app/vault/vault-v2.component.html b/apps/desktop/src/vault/app/vault/vault-v2.component.html
index d10b3fd85c6..61b7c0ee355 100644
--- a/apps/desktop/src/vault/app/vault/vault-v2.component.html
+++ b/apps/desktop/src/vault/app/vault/vault-v2.component.html
@@ -10,69 +10,79 @@
     [organizationId]="organizationId"
   >
   </app-vault-items-v2>
-  <div class="details" *ngIf="!!action">
-    <app-vault-item-footer
-      id="footer"
-      #footer
-      [cipher]="cipher()"
-      [action]="action"
-      (onEdit)="editCipher($event)"
-      (onRestore)="restoreCipher()"
-      (onClone)="cloneCipher($event)"
-      (onDelete)="deleteCipher()"
-      (onCancel)="cancelCipher($event)"
-      (onArchiveToggle)="refreshCurrentCipher()"
-      [masterPasswordAlreadyPrompted]="cipherRepromptId === cipherId"
-      [submitButtonText]="submitButtonText()"
-    ></app-vault-item-footer>
-    <div class="content">
-      <div class="inner-content">
-        <div class="box">
-          <app-cipher-view
-            *ngIf="action === 'view'"
-            [cipher]="cipher()"
-            [collections]="collections"
-          >
-          </app-cipher-view>
-          <vault-cipher-form
-            #vaultForm
-            *ngIf="action === 'add' || action === 'edit' || action === 'clone'"
-            formId="cipherForm"
-            [config]="config"
-            (cipherSaved)="savedCipher($event)"
-            [submitBtn]="footer?.submitBtn"
-            (formStatusChange$)="formStatusChanged($event)"
-          >
-            <bit-item slot="attachment-button">
-              <button
-                bit-item-content
-                type="button"
-                (click)="openAttachmentsDialog()"
-                [disabled]="formDisabled"
+  @if (!!action) {
+    <div class="details">
+      <app-vault-item-footer
+        id="footer"
+        #footer
+        [cipher]="cipher()"
+        [action]="action"
+        (onEdit)="editCipher($event)"
+        (onRestore)="restoreCipher()"
+        (onClone)="cloneCipher($event)"
+        (onDelete)="deleteCipher()"
+        (onCancel)="cancelCipher($event)"
+        (onArchiveToggle)="refreshCurrentCipher()"
+        [masterPasswordAlreadyPrompted]="cipherRepromptId === cipherId"
+        [submitButtonText]="submitButtonText()"
+      ></app-vault-item-footer>
+      <div class="content">
+        <div class="inner-content">
+          <div class="box">
+            @if (action === "view") {
+              <app-cipher-view [cipher]="cipher()" [collections]="collections"> </app-cipher-view>
+            }
+            @if (action === "add" || action === "edit" || action === "clone") {
+              <vault-cipher-form
+                #vaultForm
+                formId="cipherForm"
+                [config]="config"
+                (cipherSaved)="savedCipher($event)"
+                [submitBtn]="footer?.submitBtn"
+                (formStatusChange$)="formStatusChanged($event)"
               >
-                <div class="tw-flex tw-items-center tw-gap-2">
-                  {{ "attachments" | i18n }}
-                  <app-premium-badge></app-premium-badge>
-                </div>
-                <i slot="end" class="bwi bwi-angle-right" aria-hidden="true"></i>
-              </button>
-            </bit-item>
-          </vault-cipher-form>
+                <bit-item slot="attachment-button">
+                  <button
+                    bit-item-content
+                    type="button"
+                    (click)="openAttachmentsDialog()"
+                    [disabled]="formDisabled"
+                  >
+                    <div class="tw-flex tw-items-center tw-gap-2">
+                      {{ "attachments" | i18n }}
+                      <app-premium-badge></app-premium-badge>
+                    </div>
+                    <i slot="end" class="bwi bwi-angle-right" aria-hidden="true"></i>
+                  </button>
+                </bit-item>
+              </vault-cipher-form>
+            }
+          </div>
         </div>
       </div>
     </div>
-  </div>
-  <div
-    id="logo"
-    class="logo"
-    *ngIf="action !== 'add' && action !== 'edit' && action !== 'view' && action !== 'clone'"
-  >
-    <div class="content">
-      <div class="inner-content">
-        <img class="logo-image" alt="Bitwarden" aria-hidden="true" />
+  }
+  @if (action !== "add" && action !== "edit" && action !== "view" && action !== "clone") {
+    <div id="logo" class="logo">
+      <div class="content">
+        <div class="inner-content">
+          @if (activeFilter.status === "archive" && !(hasArchivedCiphers$ | async)) {
+            <bit-no-items [icon]="itemTypesIcon">
+              <div slot="title">
+                {{ "noItemsInArchive" | i18n }}
+              </div>
+              <p slot="description" bitTypography="body2" class="tw-max-w-md tw-text-center">
+                {{ "noItemsInArchiveDesc" | i18n }}
+              </p>
+            </bit-no-items>
+          } @else {
+            <img class="logo-image" alt="Bitwarden" aria-hidden="true" />
+          }
+        </div>
       </div>
     </div>
-  </div>
+  }
+
   <div class="left-nav">
     <app-vault-filter
       class="vault-filters"
diff --git a/apps/desktop/src/vault/app/vault/vault-v2.component.ts b/apps/desktop/src/vault/app/vault/vault-v2.component.ts
index 20e6bc6d35b..c1ab9d6f22a 100644
--- a/apps/desktop/src/vault/app/vault/vault-v2.component.ts
+++ b/apps/desktop/src/vault/app/vault/vault-v2.component.ts
@@ -27,6 +27,7 @@ import { CollectionService } from "@bitwarden/admin-console/common";
 import { PremiumBadgeComponent } from "@bitwarden/angular/billing/components/premium-badge";
 import { VaultViewPasswordHistoryService } from "@bitwarden/angular/services/view-password-history.service";
 import { VaultFilter } from "@bitwarden/angular/vault/vault-filter/models/vault-filter.model";
+import { ItemTypes } from "@bitwarden/assets/svg";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { EventCollectionService } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
@@ -69,6 +70,7 @@ import {
   ToastService,
   CopyClickListener,
   COPY_CLICK_LISTENER,
+  NoItemsModule,
 } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";
 import {
@@ -124,6 +126,7 @@ const BroadcasterSubscriptionId = "VaultComponent";
     NavComponent,
     VaultFilterModule,
     VaultItemsV2Component,
+    NoItemsModule,
   ],
   providers: [
     {
@@ -203,6 +206,7 @@ export class VaultV2Component<C extends CipherViewLike>
   collections: CollectionView[] | null = null;
   config: CipherFormConfig | null = null;
   readonly userHasPremium = signal<boolean>(false);
+  protected itemTypesIcon = ItemTypes;
 
   /** Tracks the disabled status of the edit cipher form */
   protected formDisabled: boolean = false;
@@ -221,6 +225,12 @@ export class VaultV2Component<C extends CipherViewLike>
       : this.i18nService.t("save");
   });
 
+  protected hasArchivedCiphers$ = this.userId$.pipe(
+    switchMap((userId) =>
+      this.cipherArchiveService.archivedCiphers$(userId).pipe(map((ciphers) => ciphers.length > 0)),
+    ),
+  );
+
   private componentIsDestroyed$ = new Subject<boolean>();
   private allOrganizations: Organization[] = [];
   private allCollections: CollectionView[] = [];

From 21eb376b4146878d0d2275024ddab678537e0ffd Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Wed, 21 Jan 2026 15:32:58 -0800
Subject: [PATCH 08/24] [PM-30906] Auto confirm nudge service fix and better
 nudge documentation (#18419)

* [PM-30906] Refactor AutoConfirmNudgeService to be Browser specific and add additional documentation detailing when this is necessary

* [PM-30906] Add README.md for custom nudge services
---
 .../src/popup/services/services.module.ts     |  17 +-
 libs/angular/src/vault/index.ts               |   6 +-
 .../services/custom-nudges-services/README.md | 204 ++++++++++++++++++
 .../auto-confirm-nudge.service.ts             |  15 +-
 .../new-account-nudge.service.ts              |  12 +-
 .../services/default-single-nudge.service.ts  |   8 +-
 .../vault/services/nudge-injection-tokens.ts  |  19 ++
 .../src/vault/services/nudges.service.ts      |  16 +-
 8 files changed, 280 insertions(+), 17 deletions(-)
 create mode 100644 libs/angular/src/vault/services/custom-nudges-services/README.md

diff --git a/apps/browser/src/popup/services/services.module.ts b/apps/browser/src/popup/services/services.module.ts
index 06a021085ea..7b207f0fac1 100644
--- a/apps/browser/src/popup/services/services.module.ts
+++ b/apps/browser/src/popup/services/services.module.ts
@@ -27,8 +27,12 @@ import {
   WINDOW,
 } from "@bitwarden/angular/services/injection-tokens";
 import { JslibServicesModule } from "@bitwarden/angular/services/jslib-services.module";
-import { AUTOFILL_NUDGE_SERVICE } from "@bitwarden/angular/vault";
-import { SingleNudgeService } from "@bitwarden/angular/vault/services/default-single-nudge.service";
+import {
+  AUTOFILL_NUDGE_SERVICE,
+  AUTO_CONFIRM_NUDGE_SERVICE,
+  AutoConfirmNudgeService,
+} from "@bitwarden/angular/vault";
+import { VaultProfileService } from "@bitwarden/angular/vault/services/vault-profile.service";
 import {
   LoginComponentService,
   TwoFactorAuthComponentService,
@@ -786,9 +790,14 @@ const safeProviders: SafeProvider[] = [
     ],
   }),
   safeProvider({
-    provide: AUTOFILL_NUDGE_SERVICE as SafeInjectionToken<SingleNudgeService>,
+    provide: AUTOFILL_NUDGE_SERVICE as SafeInjectionToken<BrowserAutofillNudgeService>,
     useClass: BrowserAutofillNudgeService,
-    deps: [],
+    deps: [StateProvider, VaultProfileService, LogService],
+  }),
+  safeProvider({
+    provide: AUTO_CONFIRM_NUDGE_SERVICE as SafeInjectionToken<AutoConfirmNudgeService>,
+    useClass: AutoConfirmNudgeService,
+    deps: [StateProvider, AutomaticUserConfirmationService],
   }),
 ];
 
diff --git a/libs/angular/src/vault/index.ts b/libs/angular/src/vault/index.ts
index b9131338a45..a89be7bc2c4 100644
--- a/libs/angular/src/vault/index.ts
+++ b/libs/angular/src/vault/index.ts
@@ -1,4 +1,8 @@
 // Note: Nudge related code is exported from `libs/angular` because it is consumed by multiple
 // `libs/*` packages. Exporting from the `libs/vault` package creates circular dependencies.
 export { NudgesService, NudgeStatus, NudgeType } from "./services/nudges.service";
-export { AUTOFILL_NUDGE_SERVICE } from "./services/nudge-injection-tokens";
+export {
+  AUTOFILL_NUDGE_SERVICE,
+  AUTO_CONFIRM_NUDGE_SERVICE,
+} from "./services/nudge-injection-tokens";
+export { AutoConfirmNudgeService } from "./services/custom-nudges-services";
diff --git a/libs/angular/src/vault/services/custom-nudges-services/README.md b/libs/angular/src/vault/services/custom-nudges-services/README.md
new file mode 100644
index 00000000000..f0759979de9
--- /dev/null
+++ b/libs/angular/src/vault/services/custom-nudges-services/README.md
@@ -0,0 +1,204 @@
+# Custom Nudge Services
+
+This folder contains custom implementations of `SingleNudgeService` that provide specialized logic for determining when nudges should be shown or dismissed.
+
+## Architecture Overview
+
+### Core Components
+
+- **`NudgesService`** (`../nudges.service.ts`) - The main service that components use to check nudge status and dismiss nudges
+- **`SingleNudgeService`** - Interface that all nudge services implement
+- **`DefaultSingleNudgeService`** - Base implementation that stores dismissed state in user state
+- **Custom nudge services** - Specialized implementations with additional logic
+
+### How It Works
+
+1. Components call `NudgesService.showNudgeSpotlight$()` or `showNudgeBadge$()` with a `NudgeType`
+2. `NudgesService` routes to the appropriate custom nudge service (or falls back to `DefaultSingleNudgeService`)
+3. The custom service returns a `NudgeStatus` indicating if the badge/spotlight should be shown
+4. Custom services can combine the persisted dismissed state with dynamic conditions (e.g., account age, vault contents)
+
+### NudgeStatus
+
+```typescript
+type NudgeStatus = {
+  hasBadgeDismissed: boolean; // True if the badge indicator should be hidden
+  hasSpotlightDismissed: boolean; // True if the spotlight/callout should be hidden
+};
+```
+
+## Service Categories
+
+### Universal Services
+
+These services work on **all clients** (browser, web, desktop) and use `@Injectable({ providedIn: "root" })`.
+
+| Service                           | Purpose                                                                |
+| --------------------------------- | ---------------------------------------------------------------------- |
+| `NewAccountNudgeService`          | Auto-dismisses after account is 30 days old                            |
+| `NewItemNudgeService`             | Checks cipher counts for "add first item" nudges                       |
+| `HasItemsNudgeService`            | Checks if vault has items                                              |
+| `EmptyVaultNudgeService`          | Checks empty vault state                                               |
+| `AccountSecurityNudgeService`     | Checks security settings (PIN, biometrics)                             |
+| `VaultSettingsImportNudgeService` | Checks import status                                                   |
+| `NoOpNudgeService`                | Always returns dismissed (used as fallback for client specific nudges) |
+
+### Client-Specific Services
+
+These services require **platform-specific features** and must be explicitly registered in each client that supports them.
+
+| Service                       | Clients      | Requires                               |
+| ----------------------------- | ------------ | -------------------------------------- |
+| `AutoConfirmNudgeService`     | Browser only | `AutomaticUserConfirmationService`     |
+| `BrowserAutofillNudgeService` | Browser only | `BrowserApi` (lives in `apps/browser`) |
+
+## Adding a New Nudge Service
+
+### Step 1: Determine if Universal or Client-Specific
+
+**Universal** - If your service only depends on:
+
+- `StateProvider`
+- Services available in all clients (e.g., `CipherService`, `OrganizationService`)
+
+**Client-Specific** - If your service depends on:
+
+- Browser APIs (`BrowserApi`, autofill services)
+- Services only available in certain clients
+- Platform-specific features
+
+### Step 2: Create the Service
+
+#### For Universal Services
+
+```typescript
+// my-nudge.service.ts
+import { Injectable } from "@angular/core";
+import { combineLatest, map, Observable } from "rxjs";
+
+import { StateProvider } from "@bitwarden/common/platform/state";
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { DefaultSingleNudgeService } from "../default-single-nudge.service";
+import { NudgeStatus, NudgeType } from "../nudges.service";
+
+@Injectable({ providedIn: "root" })
+export class MyNudgeService extends DefaultSingleNudgeService {
+  constructor(
+    stateProvider: StateProvider,
+    private myDependency: MyDependency, // Must be available in all clients
+  ) {
+    super(stateProvider);
+  }
+
+  nudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
+    return combineLatest([
+      this.getNudgeStatus$(nudgeType, userId), // Gets persisted dismissed state
+      this.myDependency.someData$,
+    ]).pipe(
+      map(([persistedStatus, data]) => {
+        // Return dismissed if user already dismissed OR your condition is met
+        const autoDismiss = /* your logic */;
+        return {
+          hasBadgeDismissed: persistedStatus.hasBadgeDismissed || autoDismiss,
+          hasSpotlightDismissed: persistedStatus.hasSpotlightDismissed || autoDismiss,
+        };
+      }),
+    );
+  }
+}
+```
+
+#### For Client-Specific Services
+
+```typescript
+// my-client-specific-nudge.service.ts
+import { Injectable } from "@angular/core";
+import { combineLatest, map, Observable } from "rxjs";
+
+import { StateProvider } from "@bitwarden/common/platform/state";
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { DefaultSingleNudgeService } from "../default-single-nudge.service";
+import { NudgeStatus, NudgeType } from "../nudges.service";
+
+@Injectable() // NO providedIn: "root"
+export class MyClientSpecificNudgeService extends DefaultSingleNudgeService {
+  constructor(
+    stateProvider: StateProvider,
+    private clientSpecificService: ClientSpecificService,
+  ) {
+    super(stateProvider);
+  }
+
+  nudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
+    return combineLatest([
+      this.getNudgeStatus$(nudgeType, userId),
+      this.clientSpecificService.someData$,
+    ]).pipe(
+      map(([persistedStatus, data]) => {
+        const autoDismiss = /* your logic */;
+        return {
+          hasBadgeDismissed: persistedStatus.hasBadgeDismissed || autoDismiss,
+          hasSpotlightDismissed: persistedStatus.hasSpotlightDismissed || autoDismiss,
+        };
+      }),
+    );
+  }
+}
+```
+
+### Step 3: Add NudgeType
+
+Add your nudge type to `NudgeType` in `../nudges.service.ts`:
+
+```typescript
+export const NudgeType = {
+  // ... existing types
+  MyNewNudge: "my-new-nudge",
+} as const;
+```
+
+### Step 4: Register in NudgesService
+
+#### For Universal Services
+
+Add to `customNudgeServices` map in `../nudges.service.ts`:
+
+```typescript
+private customNudgeServices: Partial<Record<NudgeType, SingleNudgeService>> = {
+  // ... existing
+  [NudgeType.MyNewNudge]: inject(MyNudgeService),
+};
+```
+
+#### For Client-Specific Services
+
+1. **Add injection token** in `../nudge-injection-tokens.ts`:
+
+```typescript
+export const MY_NUDGE_SERVICE = new InjectionToken<SingleNudgeService>("MyNudgeService");
+```
+
+2. **Inject with optional** in `../nudges.service.ts`:
+
+```typescript
+private myNudgeService = inject(MY_NUDGE_SERVICE, { optional: true });
+
+private customNudgeServices = {
+  // ... existing
+  [NudgeType.MyNewNudge]: this.myNudgeService ?? this.noOpNudgeService,
+};
+```
+
+3. **Register in each supporting client** (e.g., `apps/browser/src/popup/services/services.module.ts`):
+
+```typescript
+import { MY_NUDGE_SERVICE } from "@bitwarden/angular/vault";
+
+safeProvider({
+  provide: MY_NUDGE_SERVICE as SafeInjectionToken<SingleNudgeService>,
+  useClass: MyClientSpecificNudgeService,
+  deps: [StateProvider, ClientSpecificService],
+}),
+```
diff --git a/libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.ts b/libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.ts
index 52fc87d7604..9fe843e50e0 100644
--- a/libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.ts
+++ b/libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.ts
@@ -1,15 +1,24 @@
-import { inject, Injectable } from "@angular/core";
+import { Injectable } from "@angular/core";
 import { combineLatest, map, Observable } from "rxjs";
 
 import { AutomaticUserConfirmationService } from "@bitwarden/auto-confirm";
+import { StateProvider } from "@bitwarden/common/platform/state";
 import { UserId } from "@bitwarden/user-core";
 
 import { DefaultSingleNudgeService } from "../default-single-nudge.service";
 import { NudgeType, NudgeStatus } from "../nudges.service";
 
-@Injectable({ providedIn: "root" })
+/**
+ * Browser specific nudge service for auto-confirm nudge.
+ */
+@Injectable()
 export class AutoConfirmNudgeService extends DefaultSingleNudgeService {
-  autoConfirmService = inject(AutomaticUserConfirmationService);
+  constructor(
+    stateProvider: StateProvider,
+    private autoConfirmService: AutomaticUserConfirmationService,
+  ) {
+    super(stateProvider);
+  }
 
   nudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
     return combineLatest([
diff --git a/libs/angular/src/vault/services/custom-nudges-services/new-account-nudge.service.ts b/libs/angular/src/vault/services/custom-nudges-services/new-account-nudge.service.ts
index 39af9a2e4aa..8c18da8a103 100644
--- a/libs/angular/src/vault/services/custom-nudges-services/new-account-nudge.service.ts
+++ b/libs/angular/src/vault/services/custom-nudges-services/new-account-nudge.service.ts
@@ -1,10 +1,11 @@
-import { Injectable, inject } from "@angular/core";
+import { Injectable } from "@angular/core";
 import { Observable, combineLatest, from, map, of } from "rxjs";
 import { catchError } from "rxjs/operators";
 
 import { VaultProfileService } from "@bitwarden/angular/vault/services/vault-profile.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { UserId } from "@bitwarden/common/types/guid";
+import { StateProvider } from "@bitwarden/state";
 
 import { DefaultSingleNudgeService } from "../default-single-nudge.service";
 import { NudgeStatus, NudgeType } from "../nudges.service";
@@ -18,8 +19,13 @@ const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;
   providedIn: "root",
 })
 export class NewAccountNudgeService extends DefaultSingleNudgeService {
-  vaultProfileService = inject(VaultProfileService);
-  logService = inject(LogService);
+  constructor(
+    stateProvider: StateProvider,
+    private vaultProfileService: VaultProfileService,
+    private logService: LogService,
+  ) {
+    super(stateProvider);
+  }
 
   nudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
     const profileDate$ = from(this.vaultProfileService.getProfileCreationDate(userId)).pipe(
diff --git a/libs/angular/src/vault/services/default-single-nudge.service.ts b/libs/angular/src/vault/services/default-single-nudge.service.ts
index 8abc344c4a0..06c08371f41 100644
--- a/libs/angular/src/vault/services/default-single-nudge.service.ts
+++ b/libs/angular/src/vault/services/default-single-nudge.service.ts
@@ -1,4 +1,4 @@
-import { inject, Injectable } from "@angular/core";
+import { Injectable } from "@angular/core";
 import { map, Observable } from "rxjs";
 
 import { StateProvider } from "@bitwarden/common/platform/state";
@@ -22,7 +22,11 @@ export interface SingleNudgeService {
   providedIn: "root",
 })
 export class DefaultSingleNudgeService implements SingleNudgeService {
-  stateProvider = inject(StateProvider);
+  protected stateProvider: StateProvider;
+
+  constructor(stateProvider: StateProvider) {
+    this.stateProvider = stateProvider;
+  }
 
   protected getNudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
     return this.stateProvider
diff --git a/libs/angular/src/vault/services/nudge-injection-tokens.ts b/libs/angular/src/vault/services/nudge-injection-tokens.ts
index 52a0838d356..43db5ec1dc6 100644
--- a/libs/angular/src/vault/services/nudge-injection-tokens.ts
+++ b/libs/angular/src/vault/services/nudge-injection-tokens.ts
@@ -2,6 +2,25 @@ import { InjectionToken } from "@angular/core";
 
 import { SingleNudgeService } from "./default-single-nudge.service";
 
+/**
+ * Injection tokens for client specific nudge services.
+ *
+ * These services require platform-specific features and must be explicitly
+ * provided by each client that supports them. If not provided, NudgesService
+ * falls back to NoOpNudgeService.
+ *
+ * Client specific services should use constructor injection (not inject())
+ * to maintain safeProvider type safety.
+ *
+ * Universal services use @Injectable({ providedIn: "root" }) and can use inject().
+ */
+
+/** Browser: Requires BrowserApi  */
 export const AUTOFILL_NUDGE_SERVICE = new InjectionToken<SingleNudgeService>(
   "AutofillNudgeService",
 );
+
+/** Browser: Requires AutomaticUserConfirmationService */
+export const AUTO_CONFIRM_NUDGE_SERVICE = new InjectionToken<SingleNudgeService>(
+  "AutoConfirmNudgeService",
+);
diff --git a/libs/angular/src/vault/services/nudges.service.ts b/libs/angular/src/vault/services/nudges.service.ts
index afd0d184d6e..a8a8feb073f 100644
--- a/libs/angular/src/vault/services/nudges.service.ts
+++ b/libs/angular/src/vault/services/nudges.service.ts
@@ -12,11 +12,10 @@ import {
   NewItemNudgeService,
   AccountSecurityNudgeService,
   VaultSettingsImportNudgeService,
-  AutoConfirmNudgeService,
   NoOpNudgeService,
 } from "./custom-nudges-services";
 import { DefaultSingleNudgeService, SingleNudgeService } from "./default-single-nudge.service";
-import { AUTOFILL_NUDGE_SERVICE } from "./nudge-injection-tokens";
+import { AUTOFILL_NUDGE_SERVICE, AUTO_CONFIRM_NUDGE_SERVICE } from "./nudge-injection-tokens";
 
 export type NudgeStatus = {
   hasBadgeDismissed: boolean;
@@ -63,12 +62,21 @@ export class NudgesService {
   // NoOp service that always returns dismissed
   private noOpNudgeService = inject(NoOpNudgeService);
 
-  // Optional Browser-specific service provided via injection token (not all clients have autofill)
+  // Client specific services (optional, via injection tokens)
+  // These services require platform-specific features and fallback to NoOpNudgeService if not provided
+
   private autofillNudgeService = inject(AUTOFILL_NUDGE_SERVICE, { optional: true });
+  private autoConfirmNudgeService = inject(AUTO_CONFIRM_NUDGE_SERVICE, { optional: true });
 
   /**
    * Custom nudge services to use for specific nudge types
    * Each nudge type can have its own service to determine when to show the nudge
+   *
+   * NOTE: If a custom nudge service requires client specific services/features:
+   *  1. The custom nudge service must be provided via injection token and marked as optional.
+   *  2. The custom nudge service must be manually registered with that token in the client(s).
+   *
+   *  See the README.md in the custom-nudge-services folder for more details on adding custom nudges.
    * @private
    */
   private customNudgeServices: Partial<Record<NudgeType, SingleNudgeService>> = {
@@ -84,7 +92,7 @@ export class NudgesService {
     [NudgeType.NewIdentityItemStatus]: this.newItemNudgeService,
     [NudgeType.NewNoteItemStatus]: this.newItemNudgeService,
     [NudgeType.NewSshItemStatus]: this.newItemNudgeService,
-    [NudgeType.AutoConfirmNudge]: inject(AutoConfirmNudgeService),
+    [NudgeType.AutoConfirmNudge]: this.autoConfirmNudgeService ?? this.noOpNudgeService,
   };
 
   /**

From 464a0427bf41bdee96a44b918568c39d251e829c Mon Sep 17 00:00:00 2001
From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
Date: Wed, 21 Jan 2026 16:28:39 -0800
Subject: [PATCH 09/24] [PM-29816] - fix scroll position in browser vault
 (#18449)

* fix scroll position in browser vault

* use bitScrollLayoutHost
---
 .../popup/layout/popup-page.component.html    |  1 -
 .../popup/layout/popup-page.component.ts      | 27 ++++++--
 .../vault-v2/vault-v2.component.spec.ts       | 28 +++++---
 .../components/vault-v2/vault-v2.component.ts | 34 +++++-----
 ...ault-popup-scroll-position.service.spec.ts | 68 ++++++++++---------
 .../vault-popup-scroll-position.service.ts    | 22 +++---
 6 files changed, 104 insertions(+), 76 deletions(-)

diff --git a/apps/browser/src/platform/popup/layout/popup-page.component.html b/apps/browser/src/platform/popup/layout/popup-page.component.html
index 828d9947373..bb24fb800aa 100644
--- a/apps/browser/src/platform/popup/layout/popup-page.component.html
+++ b/apps/browser/src/platform/popup/layout/popup-page.component.html
@@ -25,7 +25,6 @@
   <div
     class="tw-size-full tw-styled-scrollbar"
     data-testid="popup-layout-scroll-region"
-    (scroll)="handleScroll($event)"
     [ngClass]="{
       '!tw-overflow-hidden': hideOverflow(),
       'tw-overflow-y-auto': !hideOverflow(),
diff --git a/apps/browser/src/platform/popup/layout/popup-page.component.ts b/apps/browser/src/platform/popup/layout/popup-page.component.ts
index 4eed322bdbd..7d4b7decb7f 100644
--- a/apps/browser/src/platform/popup/layout/popup-page.component.ts
+++ b/apps/browser/src/platform/popup/layout/popup-page.component.ts
@@ -3,13 +3,17 @@ import {
   booleanAttribute,
   ChangeDetectionStrategy,
   Component,
+  DestroyRef,
+  ElementRef,
   inject,
   input,
   signal,
 } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
+import { filter, switchMap, fromEvent, startWith, map } from "rxjs";
 
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { ScrollLayoutHostDirective } from "@bitwarden/components";
+import { ScrollLayoutHostDirective, ScrollLayoutService } from "@bitwarden/components";
 
 @Component({
   selector: "popup-page",
@@ -22,6 +26,8 @@ import { ScrollLayoutHostDirective } from "@bitwarden/components";
 })
 export class PopupPageComponent {
   protected i18nService = inject(I18nService);
+  private scrollLayout = inject(ScrollLayoutService);
+  private destroyRef = inject(DestroyRef);
 
   readonly loading = input<boolean>(false);
 
@@ -33,10 +39,21 @@ export class PopupPageComponent {
   protected readonly scrolled = signal(false);
   isScrolled = this.scrolled.asReadonly();
 
+  constructor() {
+    this.scrollLayout.scrollableRef$
+      .pipe(
+        filter((ref): ref is ElementRef<HTMLElement> => ref != null),
+        switchMap((ref) =>
+          fromEvent(ref.nativeElement, "scroll").pipe(
+            startWith(null),
+            map(() => ref.nativeElement.scrollTop !== 0),
+          ),
+        ),
+        takeUntilDestroyed(this.destroyRef),
+      )
+      .subscribe((isScrolled) => this.scrolled.set(isScrolled));
+  }
+
   /** Accessible loading label for the spinner. Defaults to "loading" */
   readonly loadingText = input<string | undefined>(this.i18nService.t("loading"));
-
-  handleScroll(event: Event) {
-    this.scrolled.set((event.currentTarget as HTMLElement).scrollTop !== 0);
-  }
 }
diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.spec.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.spec.ts
index e6dffdaff08..2c94d9c226b 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.spec.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.spec.ts
@@ -1,4 +1,3 @@
-import { CdkVirtualScrollableElement } from "@angular/cdk/scrolling";
 import { ChangeDetectionStrategy, Component, input, NO_ERRORS_SCHEMA } from "@angular/core";
 import { TestBed, fakeAsync, flush, tick } from "@angular/core/testing";
 import { By } from "@angular/platform-browser";
@@ -394,21 +393,28 @@ describe("VaultV2Component", () => {
     expect(values[values.length - 1]).toBe(false);
   });
 
-  it("ngAfterViewInit waits for allFilters$ then starts scroll position service", fakeAsync(() => {
+  it("passes popup-page scroll region element to scroll position service", fakeAsync(() => {
+    const fixture = TestBed.createComponent(VaultV2Component);
+    const component = fixture.componentInstance;
+
+    const readySubject$ = component["readySubject"] as unknown as BehaviorSubject<boolean>;
+    const itemsLoading$ = itemsSvc.loading$ as unknown as BehaviorSubject<boolean>;
     const allFilters$ = filtersSvc.allFilters$ as unknown as Subject<any>;
 
-    (component as any).virtualScrollElement = {} as CdkVirtualScrollableElement;
-
-    component.ngAfterViewInit();
-    expect(scrollSvc.start).not.toHaveBeenCalled();
-
-    allFilters$.next({ any: true });
+    fixture.detectChanges();
     tick();
 
-    expect(scrollSvc.start).toHaveBeenCalledTimes(1);
-    expect(scrollSvc.start).toHaveBeenCalledWith((component as any).virtualScrollElement);
+    const scrollRegion = fixture.nativeElement.querySelector(
+      '[data-testid="popup-layout-scroll-region"]',
+    ) as HTMLElement;
 
-    flush();
+    // Unblock loading
+    itemsLoading$.next(false);
+    readySubject$.next(true);
+    allFilters$.next({});
+    tick();
+
+    expect(scrollSvc.start).toHaveBeenCalledWith(scrollRegion);
   }));
 
   it("showPremiumDialog opens PremiumUpgradeDialogComponent", () => {
diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
index 761b366bcd2..4678e2733eb 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
@@ -1,7 +1,7 @@
 import { LiveAnnouncer } from "@angular/cdk/a11y";
-import { CdkVirtualScrollableElement, ScrollingModule } from "@angular/cdk/scrolling";
+import { ScrollingModule } from "@angular/cdk/scrolling";
 import { CommonModule } from "@angular/common";
-import { AfterViewInit, Component, DestroyRef, OnDestroy, OnInit, ViewChild } from "@angular/core";
+import { Component, DestroyRef, effect, inject, OnDestroy, OnInit } from "@angular/core";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
 import { Router, RouterModule } from "@angular/router";
 import {
@@ -47,6 +47,7 @@ import {
   ButtonModule,
   DialogService,
   NoItemsModule,
+  ScrollLayoutService,
   ToastService,
   TypographyModule,
 } from "@bitwarden/components";
@@ -119,11 +120,7 @@ type VaultState = UnionOfValues<typeof VaultState>;
   ],
   providers: [{ provide: VaultItemsTransferService, useClass: DefaultVaultItemsTransferService }],
 })
-export class VaultV2Component implements OnInit, AfterViewInit, OnDestroy {
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @ViewChild(CdkVirtualScrollableElement) virtualScrollElement?: CdkVirtualScrollableElement;
-
+export class VaultV2Component implements OnInit, OnDestroy {
   NudgeType = NudgeType;
   cipherType = CipherType;
   private activeUserId$ = this.accountService.activeAccount$.pipe(getUserId);
@@ -308,16 +305,21 @@ export class VaultV2Component implements OnInit, AfterViewInit, OnDestroy {
       });
   }
 
-  ngAfterViewInit(): void {
-    if (this.virtualScrollElement) {
-      // The filters component can cause the size of the virtual scroll element to change,
-      // which can cause the scroll position to be land in the wrong spot. To fix this,
-      // wait until all filters are populated before restoring the scroll position.
-      this.allFilters$.pipe(take(1), takeUntilDestroyed(this.destroyRef)).subscribe(() => {
-        this.vaultScrollPositionService.start(this.virtualScrollElement!);
+  private readonly scrollLayout = inject(ScrollLayoutService);
+
+  private readonly _scrollPositionEffect = effect((onCleanup) => {
+    const sub = combineLatest([this.scrollLayout.scrollableRef$, this.allFilters$, this.loading$])
+      .pipe(
+        filter(([ref, _filters, loading]) => !!ref && !loading),
+        take(1),
+        takeUntilDestroyed(this.destroyRef),
+      )
+      .subscribe(([ref]) => {
+        this.vaultScrollPositionService.start(ref!.nativeElement);
       });
-    }
-  }
+
+    onCleanup(() => sub.unsubscribe());
+  });
 
   async ngOnInit() {
     this.activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
diff --git a/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.spec.ts b/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.spec.ts
index 562375f8f85..af21f664f2d 100644
--- a/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.spec.ts
+++ b/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.spec.ts
@@ -1,4 +1,3 @@
-import { CdkVirtualScrollableElement } from "@angular/cdk/scrolling";
 import { fakeAsync, TestBed, tick } from "@angular/core/testing";
 import { NavigationEnd, Router } from "@angular/router";
 import { Subject, Subscription } from "rxjs";
@@ -66,21 +65,18 @@ describe("VaultPopupScrollPositionService", () => {
   });
 
   describe("start", () => {
-    const elementScrolled$ = new Subject();
-    const focus = jest.fn();
-    const nativeElement = {
-      scrollTop: 0,
-      querySelector: jest.fn(() => ({ focus })),
-      addEventListener: jest.fn(),
-      style: {
-        visibility: "",
-      },
-    };
-    const virtualElement = {
-      elementScrolled: () => elementScrolled$,
-      getElementRef: () => ({ nativeElement }),
-      scrollTo: jest.fn(),
-    } as unknown as CdkVirtualScrollableElement;
+    let scrollElement: HTMLElement;
+
+    beforeEach(() => {
+      scrollElement = document.createElement("div");
+
+      (scrollElement as any).scrollTo = jest.fn(function scrollTo(opts: { top?: number }) {
+        if (opts?.top != null) {
+          (scrollElement as any).scrollTop = opts.top;
+        }
+      });
+      (scrollElement as any).scrollTop = 0;
+    });
 
     afterEach(() => {
       // remove the actual subscription created by `.subscribe`
@@ -89,47 +85,55 @@ describe("VaultPopupScrollPositionService", () => {
 
     describe("initial scroll position", () => {
       beforeEach(() => {
-        (virtualElement.scrollTo as jest.Mock).mockClear();
-        nativeElement.querySelector.mockClear();
+        ((scrollElement as any).scrollTo as jest.Mock).mockClear();
       });
 
       it("does not scroll when `scrollPosition` is null", () => {
         service["scrollPosition"] = null;
 
-        service.start(virtualElement);
+        service.start(scrollElement);
 
-        expect(virtualElement.scrollTo).not.toHaveBeenCalled();
+        expect((scrollElement as any).scrollTo).not.toHaveBeenCalled();
       });
 
-      it("scrolls the virtual element to `scrollPosition`", fakeAsync(() => {
+      it("scrolls the element to `scrollPosition` (async via setTimeout)", fakeAsync(() => {
         service["scrollPosition"] = 500;
-        nativeElement.scrollTop = 500;
 
-        service.start(virtualElement);
+        service.start(scrollElement);
         tick();
 
-        expect(virtualElement.scrollTo).toHaveBeenCalledWith({ behavior: "instant", top: 500 });
+        expect((scrollElement as any).scrollTo).toHaveBeenCalledWith({
+          behavior: "instant",
+          top: 500,
+        });
+        expect((scrollElement as any).scrollTop).toBe(500);
       }));
     });
 
     describe("scroll listener", () => {
       it("unsubscribes from any existing subscription", () => {
-        service.start(virtualElement);
+        service.start(scrollElement);
 
         expect(unsubscribe).toHaveBeenCalled();
       });
 
-      it("subscribes to `elementScrolled`", fakeAsync(() => {
-        virtualElement.measureScrollOffset = jest.fn(() => 455);
+      it("stores scrollTop on subsequent scroll events (skips first)", fakeAsync(() => {
+        service["scrollPosition"] = null;
 
-        service.start(virtualElement);
+        service.start(scrollElement);
 
-        elementScrolled$.next(null); // first subscription is skipped by `skip(1)`
-        elementScrolled$.next(null);
+        // First scroll event is intentionally ignored (equivalent to old skip(1)).
+        (scrollElement as any).scrollTop = 111;
+        scrollElement.dispatchEvent(new Event("scroll"));
+        tick();
+
+        expect(service["scrollPosition"]).toBeNull();
+
+        // Second scroll event should persist.
+        (scrollElement as any).scrollTop = 455;
+        scrollElement.dispatchEvent(new Event("scroll"));
         tick();
 
-        expect(virtualElement.measureScrollOffset).toHaveBeenCalledTimes(1);
-        expect(virtualElement.measureScrollOffset).toHaveBeenCalledWith("top");
         expect(service["scrollPosition"]).toBe(455);
       }));
     });
diff --git a/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.ts b/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.ts
index 5bfe0ec9331..7261fdd6633 100644
--- a/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.ts
+++ b/apps/browser/src/vault/popup/services/vault-popup-scroll-position.service.ts
@@ -1,8 +1,7 @@
-import { CdkVirtualScrollableElement } from "@angular/cdk/scrolling";
 import { inject, Injectable } from "@angular/core";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
 import { NavigationEnd, Router } from "@angular/router";
-import { filter, skip, Subscription } from "rxjs";
+import { filter, fromEvent, Subscription } from "rxjs";
 
 @Injectable({
   providedIn: "root",
@@ -31,24 +30,25 @@ export class VaultPopupScrollPositionService {
   }
 
   /** Scrolls the user to the stored scroll position and starts tracking scroll of the page. */
-  start(virtualScrollElement: CdkVirtualScrollableElement) {
+  start(scrollElement: HTMLElement) {
     if (this.hasScrollPosition()) {
       // Use `setTimeout` to scroll after rendering is complete
       setTimeout(() => {
-        virtualScrollElement.scrollTo({ top: this.scrollPosition!, behavior: "instant" });
+        scrollElement.scrollTo({ top: this.scrollPosition!, behavior: "instant" });
       });
     }
 
     this.scrollSubscription?.unsubscribe();
 
     // Skip the first scroll event to avoid settings the scroll from the above `scrollTo` call
-    this.scrollSubscription = virtualScrollElement
-      ?.elementScrolled()
-      .pipe(skip(1))
-      .subscribe(() => {
-        const offset = virtualScrollElement.measureScrollOffset("top");
-        this.scrollPosition = offset;
-      });
+    let skipped = false;
+    this.scrollSubscription = fromEvent(scrollElement, "scroll").subscribe(() => {
+      if (!skipped) {
+        skipped = true;
+        return;
+      }
+      this.scrollPosition = scrollElement.scrollTop;
+    });
   }
 
   /** Stops the scroll listener from updating the stored location. */

From 65abeb51aad6b4c6462c3d41e91c6154aca8223e Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 21 Jan 2026 23:47:14 -0500
Subject: [PATCH 10/24] [PM-30500] Centralize Organization Data Ownership
 (#18387)

* remove deprecated OrganizationDataOwnership components, promote vNext

* WIP: add new components and copy

* multi step dialog for organization- data ownership

* disable save

* clean up copy, fix bug

* copy change, update button text

* update copy

* un-rename model

* use policyApiService

* simplify style
---
 .../organizations/policies/index.ts           |   2 +-
 .../auto-confirm-policy.component.ts          |   2 +-
 .../policies/policy-edit-definitions/index.ts |   5 +-
 ...organization-data-ownership.component.html |  55 ++++-
 .../organization-data-ownership.component.ts  |  87 ++++++-
 ...organization-data-ownership.component.html | 103 ++++----
 ...t-organization-data-ownership.component.ts |  53 +++--
 .../policies/policy-edit-dialog.component.ts  |  26 +-
 ...-confirm-edit-policy-dialog.component.html |   0
 ...to-confirm-edit-policy-dialog.component.ts |  21 +-
 .../policies/policy-edit-dialogs/index.ts     |   3 +
 .../policies/policy-edit-dialogs/models.ts    |   7 +
 ...wnership-edit-policy-dialog.component.html |  72 ++++++
 ...-ownership-edit-policy-dialog.component.ts | 224 ++++++++++++++++++
 apps/web/src/locales/en/messages.json         |  31 +++
 15 files changed, 586 insertions(+), 105 deletions(-)
 rename apps/web/src/app/admin-console/organizations/policies/{ => policy-edit-dialogs}/auto-confirm-edit-policy-dialog.component.html (100%)
 rename apps/web/src/app/admin-console/organizations/policies/{ => policy-edit-dialogs}/auto-confirm-edit-policy-dialog.component.ts (94%)
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/index.ts
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/models.ts
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.html
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.ts

diff --git a/apps/web/src/app/admin-console/organizations/policies/index.ts b/apps/web/src/app/admin-console/organizations/policies/index.ts
index 3042be240f7..eb614e180e1 100644
--- a/apps/web/src/app/admin-console/organizations/policies/index.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/index.ts
@@ -2,6 +2,6 @@ export { PoliciesComponent } from "./policies.component";
 export { ossPolicyEditRegister } from "./policy-edit-register";
 export { BasePolicyEditDefinition, BasePolicyEditComponent } from "./base-policy-edit.component";
 export { POLICY_EDIT_REGISTER } from "./policy-register-token";
-export { AutoConfirmPolicyDialogComponent } from "./auto-confirm-edit-policy-dialog.component";
 export { AutoConfirmPolicy } from "./policy-edit-definitions";
 export { PolicyEditDialogResult } from "./policy-edit-dialog.component";
+export * from "./policy-edit-dialogs";
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
index cf2a2929905..66074918084 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
@@ -15,8 +15,8 @@ import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 
 import { SharedModule } from "../../../../shared";
-import { AutoConfirmPolicyDialogComponent } from "../auto-confirm-edit-policy-dialog.component";
 import { BasePolicyEditDefinition, BasePolicyEditComponent } from "../base-policy-edit.component";
+import { AutoConfirmPolicyDialogComponent } from "../policy-edit-dialogs/auto-confirm-edit-policy-dialog.component";
 
 export class AutoConfirmPolicy extends BasePolicyEditDefinition {
   name = "autoConfirm";
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
index 9b46e228af9..042f9771529 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
@@ -1,7 +1,10 @@
 export { DisableSendPolicy } from "./disable-send.component";
 export { DesktopAutotypeDefaultSettingPolicy } from "./autotype-policy.component";
 export { MasterPasswordPolicy } from "./master-password.component";
-export { OrganizationDataOwnershipPolicy } from "./organization-data-ownership.component";
+export {
+  OrganizationDataOwnershipPolicy,
+  OrganizationDataOwnershipPolicyComponent,
+} from "./organization-data-ownership.component";
 export { PasswordGeneratorPolicy } from "./password-generator.component";
 export { RemoveUnlockWithPinPolicy } from "./remove-unlock-with-pin.component";
 export { RequireSsoPolicy } from "./require-sso.component";
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.html b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.html
index 2b6c86b1fdc..bd2237bc2fd 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.html
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.html
@@ -1,8 +1,57 @@
-<bit-callout type="warning">
-  {{ "personalOwnershipExemption" | i18n }}
-</bit-callout>
+<p>
+  {{ "organizationDataOwnershipDescContent" | i18n }}
+  <a
+    bitLink
+    href="https://bitwarden.com/resources/credential-lifecycle-management/"
+    target="_blank"
+  >
+    {{ "organizationDataOwnershipContentAnchor" | i18n }}.
+  </a>
+</p>
 
 <bit-form-control>
   <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />
   <bit-label>{{ "turnOn" | i18n }}</bit-label>
 </bit-form-control>
+
+<ng-template #dialog>
+  <bit-simple-dialog background="alt">
+    <span bitDialogTitle>{{ "organizationDataOwnershipWarningTitle" | i18n }}</span>
+    <ng-container bitDialogContent>
+      <div class="tw-text-left tw-overflow-hidden">
+        {{ "organizationDataOwnershipWarningContentTop" | i18n }}
+        <div class="tw-flex tw-flex-col tw-p-2">
+          <ul class="tw-list-disc tw-pl-5 tw-space-y-2 tw-break-words tw-mb-0">
+            <li>
+              {{ "organizationDataOwnershipWarning1" | i18n }}
+            </li>
+            <li>
+              {{ "organizationDataOwnershipWarning2" | i18n }}
+            </li>
+            <li>
+              {{ "organizationDataOwnershipWarning3" | i18n }}
+            </li>
+          </ul>
+        </div>
+        {{ "organizationDataOwnershipWarningContentBottom" | i18n }}
+        <a
+          bitLink
+          href="https://bitwarden.com/resources/credential-lifecycle-management/"
+          target="_blank"
+        >
+          {{ "organizationDataOwnershipContentAnchor" | i18n }}.
+        </a>
+      </div>
+    </ng-container>
+    <ng-container bitDialogFooter>
+      <span class="tw-flex tw-gap-2">
+        <button bitButton buttonType="primary" [bitDialogClose]="true" type="submit">
+          {{ "continue" | i18n }}
+        </button>
+        <button bitButton buttonType="secondary" [bitDialogClose]="false" type="button">
+          {{ "cancel" | i18n }}
+        </button>
+      </span>
+    </ng-container>
+  </bit-simple-dialog>
+</ng-template>
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.ts
index ceecf8f2ecc..e4a07b7440d 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/organization-data-ownership.component.ts
@@ -1,22 +1,38 @@
-import { ChangeDetectionStrategy, Component } from "@angular/core";
-import { of, Observable } from "rxjs";
+import { ChangeDetectionStrategy, Component, OnInit, TemplateRef, ViewChild } from "@angular/core";
+import { lastValueFrom, map, Observable } from "rxjs";
 
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { PolicyRequest } from "@bitwarden/common/admin-console/models/request/policy.request";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { OrgKey } from "@bitwarden/common/types/key";
+import { CenterPositionStrategy, DialogService } from "@bitwarden/components";
+import { EncString } from "@bitwarden/sdk-internal";
 
 import { SharedModule } from "../../../../shared";
 import { BasePolicyEditDefinition, BasePolicyEditComponent } from "../base-policy-edit.component";
 
+export interface VNextPolicyRequest {
+  policy: PolicyRequest;
+  metadata: {
+    defaultUserCollectionName: string;
+  };
+}
+
 export class OrganizationDataOwnershipPolicy extends BasePolicyEditDefinition {
   name = "organizationDataOwnership";
-  description = "personalOwnershipPolicyDesc";
+  description = "organizationDataOwnershipDesc";
   type = PolicyType.OrganizationDataOwnership;
   component = OrganizationDataOwnershipPolicyComponent;
+  showDescription = false;
 
-  display$(organization: Organization, configService: ConfigService): Observable<boolean> {
-    // TODO Remove this entire component upon verifying that it can be deleted due to its sole reliance of the CreateDefaultLocation feature flag
-    return of(false);
+  override display$(organization: Organization, configService: ConfigService): Observable<boolean> {
+    return configService
+      .getFeatureFlag$(FeatureFlag.MigrateMyVaultToMyItems)
+      .pipe(map((enabled) => !enabled));
   }
 }
 
@@ -26,4 +42,61 @@ export class OrganizationDataOwnershipPolicy extends BasePolicyEditDefinition {
   imports: [SharedModule],
   changeDetection: ChangeDetectionStrategy.OnPush,
 })
-export class OrganizationDataOwnershipPolicyComponent extends BasePolicyEditComponent {}
+export class OrganizationDataOwnershipPolicyComponent
+  extends BasePolicyEditComponent
+  implements OnInit
+{
+  constructor(
+    private dialogService: DialogService,
+    private i18nService: I18nService,
+    private encryptService: EncryptService,
+  ) {
+    super();
+  }
+
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
+  @ViewChild("dialog", { static: true }) warningContent!: TemplateRef<unknown>;
+
+  override async confirm(): Promise<boolean> {
+    if (this.policyResponse?.enabled && !this.enabled.value) {
+      const dialogRef = this.dialogService.open(this.warningContent, {
+        positionStrategy: new CenterPositionStrategy(),
+      });
+      const result = await lastValueFrom(dialogRef.closed);
+      return Boolean(result);
+    }
+    return true;
+  }
+
+  async buildVNextRequest(orgKey: OrgKey): Promise<VNextPolicyRequest> {
+    if (!this.policy) {
+      throw new Error("Policy was not found");
+    }
+
+    const defaultUserCollectionName = await this.getEncryptedDefaultUserCollectionName(orgKey);
+
+    const request: VNextPolicyRequest = {
+      policy: {
+        enabled: this.enabled.value ?? false,
+        data: this.buildRequestData(),
+      },
+      metadata: {
+        defaultUserCollectionName,
+      },
+    };
+
+    return request;
+  }
+
+  private async getEncryptedDefaultUserCollectionName(orgKey: OrgKey): Promise<EncString> {
+    const defaultCollectionName = this.i18nService.t("myItems");
+    const encrypted = await this.encryptService.encryptString(defaultCollectionName, orgKey);
+
+    if (!encrypted.encryptedString) {
+      throw new Error("Encryption error");
+    }
+
+    return encrypted.encryptedString;
+  }
+}
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.html b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.html
index bd2237bc2fd..e6c93b323c2 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.html
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.html
@@ -1,57 +1,52 @@
-<p>
-  {{ "organizationDataOwnershipDescContent" | i18n }}
-  <a
-    bitLink
-    href="https://bitwarden.com/resources/credential-lifecycle-management/"
-    target="_blank"
-  >
-    {{ "organizationDataOwnershipContentAnchor" | i18n }}.
-  </a>
-</p>
+<ng-container [ngTemplateOutlet]="steps[step()]()"></ng-container>
 
-<bit-form-control>
-  <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />
-  <bit-label>{{ "turnOn" | i18n }}</bit-label>
-</bit-form-control>
+<ng-template #step0>
+  <p>
+    {{ "centralizeDataOwnershipDesc" | i18n }}
+    <a
+      bitLink
+      href="https://bitwarden.com/resources/credential-lifecycle-management/"
+      target="_blank"
+    >
+      {{ "centralizeDataOwnershipContentAnchor" | i18n }}
+      <i class="bwi bwi-external-link"></i>
+    </a>
+  </p>
 
-<ng-template #dialog>
-  <bit-simple-dialog background="alt">
-    <span bitDialogTitle>{{ "organizationDataOwnershipWarningTitle" | i18n }}</span>
-    <ng-container bitDialogContent>
-      <div class="tw-text-left tw-overflow-hidden">
-        {{ "organizationDataOwnershipWarningContentTop" | i18n }}
-        <div class="tw-flex tw-flex-col tw-p-2">
-          <ul class="tw-list-disc tw-pl-5 tw-space-y-2 tw-break-words tw-mb-0">
-            <li>
-              {{ "organizationDataOwnershipWarning1" | i18n }}
-            </li>
-            <li>
-              {{ "organizationDataOwnershipWarning2" | i18n }}
-            </li>
-            <li>
-              {{ "organizationDataOwnershipWarning3" | i18n }}
-            </li>
-          </ul>
-        </div>
-        {{ "organizationDataOwnershipWarningContentBottom" | i18n }}
-        <a
-          bitLink
-          href="https://bitwarden.com/resources/credential-lifecycle-management/"
-          target="_blank"
-        >
-          {{ "organizationDataOwnershipContentAnchor" | i18n }}.
-        </a>
-      </div>
-    </ng-container>
-    <ng-container bitDialogFooter>
-      <span class="tw-flex tw-gap-2">
-        <button bitButton buttonType="primary" [bitDialogClose]="true" type="submit">
-          {{ "continue" | i18n }}
-        </button>
-        <button bitButton buttonType="secondary" [bitDialogClose]="false" type="button">
-          {{ "cancel" | i18n }}
-        </button>
-      </span>
-    </ng-container>
-  </bit-simple-dialog>
+  <div class="tw-text-left tw-overflow-hidden tw-mb-2">
+    <strong>{{ "benefits" | i18n }}:</strong>
+    <ul class="tw-pl-7 tw-space-y-2 tw-pt-2">
+      <li>
+        {{ "centralizeDataOwnershipBenefit1" | i18n }}
+      </li>
+      <li>
+        {{ "centralizeDataOwnershipBenefit2" | i18n }}
+      </li>
+      <li>
+        {{ "centralizeDataOwnershipBenefit3" | i18n }}
+      </li>
+    </ul>
+  </div>
+
+  <bit-form-control>
+    <input class="tw-mt-4" type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />
+    <bit-label>{{ "turnOn" | i18n }}</bit-label>
+  </bit-form-control>
+</ng-template>
+
+<ng-template #step1>
+  <div class="tw-flex tw-flex-col tw-gap-2 tw-overflow-hidden">
+    <span>
+      {{ "centralizeDataOwnershipWarningDesc" | i18n }}
+    </span>
+    <a
+      class="tw-mt-4"
+      bitLink
+      href="https://bitwarden.com/resources/credential-lifecycle-management/"
+      target="_blank"
+    >
+      {{ "centralizeDataOwnershipWarningLink" | i18n }}
+      <i class="bwi bwi-external-link"></i>
+    </a>
+  </div>
 </ng-template>
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.ts
index 59670457d88..e1b2f14d457 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/vnext-organization-data-ownership.component.ts
@@ -1,18 +1,30 @@
-import { ChangeDetectionStrategy, Component, OnInit, TemplateRef, ViewChild } from "@angular/core";
-import { lastValueFrom } from "rxjs";
+import {
+  ChangeDetectionStrategy,
+  Component,
+  OnInit,
+  signal,
+  Signal,
+  TemplateRef,
+  viewChild,
+  WritableSignal,
+} from "@angular/core";
+import { Observable } from "rxjs";
 
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { PolicyRequest } from "@bitwarden/common/admin-console/models/request/policy.request";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { OrgKey } from "@bitwarden/common/types/key";
-import { CenterPositionStrategy, DialogService } from "@bitwarden/components";
 import { EncString } from "@bitwarden/sdk-internal";
 
 import { SharedModule } from "../../../../shared";
 import { BasePolicyEditDefinition, BasePolicyEditComponent } from "../base-policy-edit.component";
+import { OrganizationDataOwnershipPolicyDialogComponent } from "../policy-edit-dialogs";
 
-interface VNextPolicyRequest {
+export interface VNextPolicyRequest {
   policy: PolicyRequest;
   metadata: {
     defaultUserCollectionName: string;
@@ -20,11 +32,17 @@ interface VNextPolicyRequest {
 }
 
 export class vNextOrganizationDataOwnershipPolicy extends BasePolicyEditDefinition {
-  name = "organizationDataOwnership";
-  description = "organizationDataOwnershipDesc";
+  name = "centralizeDataOwnership";
+  description = "centralizeDataOwnershipDesc";
   type = PolicyType.OrganizationDataOwnership;
   component = vNextOrganizationDataOwnershipPolicyComponent;
   showDescription = false;
+
+  editDialogComponent = OrganizationDataOwnershipPolicyDialogComponent;
+
+  override display$(organization: Organization, configService: ConfigService): Observable<boolean> {
+    return configService.getFeatureFlag$(FeatureFlag.MigrateMyVaultToMyItems);
+  }
 }
 
 @Component({
@@ -38,27 +56,16 @@ export class vNextOrganizationDataOwnershipPolicyComponent
   implements OnInit
 {
   constructor(
-    private dialogService: DialogService,
     private i18nService: I18nService,
     private encryptService: EncryptService,
   ) {
     super();
   }
+  private readonly policyForm: Signal<TemplateRef<any> | undefined> = viewChild("step0");
+  private readonly warningContent: Signal<TemplateRef<any> | undefined> = viewChild("step1");
+  protected readonly step: WritableSignal<number> = signal(0);
 
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @ViewChild("dialog", { static: true }) warningContent!: TemplateRef<unknown>;
-
-  override async confirm(): Promise<boolean> {
-    if (this.policyResponse?.enabled && !this.enabled.value) {
-      const dialogRef = this.dialogService.open(this.warningContent, {
-        positionStrategy: new CenterPositionStrategy(),
-      });
-      const result = await lastValueFrom(dialogRef.closed);
-      return Boolean(result);
-    }
-    return true;
-  }
+  protected steps = [this.policyForm, this.warningContent];
 
   async buildVNextRequest(orgKey: OrgKey): Promise<VNextPolicyRequest> {
     if (!this.policy) {
@@ -90,4 +97,8 @@ export class vNextOrganizationDataOwnershipPolicyComponent
 
     return encrypted.encryptedString;
   }
+
+  setStep(step: number) {
+    this.step.set(step);
+  }
 }
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
index c633ff5f421..f1b3d04cc7a 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
@@ -16,6 +16,7 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { OrganizationId } from "@bitwarden/common/types/guid";
+import { OrgKey } from "@bitwarden/common/types/key";
 import {
   DIALOG_DATA,
   DialogConfig,
@@ -28,7 +29,7 @@ import { KeyService } from "@bitwarden/key-management";
 import { SharedModule } from "../../../shared";
 
 import { BasePolicyEditDefinition, BasePolicyEditComponent } from "./base-policy-edit.component";
-import { vNextOrganizationDataOwnershipPolicyComponent } from "./policy-edit-definitions/vnext-organization-data-ownership.component";
+import { VNextPolicyRequest } from "./policy-edit-definitions/organization-data-ownership.component";
 
 export type PolicyEditDialogData = {
   /**
@@ -73,13 +74,24 @@ export class PolicyEditDialogComponent implements AfterViewInit {
     private formBuilder: FormBuilder,
     protected dialogRef: DialogRef<PolicyEditDialogResult>,
     protected toastService: ToastService,
-    private keyService: KeyService,
+    protected keyService: KeyService,
   ) {}
 
   get policy(): BasePolicyEditDefinition {
     return this.data.policy;
   }
 
+  /**
+   * Type guard to check if the policy component has the buildVNextRequest method.
+   */
+  private hasVNextRequest(
+    component: BasePolicyEditComponent,
+  ): component is BasePolicyEditComponent & {
+    buildVNextRequest: (orgKey: OrgKey) => Promise<VNextPolicyRequest>;
+  } {
+    return "buildVNextRequest" in component && typeof component.buildVNextRequest === "function";
+  }
+
   /**
    * Instantiates the child policy component and inserts it into the view.
    */
@@ -129,7 +141,7 @@ export class PolicyEditDialogComponent implements AfterViewInit {
     }
 
     try {
-      if (this.policyComponent instanceof vNextOrganizationDataOwnershipPolicyComponent) {
+      if (this.hasVNextRequest(this.policyComponent)) {
         await this.handleVNextSubmission(this.policyComponent);
       } else {
         await this.handleStandardSubmission();
@@ -158,7 +170,9 @@ export class PolicyEditDialogComponent implements AfterViewInit {
   }
 
   private async handleVNextSubmission(
-    policyComponent: vNextOrganizationDataOwnershipPolicyComponent,
+    policyComponent: BasePolicyEditComponent & {
+      buildVNextRequest: (orgKey: OrgKey) => Promise<VNextPolicyRequest>;
+    },
   ): Promise<void> {
     const orgKey = await firstValueFrom(
       this.accountService.activeAccount$.pipe(
@@ -173,12 +187,12 @@ export class PolicyEditDialogComponent implements AfterViewInit {
       throw new Error("No encryption key for this organization.");
     }
 
-    const vNextRequest = await policyComponent.buildVNextRequest(orgKey);
+    const request = await policyComponent.buildVNextRequest(orgKey);
 
     await this.policyApiService.putPolicyVNext(
       this.data.organizationId,
       this.data.policy.type,
-      vNextRequest,
+      request,
     );
   }
   static open = (dialogService: DialogService, config: DialogConfig<PolicyEditDialogData>) => {
diff --git a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/auto-confirm-edit-policy-dialog.component.html
similarity index 100%
rename from apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
rename to apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/auto-confirm-edit-policy-dialog.component.html
diff --git a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/auto-confirm-edit-policy-dialog.component.ts
similarity index 94%
rename from apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
rename to apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/auto-confirm-edit-policy-dialog.component.ts
index 9dfb8ebb7e7..fbdeffc71bb 100644
--- a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/auto-confirm-edit-policy-dialog.component.ts
@@ -41,20 +41,15 @@ import {
 } from "@bitwarden/components";
 import { KeyService } from "@bitwarden/key-management";
 
-import { SharedModule } from "../../../shared";
-
-import { AutoConfirmPolicyEditComponent } from "./policy-edit-definitions/auto-confirm-policy.component";
+import { SharedModule } from "../../../../shared";
+import { AutoConfirmPolicyEditComponent } from "../policy-edit-definitions/auto-confirm-policy.component";
 import {
   PolicyEditDialogComponent,
   PolicyEditDialogData,
   PolicyEditDialogResult,
-} from "./policy-edit-dialog.component";
+} from "../policy-edit-dialog.component";
 
-export type MultiStepSubmit = {
-  sideEffect: () => Promise<void>;
-  footerContent: Signal<TemplateRef<unknown> | undefined>;
-  titleContent: Signal<TemplateRef<unknown> | undefined>;
-};
+import { MultiStepSubmit } from "./models";
 
 export type AutoConfirmPolicyDialogData = PolicyEditDialogData & {
   firstTimeDialog?: boolean;
@@ -202,6 +197,7 @@ export class AutoConfirmPolicyDialogComponent
     }
 
     const autoConfirmRequest = await this.policyComponent.buildRequest();
+
     await this.policyApiService.putPolicy(
       this.data.organizationId,
       this.data.policy.type,
@@ -235,7 +231,7 @@ export class AutoConfirmPolicyDialogComponent
       data: null,
     };
 
-    await this.policyApiService.putPolicy(
+    await this.policyApiService.putPolicyVNext(
       this.data.organizationId,
       PolicyType.SingleOrg,
       singleOrgRequest,
@@ -260,7 +256,10 @@ export class AutoConfirmPolicyDialogComponent
 
     try {
       const multiStepSubmit = await firstValueFrom(this.multiStepSubmit);
-      await multiStepSubmit[this.currentStep()].sideEffect();
+      const sideEffect = multiStepSubmit[this.currentStep()].sideEffect;
+      if (sideEffect) {
+        await sideEffect();
+      }
 
       if (this.currentStep() === multiStepSubmit.length - 1) {
         this.dialogRef.close("saved");
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/index.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/index.ts
new file mode 100644
index 00000000000..307d0da04b0
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/index.ts
@@ -0,0 +1,3 @@
+export * from "./auto-confirm-edit-policy-dialog.component";
+export * from "./organization-data-ownership-edit-policy-dialog.component";
+export * from "./models";
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/models.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/models.ts
new file mode 100644
index 00000000000..86120623701
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/models.ts
@@ -0,0 +1,7 @@
+import { Signal, TemplateRef } from "@angular/core";
+
+export type MultiStepSubmit = {
+  sideEffect?: () => Promise<void>;
+  footerContent: Signal<TemplateRef<unknown> | undefined>;
+  titleContent: Signal<TemplateRef<unknown> | undefined>;
+};
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.html b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.html
new file mode 100644
index 00000000000..73691e94199
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.html
@@ -0,0 +1,72 @@
+<form [formGroup]="formGroup" [bitSubmit]="submit">
+  <bit-dialog [loading]="loading">
+    <ng-container bitDialogTitle>
+      @let title = multiStepSubmit()[currentStep()]?.titleContent();
+      @if (title) {
+        <ng-container [ngTemplateOutlet]="title"></ng-container>
+      }
+    </ng-container>
+
+    <ng-container bitDialogContent>
+      @if (loading) {
+        <div>
+          <i
+            class="bwi bwi-spinner bwi-spin tw-text-muted"
+            title="{{ 'loading' | i18n }}"
+            aria-hidden="true"
+          ></i>
+          <span class="tw-sr-only">{{ "loading" | i18n }}</span>
+        </div>
+      }
+      <div [hidden]="loading">
+        @if (policy.showDescription) {
+          <p bitTypography="body1">{{ policy.description | i18n }}</p>
+        }
+      </div>
+      <ng-template #policyForm></ng-template>
+    </ng-container>
+    <ng-container bitDialogFooter>
+      @let footer = multiStepSubmit()[currentStep()]?.footerContent();
+      @if (footer) {
+        <ng-container [ngTemplateOutlet]="footer"></ng-container>
+      }
+    </ng-container>
+  </bit-dialog>
+</form>
+
+<ng-template #step0Title>
+  {{ policy.name | i18n }}
+</ng-template>
+
+<ng-template #step1Title>
+  {{ "centralizeDataOwnershipWarningTitle" | i18n }}
+</ng-template>
+
+<ng-template #step0>
+  <button
+    bitButton
+    buttonType="primary"
+    [disabled]="saveDisabled$ | async"
+    bitFormButton
+    type="submit"
+  >
+    @if (policyComponent?.policyResponse?.enabled) {
+      {{ "save" | i18n }}
+    } @else {
+      {{ "continue" | i18n }}
+    }
+  </button>
+
+  <button bitButton buttonType="secondary" bitDialogClose type="button">
+    {{ "cancel" | i18n }}
+  </button>
+</ng-template>
+
+<ng-template #step1>
+  <button bitButton buttonType="primary" bitFormButton type="submit">
+    {{ "continue" | i18n }}
+  </button>
+  <button bitButton buttonType="secondary" bitDialogClose type="button">
+    {{ "cancel" | i18n }}
+  </button>
+</ng-template>
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.ts
new file mode 100644
index 00000000000..7869eab0063
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialogs/organization-data-ownership-edit-policy-dialog.component.ts
@@ -0,0 +1,224 @@
+import {
+  AfterViewInit,
+  ChangeDetectorRef,
+  Component,
+  Inject,
+  signal,
+  TemplateRef,
+  viewChild,
+  WritableSignal,
+} from "@angular/core";
+import { FormBuilder } from "@angular/forms";
+import {
+  catchError,
+  combineLatest,
+  defer,
+  firstValueFrom,
+  from,
+  map,
+  Observable,
+  of,
+  startWith,
+  switchMap,
+} from "rxjs";
+
+import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { assertNonNullish } from "@bitwarden/common/auth/utils";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { OrganizationId } from "@bitwarden/common/types/guid";
+import {
+  DIALOG_DATA,
+  DialogConfig,
+  DialogRef,
+  DialogService,
+  ToastService,
+} from "@bitwarden/components";
+import { KeyService } from "@bitwarden/key-management";
+
+import { SharedModule } from "../../../../shared";
+import { vNextOrganizationDataOwnershipPolicyComponent } from "../policy-edit-definitions";
+import {
+  PolicyEditDialogComponent,
+  PolicyEditDialogData,
+  PolicyEditDialogResult,
+} from "../policy-edit-dialog.component";
+
+import { MultiStepSubmit } from "./models";
+
+/**
+ * Custom policy dialog component for Centralize Organization Data
+ * Ownership policy. Satisfies the PolicyDialogComponent interface
+ * structurally via its static open() function.
+ */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
+@Component({
+  templateUrl: "organization-data-ownership-edit-policy-dialog.component.html",
+  imports: [SharedModule],
+})
+export class OrganizationDataOwnershipPolicyDialogComponent
+  extends PolicyEditDialogComponent
+  implements AfterViewInit
+{
+  policyType = PolicyType;
+
+  protected centralizeDataOwnershipEnabled$: Observable<boolean> = defer(() =>
+    from(
+      this.policyApiService.getPolicy(
+        this.data.organizationId,
+        PolicyType.OrganizationDataOwnership,
+      ),
+    ).pipe(
+      map((policy) => policy.enabled),
+      catchError(() => of(false)),
+    ),
+  );
+
+  protected readonly currentStep: WritableSignal<number> = signal(0);
+  protected readonly multiStepSubmit: WritableSignal<MultiStepSubmit[]> = signal([]);
+
+  private readonly policyForm = viewChild.required<TemplateRef<unknown>>("step0");
+  private readonly warningContent = viewChild.required<TemplateRef<unknown>>("step1");
+  private readonly policyFormTitle = viewChild.required<TemplateRef<unknown>>("step0Title");
+  private readonly warningTitle = viewChild.required<TemplateRef<unknown>>("step1Title");
+
+  override policyComponent: vNextOrganizationDataOwnershipPolicyComponent | undefined;
+
+  constructor(
+    @Inject(DIALOG_DATA) protected data: PolicyEditDialogData,
+    accountService: AccountService,
+    policyApiService: PolicyApiServiceAbstraction,
+    i18nService: I18nService,
+    cdr: ChangeDetectorRef,
+    formBuilder: FormBuilder,
+    dialogRef: DialogRef<PolicyEditDialogResult>,
+    toastService: ToastService,
+    protected keyService: KeyService,
+  ) {
+    super(
+      data,
+      accountService,
+      policyApiService,
+      i18nService,
+      cdr,
+      formBuilder,
+      dialogRef,
+      toastService,
+      keyService,
+    );
+  }
+
+  async ngAfterViewInit() {
+    await super.ngAfterViewInit();
+
+    if (this.policyComponent) {
+      this.saveDisabled$ = combineLatest([
+        this.centralizeDataOwnershipEnabled$,
+        this.policyComponent.enabled.valueChanges.pipe(
+          startWith(this.policyComponent.enabled.value),
+        ),
+      ]).pipe(map(([policyEnabled, value]) => !policyEnabled && !value));
+    }
+
+    this.multiStepSubmit.set(this.buildMultiStepSubmit());
+  }
+
+  private buildMultiStepSubmit(): MultiStepSubmit[] {
+    if (this.policyComponent?.policyResponse?.enabled) {
+      return [
+        {
+          sideEffect: () => this.handleSubmit(),
+          footerContent: this.policyForm,
+          titleContent: this.policyFormTitle,
+        },
+      ];
+    }
+
+    return [
+      {
+        footerContent: this.policyForm,
+        titleContent: this.policyFormTitle,
+      },
+      {
+        sideEffect: () => this.handleSubmit(),
+        footerContent: this.warningContent,
+        titleContent: this.warningTitle,
+      },
+    ];
+  }
+
+  private async handleSubmit() {
+    if (!this.policyComponent) {
+      throw new Error("PolicyComponent not initialized.");
+    }
+
+    const orgKey = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(
+        getUserId,
+        switchMap((userId) => this.keyService.orgKeys$(userId)),
+      ),
+    );
+
+    assertNonNullish(orgKey, "Org key not provided");
+
+    const request = await this.policyComponent.buildVNextRequest(
+      orgKey[this.data.organizationId as OrganizationId],
+    );
+
+    await this.policyApiService.putPolicyVNext(
+      this.data.organizationId,
+      this.data.policy.type,
+      request,
+    );
+
+    this.toastService.showToast({
+      variant: "success",
+      message: this.i18nService.t("editedPolicyId", this.i18nService.t(this.data.policy.name)),
+    });
+
+    if (!this.policyComponent.enabled.value) {
+      this.dialogRef.close("saved");
+    }
+  }
+
+  submit = async () => {
+    if (!this.policyComponent) {
+      throw new Error("PolicyComponent not initialized.");
+    }
+
+    if ((await this.policyComponent.confirm()) == false) {
+      this.dialogRef.close();
+      return;
+    }
+
+    try {
+      const sideEffect = this.multiStepSubmit()[this.currentStep()].sideEffect;
+      if (sideEffect) {
+        await sideEffect();
+      }
+
+      if (this.currentStep() === this.multiStepSubmit().length - 1) {
+        this.dialogRef.close("saved");
+        return;
+      }
+
+      this.currentStep.update((value) => value + 1);
+      this.policyComponent.setStep(this.currentStep());
+    } catch (error: any) {
+      this.toastService.showToast({
+        variant: "error",
+        message: error.message,
+      });
+    }
+  };
+
+  static open = (dialogService: DialogService, config: DialogConfig<PolicyEditDialogData>) => {
+    return dialogService.open<PolicyEditDialogResult>(
+      OrganizationDataOwnershipPolicyDialogComponent,
+      config,
+    );
+  };
+}
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index bf7c1a4c908..e7cc7c6cb5c 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -5915,6 +5915,37 @@
       }
     }
   },
+  "centralizeDataOwnership":{
+    "message": "Centralize organization ownership"
+  },
+  "centralizeDataOwnershipDesc":{
+    "message": "All member items will be owned and managed by the organization. Admins and owners are exempt. "
+  },
+  "centralizeDataOwnershipContentAnchor": {
+    "message": "Learn more about centralized ownership",
+    "description": "This will be used as a hyperlink"
+  },
+  "benefits":{
+    "message": "Benefits"
+  },
+  "centralizeDataOwnershipBenefit1":{
+    "message": "Gain full visibility into credential health, including shared and unshared items."
+  },
+  "centralizeDataOwnershipBenefit2":{
+    "message": "Easily transfer items during member offboarding and succession, ensuring there are no access gaps."
+  },
+  "centralizeDataOwnershipBenefit3":{
+    "message": "Give all users a dedicated \"My Items\" space for managing their own logins."
+  },
+  "centralizeDataOwnershipWarningTitle": {
+    "message": "Prompt members to transfer their items"
+  },
+  "centralizeDataOwnershipWarningDesc": {
+    "message": "If members have items in their individual vault, they will be prompted to either transfer them to the organization or leave. If they leave, their access is revoked but can be restored anytime."
+  },
+  "centralizeDataOwnershipWarningLink": {
+    "message": "Learn more about the transfer"
+  },
   "organizationDataOwnership": {
     "message": "Enforce organization data ownership"
   },

From 9a479544a66f70eb4e21d141b1a07be6db36b53f Mon Sep 17 00:00:00 2001
From: Oscar Hinton <Hinton@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:25:39 +0100
Subject: [PATCH 11/24] Add support for rounded layout (#18283)

---
 .../src/app/layout/desktop-layout.component.html      |  2 +-
 libs/components/src/layout/layout.component.html      |  3 ++-
 libs/components/src/layout/layout.component.ts        |  8 +++++++-
 libs/components/src/layout/layout.stories.ts          | 11 ++++++++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/apps/desktop/src/app/layout/desktop-layout.component.html b/apps/desktop/src/app/layout/desktop-layout.component.html
index cb969f573fc..f9921ac11ef 100644
--- a/apps/desktop/src/app/layout/desktop-layout.component.html
+++ b/apps/desktop/src/app/layout/desktop-layout.component.html
@@ -1,4 +1,4 @@
-<bit-layout class="!tw-h-full">
+<bit-layout class="!tw-h-full" rounded>
   <app-side-nav slot="side-nav">
     <bit-nav-logo [openIcon]="logo" route="." [label]="'passwordManager' | i18n" />
 
diff --git a/libs/components/src/layout/layout.component.html b/libs/components/src/layout/layout.component.html
index 255799b6690..66bfcafafe9 100644
--- a/libs/components/src/layout/layout.component.html
+++ b/libs/components/src/layout/layout.component.html
@@ -1,5 +1,5 @@
 @let mainContentId = "main-content";
-<div class="tw-flex tw-size-full">
+<div class="tw-flex tw-size-full" [class.tw-bg-background-alt3]="rounded()">
   <div class="tw-flex tw-size-full" cdkTrapFocus>
     <div
       class="tw-fixed tw-z-50 tw-w-full tw-flex tw-justify-center tw-opacity-0 focus-within:tw-opacity-100 tw-pointer-events-none focus-within:tw-pointer-events-auto"
@@ -24,6 +24,7 @@
       tabindex="-1"
       bitScrollLayoutHost
       class="tw-overflow-auto tw-max-h-full tw-min-w-0 tw-flex-1 tw-bg-background tw-p-8 tw-pt-6 tw-@container"
+      [class.tw-rounded-tl-2xl]="rounded()"
     >
       <!-- ^ If updating this padding, also update the padding correction in bit-banner! ^ -->
       <ng-content></ng-content>
diff --git a/libs/components/src/layout/layout.component.ts b/libs/components/src/layout/layout.component.ts
index 7460099cf92..5e3d420c8e5 100644
--- a/libs/components/src/layout/layout.component.ts
+++ b/libs/components/src/layout/layout.component.ts
@@ -1,7 +1,7 @@
 import { A11yModule, CdkTrapFocus } from "@angular/cdk/a11y";
 import { PortalModule } from "@angular/cdk/portal";
 import { CommonModule } from "@angular/common";
-import { Component, ElementRef, inject, viewChild } from "@angular/core";
+import { booleanAttribute, Component, ElementRef, inject, input, viewChild } from "@angular/core";
 import { RouterModule } from "@angular/router";
 
 import { DrawerHostDirective } from "../drawer/drawer-host.directive";
@@ -38,6 +38,12 @@ export class LayoutComponent {
   protected drawerPortal = inject(DrawerService).portal;
 
   private readonly mainContent = viewChild.required<ElementRef<HTMLElement>>("main");
+
+  /**
+   * Rounded top left corner for the main content area
+   */
+  readonly rounded = input(false, { transform: booleanAttribute });
+
   protected focusMainContent() {
     this.mainContent().nativeElement.focus();
   }
diff --git a/libs/components/src/layout/layout.stories.ts b/libs/components/src/layout/layout.stories.ts
index 59770c21d2e..75ae329a1b3 100644
--- a/libs/components/src/layout/layout.stories.ts
+++ b/libs/components/src/layout/layout.stories.ts
@@ -14,6 +14,8 @@ import { StorybookGlobalStateProvider } from "../utils/state-mock";
 import { LayoutComponent } from "./layout.component";
 import { mockLayoutI18n } from "./mocks";
 
+import { formatArgsForCodeSnippet } from ".storybook/format-args-for-code-snippet";
+
 export default {
   title: "Component Library/Layout",
   component: LayoutComponent,
@@ -63,7 +65,7 @@ export const WithContent: Story = {
   render: (args) => ({
     props: args,
     template: /* HTML */ `
-      <bit-layout>
+      <bit-layout ${formatArgsForCodeSnippet<LayoutComponent>(args)}>
         <bit-side-nav>
           <bit-nav-group text="Hello World (Anchor)" [route]="['a']" icon="bwi-filter">
             <bit-nav-item text="Child A" route="a" icon="bwi-filter"></bit-nav-item>
@@ -111,3 +113,10 @@ export const Secondary: Story = {
     `,
   }),
 };
+
+export const Rounded: Story = {
+  ...WithContent,
+  args: {
+    rounded: true,
+  },
+};

From 0433678085493060e061c34a6e0baafce920279e Mon Sep 17 00:00:00 2001
From: Oscar Hinton <Hinton@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:56:43 +0100
Subject: [PATCH 12/24] [PM-31029] Add feature flag for milestone 2 (#18458)

* Add feature flag for milestone 2

* Fix test

* Remove OnPush
---
 .../app/tools/send-v2/send-v2.component.html  | 118 ++++++++++++++----
 .../tools/send-v2/send-v2.component.spec.ts   |   7 +-
 .../app/tools/send-v2/send-v2.component.ts    | 118 +++++++++++++++---
 apps/desktop/src/scss/migration.scss          |  29 +++++
 apps/desktop/src/scss/styles.scss             |   1 +
 libs/common/src/enums/feature-flag.enum.ts    |   2 +
 6 files changed, 235 insertions(+), 40 deletions(-)
 create mode 100644 apps/desktop/src/scss/migration.scss

diff --git a/apps/desktop/src/app/tools/send-v2/send-v2.component.html b/apps/desktop/src/app/tools/send-v2/send-v2.component.html
index eda740fa721..dad0e541a4d 100644
--- a/apps/desktop/src/app/tools/send-v2/send-v2.component.html
+++ b/apps/desktop/src/app/tools/send-v2/send-v2.component.html
@@ -1,25 +1,93 @@
-<!-- Header with Send title and New button -->
-<app-header>
-  @if (!disableSend()) {
-    <tools-new-send-dropdown-v2 buttonType="primary" (addSend)="addSend($event)" />
-  }
-</app-header>
-<!-- Send List Component -->
-<tools-send-list
-  [sends]="filteredSends()"
-  [loading]="loading()"
-  [disableSend]="disableSend()"
-  [listState]="listState()"
-  [searchText]="currentSearchText()"
-  (editSend)="onEditSend($event)"
-  (copySend)="onCopySend($event)"
-  (deleteSend)="onDeleteSend($event)"
-  (removePassword)="onRemovePassword($event)"
->
-  <tools-new-send-dropdown-v2
-    slot="empty-button"
-    [hideIcon]="true"
-    buttonType="primary"
-    (addSend)="addSend($event)"
-  />
-</tools-send-list>
+@if (useDrawerEditMode()) {
+  <div class="tw-m-4 tw-p-4">
+    <!-- New dialog-based layout (feature flag enabled) -->
+    <!-- Header with Send title and New button -->
+    <app-header>
+      @if (!disableSend()) {
+        <tools-new-send-dropdown-v2 buttonType="primary" (addSend)="addSend($event)" />
+      }
+    </app-header>
+    <!-- Send List Component -->
+    <tools-send-list
+      [sends]="filteredSends()"
+      [loading]="loading()"
+      [disableSend]="disableSend()"
+      [listState]="listState()"
+      [searchText]="currentSearchText()"
+      (editSend)="onEditSend($event)"
+      (copySend)="onCopySend($event)"
+      (deleteSend)="onDeleteSend($event)"
+      (removePassword)="onRemovePassword($event)"
+    >
+      <tools-new-send-dropdown-v2
+        slot="empty-button"
+        [hideIcon]="true"
+        buttonType="primary"
+        (addSend)="addSend($event)"
+      />
+    </tools-send-list>
+  </div>
+} @else {
+  <!-- Old split-panel layout (feature flag disabled) -->
+  <div id="sends" class="vault">
+    <div class="send-items-panel tw-w-2/5">
+      <!-- Header with Send title and New button -->
+      <app-header class="tw-block tw-pt-6 tw-px-6">
+        @if (!disableSend()) {
+          <button type="button" bitButton buttonType="primary" (click)="addSendWithoutType()">
+            <i class="bwi bwi-plus" aria-hidden="true"></i>
+            {{ "new" | i18n }}
+          </button>
+        }
+      </app-header>
+      <div class="tw-mb-4 tw-px-6">
+        <!-- Send List Component -->
+        <tools-send-list
+          [sends]="filteredSends()"
+          [loading]="loading()"
+          [disableSend]="disableSend()"
+          [listState]="listState()"
+          [searchText]="currentSearchText()"
+          (editSend)="onEditSend($event)"
+          (copySend)="onCopySend($event)"
+          (deleteSend)="onDeleteSend($event)"
+          (removePassword)="onRemovePassword($event)"
+        >
+          <button
+            slot="empty-button"
+            type="button"
+            bitButton
+            buttonType="primary"
+            (click)="addSendWithoutType()"
+          >
+            {{ "newSend" | i18n }}
+          </button>
+        </tools-send-list>
+      </div>
+    </div>
+
+    <!-- Edit/Add panel (right side) -->
+    @if (action() == "add" || action() == "edit") {
+      <app-send-add-edit
+        id="addEdit"
+        class="details"
+        [sendId]="sendId()"
+        [type]="selectedSendType()"
+        (onSavedSend)="savedSend($event)"
+        (onCancelled)="closeEditPanel()"
+        (onDeletedSend)="closeEditPanel()"
+      ></app-send-add-edit>
+    }
+
+    <!-- Bitwarden logo (shown when no send is selected) -->
+    @if (!action()) {
+      <div class="logo tw-w-1/2">
+        <div class="content">
+          <div class="inner-content">
+            <img class="logo-image" alt="Bitwarden" aria-hidden="true" />
+          </div>
+        </div>
+      </div>
+    }
+  </div>
+}
diff --git a/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts b/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
index a73a0534ff9..3670713f8f3 100644
--- a/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
+++ b/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
@@ -49,6 +49,7 @@ describe("SendV2Component", () => {
   let sendApiService: MockProxy<SendApiService>;
   let toastService: MockProxy<ToastService>;
   let i18nService: MockProxy<I18nService>;
+  let configService: MockProxy<ConfigService>;
 
   beforeEach(async () => {
     sendService = mock<SendService>();
@@ -62,6 +63,10 @@ describe("SendV2Component", () => {
     sendApiService = mock<SendApiService>();
     toastService = mock<ToastService>();
     i18nService = mock<I18nService>();
+    configService = mock<ConfigService>();
+
+    // Setup configService mock - feature flag returns true to test the new drawer mode
+    configService.getFeatureFlag$.mockReturnValue(of(true));
 
     // Setup environmentService mock
     environmentService.getEnvironment.mockResolvedValue({
@@ -117,7 +122,7 @@ describe("SendV2Component", () => {
           useValue: mock<BillingAccountProfileStateService>(),
         },
         { provide: MessagingService, useValue: mock<MessagingService>() },
-        { provide: ConfigService, useValue: mock<ConfigService>() },
+        { provide: ConfigService, useValue: configService },
         {
           provide: ActivatedRoute,
           useValue: {
diff --git a/apps/desktop/src/app/tools/send-v2/send-v2.component.ts b/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
index 7fab0cb6702..95c0c971d2c 100644
--- a/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
+++ b/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
@@ -1,11 +1,13 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
 import {
-  ChangeDetectionStrategy,
   ChangeDetectorRef,
   Component,
+  computed,
   effect,
   inject,
+  signal,
+  viewChild,
 } from "@angular/core";
 import { toSignal } from "@angular/core/rxjs-interop";
 import { combineLatest, map, switchMap, lastValueFrom } from "rxjs";
@@ -15,6 +17,8 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -36,12 +40,27 @@ import {
 
 import { DesktopPremiumUpgradePromptService } from "../../../services/desktop-premium-upgrade-prompt.service";
 import { DesktopHeaderComponent } from "../../layout/header";
+import { AddEditComponent } from "../send/add-edit.component";
 
+const Action = Object.freeze({
+  /** No action is currently active. */
+  None: "",
+  /** The user is adding a new Send. */
+  Add: "add",
+  /** The user is editing an existing Send. */
+  Edit: "edit",
+} as const);
+
+type Action = (typeof Action)[keyof typeof Action];
+
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-send-v2",
   imports: [
     JslibModule,
     ButtonModule,
+    AddEditComponent,
     SendListComponent,
     NewSendDropdownV2Component,
     DesktopHeaderComponent,
@@ -54,13 +73,19 @@ import { DesktopHeaderComponent } from "../../layout/header";
     },
   ],
   templateUrl: "./send-v2.component.html",
-  changeDetection: ChangeDetectionStrategy.OnPush,
 })
 export class SendV2Component {
+  protected readonly addEditComponent = viewChild(AddEditComponent);
+
+  protected readonly sendId = signal<string | null>(null);
+  protected readonly action = signal<Action>(Action.None);
+  private readonly selectedSendTypeOverride = signal<SendType | undefined>(undefined);
+
   private sendFormConfigService = inject(DefaultSendFormConfigService);
   private sendItemsService = inject(SendItemsService);
   private policyService = inject(PolicyService);
   private accountService = inject(AccountService);
+  private configService = inject(ConfigService);
   private i18nService = inject(I18nService);
   private platformUtilsService = inject(PlatformUtilsService);
   private environmentService = inject(EnvironmentService);
@@ -70,6 +95,11 @@ export class SendV2Component {
   private logService = inject(LogService);
   private cdr = inject(ChangeDetectorRef);
 
+  protected readonly useDrawerEditMode = toSignal(
+    this.configService.getFeatureFlag$(FeatureFlag.DesktopUiMigrationMilestone2),
+    { initialValue: false },
+  );
+
   protected readonly filteredSends = toSignal(this.sendItemsService.filteredAndSortedSends$, {
     initialValue: [],
   });
@@ -119,28 +149,79 @@ export class SendV2Component {
     });
   }
 
+  protected readonly selectedSendType = computed(() => {
+    const action = this.action();
+    const typeOverride = this.selectedSendTypeOverride();
+
+    if (action === Action.Add && typeOverride !== undefined) {
+      return typeOverride;
+    }
+
+    const sendId = this.sendId();
+    return this.filteredSends().find((s) => s.id === sendId)?.type;
+  });
+
   protected async addSend(type: SendType): Promise<void> {
-    const formConfig = await this.sendFormConfigService.buildConfig("add", undefined, type);
+    if (this.useDrawerEditMode()) {
+      const formConfig = await this.sendFormConfigService.buildConfig("add", undefined, type);
 
-    const dialogRef = SendAddEditDialogComponent.openDrawer(this.dialogService, {
-      formConfig,
-    });
+      const dialogRef = SendAddEditDialogComponent.openDrawer(this.dialogService, {
+        formConfig,
+      });
 
-    await lastValueFrom(dialogRef.closed);
+      await lastValueFrom(dialogRef.closed);
+    } else {
+      this.action.set(Action.Add);
+      this.sendId.set(null);
+      this.selectedSendTypeOverride.set(type);
+
+      const component = this.addEditComponent();
+      if (component) {
+        await component.resetAndLoad();
+      }
+    }
   }
 
-  protected async selectSend(sendId: SendId): Promise<void> {
-    const formConfig = await this.sendFormConfigService.buildConfig("edit", sendId);
+  /** Used by old UI to add a send without specifying type (defaults to Text) */
+  protected async addSendWithoutType(): Promise<void> {
+    await this.addSend(SendType.Text);
+  }
 
-    const dialogRef = SendAddEditDialogComponent.openDrawer(this.dialogService, {
-      formConfig,
-    });
+  protected closeEditPanel(): void {
+    this.action.set(Action.None);
+    this.sendId.set(null);
+    this.selectedSendTypeOverride.set(undefined);
+  }
 
-    await lastValueFrom(dialogRef.closed);
+  protected async savedSend(send: SendView): Promise<void> {
+    await this.selectSend(send.id);
+  }
+
+  protected async selectSend(sendId: string): Promise<void> {
+    if (this.useDrawerEditMode()) {
+      const formConfig = await this.sendFormConfigService.buildConfig("edit", sendId as SendId);
+
+      const dialogRef = SendAddEditDialogComponent.openDrawer(this.dialogService, {
+        formConfig,
+      });
+
+      await lastValueFrom(dialogRef.closed);
+    } else {
+      if (sendId === this.sendId() && this.action() === Action.Edit) {
+        return;
+      }
+      this.action.set(Action.Edit);
+      this.sendId.set(sendId);
+      const component = this.addEditComponent();
+      if (component) {
+        component.sendId = sendId;
+        await component.refresh();
+      }
+    }
   }
 
   protected async onEditSend(send: SendView): Promise<void> {
-    await this.selectSend(send.id as SendId);
+    await this.selectSend(send.id);
   }
 
   protected async onCopySend(send: SendView): Promise<void> {
@@ -176,6 +257,11 @@ export class SendV2Component {
         title: null,
         message: this.i18nService.t("removedPassword"),
       });
+
+      if (!this.useDrawerEditMode() && this.sendId() === send.id) {
+        this.sendId.set(null);
+        await this.selectSend(send.id);
+      }
     } catch (e) {
       this.logService.error(e);
     }
@@ -199,5 +285,9 @@ export class SendV2Component {
       title: null,
       message: this.i18nService.t("deletedSend"),
     });
+
+    if (!this.useDrawerEditMode()) {
+      this.closeEditPanel();
+    }
   }
 }
diff --git a/apps/desktop/src/scss/migration.scss b/apps/desktop/src/scss/migration.scss
new file mode 100644
index 00000000000..ba70d4fa009
--- /dev/null
+++ b/apps/desktop/src/scss/migration.scss
@@ -0,0 +1,29 @@
+/**
+ * Desktop UI Migration
+ *
+ * These are temporary styles during the desktop ui migration.
+ **/
+
+/**
+ * This removes any padding applied by the bit-layout to content.
+ * This should be revisited once the table is migrated, and again once drawers are migrated.
+ **/
+bit-layout {
+  #main-content {
+    padding: 0 0 0 0;
+  }
+}
+/**
+ * Send list panel styling for send-v2 component
+ * Temporary during migration - width handled by tw-w-2/5
+ **/
+.vault > .send-items-panel {
+  order: 2;
+  min-width: 200px;
+  border-right: 1px solid;
+
+  @include themify($themes) {
+    background-color: themed("backgroundColor");
+    border-right-color: themed("borderColor");
+  }
+}
diff --git a/apps/desktop/src/scss/styles.scss b/apps/desktop/src/scss/styles.scss
index c579e6acdc0..b4082afd38c 100644
--- a/apps/desktop/src/scss/styles.scss
+++ b/apps/desktop/src/scss/styles.scss
@@ -15,5 +15,6 @@
 @import "left-nav.scss";
 @import "loading.scss";
 @import "plugins.scss";
+@import "migration.scss";
 @import "../../../../libs/angular/src/scss/icons.scss";
 @import "../../../../libs/components/src/multi-select/scss/bw.theme";
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index 9f6beb5f81e..f82c095d45f 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -76,6 +76,7 @@ export enum FeatureFlag {
 
   /* Desktop */
   DesktopUiMigrationMilestone1 = "desktop-ui-migration-milestone-1",
+  DesktopUiMigrationMilestone2 = "desktop-ui-migration-milestone-2",
 
   /* UIF */
   RouterFocusManagement = "router-focus-management",
@@ -164,6 +165,7 @@ export const DefaultFeatureFlagValue = {
 
   /* Desktop */
   [FeatureFlag.DesktopUiMigrationMilestone1]: FALSE,
+  [FeatureFlag.DesktopUiMigrationMilestone2]: FALSE,
 
   /* UIF */
   [FeatureFlag.RouterFocusManagement]: FALSE,

From d0e3923eb602ad2133b315e4102269c3dc5ba204 Mon Sep 17 00:00:00 2001
From: Isaiah Inuwa <iinuwa@bitwarden.com>
Date: Thu, 22 Jan 2026 05:58:37 -0600
Subject: [PATCH 13/24] Improve desktop autofill developer builds (#18334)

* Consolidate references to credential provider feature flag
* Adjust entitlements and build stuff for macOS autofill credential extension
* Reduce signature time for MAS builds
---
 apps/desktop/electron-builder.json            |  3 +-
 .../autofill_extension_enabled.entitlements   | 14 ++++
 .../macos/desktop.xcodeproj/project.pbxproj   |  4 +-
 .../xcschemes/autofill-extension.xcscheme     | 71 +++++++++++++++++++
 apps/desktop/package.json                     |  2 +-
 .../entitlements.mas.autofill-enabled.plist   | 42 +++++++++++
 apps/desktop/scripts/after-sign.js            |  5 +-
 .../services/desktop-autofill.service.ts      | 42 ++++++-----
 8 files changed, 161 insertions(+), 22 deletions(-)
 create mode 100644 apps/desktop/macos/autofill-extension/autofill_extension_enabled.entitlements
 create mode 100644 apps/desktop/macos/desktop.xcodeproj/xcshareddata/xcschemes/autofill-extension.xcscheme
 create mode 100644 apps/desktop/resources/entitlements.mas.autofill-enabled.plist

diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index 83bd2921551..481d12f02b4 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -85,7 +85,8 @@
     "signIgnore": [
       "MacOS/desktop_proxy",
       "MacOS/desktop_proxy.inherit",
-      "Contents/Plugins/autofill-extension.appex"
+      "Contents/Plugins/autofill-extension.appex",
+      "Frameworks/Electron Framework.framework/(Electron Framework|Libraries|Resources|Versions/Current)/.*"
     ],
     "target": ["dmg", "zip"]
   },
diff --git a/apps/desktop/macos/autofill-extension/autofill_extension_enabled.entitlements b/apps/desktop/macos/autofill-extension/autofill_extension_enabled.entitlements
new file mode 100644
index 00000000000..49fda8f8af8
--- /dev/null
+++ b/apps/desktop/macos/autofill-extension/autofill_extension_enabled.entitlements
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>LTZ2PFU5D6.com.bitwarden.desktop</string>
+	</array>
+	<key>com.apple.developer.authentication-services.autofill-credential-provider</key>
+	<true/>
+</dict>
+</plist>
diff --git a/apps/desktop/macos/desktop.xcodeproj/project.pbxproj b/apps/desktop/macos/desktop.xcodeproj/project.pbxproj
index ed19fc9ef5d..c3cb34b6bea 100644
--- a/apps/desktop/macos/desktop.xcodeproj/project.pbxproj
+++ b/apps/desktop/macos/desktop.xcodeproj/project.pbxproj
@@ -256,7 +256,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = D83832AD2D67B9D0003FB9F8 /* ReleaseDeveloper.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_ENTITLEMENTS = "autofill-extension/autofill_extension.entitlements";
+				CODE_SIGN_ENTITLEMENTS = "autofill-extension/autofill_extension_enabled.entitlements";
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Mac Developer";
 				CODE_SIGN_STYLE = Manual;
@@ -409,7 +409,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = D83832AB2D67B9AE003FB9F8 /* Debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_ENTITLEMENTS = "autofill-extension/autofill_extension.entitlements";
+				CODE_SIGN_ENTITLEMENTS = "autofill-extension/autofill_extension_enabled.entitlements";
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Mac Developer";
 				CODE_SIGN_STYLE = Manual;
diff --git a/apps/desktop/macos/desktop.xcodeproj/xcshareddata/xcschemes/autofill-extension.xcscheme b/apps/desktop/macos/desktop.xcodeproj/xcshareddata/xcschemes/autofill-extension.xcscheme
new file mode 100644
index 00000000000..18357be4570
--- /dev/null
+++ b/apps/desktop/macos/desktop.xcodeproj/xcshareddata/xcschemes/autofill-extension.xcscheme
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "2610"
+   version = "2.0">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "E1DF713B2B342F6900F29026"
+               BuildableName = "autofill-extension.appex"
+               BlueprintName = "autofill-extension"
+               ReferencedContainer = "container:desktop.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      shouldAutocreateTestPlan = "YES">
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = ""
+      selectedLauncherIdentifier = "Xcode.IDEFoundation.Launcher.PosixSpawn"
+      launchStyle = "0"
+      askForAppToLaunch = "Yes"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES"
+      launchAutomaticallySubstyle = "2">
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "ReleaseAppStore"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES"
+      askForAppToLaunch = "Yes"
+      launchAutomaticallySubstyle = "2">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "E1DF713B2B342F6900F29026"
+            BuildableName = "autofill-extension.appex"
+            BlueprintName = "autofill-extension"
+            ReferencedContainer = "container:desktop.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "ReleaseAppStore"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index ad20e7c0e69..174f3a22a23 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -46,7 +46,7 @@
     "pack:mac:with-extension": "npm run clean:dist && npm run build:macos-extension:mac && electron-builder --mac --universal -p never",
     "pack:mac:arm64": "npm run clean:dist && electron-builder --mac --arm64 -p never",
     "pack:mac:mas": "npm run clean:dist && npm run build:macos-extension:mas && electron-builder --mac mas --universal -p never",
-    "pack:mac:masdev": "npm run clean:dist && npm run build:macos-extension:masdev && electron-builder --mac mas-dev --universal -p never",
+    "pack:mac:masdev": "npm run clean:dist && electron-builder --mac mas-dev --universal -p never -c.mac.identity=null -c.mas.identity=$CSC_NAME -c.mas.provisioningProfile=bitwarden_desktop_developer_id.provisionprofile -c.mas.entitlements=resources/entitlements.mas.autofill-enabled.plist",
     "pack:local:mac": "npm run clean:dist && npm run build:macos-extension:masdev && electron-builder --mac mas-dev --universal -p never -c.mac.provisioningProfile=\"\" -c.mas.provisioningProfile=\"\"",
     "pack:win": "npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p never",
     "pack:win:beta": "npm run clean:dist && electron-builder --config electron-builder.beta.json --win --x64 --arm64 --ia32 -p never",
diff --git a/apps/desktop/resources/entitlements.mas.autofill-enabled.plist b/apps/desktop/resources/entitlements.mas.autofill-enabled.plist
new file mode 100644
index 00000000000..f25780e5c12
--- /dev/null
+++ b/apps/desktop/resources/entitlements.mas.autofill-enabled.plist
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>LTZ2PFU5D6.com.bitwarden.desktop</string>
+	<key>com.apple.developer.team-identifier</key>
+	<string>LTZ2PFU5D6</string>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>LTZ2PFU5D6.com.bitwarden.desktop</string>
+	</array>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.device.usb</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
+	<array>
+		<string>/Library/Application Support/Mozilla/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Google/Chrome/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Google/Chrome Beta/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Google/Chrome Dev/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Google/Chrome Canary/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Chromium/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Microsoft Edge/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Microsoft Edge Beta/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Microsoft Edge Dev/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Microsoft Edge Canary/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Vivaldi/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/Zen/NativeMessagingHosts/</string>
+		<string>/Library/Application Support/net.imput.helium</string>
+	</array>
+	<key>com.apple.developer.authentication-services.autofill-credential-provider</key>
+	<true/>
+</dict>
+</plist>
diff --git a/apps/desktop/scripts/after-sign.js b/apps/desktop/scripts/after-sign.js
index 4275ec7d051..0e0e22fc24a 100644
--- a/apps/desktop/scripts/after-sign.js
+++ b/apps/desktop/scripts/after-sign.js
@@ -16,7 +16,9 @@ async function run(context) {
   const appPath = `${context.appOutDir}/${appName}.app`;
   const macBuild = context.electronPlatformName === "darwin";
   const copySafariExtension = ["darwin", "mas"].includes(context.electronPlatformName);
-  const copyAutofillExtension = ["darwin"].includes(context.electronPlatformName); // Disabled for mas builds
+  const isMasDevBuild =
+    context.electronPlatformName === "mas" && context.targets.at(0)?.name === "mas-dev";
+  const copyAutofillExtension = ["darwin"].includes(context.electronPlatformName) || isMasDevBuild;
 
   let shouldResign = false;
 
@@ -31,7 +33,6 @@ async function run(context) {
         fse.mkdirSync(path.join(appPath, "Contents/PlugIns"));
       }
       fse.copySync(extensionPath, path.join(appPath, "Contents/PlugIns/autofill-extension.appex"));
-      shouldResign = true;
     }
   }
 
diff --git a/apps/desktop/src/autofill/services/desktop-autofill.service.ts b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
index c50964e31e3..e5cd85aa7a3 100644
--- a/apps/desktop/src/autofill/services/desktop-autofill.service.ts
+++ b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
@@ -10,6 +10,7 @@ import {
   mergeMap,
   switchMap,
   takeUntil,
+  tap,
 } from "rxjs";
 
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
@@ -52,6 +53,8 @@ import type { NativeWindowObject } from "./desktop-fido2-user-interface.service"
 export class DesktopAutofillService implements OnDestroy {
   private destroy$ = new Subject<void>();
   private registrationRequest: autofill.PasskeyRegistrationRequest;
+  private featureFlag?: FeatureFlag;
+  private isEnabled: boolean = false;
 
   constructor(
     private logService: LogService,
@@ -60,19 +63,26 @@ export class DesktopAutofillService implements OnDestroy {
     private fido2AuthenticatorService: Fido2AuthenticatorServiceAbstraction<NativeWindowObject>,
     private accountService: AccountService,
     private authService: AuthService,
-    private platformUtilsService: PlatformUtilsService,
-  ) {}
+    platformUtilsService: PlatformUtilsService,
+  ) {
+    const deviceType = platformUtilsService.getDevice();
+    if (deviceType === DeviceType.MacOsDesktop) {
+      this.featureFlag = FeatureFlag.MacOsNativeCredentialSync;
+    }
+  }
 
   async init() {
-    // Currently only supported for MacOS
-    if (this.platformUtilsService.getDevice() !== DeviceType.MacOsDesktop) {
+    this.isEnabled =
+      this.featureFlag && (await this.configService.getFeatureFlag(this.featureFlag));
+    if (!this.isEnabled) {
       return;
     }
 
     this.configService
-      .getFeatureFlag$(FeatureFlag.MacOsNativeCredentialSync)
+      .getFeatureFlag$(this.featureFlag)
       .pipe(
         distinctUntilChanged(),
+        tap((enabled) => (this.isEnabled = enabled)),
         filter((enabled) => enabled === true), // Only proceed if feature is enabled
         switchMap(() => {
           return combineLatest([
@@ -199,11 +209,11 @@ export class DesktopAutofillService implements OnDestroy {
 
   listenIpc() {
     ipc.autofill.listenPasskeyRegistration(async (clientId, sequenceNumber, request, callback) => {
-      if (!(await this.configService.getFeatureFlag(FeatureFlag.MacOsNativeCredentialSync))) {
+      if (!this.isEnabled) {
         this.logService.debug(
-          "listenPasskeyRegistration: MacOsNativeCredentialSync feature flag is disabled",
+          `listenPasskeyRegistration: Native credential sync feature flag (${this.featureFlag}) is disabled`,
         );
-        callback(new Error("MacOsNativeCredentialSync feature flag is disabled"), null);
+        callback(new Error("Native credential sync feature flag is disabled"), null);
         return;
       }
 
@@ -230,11 +240,11 @@ export class DesktopAutofillService implements OnDestroy {
 
     ipc.autofill.listenPasskeyAssertionWithoutUserInterface(
       async (clientId, sequenceNumber, request, callback) => {
-        if (!(await this.configService.getFeatureFlag(FeatureFlag.MacOsNativeCredentialSync))) {
+        if (!this.isEnabled) {
           this.logService.debug(
-            "listenPasskeyAssertionWithoutUserInterface: MacOsNativeCredentialSync feature flag is disabled",
+            `listenPasskeyAssertionWithoutUserInterface: Native credential sync feature flag (${this.featureFlag}) is disabled`,
           );
-          callback(new Error("MacOsNativeCredentialSync feature flag is disabled"), null);
+          callback(new Error("Native credential sync feature flag is disabled"), null);
           return;
         }
 
@@ -297,11 +307,11 @@ export class DesktopAutofillService implements OnDestroy {
     );
 
     ipc.autofill.listenPasskeyAssertion(async (clientId, sequenceNumber, request, callback) => {
-      if (!(await this.configService.getFeatureFlag(FeatureFlag.MacOsNativeCredentialSync))) {
+      if (!this.isEnabled) {
         this.logService.debug(
-          "listenPasskeyAssertion: MacOsNativeCredentialSync feature flag is disabled",
+          `listenPasskeyAssertion: Native credential sync feature flag (${this.featureFlag}) is disabled`,
         );
-        callback(new Error("MacOsNativeCredentialSync feature flag is disabled"), null);
+        callback(new Error("Native credential sync feature flag is disabled"), null);
         return;
       }
 
@@ -324,9 +334,9 @@ export class DesktopAutofillService implements OnDestroy {
 
     // Listen for native status messages
     ipc.autofill.listenNativeStatus(async (clientId, sequenceNumber, status) => {
-      if (!(await this.configService.getFeatureFlag(FeatureFlag.MacOsNativeCredentialSync))) {
+      if (!this.isEnabled) {
         this.logService.debug(
-          "listenNativeStatus: MacOsNativeCredentialSync feature flag is disabled",
+          `listenNativeStatus: Native credential sync feature flag (${this.featureFlag}) is disabled`,
         );
         return;
       }

From 1ccacb03a6e511949a3b4dd9e9474af8b5103285 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Thu, 22 Jan 2026 13:01:49 +0100
Subject: [PATCH 14/24] [PM-27233] Support v2 encryption for JIT Password
 signups (#18222)

* Support v2 encryption for JIT Password signups

* TDE set master password split

* update sdk-internal dependency

* moved encryption v2 to InitializeJitPasswordUserService

* remove account cryptographic state legacy states from #18164

* legacy state comments

* sdk update

* unit test coverage

* consolidate do SetInitialPasswordService

* replace legacy master key with setLegacyMasterKeyFromUnlockData

* typo

* web and desktop overrides with unit tests

* early return

* compact validation

* simplify super prototype
---
 .../src/app/services/services.module.ts       |   2 +
 ...sktop-set-initial-password.service.spec.ts |  43 ++-
 .../desktop-set-initial-password.service.ts   |  13 +
 .../web-set-initial-password.service.spec.ts  |  40 ++-
 .../web-set-initial-password.service.ts       |  15 +
 apps/web/src/app/core/core.module.ts          |  24 +-
 ...initial-password.service.implementation.ts | 215 +++++++++++---
 ...fault-set-initial-password.service.spec.ts | 273 +++++++++++++++++-
 .../set-initial-password.component.ts         | 113 ++++++--
 ...et-initial-password.service.abstraction.ts |  30 +-
 .../src/services/jslib-services.module.ts     |  13 +-
 libs/common/src/enums/feature-flag.enum.ts    |   2 +
 package-lock.json                             |  16 +-
 package.json                                  |   4 +-
 14 files changed, 693 insertions(+), 110 deletions(-)

diff --git a/apps/desktop/src/app/services/services.module.ts b/apps/desktop/src/app/services/services.module.ts
index a5a91c52e7e..66613efd115 100644
--- a/apps/desktop/src/app/services/services.module.ts
+++ b/apps/desktop/src/app/services/services.module.ts
@@ -89,6 +89,7 @@ import {
   PlatformUtilsService,
   PlatformUtilsService as PlatformUtilsServiceAbstraction,
 } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { SdkClientFactory } from "@bitwarden/common/platform/abstractions/sdk/sdk-client-factory";
 import { SdkLoadService } from "@bitwarden/common/platform/abstractions/sdk/sdk-load.service";
 import { StateService as StateServiceAbstraction } from "@bitwarden/common/platform/abstractions/state.service";
@@ -432,6 +433,7 @@ const safeProviders: SafeProvider[] = [
       InternalUserDecryptionOptionsServiceAbstraction,
       MessagingServiceAbstraction,
       AccountCryptographicStateService,
+      RegisterSdkService,
     ],
   }),
   safeProvider({
diff --git a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts
index 6b29a464e2c..9bb7d5077cf 100644
--- a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts
+++ b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts
@@ -1,8 +1,10 @@
-import { MockProxy, mock } from "jest-mock-extended";
+import { mock, MockProxy } from "jest-mock-extended";
 import { BehaviorSubject, of } from "rxjs";
 
 import { OrganizationUserApiService } from "@bitwarden/admin-console/common";
+import { DefaultSetInitialPasswordService } from "@bitwarden/angular/auth/password-management/set-initial-password/default-set-initial-password.service.implementation";
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordUserType,
@@ -19,12 +21,14 @@ import { AccountCryptographicStateService } from "@bitwarden/common/key-manageme
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { CsprngArray } from "@bitwarden/common/types/csprng";
-import { UserId } from "@bitwarden/common/types/guid";
+import { OrganizationId, UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey } from "@bitwarden/common/types/key";
 import { DEFAULT_KDF_CONFIG, KdfConfigService, KeyService } from "@bitwarden/key-management";
 
@@ -45,6 +49,7 @@ describe("DesktopSetInitialPasswordService", () => {
   let userDecryptionOptionsService: MockProxy<InternalUserDecryptionOptionsServiceAbstraction>;
   let messagingService: MockProxy<MessagingService>;
   let accountCryptographicStateService: MockProxy<AccountCryptographicStateService>;
+  let registerSdkService: MockProxy<RegisterSdkService>;
 
   beforeEach(() => {
     apiService = mock<ApiService>();
@@ -59,6 +64,7 @@ describe("DesktopSetInitialPasswordService", () => {
     userDecryptionOptionsService = mock<InternalUserDecryptionOptionsServiceAbstraction>();
     messagingService = mock<MessagingService>();
     accountCryptographicStateService = mock<AccountCryptographicStateService>();
+    registerSdkService = mock<RegisterSdkService>();
 
     sut = new DesktopSetInitialPasswordService(
       apiService,
@@ -73,6 +79,7 @@ describe("DesktopSetInitialPasswordService", () => {
       userDecryptionOptionsService,
       messagingService,
       accountCryptographicStateService,
+      registerSdkService,
     );
   });
 
@@ -179,4 +186,36 @@ describe("DesktopSetInitialPasswordService", () => {
       });
     });
   });
+
+  describe("initializePasswordJitPasswordUserV2Encryption(...)", () => {
+    it("should send a 'redrawMenu' message", async () => {
+      // Arrange
+      const credentials: InitializeJitPasswordCredentials = {
+        newPasswordHint: "newPasswordHint",
+        orgSsoIdentifier: "orgSsoIdentifier",
+        orgId: "orgId" as OrganizationId,
+        resetPasswordAutoEnroll: false,
+        newPassword: "newPassword123!",
+        salt: "user@example.com" as MasterPasswordSalt,
+      };
+      const userId = "userId" as UserId;
+
+      const superSpy = jest
+        .spyOn(
+          DefaultSetInitialPasswordService.prototype,
+          "initializePasswordJitPasswordUserV2Encryption",
+        )
+        .mockResolvedValue(undefined);
+
+      // Act
+      await sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+      // Assert
+      expect(superSpy).toHaveBeenCalledWith(credentials, userId);
+      expect(messagingService.send).toHaveBeenCalledTimes(1);
+      expect(messagingService.send).toHaveBeenCalledWith("redrawMenu");
+
+      superSpy.mockRestore();
+    });
+  });
 });
diff --git a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts
index cedfa3fe589..f9fb8361056 100644
--- a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts
+++ b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts
@@ -1,6 +1,7 @@
 import { OrganizationUserApiService } from "@bitwarden/admin-console/common";
 import { DefaultSetInitialPasswordService } from "@bitwarden/angular/auth/password-management/set-initial-password/default-set-initial-password.service.implementation";
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordUserType,
@@ -14,6 +15,7 @@ import { EncryptService } from "@bitwarden/common/key-management/crypto/abstract
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { UserId } from "@bitwarden/common/types/guid";
 import { KdfConfigService, KeyService } from "@bitwarden/key-management";
 
@@ -34,6 +36,7 @@ export class DesktopSetInitialPasswordService
     protected userDecryptionOptionsService: InternalUserDecryptionOptionsServiceAbstraction,
     private messagingService: MessagingService,
     protected accountCryptographicStateService: AccountCryptographicStateService,
+    protected registerSdkService: RegisterSdkService,
   ) {
     super(
       apiService,
@@ -47,6 +50,7 @@ export class DesktopSetInitialPasswordService
       organizationUserApiService,
       userDecryptionOptionsService,
       accountCryptographicStateService,
+      registerSdkService,
     );
   }
 
@@ -59,4 +63,13 @@ export class DesktopSetInitialPasswordService
 
     this.messagingService.send("redrawMenu");
   }
+
+  override async initializePasswordJitPasswordUserV2Encryption(
+    credentials: InitializeJitPasswordCredentials,
+    userId: UserId,
+  ): Promise<void> {
+    await super.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+    this.messagingService.send("redrawMenu");
+  }
 }
diff --git a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.spec.ts b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.spec.ts
index 1bbaa0ec236..b09b5f0bc9a 100644
--- a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.spec.ts
+++ b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.spec.ts
@@ -3,6 +3,7 @@ import { BehaviorSubject, of } from "rxjs";
 
 import { OrganizationUserApiService } from "@bitwarden/admin-console/common";
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordUserType,
@@ -20,11 +21,13 @@ import { AccountCryptographicStateService } from "@bitwarden/common/key-manageme
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { CsprngArray } from "@bitwarden/common/types/csprng";
-import { UserId } from "@bitwarden/common/types/guid";
+import { OrganizationId, UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey } from "@bitwarden/common/types/key";
 import { DEFAULT_KDF_CONFIG, KdfConfigService, KeyService } from "@bitwarden/key-management";
 import { RouterService } from "@bitwarden/web-vault/app/core";
@@ -47,6 +50,7 @@ describe("WebSetInitialPasswordService", () => {
   let organizationInviteService: MockProxy<OrganizationInviteService>;
   let routerService: MockProxy<RouterService>;
   let accountCryptographicStateService: MockProxy<AccountCryptographicStateService>;
+  let registerSdkService: MockProxy<RegisterSdkService>;
 
   beforeEach(() => {
     apiService = mock<ApiService>();
@@ -62,6 +66,7 @@ describe("WebSetInitialPasswordService", () => {
     organizationInviteService = mock<OrganizationInviteService>();
     routerService = mock<RouterService>();
     accountCryptographicStateService = mock<AccountCryptographicStateService>();
+    registerSdkService = mock<RegisterSdkService>();
 
     sut = new WebSetInitialPasswordService(
       apiService,
@@ -77,6 +82,7 @@ describe("WebSetInitialPasswordService", () => {
       organizationInviteService,
       routerService,
       accountCryptographicStateService,
+      registerSdkService,
     );
   });
 
@@ -208,4 +214,36 @@ describe("WebSetInitialPasswordService", () => {
       });
     });
   });
+
+  describe("initializePasswordJitPasswordUserV2Encryption(...)", () => {
+    it("should call routerService.getAndClearLoginRedirectUrl() and organizationInviteService.clearOrganizationInvitation()", async () => {
+      // Arrange
+      const credentials: InitializeJitPasswordCredentials = {
+        newPasswordHint: "newPasswordHint",
+        orgSsoIdentifier: "orgSsoIdentifier",
+        orgId: "orgId" as OrganizationId,
+        resetPasswordAutoEnroll: false,
+        newPassword: "newPassword123!",
+        salt: "user@example.com" as MasterPasswordSalt,
+      };
+      const userId = "userId" as UserId;
+
+      const superSpy = jest
+        .spyOn(
+          Object.getPrototypeOf(Object.getPrototypeOf(sut)),
+          "initializePasswordJitPasswordUserV2Encryption",
+        )
+        .mockResolvedValue(undefined);
+
+      // Act
+      await sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+      // Assert
+      expect(superSpy).toHaveBeenCalledWith(credentials, userId);
+      expect(routerService.getAndClearLoginRedirectUrl).toHaveBeenCalledTimes(1);
+      expect(organizationInviteService.clearOrganizationInvitation).toHaveBeenCalledTimes(1);
+
+      superSpy.mockRestore();
+    });
+  });
 });
diff --git a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts
index 303b9148e8e..0b8dba6c40e 100644
--- a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts
+++ b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts
@@ -1,6 +1,7 @@
 import { OrganizationUserApiService } from "@bitwarden/admin-console/common";
 import { DefaultSetInitialPasswordService } from "@bitwarden/angular/auth/password-management/set-initial-password/default-set-initial-password.service.implementation";
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordUserType,
@@ -14,6 +15,7 @@ import { AccountCryptographicStateService } from "@bitwarden/common/key-manageme
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { UserId } from "@bitwarden/common/types/guid";
 import { KdfConfigService, KeyService } from "@bitwarden/key-management";
 import { RouterService } from "@bitwarden/web-vault/app/core";
@@ -36,6 +38,7 @@ export class WebSetInitialPasswordService
     private organizationInviteService: OrganizationInviteService,
     private routerService: RouterService,
     protected accountCryptographicStateService: AccountCryptographicStateService,
+    protected registerSdkService: RegisterSdkService,
   ) {
     super(
       apiService,
@@ -49,6 +52,7 @@ export class WebSetInitialPasswordService
       organizationUserApiService,
       userDecryptionOptionsService,
       accountCryptographicStateService,
+      registerSdkService,
     );
   }
 
@@ -83,4 +87,15 @@ export class WebSetInitialPasswordService
     await this.routerService.getAndClearLoginRedirectUrl();
     await this.organizationInviteService.clearOrganizationInvitation();
   }
+
+  override async initializePasswordJitPasswordUserV2Encryption(
+    credentials: InitializeJitPasswordCredentials,
+    userId: UserId,
+  ): Promise<void> {
+    await super.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+    // TODO: Investigate refactoring the following logic in https://bitwarden.atlassian.net/browse/PM-22615
+    await this.routerService.getAndClearLoginRedirectUrl();
+    await this.organizationInviteService.clearOrganizationInvitation();
+  }
 }
diff --git a/apps/web/src/app/core/core.module.ts b/apps/web/src/app/core/core.module.ts
index 661d14502fe..7b248eee8a3 100644
--- a/apps/web/src/app/core/core.module.ts
+++ b/apps/web/src/app/core/core.module.ts
@@ -6,11 +6,11 @@ import { Router } from "@angular/router";
 
 import {
   CollectionAdminService,
-  DefaultCollectionAdminService,
-  OrganizationUserApiService,
   CollectionService,
-  OrganizationUserService,
+  DefaultCollectionAdminService,
   DefaultOrganizationUserService,
+  OrganizationUserApiService,
+  OrganizationUserService,
 } from "@bitwarden/admin-console/common";
 import { DefaultDeviceManagementComponentService } from "@bitwarden/angular/auth/device-management/default-device-management-component.service";
 import { DeviceManagementComponentServiceAbstraction } from "@bitwarden/angular/auth/device-management/device-management-component.service.abstraction";
@@ -27,17 +27,17 @@ import {
   OBSERVABLE_DISK_LOCAL_STORAGE,
   OBSERVABLE_DISK_STORAGE,
   OBSERVABLE_MEMORY_STORAGE,
+  SafeInjectionToken,
   SECURE_STORAGE,
   SYSTEM_LANGUAGE,
-  SafeInjectionToken,
   WINDOW,
 } from "@bitwarden/angular/services/injection-tokens";
 import { JslibServicesModule } from "@bitwarden/angular/services/jslib-services.module";
 import {
-  RegistrationFinishService as RegistrationFinishServiceAbstraction,
   LoginComponentService,
-  SsoComponentService,
   LoginDecryptionOptionsService,
+  RegistrationFinishService as RegistrationFinishServiceAbstraction,
+  SsoComponentService,
   TwoFactorAuthDuoComponentService,
 } from "@bitwarden/auth/angular";
 import {
@@ -90,6 +90,7 @@ import { I18nService as I18nServiceAbstraction } from "@bitwarden/common/platfor
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { SdkClientFactory } from "@bitwarden/common/platform/abstractions/sdk/sdk-client-factory";
 import { SdkLoadService } from "@bitwarden/common/platform/abstractions/sdk/sdk-load.service";
 import { AbstractStorageService } from "@bitwarden/common/platform/abstractions/storage.service";
@@ -120,9 +121,9 @@ import { DialogService, ToastService } from "@bitwarden/components";
 import { GeneratorServicesModule } from "@bitwarden/generator-components";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/generator-legacy";
 import {
+  BiometricsService,
   KdfConfigService,
   KeyService as KeyServiceAbstraction,
-  BiometricsService,
 } from "@bitwarden/key-management";
 import {
   LockComponentService,
@@ -135,17 +136,17 @@ import { WebVaultPremiumUpgradePromptService } from "@bitwarden/web-vault/app/va
 
 import { flagEnabled } from "../../utils/flags";
 import {
-  POLICY_EDIT_REGISTER,
   ossPolicyEditRegister,
+  POLICY_EDIT_REGISTER,
 } from "../admin-console/organizations/policies";
 import {
+  LinkSsoService,
   WebChangePasswordService,
-  WebRegistrationFinishService,
   WebLoginComponentService,
   WebLoginDecryptionOptionsService,
-  WebTwoFactorAuthDuoComponentService,
-  LinkSsoService,
+  WebRegistrationFinishService,
   WebSetInitialPasswordService,
+  WebTwoFactorAuthDuoComponentService,
 } from "../auth";
 import { WebSsoComponentService } from "../auth/core/services/login/web-sso-component.service";
 import { WebPremiumInterestStateService } from "../billing/services/premium-interest/web-premium-interest-state.service";
@@ -320,6 +321,7 @@ const safeProviders: SafeProvider[] = [
       OrganizationInviteService,
       RouterService,
       AccountCryptographicStateService,
+      RegisterSdkService,
     ],
   }),
   safeProvider({
diff --git a/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.implementation.ts b/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.implementation.ts
index 2f5c43e2db9..3f6023c1205 100644
--- a/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.implementation.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.implementation.ts
@@ -1,4 +1,4 @@
-import { firstValueFrom } from "rxjs";
+import { concatMap, firstValueFrom } from "rxjs";
 
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
@@ -19,19 +19,32 @@ import { AccountCryptographicStateService } from "@bitwarden/common/key-manageme
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
-import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
+import {
+  MasterPasswordSalt,
+  MasterPasswordUnlockData,
+} from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
+import { asUuid } from "@bitwarden/common/platform/abstractions/sdk/sdk.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey } from "@bitwarden/common/types/key";
-import { KdfConfigService, KeyService, KdfConfig } from "@bitwarden/key-management";
+import {
+  fromSdkKdfConfig,
+  KdfConfig,
+  KdfConfigService,
+  KeyService,
+} from "@bitwarden/key-management";
+import { OrganizationId as SdkOrganizationId, UserId as SdkUserId } from "@bitwarden/sdk-internal";
 
 import {
-  SetInitialPasswordService,
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
-  SetInitialPasswordUserType,
+  SetInitialPasswordService,
   SetInitialPasswordTdeOffboardingCredentials,
+  SetInitialPasswordUserType,
 } from "./set-initial-password.service.abstraction";
 
 export class DefaultSetInitialPasswordService implements SetInitialPasswordService {
@@ -47,6 +60,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     protected organizationUserApiService: OrganizationUserApiService,
     protected userDecryptionOptionsService: InternalUserDecryptionOptionsServiceAbstraction,
     protected accountCryptographicStateService: AccountCryptographicStateService,
+    protected registerSdkService: RegisterSdkService,
   ) {}
 
   async setInitialPassword(
@@ -199,6 +213,126 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     }
   }
 
+  async setInitialPasswordTdeOffboarding(
+    credentials: SetInitialPasswordTdeOffboardingCredentials,
+    userId: UserId,
+  ) {
+    const { newMasterKey, newServerMasterKeyHash, newPasswordHint } = credentials;
+    for (const [key, value] of Object.entries(credentials)) {
+      if (value == null) {
+        throw new Error(`${key} not found. Could not set password.`);
+      }
+    }
+
+    if (userId == null) {
+      throw new Error("userId not found. Could not set password.");
+    }
+
+    const userKey = await firstValueFrom(this.keyService.userKey$(userId));
+    if (userKey == null) {
+      throw new Error("userKey not found. Could not set password.");
+    }
+
+    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
+      newMasterKey,
+      userKey,
+    );
+
+    if (!newMasterKeyEncryptedUserKey[1].encryptedString) {
+      throw new Error("newMasterKeyEncryptedUserKey not found. Could not set password.");
+    }
+
+    const request = new UpdateTdeOffboardingPasswordRequest();
+    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
+    request.newMasterPasswordHash = newServerMasterKeyHash;
+    request.masterPasswordHint = newPasswordHint;
+
+    await this.masterPasswordApiService.putUpdateTdeOffboardingPassword(request);
+
+    // Clear force set password reason to allow navigation back to vault.
+    await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
+  }
+
+  async initializePasswordJitPasswordUserV2Encryption(
+    credentials: InitializeJitPasswordCredentials,
+    userId: UserId,
+  ): Promise<void> {
+    if (userId == null) {
+      throw new Error("User ID is required.");
+    }
+
+    for (const [key, value] of Object.entries(credentials)) {
+      if (value == null) {
+        throw new Error(`${key} is required.`);
+      }
+    }
+
+    const { newPasswordHint, orgSsoIdentifier, orgId, resetPasswordAutoEnroll, newPassword, salt } =
+      credentials;
+
+    const organizationKeys = await this.organizationApiService.getKeys(orgId);
+    if (organizationKeys == null) {
+      throw new Error("Organization keys response is null.");
+    }
+
+    const registerResult = await firstValueFrom(
+      this.registerSdkService.registerClient$(userId).pipe(
+        concatMap(async (sdk) => {
+          if (!sdk) {
+            throw new Error("SDK not available");
+          }
+
+          using ref = sdk.take();
+          return await ref.value
+            .auth()
+            .registration()
+            .post_keys_for_jit_password_registration({
+              org_id: asUuid<SdkOrganizationId>(orgId),
+              org_public_key: organizationKeys.publicKey,
+              master_password: newPassword,
+              master_password_hint: newPasswordHint,
+              salt: salt,
+              organization_sso_identifier: orgSsoIdentifier,
+              user_id: asUuid<SdkUserId>(userId),
+              reset_password_enroll: resetPasswordAutoEnroll,
+            });
+        }),
+      ),
+    );
+
+    if (!("V2" in registerResult.account_cryptographic_state)) {
+      throw new Error("Unexpected V2 account cryptographic state");
+    }
+
+    // Note: When SDK state management matures, these should be moved into post_keys_for_tde_registration
+    // Set account cryptography state
+    await this.accountCryptographicStateService.setAccountCryptographicState(
+      registerResult.account_cryptographic_state,
+      userId,
+    );
+
+    // Clear force set password reason to allow navigation back to vault.
+    await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
+
+    const masterPasswordUnlockData = MasterPasswordUnlockData.fromSdk(
+      registerResult.master_password_unlock,
+    );
+    await this.masterPasswordService.setMasterPasswordUnlockData(masterPasswordUnlockData, userId);
+
+    await this.keyService.setUserKey(
+      SymmetricCryptoKey.fromString(registerResult.user_key) as UserKey,
+      userId,
+    );
+
+    await this.updateLegacyState(
+      newPassword,
+      fromSdkKdfConfig(registerResult.master_password_unlock.kdf),
+      new EncString(registerResult.master_password_unlock.masterKeyWrappedUserKey),
+      userId,
+      masterPasswordUnlockData,
+    );
+  }
+
   private async makeMasterKeyEncryptedUserKey(
     masterKey: MasterKey,
     userId: UserId,
@@ -244,6 +378,37 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     await this.keyService.setUserKey(masterKeyEncryptedUserKey[0], userId);
   }
 
+  // Deprecated legacy support - to be removed in future
+  private async updateLegacyState(
+    newPassword: string,
+    kdfConfig: KdfConfig,
+    masterKeyWrappedUserKey: EncString,
+    userId: UserId,
+    masterPasswordUnlockData: MasterPasswordUnlockData,
+  ) {
+    // TODO Remove HasMasterPassword from UserDecryptionOptions https://bitwarden.atlassian.net/browse/PM-23475
+    const userDecryptionOpts = await firstValueFrom(
+      this.userDecryptionOptionsService.userDecryptionOptionsById$(userId),
+    );
+    userDecryptionOpts.hasMasterPassword = true;
+    await this.userDecryptionOptionsService.setUserDecryptionOptionsById(
+      userId,
+      userDecryptionOpts,
+    );
+
+    // TODO Remove KDF state https://bitwarden.atlassian.net/browse/PM-30661
+    await this.kdfConfigService.setKdfConfig(userId, kdfConfig);
+    // TODO Remove master key memory state https://bitwarden.atlassian.net/browse/PM-23477
+    await this.masterPasswordService.setMasterKeyEncryptedUserKey(masterKeyWrappedUserKey, userId);
+
+    // TODO Removed with https://bitwarden.atlassian.net/browse/PM-30676
+    await this.masterPasswordService.setLegacyMasterKeyFromUnlockData(
+      newPassword,
+      masterPasswordUnlockData,
+      userId,
+    );
+  }
+
   /**
    * As part of [PM-28494], adding this setting path to accommodate the changes that are
    * emerging with pm-23246-unlock-with-master-password-unlock-data.
@@ -310,44 +475,4 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
       enrollmentRequest,
     );
   }
-
-  async setInitialPasswordTdeOffboarding(
-    credentials: SetInitialPasswordTdeOffboardingCredentials,
-    userId: UserId,
-  ) {
-    const { newMasterKey, newServerMasterKeyHash, newPasswordHint } = credentials;
-    for (const [key, value] of Object.entries(credentials)) {
-      if (value == null) {
-        throw new Error(`${key} not found. Could not set password.`);
-      }
-    }
-
-    if (userId == null) {
-      throw new Error("userId not found. Could not set password.");
-    }
-
-    const userKey = await firstValueFrom(this.keyService.userKey$(userId));
-    if (userKey == null) {
-      throw new Error("userKey not found. Could not set password.");
-    }
-
-    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
-      newMasterKey,
-      userKey,
-    );
-
-    if (!newMasterKeyEncryptedUserKey[1].encryptedString) {
-      throw new Error("newMasterKeyEncryptedUserKey not found. Could not set password.");
-    }
-
-    const request = new UpdateTdeOffboardingPasswordRequest();
-    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
-    request.newMasterPasswordHash = newServerMasterKeyHash;
-    request.masterPasswordHint = newPasswordHint;
-
-    await this.masterPasswordApiService.putUpdateTdeOffboardingPassword(request);
-
-    // Clear force set password reason to allow navigation back to vault.
-    await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
-  }
 }
diff --git a/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.spec.ts b/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.spec.ts
index af4505371d3..6b3981a5231 100644
--- a/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.spec.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.spec.ts
@@ -1,5 +1,8 @@
-import { MockProxy, mock } from "jest-mock-extended";
-import { BehaviorSubject, of } from "rxjs";
+// Polyfill for Symbol.dispose required by the service's use of `using` keyword
+import "core-js/proposals/explicit-resource-management";
+
+import { mock, MockProxy } from "jest-mock-extended";
+import { BehaviorSubject, Observable, of } from "rxjs";
 
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
@@ -27,17 +30,35 @@ import {
   EncString,
 } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import {
+  MasterPasswordSalt,
+  MasterPasswordUnlockData,
+} from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
+import { Rc } from "@bitwarden/common/platform/misc/reference-counting/rc";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { makeEncString, makeSymmetricCryptoKey } from "@bitwarden/common/spec";
 import { CsprngArray } from "@bitwarden/common/types/csprng";
-import { UserId } from "@bitwarden/common/types/guid";
+import { OrganizationId, UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey, UserPrivateKey, UserPublicKey } from "@bitwarden/common/types/key";
-import { DEFAULT_KDF_CONFIG, KdfConfigService, KeyService } from "@bitwarden/key-management";
+import {
+  DEFAULT_KDF_CONFIG,
+  fromSdkKdfConfig,
+  KdfConfigService,
+  KeyService,
+} from "@bitwarden/key-management";
+import {
+  AuthClient,
+  BitwardenClient,
+  WrappedAccountCryptographicState,
+} from "@bitwarden/sdk-internal";
 
 import { DefaultSetInitialPasswordService } from "./default-set-initial-password.service.implementation";
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordTdeOffboardingCredentials,
@@ -58,6 +79,7 @@ describe("DefaultSetInitialPasswordService", () => {
   let organizationUserApiService: MockProxy<OrganizationUserApiService>;
   let userDecryptionOptionsService: MockProxy<InternalUserDecryptionOptionsServiceAbstraction>;
   let accountCryptographicStateService: MockProxy<AccountCryptographicStateService>;
+  const registerSdkService = mock<RegisterSdkService>();
 
   let userId: UserId;
   let userKey: UserKey;
@@ -94,6 +116,7 @@ describe("DefaultSetInitialPasswordService", () => {
       organizationUserApiService,
       userDecryptionOptionsService,
       accountCryptographicStateService,
+      registerSdkService,
     );
   });
 
@@ -834,4 +857,246 @@ describe("DefaultSetInitialPasswordService", () => {
       });
     });
   });
+
+  describe("initializePasswordJitPasswordUserV2Encryption()", () => {
+    let mockSdkRef: {
+      value: MockProxy<BitwardenClient>;
+      [Symbol.dispose]: jest.Mock;
+    };
+    let mockSdk: {
+      take: jest.Mock;
+    };
+    let mockRegistration: jest.Mock;
+
+    const userId = "d4e2e3a1-1b5e-4c3b-8d7a-9f8e7d6c5b4a" as UserId;
+    const orgId = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d" as OrganizationId;
+
+    const credentials: InitializeJitPasswordCredentials = {
+      newPasswordHint: "test-hint",
+      orgSsoIdentifier: "org-sso-id",
+      orgId: orgId,
+      resetPasswordAutoEnroll: false,
+      newPassword: "Test@Password123!",
+      salt: "user@example.com" as unknown as MasterPasswordSalt,
+    };
+
+    const orgKeys: OrganizationKeysResponse = {
+      publicKey: "org-public-key-base64",
+      privateKey: "org-private-key-encrypted",
+    } as OrganizationKeysResponse;
+
+    const sdkRegistrationResult = {
+      account_cryptographic_state: {
+        V2: {
+          private_key: makeEncString().encryptedString!,
+          signed_public_key: "test-signed-public-key",
+          signing_key: makeEncString().encryptedString!,
+          security_state: "test-security-state",
+        },
+      },
+      master_password_unlock: {
+        kdf: {
+          pBKDF2: {
+            iterations: 600000,
+          },
+        },
+        masterKeyWrappedUserKey: makeEncString().encryptedString!,
+        salt: "user@example.com" as unknown as MasterPasswordSalt,
+      },
+      user_key: makeSymmetricCryptoKey(64).keyB64,
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+
+      mockSdkRef = {
+        value: mock<BitwardenClient>(),
+        [Symbol.dispose]: jest.fn(),
+      };
+
+      mockSdkRef.value.auth.mockReturnValue({
+        registration: jest.fn().mockReturnValue({
+          post_keys_for_jit_password_registration: jest.fn(),
+        }),
+      } as unknown as AuthClient);
+
+      mockSdk = {
+        take: jest.fn().mockReturnValue(mockSdkRef),
+      };
+
+      registerSdkService.registerClient$.mockReturnValue(
+        of(mockSdk) as unknown as Observable<Rc<BitwardenClient>>,
+      );
+
+      organizationApiService.getKeys.mockResolvedValue(orgKeys);
+
+      mockRegistration = mockSdkRef.value.auth().registration()
+        .post_keys_for_jit_password_registration as unknown as jest.Mock;
+      mockRegistration.mockResolvedValue(sdkRegistrationResult);
+
+      const mockUserDecryptionOpts = new UserDecryptionOptions({ hasMasterPassword: false });
+      userDecryptionOptionsService.userDecryptionOptionsById$.mockReturnValue(
+        of(mockUserDecryptionOpts),
+      );
+    });
+
+    it("should successfully initialize JIT password user", async () => {
+      await sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+      expect(organizationApiService.getKeys).toHaveBeenCalledWith(credentials.orgId);
+
+      expect(registerSdkService.registerClient$).toHaveBeenCalledWith(userId);
+      expect(mockRegistration).toHaveBeenCalledWith(
+        expect.objectContaining({
+          org_id: credentials.orgId,
+          org_public_key: orgKeys.publicKey,
+          master_password: credentials.newPassword,
+          master_password_hint: credentials.newPasswordHint,
+          salt: credentials.salt,
+          organization_sso_identifier: credentials.orgSsoIdentifier,
+          user_id: userId,
+          reset_password_enroll: credentials.resetPasswordAutoEnroll,
+        }),
+      );
+
+      expect(accountCryptographicStateService.setAccountCryptographicState).toHaveBeenCalledWith(
+        sdkRegistrationResult.account_cryptographic_state,
+        userId,
+      );
+
+      expect(masterPasswordService.setForceSetPasswordReason).toHaveBeenCalledWith(
+        ForceSetPasswordReason.None,
+        userId,
+      );
+
+      expect(masterPasswordService.setMasterPasswordUnlockData).toHaveBeenCalledWith(
+        MasterPasswordUnlockData.fromSdk(sdkRegistrationResult.master_password_unlock),
+        userId,
+      );
+
+      expect(keyService.setUserKey).toHaveBeenCalledWith(
+        SymmetricCryptoKey.fromString(sdkRegistrationResult.user_key) as UserKey,
+        userId,
+      );
+
+      // Verify legacy state updates below
+      expect(userDecryptionOptionsService.userDecryptionOptionsById$).toHaveBeenCalledWith(userId);
+      expect(userDecryptionOptionsService.setUserDecryptionOptionsById).toHaveBeenCalledWith(
+        userId,
+        expect.objectContaining({ hasMasterPassword: true }),
+      );
+
+      expect(kdfConfigService.setKdfConfig).toHaveBeenCalledWith(
+        userId,
+        fromSdkKdfConfig(sdkRegistrationResult.master_password_unlock.kdf),
+      );
+
+      expect(masterPasswordService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(
+        new EncString(sdkRegistrationResult.master_password_unlock.masterKeyWrappedUserKey),
+        userId,
+      );
+
+      expect(masterPasswordService.setLegacyMasterKeyFromUnlockData).toHaveBeenCalledWith(
+        credentials.newPassword,
+        MasterPasswordUnlockData.fromSdk(sdkRegistrationResult.master_password_unlock),
+        userId,
+      );
+    });
+
+    describe("input validation", () => {
+      it.each([
+        "newPasswordHint",
+        "orgSsoIdentifier",
+        "orgId",
+        "resetPasswordAutoEnroll",
+        "newPassword",
+        "salt",
+      ])("should throw error when %s is null", async (field) => {
+        const invalidCredentials = {
+          ...credentials,
+          [field]: null,
+        } as unknown as InitializeJitPasswordCredentials;
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(
+          invalidCredentials,
+          userId,
+        );
+
+        await expect(promise).rejects.toThrow(`${field} is required.`);
+
+        expect(organizationApiService.getKeys).not.toHaveBeenCalled();
+        expect(registerSdkService.registerClient$).not.toHaveBeenCalled();
+      });
+
+      it("should throw error when userId is null", async () => {
+        const nullUserId = null as unknown as UserId;
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, nullUserId);
+
+        await expect(promise).rejects.toThrow("User ID is required.");
+        expect(organizationApiService.getKeys).not.toHaveBeenCalled();
+      });
+    });
+
+    describe("organization API error handling", () => {
+      it("should throw when organizationApiService.getKeys returns null", async () => {
+        organizationApiService.getKeys.mockResolvedValue(
+          null as unknown as OrganizationKeysResponse,
+        );
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+        await expect(promise).rejects.toThrow("Organization keys response is null.");
+        expect(organizationApiService.getKeys).toHaveBeenCalledWith(credentials.orgId);
+        expect(registerSdkService.registerClient$).not.toHaveBeenCalled();
+      });
+
+      it("should throw when organizationApiService.getKeys rejects", async () => {
+        const apiError = new Error("API network error");
+        organizationApiService.getKeys.mockRejectedValue(apiError);
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+        await expect(promise).rejects.toThrow("API network error");
+        expect(registerSdkService.registerClient$).not.toHaveBeenCalled();
+      });
+    });
+
+    describe("SDK error handling", () => {
+      it("should throw when SDK is not available", async () => {
+        organizationApiService.getKeys.mockResolvedValue(orgKeys);
+        registerSdkService.registerClient$.mockReturnValue(
+          of(null) as unknown as Observable<Rc<BitwardenClient>>,
+        );
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+        await expect(promise).rejects.toThrow("SDK not available");
+      });
+
+      it("should throw when SDK registration fails", async () => {
+        const sdkError = new Error("SDK crypto operation failed");
+
+        organizationApiService.getKeys.mockResolvedValue(orgKeys);
+        mockRegistration.mockRejectedValue(sdkError);
+
+        const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+        await expect(promise).rejects.toThrow("SDK crypto operation failed");
+      });
+    });
+
+    it("should throw when account_cryptographic_state is not V2", async () => {
+      const invalidResult = {
+        ...sdkRegistrationResult,
+        account_cryptographic_state: { V1: {} } as unknown as WrappedAccountCryptographicState,
+      };
+
+      mockRegistration.mockResolvedValue(invalidResult);
+
+      const promise = sut.initializePasswordJitPasswordUserV2Encryption(credentials, userId);
+
+      await expect(promise).rejects.toThrow("Unexpected V2 account cryptographic state");
+    });
+  });
 });
diff --git a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
index 0e0bae62b9a..4ab26ecd09e 100644
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
@@ -21,14 +21,16 @@ import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/mod
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
-import { assertTruthy, assertNonNullish } from "@bitwarden/common/auth/utils";
+import { assertNonNullish, assertTruthy } from "@bitwarden/common/auth/utils";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
 import { SyncService } from "@bitwarden/common/platform/sync";
-import { UserId } from "@bitwarden/common/types/guid";
+import { OrganizationId, UserId } from "@bitwarden/common/types/guid";
 import {
   AnonLayoutWrapperDataService,
   ButtonModule,
@@ -39,6 +41,7 @@ import {
 import { I18nPipe } from "@bitwarden/ui-common";
 
 import {
+  InitializeJitPasswordCredentials,
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordTdeOffboardingCredentials,
@@ -86,6 +89,7 @@ export class SetInitialPasswordComponent implements OnInit {
     private syncService: SyncService,
     private toastService: ToastService,
     private validationService: ValidationService,
+    private configService: ConfigService,
   ) {}
 
   async ngOnInit() {
@@ -101,6 +105,51 @@ export class SetInitialPasswordComponent implements OnInit {
     this.initializing = false;
   }
 
+  protected async handlePasswordFormSubmit(passwordInputResult: PasswordInputResult) {
+    this.submitting = true;
+
+    switch (this.userType) {
+      case SetInitialPasswordUserType.JIT_PROVISIONED_MP_ORG_USER: {
+        const accountEncryptionV2 = await this.configService.getFeatureFlag(
+          FeatureFlag.EnableAccountEncryptionV2JitPasswordRegistration,
+        );
+
+        if (accountEncryptionV2) {
+          await this.setInitialPasswordJitMPUserV2Encryption(passwordInputResult);
+          return;
+        }
+
+        await this.setInitialPassword(passwordInputResult);
+
+        break;
+      }
+      case SetInitialPasswordUserType.TDE_ORG_USER_RESET_PASSWORD_PERMISSION_REQUIRES_MP:
+        await this.setInitialPassword(passwordInputResult);
+        break;
+      case SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER:
+        await this.setInitialPasswordTdeOffboarding(passwordInputResult);
+        break;
+      default:
+        this.logService.error(
+          `Unexpected user type: ${this.userType}. Could not set initial password.`,
+        );
+        this.validationService.showError("Unexpected user type. Could not set initial password.");
+    }
+  }
+
+  protected async logout() {
+    const confirmed = await this.dialogService.openSimpleDialog({
+      title: { key: "logOut" },
+      content: { key: "logOutConfirmation" },
+      acceptButtonText: { key: "logOut" },
+      type: "warning",
+    });
+
+    if (confirmed) {
+      this.messagingService.send("logout");
+    }
+  }
+
   private async establishUserType() {
     if (!this.userId) {
       throw new Error("userId not found. Could not determine user type.");
@@ -189,22 +238,39 @@ export class SetInitialPasswordComponent implements OnInit {
     }
   }
 
-  protected async handlePasswordFormSubmit(passwordInputResult: PasswordInputResult) {
-    this.submitting = true;
+  private async setInitialPasswordJitMPUserV2Encryption(passwordInputResult: PasswordInputResult) {
+    const ctx = "Could not set initial password for SSO JIT master password encryption user.";
+    assertTruthy(passwordInputResult.newPassword, "newPassword", ctx);
+    assertTruthy(passwordInputResult.salt, "salt", ctx);
+    assertTruthy(this.orgSsoIdentifier, "orgSsoIdentifier", ctx);
+    assertTruthy(this.orgId, "orgId", ctx);
+    assertTruthy(this.userId, "userId", ctx);
+    assertNonNullish(passwordInputResult.newPasswordHint, "newPasswordHint", ctx); // can have an empty string as a valid value, so check non-nullish
+    assertNonNullish(this.resetPasswordAutoEnroll, "resetPasswordAutoEnroll", ctx); // can have `false` as a valid value, so check non-nullish
 
-    switch (this.userType) {
-      case SetInitialPasswordUserType.JIT_PROVISIONED_MP_ORG_USER:
-      case SetInitialPasswordUserType.TDE_ORG_USER_RESET_PASSWORD_PERMISSION_REQUIRES_MP:
-        await this.setInitialPassword(passwordInputResult);
-        break;
-      case SetInitialPasswordUserType.OFFBOARDED_TDE_ORG_USER:
-        await this.setInitialPasswordTdeOffboarding(passwordInputResult);
-        break;
-      default:
-        this.logService.error(
-          `Unexpected user type: ${this.userType}. Could not set initial password.`,
-        );
-        this.validationService.showError("Unexpected user type. Could not set initial password.");
+    try {
+      const credentials: InitializeJitPasswordCredentials = {
+        newPasswordHint: passwordInputResult.newPasswordHint,
+        orgSsoIdentifier: this.orgSsoIdentifier,
+        orgId: this.orgId as OrganizationId,
+        resetPasswordAutoEnroll: this.resetPasswordAutoEnroll,
+        newPassword: passwordInputResult.newPassword,
+        salt: passwordInputResult.salt,
+      };
+
+      await this.setInitialPasswordService.initializePasswordJitPasswordUserV2Encryption(
+        credentials,
+        this.userId,
+      );
+
+      this.showSuccessToastByUserType();
+
+      this.submitting = false;
+      await this.router.navigate(["vault"]);
+    } catch (e) {
+      this.logService.error("Error setting initial password", e);
+      this.validationService.showError(e);
+      this.submitting = false;
     }
   }
 
@@ -307,17 +373,4 @@ export class SetInitialPasswordComponent implements OnInit {
       });
     }
   }
-
-  protected async logout() {
-    const confirmed = await this.dialogService.openSimpleDialog({
-      title: { key: "logOut" },
-      content: { key: "logOutConfirmation" },
-      acceptButtonText: { key: "logOut" },
-      type: "warning",
-    });
-
-    if (confirmed) {
-      this.messagingService.send("logout");
-    }
-  }
 }
diff --git a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts
index 5620194e1bb..2667040c707 100644
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts
@@ -1,5 +1,5 @@
 import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
-import { UserId } from "@bitwarden/common/types/guid";
+import { OrganizationId, UserId } from "@bitwarden/common/types/guid";
 import { MasterKey } from "@bitwarden/common/types/key";
 import { KdfConfig } from "@bitwarden/key-management";
 
@@ -61,6 +61,24 @@ export interface SetInitialPasswordTdeOffboardingCredentials {
   newPasswordHint: string;
 }
 
+/**
+ * Credentials required to initialize a just-in-time (JIT) provisioned user with a master password.
+ */
+export interface InitializeJitPasswordCredentials {
+  /** Hint for the new master password */
+  newPasswordHint: string;
+  /** SSO identifier for the organization */
+  orgSsoIdentifier: string;
+  /** Organization ID */
+  orgId: OrganizationId;
+  /** Whether to auto-enroll the user in account recovery (reset password) */
+  resetPasswordAutoEnroll: boolean;
+  /** The new master password */
+  newPassword: string;
+  /** Master password salt (typically the user's email) */
+  salt: MasterPasswordSalt;
+}
+
 /**
  * Handles setting an initial password for an existing authed user.
  *
@@ -95,4 +113,14 @@ export abstract class SetInitialPasswordService {
     credentials: SetInitialPasswordTdeOffboardingCredentials,
     userId: UserId,
   ) => Promise<void>;
+
+  /**
+   * Initializes a JIT-provisioned user's cryptographic state and enrolls them in master password unlock.
+   * @param credentials The credentials needed to initialize the JIT password user
+   * @param userId The account userId
+   */
+  abstract initializePasswordJitPasswordUserV2Encryption(
+    credentials: InitializeJitPasswordCredentials,
+    userId: UserId,
+  ): Promise<void>;
 }
diff --git a/libs/angular/src/services/jslib-services.module.ts b/libs/angular/src/services/jslib-services.module.ts
index 5eaac4033eb..cf41b28baca 100644
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -108,7 +108,7 @@ import { UserVerificationService as UserVerificationServiceAbstraction } from "@
 import { WebAuthnLoginApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login-api.service.abstraction";
 import { WebAuthnLoginPrfKeyServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login-prf-key.service.abstraction";
 import { WebAuthnLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login.service.abstraction";
-import { SendTokenService, DefaultSendTokenService } from "@bitwarden/common/auth/send-access";
+import { DefaultSendTokenService, SendTokenService } from "@bitwarden/common/auth/send-access";
 import { AccountApiServiceImplementation } from "@bitwarden/common/auth/services/account-api.service";
 import { AccountServiceImplementation } from "@bitwarden/common/auth/services/account.service";
 import { AnonymousHubService } from "@bitwarden/common/auth/services/anonymous-hub.service";
@@ -131,10 +131,10 @@ import { WebAuthnLoginApiService } from "@bitwarden/common/auth/services/webauth
 import { WebAuthnLoginPrfKeyService } from "@bitwarden/common/auth/services/webauthn-login/webauthn-login-prf-key.service";
 import { WebAuthnLoginService } from "@bitwarden/common/auth/services/webauthn-login/webauthn-login.service";
 import {
-  TwoFactorApiService,
   DefaultTwoFactorApiService,
-  TwoFactorService,
   DefaultTwoFactorService,
+  TwoFactorApiService,
+  TwoFactorService,
 } from "@bitwarden/common/auth/two-factor";
 import {
   AutofillSettingsService,
@@ -208,8 +208,8 @@ import { PinService } from "@bitwarden/common/key-management/pin/pin.service.imp
 import { SecurityStateService } from "@bitwarden/common/key-management/security-state/abstractions/security-state.service";
 import { DefaultSecurityStateService } from "@bitwarden/common/key-management/security-state/services/security-state.service";
 import {
-  SendPasswordService,
   DefaultSendPasswordService,
+  SendPasswordService,
 } from "@bitwarden/common/key-management/sends";
 import { SessionTimeoutTypeService } from "@bitwarden/common/key-management/session-timeout";
 import {
@@ -387,12 +387,12 @@ import { SafeInjectionToken } from "@bitwarden/ui-common";
 // eslint-disable-next-line no-restricted-imports
 import { PasswordRepromptService } from "@bitwarden/vault";
 import {
+  DefaultVaultExportApiService,
   IndividualVaultExportService,
   IndividualVaultExportServiceAbstraction,
-  DefaultVaultExportApiService,
-  VaultExportApiService,
   OrganizationVaultExportService,
   OrganizationVaultExportServiceAbstraction,
+  VaultExportApiService,
   VaultExportService,
   VaultExportServiceAbstraction,
 } from "@bitwarden/vault-export-core";
@@ -1583,6 +1583,7 @@ const safeProviders: SafeProvider[] = [
       OrganizationUserApiService,
       InternalUserDecryptionOptionsServiceAbstraction,
       AccountCryptographicStateService,
+      RegisterSdkService,
     ],
   }),
   safeProvider({
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index f82c095d45f..811f4e524ac 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -47,6 +47,7 @@ export enum FeatureFlag {
   ConsolidatedSessionTimeoutComponent = "pm-26056-consolidated-session-timeout-component",
   PM27279_V2RegistrationTdeJit = "pm-27279-v2-registration-tde-jit",
   EnableAccountEncryptionV2KeyConnectorRegistration = "enable-account-encryption-v2-key-connector-registration",
+  EnableAccountEncryptionV2JitPasswordRegistration = "enable-account-encryption-v2-jit-password-registration",
 
   /* Tools */
   UseSdkPasswordGenerators = "pm-19976-use-sdk-password-generators",
@@ -156,6 +157,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.ConsolidatedSessionTimeoutComponent]: FALSE,
   [FeatureFlag.PM27279_V2RegistrationTdeJit]: FALSE,
   [FeatureFlag.EnableAccountEncryptionV2KeyConnectorRegistration]: FALSE,
+  [FeatureFlag.EnableAccountEncryptionV2JitPasswordRegistration]: FALSE,
 
   /* Platform */
   [FeatureFlag.IpcChannelFramework]: FALSE,
diff --git a/package-lock.json b/package-lock.json
index 95842c6b409..ff632dc2807 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,8 +23,8 @@
         "@angular/platform-browser": "20.3.15",
         "@angular/platform-browser-dynamic": "20.3.15",
         "@angular/router": "20.3.15",
-        "@bitwarden/commercial-sdk-internal": "0.2.0-main.450",
-        "@bitwarden/sdk-internal": "0.2.0-main.450",
+        "@bitwarden/commercial-sdk-internal": "0.2.0-main.470",
+        "@bitwarden/sdk-internal": "0.2.0-main.470",
         "@electron/fuses": "1.8.0",
         "@emotion/css": "11.13.5",
         "@koa/multer": "4.0.0",
@@ -4982,9 +4982,9 @@
       "link": true
     },
     "node_modules/@bitwarden/commercial-sdk-internal": {
-      "version": "0.2.0-main.450",
-      "resolved": "https://registry.npmjs.org/@bitwarden/commercial-sdk-internal/-/commercial-sdk-internal-0.2.0-main.450.tgz",
-      "integrity": "sha512-WCihR6ykpIfaqJBHl4Wou4xDB8mp+5UPi94eEKYUdkx/9/19YyX33SX9H56zEriOuOMCD8l2fymhzAFjAAB++g==",
+      "version": "0.2.0-main.470",
+      "resolved": "https://registry.npmjs.org/@bitwarden/commercial-sdk-internal/-/commercial-sdk-internal-0.2.0-main.470.tgz",
+      "integrity": "sha512-QYhxv5eX6ouFJv94gMtBW7MjuK6t2KAN9FLz+/w1wnq8dScnA9Iky25phNPw+iHMgWwhq/dzZq45asKUFF//oA==",
       "license": "BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE AGREEMENT",
       "dependencies": {
         "type-fest": "^4.41.0"
@@ -5087,9 +5087,9 @@
       "link": true
     },
     "node_modules/@bitwarden/sdk-internal": {
-      "version": "0.2.0-main.450",
-      "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.450.tgz",
-      "integrity": "sha512-XRhrBN0uoo66ONx7dYo9glhe9N451+VhwtC/oh3wo3j3qYxbPwf9yE98szlQ52u3iUExLisiYJY7sQNzhZrbZw==",
+      "version": "0.2.0-main.470",
+      "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.470.tgz",
+      "integrity": "sha512-XKvcUtoU6NnxeEzl3WK7bATiCh2RNxRmuX6JYNgcQHUtHUH+x3ckToR6II1qM3nha0VH0u1ijy3+07UdNQM+JQ==",
       "license": "GPL-3.0",
       "dependencies": {
         "type-fest": "^4.41.0"
diff --git a/package.json b/package.json
index 01d11df89f8..829dc91370a 100644
--- a/package.json
+++ b/package.json
@@ -162,8 +162,8 @@
     "@angular/platform-browser": "20.3.15",
     "@angular/platform-browser-dynamic": "20.3.15",
     "@angular/router": "20.3.15",
-    "@bitwarden/sdk-internal": "0.2.0-main.450",
-    "@bitwarden/commercial-sdk-internal": "0.2.0-main.450",
+    "@bitwarden/sdk-internal": "0.2.0-main.470",
+    "@bitwarden/commercial-sdk-internal": "0.2.0-main.470",
     "@electron/fuses": "1.8.0",
     "@emotion/css": "11.13.5",
     "@koa/multer": "4.0.0",

From eee6fb895cec13c17cf08b0ff51cb7de9aa84ceb Mon Sep 17 00:00:00 2001
From: Jason Ng <jng@bitwarden.com>
Date: Thu, 22 Jan 2026 08:58:17 -0500
Subject: [PATCH 15/24] [PM-30889] Remove clone option from archive item
 desktop (#18457)

* remove clone option from archive item desktop for users who lose premium status
---
 .../src/vault/app/vault/item-footer.component.html | 14 +++++---------
 .../src/vault/app/vault/item-footer.component.ts   | 13 +++++++++++++
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/apps/desktop/src/vault/app/vault/item-footer.component.html b/apps/desktop/src/vault/app/vault/item-footer.component.html
index a03f3e96b06..0af73bf7d8a 100644
--- a/apps/desktop/src/vault/app/vault/item-footer.component.html
+++ b/apps/desktop/src/vault/app/vault/item-footer.component.html
@@ -36,15 +36,11 @@
     >
       <i class="bwi bwi-undo bwi-fw bwi-lg" aria-hidden="true"></i>
     </button>
-    <button
-      type="button"
-      class="primary"
-      *ngIf="cipher.id && !cipher?.organizationId && !cipher.isDeleted && action === 'view'"
-      (click)="clone()"
-      appA11yTitle="{{ 'clone' | i18n }}"
-    >
-      <i class="bwi bwi-files bwi-fw bwi-lg" aria-hidden="true"></i>
-    </button>
+    @if (showCloneOption) {
+      <button type="button" class="primary" (click)="clone()" appA11yTitle="{{ 'clone' | i18n }}">
+        <i class="bwi bwi-files bwi-fw bwi-lg" aria-hidden="true"></i>
+      </button>
+    }
   </ng-container>
   <div class="right" *ngIf="hasFooterAction">
     <button
diff --git a/apps/desktop/src/vault/app/vault/item-footer.component.ts b/apps/desktop/src/vault/app/vault/item-footer.component.ts
index 399a0e7875d..d601f46e430 100644
--- a/apps/desktop/src/vault/app/vault/item-footer.component.ts
+++ b/apps/desktop/src/vault/app/vault/item-footer.component.ts
@@ -75,6 +75,7 @@ export class ItemFooterComponent implements OnInit, OnChanges {
 
   protected showArchiveButton = false;
   protected showUnarchiveButton = false;
+  protected userCanArchive = false;
 
   constructor(
     protected cipherService: CipherService,
@@ -134,6 +135,16 @@ export class ItemFooterComponent implements OnInit, OnChanges {
     );
   }
 
+  protected get showCloneOption() {
+    return (
+      this.cipher.id &&
+      !this.cipher?.organizationId &&
+      !this.cipher.isDeleted &&
+      this.action === "view" &&
+      (!this.cipher.isArchived || this.userCanArchive)
+    );
+  }
+
   cancel() {
     this.onCancel.emit(this.cipher);
   }
@@ -241,6 +252,8 @@ export class ItemFooterComponent implements OnInit, OnChanges {
       ),
     );
 
+    this.userCanArchive = userCanArchive;
+
     this.showArchiveButton =
       cipherCanBeArchived && userCanArchive && this.action === "view" && !this.cipher.isArchived;
 

From 2fac696567d0463a2913b0e79ff01409042a07a6 Mon Sep 17 00:00:00 2001
From: neuronull <9162534+neuronull@users.noreply.github.com>
Date: Thu, 22 Jan 2026 06:38:26 -0800
Subject: [PATCH 16/24] Desktop Autotype windows integration tests (#17639)

---
 .github/workflows/test.yml                    |  16 +-
 .../desktop_native/autotype/Cargo.toml        |   9 +
 .../autotype/tests/integration_tests.rs       | 324 ++++++++++++++++++
 3 files changed, 343 insertions(+), 6 deletions(-)
 create mode 100644 apps/desktop/desktop_native/autotype/tests/integration_tests.rs

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index cf7251b259a..4280cabc812 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -111,7 +111,7 @@ jobs:
         working-directory: ./apps/desktop/desktop_native
         run: cargo build
 
-      - name: Test Ubuntu
+      - name: Linux unit tests
         if: ${{ matrix.os=='ubuntu-22.04' }}
         working-directory: ./apps/desktop/desktop_native
         run: |
@@ -120,17 +120,21 @@ jobs:
           mkdir -p ~/.local/share/keyrings
           eval "$(printf '\n' | gnome-keyring-daemon --unlock)"
           eval "$(printf '\n' | /usr/bin/gnome-keyring-daemon --start)"
-          cargo test -- --test-threads=1
+          cargo test --lib -- --test-threads=1
 
-      - name: Test macOS
+      - name: MacOS unit tests
         if: ${{ matrix.os=='macos-14' }}
         working-directory: ./apps/desktop/desktop_native
-        run: cargo test -- --test-threads=1
+        run: cargo test --lib -- --test-threads=1
 
-      - name: Test Windows
+      - name: Windows unit tests
         if: ${{ matrix.os=='windows-2022'}}
         working-directory: ./apps/desktop/desktop_native
-        run: cargo test --workspace --exclude=desktop_napi -- --test-threads=1
+        run: cargo test --lib --workspace --exclude=desktop_napi -- --test-threads=1
+
+      - name: Doc tests
+        working-directory: ./apps/desktop/desktop_native
+        run: cargo test --doc
 
   rust-coverage:
     name: Rust Coverage
diff --git a/apps/desktop/desktop_native/autotype/Cargo.toml b/apps/desktop/desktop_native/autotype/Cargo.toml
index a9c826af57d..59dd36c6c91 100644
--- a/apps/desktop/desktop_native/autotype/Cargo.toml
+++ b/apps/desktop/desktop_native/autotype/Cargo.toml
@@ -19,5 +19,14 @@ windows-core = { workspace = true }
 [dependencies]
 anyhow = { workspace = true }
 
+[target.'cfg(windows)'.dev-dependencies]
+windows = { workspace = true, features = [
+    "Win32_UI_Input_KeyboardAndMouse",
+    "Win32_UI_WindowsAndMessaging",
+    "Win32_Foundation",
+    "Win32_System_LibraryLoader",
+    "Win32_Graphics_Gdi",
+] }
+
 [lints]
 workspace = true
diff --git a/apps/desktop/desktop_native/autotype/tests/integration_tests.rs b/apps/desktop/desktop_native/autotype/tests/integration_tests.rs
new file mode 100644
index 00000000000..b87219f77fe
--- /dev/null
+++ b/apps/desktop/desktop_native/autotype/tests/integration_tests.rs
@@ -0,0 +1,324 @@
+#![cfg(target_os = "windows")]
+
+use std::{
+    sync::{Arc, Mutex},
+    thread,
+    time::Duration,
+};
+
+use autotype::{get_foreground_window_title, type_input};
+use serial_test::serial;
+use tracing::debug;
+use windows::Win32::{
+    Foundation::{COLORREF, HINSTANCE, HMODULE, HWND, LPARAM, LRESULT, WPARAM},
+    Graphics::Gdi::{CreateSolidBrush, UpdateWindow, ValidateRect, COLOR_WINDOW},
+    System::LibraryLoader::{GetModuleHandleA, GetModuleHandleW},
+    UI::WindowsAndMessaging::*,
+};
+use windows_core::{s, w, Result, PCSTR, PCWSTR};
+
+struct TestWindow {
+    handle: HWND,
+    capture: Option<InputCapture>,
+}
+
+impl Drop for TestWindow {
+    fn drop(&mut self) {
+        // Clean up the InputCapture pointer
+        unsafe {
+            let capture_ptr = GetWindowLongPtrW(self.handle, GWLP_USERDATA) as *mut InputCapture;
+            if !capture_ptr.is_null() {
+                let _ = Box::from_raw(capture_ptr);
+            }
+            CloseWindow(self.handle).expect("window handle should be closeable");
+            DestroyWindow(self.handle).expect("window handle should be destroyable");
+        }
+    }
+}
+
+// state to capture keyboard input
+#[derive(Clone)]
+struct InputCapture {
+    chars: Arc<Mutex<Vec<char>>>,
+}
+
+impl InputCapture {
+    fn new() -> Self {
+        Self {
+            chars: Arc::new(Mutex::new(Vec::new())),
+        }
+    }
+
+    fn get_chars(&self) -> Vec<char> {
+        self.chars
+            .lock()
+            .expect("mutex should not be poisoned")
+            .clone()
+    }
+}
+
+// Custom window procedure that captures input
+unsafe extern "system" fn capture_input_proc(
+    handle: HWND,
+    msg: u32,
+    wparam: WPARAM,
+    lparam: LPARAM,
+) -> LRESULT {
+    match msg {
+        WM_CREATE => {
+            // Store the InputCapture pointer in window data
+            let create_struct = lparam.0 as *const CREATESTRUCTW;
+            let capture_ptr = (*create_struct).lpCreateParams as *mut InputCapture;
+            SetWindowLongPtrW(handle, GWLP_USERDATA, capture_ptr as isize);
+            LRESULT(0)
+        }
+        WM_CHAR => {
+            // Get the InputCapture from window data
+            let capture_ptr = GetWindowLongPtrW(handle, GWLP_USERDATA) as *mut InputCapture;
+            if !capture_ptr.is_null() {
+                let capture = &*capture_ptr;
+                if let Some(ch) = char::from_u32(wparam.0 as u32) {
+                    capture
+                        .chars
+                        .lock()
+                        .expect("mutex should not be poisoned")
+                        .push(ch);
+                }
+            }
+            LRESULT(0)
+        }
+        WM_DESTROY => {
+            PostQuitMessage(0);
+            LRESULT(0)
+        }
+        _ => DefWindowProcW(handle, msg, wparam, lparam),
+    }
+}
+
+// A pointer to the window procedure
+type ProcType = unsafe extern "system" fn(HWND, u32, WPARAM, LPARAM) -> LRESULT;
+
+// <https://learn.microsoft.com/en-us/windows/win32/api/winuser/nc-winuser-wndproc>
+extern "system" fn show_window_proc(
+    handle: HWND, // the window handle
+    message: u32, // the system message
+    wparam: WPARAM, /* additional message information. The contents of the wParam parameter
+                   * depend on the value of the message parameter. */
+    lparam: LPARAM, /* additional message information. The contents of the lParam parameter
+                     * depend on the value of the message parameter. */
+) -> LRESULT {
+    unsafe {
+        match message {
+            WM_PAINT => {
+                debug!("WM_PAINT");
+                let res = ValidateRect(Some(handle), None);
+                debug_assert!(res.ok().is_ok());
+                LRESULT(0)
+            }
+            WM_DESTROY => {
+                debug!("WM_DESTROY");
+                PostQuitMessage(0);
+                LRESULT(0)
+            }
+            _ => DefWindowProcA(handle, message, wparam, lparam),
+        }
+    }
+}
+
+impl TestWindow {
+    fn set_foreground(&self) -> Result<()> {
+        unsafe {
+            let _ = ShowWindow(self.handle, SW_SHOW);
+            let _ = SetForegroundWindow(self.handle);
+            let _ = UpdateWindow(self.handle);
+            let _ = SetForegroundWindow(self.handle);
+        }
+        std::thread::sleep(std::time::Duration::from_millis(100));
+        Ok(())
+    }
+
+    fn wait_for_input(&self, timeout_ms: u64) {
+        let start = std::time::Instant::now();
+        while start.elapsed().as_millis() < timeout_ms as u128 {
+            process_messages();
+            thread::sleep(Duration::from_millis(10));
+        }
+    }
+}
+
+fn process_messages() {
+    unsafe {
+        let mut msg = MSG::default();
+        while PeekMessageW(&mut msg, None, 0, 0, PM_REMOVE).as_bool() {
+            let _ = TranslateMessage(&msg);
+            DispatchMessageW(&msg);
+        }
+    }
+}
+
+fn create_input_window(title: PCWSTR, proc_type: ProcType) -> Result<TestWindow> {
+    unsafe {
+        let instance = GetModuleHandleW(None).unwrap_or(HMODULE(std::ptr::null_mut()));
+        let instance: HINSTANCE = instance.into();
+        debug_assert!(!instance.is_invalid());
+
+        let window_class = w!("show_window");
+
+        // Register window class with our custom proc
+        let wc = WNDCLASSW {
+            lpfnWndProc: Some(proc_type),
+            hInstance: instance,
+            lpszClassName: window_class,
+            hbrBackground: CreateSolidBrush(COLORREF(
+                (COLOR_WINDOW.0 + 1).try_into().expect("i32 to fit in u32"),
+            )),
+            ..Default::default()
+        };
+
+        let _atom = RegisterClassW(&wc);
+
+        let capture = InputCapture::new();
+
+        // Pass InputCapture as lpParam
+        let capture_ptr = Box::into_raw(Box::new(capture.clone()));
+
+        // Create window
+        // <https://learn.microsoft.com/en-us/windows/win32/learnwin32/creating-a-window>
+        let handle = CreateWindowExW(
+            WINDOW_EX_STYLE(0),
+            window_class,
+            title,
+            WS_OVERLAPPEDWINDOW | WS_VISIBLE,
+            CW_USEDEFAULT,
+            CW_USEDEFAULT,
+            400,
+            300,
+            None,
+            None,
+            Some(instance),
+            Some(capture_ptr as *const _),
+        )
+        .expect("window should be created");
+
+        // Process pending messages
+        process_messages();
+        thread::sleep(Duration::from_millis(100));
+
+        Ok(TestWindow {
+            handle,
+            capture: Some(capture),
+        })
+    }
+}
+
+fn create_title_window(title: PCSTR, proc_type: ProcType) -> Result<TestWindow> {
+    unsafe {
+        let instance = GetModuleHandleA(None)?;
+        let instance: HINSTANCE = instance.into();
+        debug_assert!(!instance.is_invalid());
+
+        let window_class = s!("input_window");
+
+        // Register window class with our custom proc
+        // <https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-wndclassa>
+        let wc = WNDCLASSA {
+            hCursor: LoadCursorW(None, IDC_ARROW)?,
+            hInstance: instance,
+            lpszClassName: window_class,
+            style: CS_HREDRAW | CS_VREDRAW,
+            lpfnWndProc: Some(proc_type),
+            ..Default::default()
+        };
+
+        let _atom = RegisterClassA(&wc);
+
+        // Create window
+        // <https://learn.microsoft.com/en-us/windows/win32/learnwin32/creating-a-window>
+        let handle = CreateWindowExA(
+            WINDOW_EX_STYLE::default(),
+            window_class,
+            title,
+            WS_OVERLAPPEDWINDOW | WS_VISIBLE,
+            CW_USEDEFAULT,
+            CW_USEDEFAULT,
+            800,
+            600,
+            None,
+            None,
+            Some(instance),
+            None,
+        )
+        .expect("window should be created");
+
+        Ok(TestWindow {
+            handle,
+            capture: None,
+        })
+    }
+}
+
+#[serial]
+#[test]
+fn test_get_active_window_title_success() {
+    let title;
+    {
+        let window = create_title_window(s!("TITLE_FOOBAR"), show_window_proc).unwrap();
+        window.set_foreground().unwrap();
+        title = get_foreground_window_title().unwrap();
+    }
+
+    assert_eq!(title, "TITLE_FOOBAR\0".to_owned());
+
+    thread::sleep(Duration::from_millis(100));
+}
+
+#[serial]
+#[test]
+fn test_get_active_window_title_doesnt_fail_if_empty_title() {
+    let title;
+    {
+        let window = create_title_window(s!(""), show_window_proc).unwrap();
+        window.set_foreground().unwrap();
+        title = get_foreground_window_title();
+    }
+
+    assert_eq!(title.unwrap(), "".to_owned());
+
+    thread::sleep(Duration::from_millis(100));
+}
+
+#[serial]
+#[test]
+fn test_type_input_success() {
+    const TAB: u16 = 0x09;
+    let chars;
+    {
+        let window = create_input_window(w!("foo"), capture_input_proc).unwrap();
+        window.set_foreground().unwrap();
+
+        type_input(
+            &[
+                0x66, 0x6F, 0x6C, 0x6C, 0x6F, 0x77, 0x5F, 0x74, 0x68, 0x65, TAB, 0x77, 0x68, 0x69,
+                0x74, 0x65, 0x5F, 0x72, 0x61, 0x62, 0x62, 0x69, 0x74,
+            ],
+            &["Control".to_owned(), "Alt".to_owned(), "B".to_owned()],
+        )
+        .unwrap();
+
+        // Wait for and process input messages
+        window.wait_for_input(250);
+
+        // Verify captured input
+        let capture = window.capture.as_ref().unwrap();
+        chars = capture.get_chars();
+    }
+
+    assert!(!chars.is_empty(), "No input captured");
+
+    let input_str = String::from_iter(chars.iter());
+    let input_str = input_str.replace("\t", "_");
+
+    assert_eq!(input_str, "follow_the_white_rabbit");
+
+    thread::sleep(Duration::from_millis(100));
+}

From 139a5c1eb65070b7169149c557c5c05f6253505a Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Thu, 22 Jan 2026 14:04:34 -0600
Subject: [PATCH 17/24] avoid setting width on body when extension is within a
 tab (#18499)

---
 .../src/platform/popup/layout/popup-size.service.ts      | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/apps/browser/src/platform/popup/layout/popup-size.service.ts b/apps/browser/src/platform/popup/layout/popup-size.service.ts
index ff3f09d0d01..4c0c901270e 100644
--- a/apps/browser/src/platform/popup/layout/popup-size.service.ts
+++ b/apps/browser/src/platform/popup/layout/popup-size.service.ts
@@ -37,7 +37,7 @@ export class PopupSizeService {
   /** Begin listening for state changes */
   async init() {
     this.width$.subscribe((width: PopupWidthOption) => {
-      PopupSizeService.setStyle(width);
+      void PopupSizeService.setStyle(width);
       localStorage.setItem(PopupSizeService.LocalStorageKey, width);
     });
   }
@@ -77,8 +77,9 @@ export class PopupSizeService {
     }
   }
 
-  private static setStyle(width: PopupWidthOption) {
-    if (!BrowserPopupUtils.inPopup(window)) {
+  private static async setStyle(width: PopupWidthOption) {
+    const isInTab = await BrowserPopupUtils.isInTab();
+    if (!BrowserPopupUtils.inPopup(window) || isInTab) {
       return;
     }
     const pxWidth = PopupWidthOptions[width] ?? PopupWidthOptions.default;
@@ -91,6 +92,6 @@ export class PopupSizeService {
    **/
   static initBodyWidthFromLocalStorage() {
     const storedValue = localStorage.getItem(PopupSizeService.LocalStorageKey);
-    this.setStyle(storedValue as any);
+    void this.setStyle(storedValue as any);
   }
 }

From 0270474c99bafd330dba5d5b30adf9616237abc4 Mon Sep 17 00:00:00 2001
From: neuronull <9162534+neuronull@users.noreply.github.com>
Date: Thu, 22 Jan 2026 12:27:36 -0800
Subject: [PATCH 18/24] Move approve ssh request out of Platform (#18226)

---
 .../{platform => autofill}/components/approve-ssh-request.html  | 0
 .../{platform => autofill}/components/approve-ssh-request.ts    | 0
 apps/desktop/src/autofill/services/ssh-agent.service.ts         | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename apps/desktop/src/{platform => autofill}/components/approve-ssh-request.html (100%)
 rename apps/desktop/src/{platform => autofill}/components/approve-ssh-request.ts (100%)

diff --git a/apps/desktop/src/platform/components/approve-ssh-request.html b/apps/desktop/src/autofill/components/approve-ssh-request.html
similarity index 100%
rename from apps/desktop/src/platform/components/approve-ssh-request.html
rename to apps/desktop/src/autofill/components/approve-ssh-request.html
diff --git a/apps/desktop/src/platform/components/approve-ssh-request.ts b/apps/desktop/src/autofill/components/approve-ssh-request.ts
similarity index 100%
rename from apps/desktop/src/platform/components/approve-ssh-request.ts
rename to apps/desktop/src/autofill/components/approve-ssh-request.ts
diff --git a/apps/desktop/src/autofill/services/ssh-agent.service.ts b/apps/desktop/src/autofill/services/ssh-agent.service.ts
index 7e289720ec8..e3280f07ede 100644
--- a/apps/desktop/src/autofill/services/ssh-agent.service.ts
+++ b/apps/desktop/src/autofill/services/ssh-agent.service.ts
@@ -32,8 +32,8 @@ import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.servi
 import { CipherType } from "@bitwarden/common/vault/enums";
 import { DialogService, ToastService } from "@bitwarden/components";
 
-import { ApproveSshRequestComponent } from "../../platform/components/approve-ssh-request";
 import { DesktopSettingsService } from "../../platform/services/desktop-settings.service";
+import { ApproveSshRequestComponent } from "../components/approve-ssh-request";
 import { SshAgentPromptType } from "../models/ssh-agent-setting";
 
 @Injectable({

From 676b75902b0d422abcc58512ac72ab78b20fd110 Mon Sep 17 00:00:00 2001
From: brandonbiete <bbiete@bitwarden.com>
Date: Thu, 22 Jan 2026 15:49:37 -0500
Subject: [PATCH 19/24] [BRE-1507] Remove PR process from workflow to allow
 direct pushes (#18504)

---
 .github/workflows/repository-management.yml | 46 ++-------------------
 1 file changed, 3 insertions(+), 43 deletions(-)

diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml
index 79f3335313e..65607268cda 100644
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@@ -72,7 +72,6 @@ jobs:
     permissions:
       id-token: write
       contents: write
-      pull-requests: write
 
     steps:
       - name: Validate version input format
@@ -111,8 +110,7 @@ jobs:
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
-          permission-contents: write      # for creating, committing to, and pushing new branches
-          permission-pull-requests: write # for generating pull requests
+          permission-contents: write # for committing and pushing to main (bypasses rulesets)
 
       - name: Check out branch
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -448,53 +446,15 @@ jobs:
             echo "No changes to commit!";
           fi
 
-      - name: Create version bump branch
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: |
-          BRANCH_NAME="version-bump-$(date +%s)"
-          git checkout -b "$BRANCH_NAME"
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
-
       - name: Commit version bumps with GPG signature
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         run: |
           git commit -m "Bumped client version(s)" -a
 
-      - name: Push version bump branch
+      - name: Push changes to main
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         run: |
-          git push --set-upstream origin "$BRANCH_NAME"
-
-      - name: Create Pull Request for version bump
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        env:
-          VERSION_BROWSER: ${{ steps.set-final-version-output.outputs.version_browser }}
-          VERSION_CLI: ${{ steps.set-final-version-output.outputs.version_cli }}
-          VERSION_DESKTOP: ${{ steps.set-final-version-output.outputs.version_desktop }}
-          VERSION_WEB: ${{ steps.set-final-version-output.outputs.version_web }}
-        with:
-          github-token: ${{ steps.app-token.outputs.token }}
-          script: |
-            const versions = [];
-            if (process.env.VERSION_BROWSER) versions.push(`- Browser: ${process.env.VERSION_BROWSER}`);
-            if (process.env.VERSION_CLI) versions.push(`- CLI: ${process.env.VERSION_CLI}`);
-            if (process.env.VERSION_DESKTOP) versions.push(`- Desktop: ${process.env.VERSION_DESKTOP}`);
-            if (process.env.VERSION_WEB) versions.push(`- Web: ${process.env.VERSION_WEB}`);
-
-            const body = versions.length > 0
-              ? `Automated version bump:\n\n${versions.join('\n')}`
-              : 'Automated version bump';
-
-            const { data: pr } = await github.rest.pulls.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: 'Bumped client version(s)',
-              body: body,
-              head: process.env.BRANCH_NAME,
-              base: context.ref.replace('refs/heads/', '')
-            });
-            console.log(`Created PR #${pr.number}: ${pr.html_url}`);
+          git push
 
   cut_branch:
     name: Cut branch

From 1baed4dea8992081cf3456bdd74c624766cf668c Mon Sep 17 00:00:00 2001
From: Derek Nance <dnance@bitwarden.com>
Date: Thu, 22 Jan 2026 15:12:15 -0600
Subject: [PATCH 20/24] [PM-30470] Revert to using X11 on Linux desktop
 (#18465)

---
 apps/desktop/resources/linux-wrapper.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/desktop/resources/linux-wrapper.sh b/apps/desktop/resources/linux-wrapper.sh
index 3c5d16c3a3d..e1cb69274d7 100644
--- a/apps/desktop/resources/linux-wrapper.sh
+++ b/apps/desktop/resources/linux-wrapper.sh
@@ -12,9 +12,13 @@ if [ -e "/usr/lib/x86_64-linux-gnu/libdbus-1.so.3" ]; then
   export LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libdbus-1.so.3"
 fi
 
+# A bug in Electron 39 (which now enables Wayland by default) causes a crash on
+# systems using Wayland with hardware acceleration. Platform decided to
+# configure Electron to use X11 (with an opt-out) until the upstream bug is
+# fixed. The follow-up task is https://bitwarden.atlassian.net/browse/PM-31080.
 PARAMS="--enable-features=UseOzonePlatform,WaylandWindowDecorations --ozone-platform-hint=auto"
-if [ "$USE_X11" = "true" ]; then
-  PARAMS=""
+if [ "$USE_X11" != "false" ]; then
+  PARAMS="--ozone-platform=x11"
 fi
 
 $APP_PATH/bitwarden-app $PARAMS "$@"

From a9d8edc52ccdeec6d3d46df880ed8856344e40a2 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:20:53 -0600
Subject: [PATCH 21/24] [PM-28749] Desktop Transfer Items (#18410)

* add transfer items prompt to desktop

* add transfer service to vault v3
---
 .../desktop/src/vault/app/vault-v3/vault.component.ts | 11 +++++++++++
 .../desktop/src/vault/app/vault/vault-v2.component.ts | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/apps/desktop/src/vault/app/vault-v3/vault.component.ts b/apps/desktop/src/vault/app/vault-v3/vault.component.ts
index c104f76ff2d..a64830c3b5d 100644
--- a/apps/desktop/src/vault/app/vault-v3/vault.component.ts
+++ b/apps/desktop/src/vault/app/vault-v3/vault.component.ts
@@ -79,6 +79,8 @@ import {
   VaultFilter,
   VaultFilterServiceAbstraction as VaultFilterService,
   RoutedVaultFilterBridgeService,
+  VaultItemsTransferService,
+  DefaultVaultItemsTransferService,
 } from "@bitwarden/vault";
 
 import { SearchBarService } from "../../../app/layout/search/search-bar.service";
@@ -130,6 +132,7 @@ const BroadcasterSubscriptionId = "VaultComponent";
       provide: COPY_CLICK_LISTENER,
       useExisting: VaultComponent,
     },
+    { provide: VaultItemsTransferService, useClass: DefaultVaultItemsTransferService },
   ],
 })
 export class VaultComponent implements OnInit, OnDestroy, CopyClickListener {
@@ -214,6 +217,7 @@ export class VaultComponent implements OnInit, OnDestroy, CopyClickListener {
     private archiveCipherUtilitiesService: ArchiveCipherUtilitiesService,
     private routedVaultFilterBridgeService: RoutedVaultFilterBridgeService,
     private vaultFilterService: VaultFilterService,
+    private vaultItemTransferService: VaultItemsTransferService,
   ) {}
 
   async ngOnInit() {
@@ -266,6 +270,11 @@ export class VaultComponent implements OnInit, OnDestroy, CopyClickListener {
                 if (this.vaultItemsComponent) {
                   await this.vaultItemsComponent.refresh().catch(() => {});
                 }
+                if (this.activeUserId) {
+                  void this.vaultItemTransferService.enforceOrganizationDataOwnership(
+                    this.activeUserId,
+                  );
+                }
                 break;
               case "modalShown":
                 this.showingModal = true;
@@ -372,6 +381,8 @@ export class VaultComponent implements OnInit, OnDestroy, CopyClickListener {
       .subscribe((collections) => {
         this.filteredCollections = collections;
       });
+
+    void this.vaultItemTransferService.enforceOrganizationDataOwnership(this.activeUserId);
   }
 
   ngOnDestroy() {
diff --git a/apps/desktop/src/vault/app/vault/vault-v2.component.ts b/apps/desktop/src/vault/app/vault/vault-v2.component.ts
index c1ab9d6f22a..efbdee97798 100644
--- a/apps/desktop/src/vault/app/vault/vault-v2.component.ts
+++ b/apps/desktop/src/vault/app/vault/vault-v2.component.ts
@@ -92,6 +92,8 @@ import {
   PasswordRepromptService,
   CipherFormComponent,
   ArchiveCipherUtilitiesService,
+  VaultItemsTransferService,
+  DefaultVaultItemsTransferService,
 } from "@bitwarden/vault";
 
 import { NavComponent } from "../../../app/layout/nav.component";
@@ -150,6 +152,7 @@ const BroadcasterSubscriptionId = "VaultComponent";
       provide: COPY_CLICK_LISTENER,
       useExisting: VaultV2Component,
     },
+    { provide: VaultItemsTransferService, useClass: DefaultVaultItemsTransferService },
   ],
 })
 export class VaultV2Component<C extends CipherViewLike>
@@ -264,6 +267,7 @@ export class VaultV2Component<C extends CipherViewLike>
     private policyService: PolicyService,
     private archiveCipherUtilitiesService: ArchiveCipherUtilitiesService,
     private masterPasswordService: MasterPasswordServiceAbstraction,
+    private vaultItemTransferService: VaultItemsTransferService,
   ) {}
 
   async ngOnInit() {
@@ -317,6 +321,11 @@ export class VaultV2Component<C extends CipherViewLike>
                     .catch(() => {});
                   await this.vaultFilterComponent.reloadOrganizations().catch(() => {});
                 }
+                if (this.activeUserId) {
+                  void this.vaultItemTransferService.enforceOrganizationDataOwnership(
+                    this.activeUserId,
+                  );
+                }
                 break;
               case "modalShown":
                 this.showingModal = true;
@@ -420,6 +429,8 @@ export class VaultV2Component<C extends CipherViewLike>
       .subscribe((collections) => {
         this.allCollections = collections;
       });
+
+    void this.vaultItemTransferService.enforceOrganizationDataOwnership(this.activeUserId);
   }
 
   ngOnDestroy() {

From daacff888d5da3cb6eae4dedf258377440c44f7f Mon Sep 17 00:00:00 2001
From: Bryan Cunningham <bcunningham@bitwarden.com>
Date: Thu, 22 Jan 2026 16:55:35 -0500
Subject: [PATCH 22/24] [CL-1020] background color updates (#18417)

* Adding new background colors

* add sidenav color variables

* fix admin console text color

* update sidenav logos to use correct fill color

* update nav logo focus ring color
---
 libs/assets/src/svg/svgs/admin-console.ts     |  4 +--
 libs/assets/src/svg/svgs/password-manager.ts  |  4 +--
 libs/assets/src/svg/svgs/provider-portal.ts   |  4 +--
 libs/assets/src/svg/svgs/secrets-manager.ts   |  4 +--
 libs/assets/src/svg/svgs/shield.ts            |  4 +--
 .../src/icon-button/icon-button.component.ts  |  4 +--
 .../src/navigation/nav-group.component.html   |  2 +-
 .../src/navigation/nav-item.component.html    | 16 ++++++------
 .../src/navigation/nav-item.component.ts      |  2 +-
 .../src/navigation/nav-logo.component.html    |  2 +-
 .../src/navigation/side-nav.component.html    | 12 ++++-----
 libs/components/src/tw-theme.css              | 26 +++++++++++++++++++
 libs/components/tailwind.config.base.js       | 15 +++++++----
 13 files changed, 65 insertions(+), 34 deletions(-)

diff --git a/libs/assets/src/svg/svgs/admin-console.ts b/libs/assets/src/svg/svgs/admin-console.ts
index 83c8cf9f0e1..3e8f47ec4a5 100644
--- a/libs/assets/src/svg/svgs/admin-console.ts
+++ b/libs/assets/src/svg/svgs/admin-console.ts
@@ -2,13 +2,13 @@ import { svgIcon } from "../icon-service";
 
 const AdminConsoleLogo = svgIcon`
   <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 200 46">
-    <g class="tw-fill-text-alt2" clip-path="url(#admin-console-logo-clip)">
+    <g class="tw-fill-fg-sidenav-text" clip-path="url(#admin-console-logo-clip)">
       <path d="M47.948 7.444c2.284 0 4.06.867 5.366 2.674 1.305 1.77 1.958 4.191 1.958 7.263 0 3.18-.653 5.637-1.995 7.371-1.341 1.77-3.154 2.602-5.438 2.602s-4.025-.795-5.33-2.457h-.363l-.688 1.698a.67.67 0 0 1-.617.398h-2.9a.649.649 0 0 1-.653-.65V.94c0-.362.29-.65.653-.65h3.915c.363 0 .653.288.653.65v5.564c0 .795-.072 2.06-.218 3.794h.218c1.197-1.879 3.046-2.854 5.439-2.854Zm-1.668 4.228c-1.27 0-2.248.397-2.865 1.192-.58.795-.906 2.132-.906 3.939v.578c0 2.06.29 3.541.906 4.408.617.867 1.596 1.337 2.937 1.337 1.052 0 1.958-.506 2.575-1.517.616-.976.942-2.458.942-4.3 0-1.88-.326-3.289-.943-4.228-.652-.94-1.559-1.41-2.646-1.41ZM63.9 27.029h-3.915a.649.649 0 0 1-.653-.65V8.491c0-.362.29-.65.653-.65h3.916c.362 0 .652.288.652.65v17.85c.037.326-.29.687-.652.687Zm14.322-3.867c.762 0 1.668-.144 2.756-.433a.435.435 0 0 1 .544.433v3c0 .18-.109.325-.254.397-1.233.506-2.792.759-4.532.759-2.103 0-3.626-.506-4.569-1.59-.942-1.048-1.45-2.638-1.45-4.734V11.78H68.65a.418.418 0 0 1-.435-.434V9.648c0-.036.037-.072.037-.108l2.864-1.699 1.414-3.758c.073-.18.218-.289.399-.289h2.61c.254 0 .435.18.435.434v3.65h5.185c.109 0 .218.108.218.216v3.252a.418.418 0 0 1-.435.434H76.01v9.178c0 .723.217 1.301.616 1.626.363.398.943.578 1.595.578Zm24.401 3.867c-.507 0-.906-.325-1.124-.795l-3.843-11.672c-.254-.83-.58-2.095-1.015-3.722h-.109l-.362 1.301-.762 2.457-3.952 11.672c-.145.47-.58.759-1.088.759a1.12 1.12 0 0 1-1.087-.831L84.459 9.395c-.145-.506.253-1.048.834-1.048h.108c.363 0 .69.253.798.614l2.828 10.227c.689 2.674 1.16 4.625 1.378 5.926h.108c.653-2.674 1.16-4.445 1.487-5.348L95.662 9.07c.145-.434.544-.723 1.051-.723.472 0 .87.29 1.016.723l3.408 10.623c.834 2.71 1.341 4.445 1.523 5.348h.108c.109-.722.544-2.746 1.378-5.998l2.72-10.082a.848.848 0 0 1 .797-.614c.544 0 .943.506.798 1.048l-4.569 16.803c-.145.506-.58.83-1.124.83h-.145Zm21.537 0a.663.663 0 0 1-.652-.578l-.327-2.385H123c-.943 1.192-1.885 2.06-2.901 2.565-.979.506-2.175.723-3.517.723-1.849 0-3.263-.47-4.278-1.41-.906-.83-1.414-1.95-1.486-3.36-.145-1.879.652-3.686 2.175-4.733 1.559-1.012 3.734-1.627 6.671-1.627l3.554-.108v-1.229c0-1.806-.363-3.107-1.124-4.01-.762-.904-1.886-1.337-3.481-1.337-1.523 0-3.046.36-4.641 1.12-.399.18-.87 0-1.052-.398-.181-.397 0-.867.399-1.011 1.813-.723 3.59-1.12 5.403-1.12 2.066 0 3.589.541 4.641 1.625 1.015 1.048 1.522 2.747 1.522 4.95v11.745c-.036.216-.362.578-.725.578Zm-7.505-1.229c2.03 0 3.589-.578 4.713-1.698 1.161-1.12 1.741-2.746 1.741-4.734v-1.806l-3.263.144c-2.647.108-4.496.542-5.657 1.229-1.124.686-1.704 1.806-1.704 3.252 0 1.156.363 2.096 1.052 2.746.797.542 1.813.867 3.118.867Zm21.464-17.814c.544 0 1.088.036 1.704.108a.815.815 0 0 1 .689.94c-.072.433-.507.686-.942.614-.544-.072-1.088-.145-1.632-.145-1.595 0-2.901.687-3.916 2.024-1.015 1.337-1.523 3.072-1.523 5.095v9.467c0 .47-.362.831-.834.831a.819.819 0 0 1-.833-.83V9.105c0-.398.326-.723.725-.723.398 0 .725.29.725.687l.145 2.674h.109c.761-1.373 1.595-2.349 2.465-2.891.834-.578 1.885-.867 3.118-.867Zm12.763 0c1.341 0 2.538.253 3.517.722 1.015.47 1.885 1.338 2.646 2.53h.109a86.156 86.156 0 0 1-.109-4.228V1.12a.82.82 0 0 1 .834-.83c.472 0 .834.36.834.83v25.258a.571.571 0 0 1-.58.579.588.588 0 0 1-.58-.543l-.363-2.348h-.145c-1.414 2.132-3.48 3.18-6.127 3.18-2.611 0-4.532-.795-5.946-2.421-1.342-1.627-2.067-3.94-2.067-7.01 0-3.217.653-5.674 2.031-7.408 1.377-1.554 3.335-2.421 5.946-2.421Zm0 1.554c-2.067 0-3.59.722-4.641 2.168-1.015 1.409-1.523 3.469-1.523 6.215 0 5.276 2.067 7.913 6.2 7.913 2.139 0 3.662-.614 4.641-1.842 1.015-1.23 1.486-3.253 1.486-6.071v-.29c0-2.89-.471-4.95-1.486-6.178-.943-1.301-2.502-1.915-4.677-1.915ZM172.6 27.354c-2.719 0-4.822-.831-6.381-2.53-1.523-1.662-2.285-4.01-2.285-7.01 0-2.999.725-5.384 2.212-7.154 1.487-1.807 3.444-2.71 5.946-2.71 2.176 0 3.952.758 5.185 2.276 1.305 1.518 1.922 3.614 1.922 6.251v1.374h-13.488c.036 2.565.616 4.516 1.813 5.89 1.196 1.373 2.864 1.987 5.076 1.987 1.051 0 2.03-.072 2.828-.217a14.66 14.66 0 0 0 2.103-.578c.471-.18.979.18.979.687a.74.74 0 0 1-.472.686 12.46 12.46 0 0 1-2.465.723c-.907.253-1.885.325-2.973.325Zm-.508-17.85c-1.813 0-3.263.578-4.351 1.77-1.087 1.156-1.704 2.89-1.921 5.095h11.602c0-2.132-.471-3.866-1.414-5.059-.943-1.192-2.248-1.807-3.916-1.807Zm26.25 17.525a.819.819 0 0 1-.833-.831v-11.31c0-1.88-.399-3.253-1.161-4.084-.834-.83-2.03-1.3-3.698-1.3-2.248 0-3.879.542-4.895 1.698-1.015 1.12-1.595 2.963-1.595 5.456v9.467a.82.82 0 0 1-.834.832.82.82 0 0 1-.834-.832V9.107c0-.434.326-.759.762-.759.398 0 .688.29.761.65l.218 1.88h.108c1.233-1.952 3.372-2.927 6.49-2.927 4.242 0 6.382 2.276 6.382 6.83v11.345c-.037.506-.435.904-.871.904ZM61.979 0c-1.704 0-3.082 1.3-3.082 2.927v.289c0 1.59 1.414 2.927 3.082 2.927s3.082-1.337 3.082-2.927v-.253C65.061 1.301 63.647 0 61.979 0Z" clip-rule="evenodd"/>
       <path d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.255 9.255 0 0 1-.677 3.442 12.83 12.83 0 0 1-1.68 3.029 18.707 18.707 0 0 1-2.386 2.574 27.775 27.775 0 0 1-2.56 2.079 32.22 32.22 0 0 1-2.448 1.565c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.86 22.86 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.21 32.21 0 0 1-2.448-1.564 27.763 27.763 0 0 1-2.56-2.08 18.705 18.705 0 0 1-2.386-2.573 12.83 12.83 0 0 1-1.68-3.029A9.255 9.255 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642c.257-.256.56-.384.91-.384H24.6c.35 0 .654.128.91.384s.384.559.384.909ZM92.66 45.44l3.974-10.782h1.37l3.959 10.782h-1.371l-.986-2.773h-4.59l-1 2.773H92.66Zm2.742-3.82h3.82l-1.91-5.33-1.91 5.33Zm11.131 4.004c-.76 0-1.427-.174-2.002-.523a3.634 3.634 0 0 1-1.325-1.433c-.308-.606-.462-1.294-.462-2.064s.159-1.453.478-2.048a3.523 3.523 0 0 1 1.324-1.417c.565-.35 1.232-.524 2.002-.524.627 0 1.181.129 1.664.385a2.78 2.78 0 0 1 1.124 1.078V34.35h1.294v11.09h-1.171l-.123-1.264c-.246.37-.6.704-1.063 1.002-.462.297-1.042.446-1.74.446Zm.139-1.124c.513 0 .965-.118 1.355-.354.4-.247.709-.586.924-1.017.226-.431.339-.934.339-1.51 0-.574-.113-1.077-.339-1.509a2.356 2.356 0 0 0-.924-1c-.39-.247-.842-.37-1.355-.37-.503 0-.955.123-1.356.37-.39.235-.698.57-.924 1-.215.432-.323.935-.323 1.51s.108 1.078.323 1.51c.226.43.534.77.924 1.016.401.236.853.354 1.356.354Zm6.067.94V37.8h1.171l.092 1.109a2.59 2.59 0 0 1 .986-.955c.41-.226.872-.339 1.386-.339.606 0 1.124.123 1.555.37.442.246.781.621 1.017 1.124a2.943 2.943 0 0 1 1.094-1.093c.472-.267.98-.4 1.524-.4.914 0 1.643.276 2.187.83.545.545.817 1.387.817 2.527v4.467h-1.279v-4.328c0-.791-.159-1.387-.477-1.787-.318-.4-.775-.6-1.371-.6-.616 0-1.129.24-1.54.723-.4.472-.601 1.15-.601 2.033v3.959h-1.293v-4.328c0-.791-.16-1.387-.478-1.787-.318-.4-.775-.6-1.371-.6-.606 0-1.114.24-1.525.723-.4.472-.6 1.15-.6 2.033v3.959h-1.294Zm14.563-9.334a.908.908 0 0 1-.647-.247.909.909 0 0 1-.246-.647c0-.246.082-.451.246-.616a.908.908 0 0 1 .647-.246.89.89 0 0 1 .632.246c.174.165.261.37.261.617a.88.88 0 0 1-.261.646.89.89 0 0 1-.632.247Zm-.647 9.334V37.8h1.294v7.64h-1.294Zm3.547 0V37.8h1.17l.077 1.37a2.779 2.779 0 0 1 1.063-1.139 2.994 2.994 0 0 1 1.571-.416c.904 0 1.622.277 2.156.832.545.544.817 1.386.817 2.526v4.467h-1.294v-4.328c0-1.592-.657-2.388-1.972-2.388-.657 0-1.206.242-1.648.724-.431.472-.647 1.15-.647 2.033v3.959h-1.293Zm17.695.184c-1.057 0-1.971-.23-2.741-.693a4.804 4.804 0 0 1-1.771-1.956c-.421-.842-.632-1.817-.632-2.926 0-1.099.211-2.064.632-2.896.421-.842 1.011-1.499 1.771-1.971.77-.473 1.684-.709 2.741-.709 1.233 0 2.234.298 3.004.894.78.585 1.278 1.406 1.494 2.464h-1.433c-.164-.668-.503-1.202-1.016-1.602-.503-.41-1.186-.616-2.049-.616-.77 0-1.442.18-2.017.539-.575.35-1.022.857-1.34 1.525-.308.657-.462 1.448-.462 2.372 0 .924.154 1.72.462 2.387.318.657.765 1.166 1.34 1.525.575.349 1.247.523 2.017.523.863 0 1.546-.195 2.049-.585.513-.4.852-.929 1.016-1.586h1.433c-.216 1.037-.714 1.848-1.494 2.433-.77.586-1.771.878-3.004.878Zm9.761 0c-.719 0-1.366-.164-1.941-.493a3.62 3.62 0 0 1-1.37-1.386c-.329-.606-.493-1.314-.493-2.125 0-.811.169-1.515.508-2.11a3.602 3.602 0 0 1 1.371-1.402 3.924 3.924 0 0 1 1.956-.493c.719 0 1.366.164 1.941.493a3.497 3.497 0 0 1 1.355 1.402c.339.595.508 1.299.508 2.11 0 .81-.169 1.52-.508 2.125a3.598 3.598 0 0 1-1.386 1.386c-.575.329-1.222.493-1.941.493Zm0-1.109a2.46 2.46 0 0 0 1.232-.323c.38-.216.688-.54.924-.97.237-.432.355-.966.355-1.602 0-.637-.118-1.17-.355-1.602-.226-.431-.528-.755-.908-.97a2.428 2.428 0 0 0-1.217-.324 2.45 2.45 0 0 0-1.232.324c-.38.215-.688.539-.924.97-.237.431-.355.965-.355 1.602 0 .636.118 1.17.355 1.602.236.43.539.754.908.97.38.215.786.323 1.217.323Zm5.634.925V37.8h1.171l.077 1.37a2.77 2.77 0 0 1 1.062-1.139 2.994 2.994 0 0 1 1.571-.416c.904 0 1.623.277 2.157.832.544.544.816 1.386.816 2.526v4.467h-1.294v-4.328c0-1.592-.657-2.388-1.971-2.388-.657 0-1.207.242-1.648.724-.431.472-.647 1.15-.647 2.033v3.959h-1.294Zm11.741.184c-.914 0-1.674-.23-2.28-.693-.606-.462-.96-1.088-1.063-1.879h1.325c.082.4.293.75.631 1.047.35.288.817.432 1.402.432.544 0 .945-.113 1.201-.34.257-.235.385-.513.385-.83 0-.463-.169-.77-.508-.925-.328-.154-.796-.293-1.401-.416a7.95 7.95 0 0 1-1.233-.354 2.866 2.866 0 0 1-1.032-.647c-.277-.287-.415-.662-.415-1.124 0-.668.246-1.212.739-1.633.503-.431 1.181-.647 2.033-.647.811 0 1.473.206 1.987.616.524.4.826.976.909 1.725h-1.279c-.051-.39-.221-.693-.508-.908-.277-.226-.652-.34-1.124-.34-.462 0-.822.098-1.079.293a.935.935 0 0 0-.369.77c0 .309.159.55.477.724.329.175.77.324 1.325.447.472.103.919.231 1.34.385.431.144.78.365 1.047.662.277.288.416.709.416 1.263.01.688-.252 1.258-.786 1.71-.523.441-1.237.662-2.14.662Zm8.255 0c-.719 0-1.366-.164-1.941-.493a3.627 3.627 0 0 1-1.37-1.386c-.329-.606-.493-1.314-.493-2.125 0-.811.169-1.515.508-2.11a3.602 3.602 0 0 1 1.371-1.402 3.924 3.924 0 0 1 1.956-.493c.719 0 1.366.164 1.941.493a3.497 3.497 0 0 1 1.355 1.402c.339.595.508 1.299.508 2.11 0 .81-.169 1.52-.508 2.125a3.598 3.598 0 0 1-1.386 1.386c-.575.329-1.222.493-1.941.493Zm0-1.109a2.46 2.46 0 0 0 1.232-.323c.38-.216.688-.54.924-.97.237-.432.355-.966.355-1.602 0-.637-.118-1.17-.355-1.602a2.307 2.307 0 0 0-.908-.97 2.428 2.428 0 0 0-1.217-.324 2.45 2.45 0 0 0-1.232.324c-.38.215-.688.539-.924.97-.237.431-.355.965-.355 1.602 0 .636.118 1.17.355 1.602.236.43.539.754.908.97.38.215.786.323 1.217.323Zm5.634.925V34.35h1.294v11.09h-1.294Zm6.849.184c-.729 0-1.376-.164-1.941-.493a3.673 3.673 0 0 1-1.34-1.401c-.318-.596-.477-1.3-.477-2.11 0-.801.159-1.5.477-2.095a3.427 3.427 0 0 1 1.325-1.401c.575-.34 1.237-.509 1.987-.509.739 0 1.376.17 1.91.508.544.33.96.766 1.247 1.31a3.697 3.697 0 0 1 .416 2.094v.385h-6.084c.031.586.165 1.073.401 1.464a2.5 2.5 0 0 0 .909.862 2.47 2.47 0 0 0 1.17.293c.534 0 .981-.123 1.34-.37a2.12 2.12 0 0 0 .786-1.001h1.278a3.47 3.47 0 0 1-1.186 1.771c-.575.462-1.314.693-2.218.693Zm0-6.915c-.616 0-1.165.19-1.648.57-.472.37-.744.913-.816 1.632h4.805c-.031-.688-.267-1.227-.708-1.617-.442-.39-.986-.585-1.633-.585Z"/>
     </g>
     <defs>
       <clipPath id="admin-console-logo-clip">
-        <path d="M0 0h200v46H0z" class="tw-fill-text-alt2"/>
+        <path d="M0 0h200v46H0z" class="tw-fill-fg-sidenav-text" />
       </clipPath>
     </defs>
   </svg> 
diff --git a/libs/assets/src/svg/svgs/password-manager.ts b/libs/assets/src/svg/svgs/password-manager.ts
index 17b6f148be3..5b19562e022 100644
--- a/libs/assets/src/svg/svgs/password-manager.ts
+++ b/libs/assets/src/svg/svgs/password-manager.ts
@@ -2,13 +2,13 @@ import { svgIcon } from "../icon-service";
 
 const PasswordManagerLogo = svgIcon`
   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 49" fill="none">
-    <g class="tw-fill-text-alt2" clip-path="url(#password-manager-logo-clip)">
+    <g class="tw-fill-fg-sidenav-text" clip-path="url(#password-manager-logo-clip)">
       <path fill-rule="evenodd" d="M47.948 7.444c2.284 0 4.06.867 5.366 2.674 1.305 1.77 1.958 4.191 1.958 7.263 0 3.18-.653 5.637-1.995 7.371-1.341 1.77-3.154 2.602-5.438 2.602s-4.025-.795-5.33-2.457h-.363l-.688 1.698a.67.67 0 0 1-.617.398h-2.9a.649.649 0 0 1-.653-.65V.94c0-.362.29-.65.653-.65h3.915c.363 0 .653.288.653.65v5.564c0 .795-.072 2.06-.218 3.794h.218c1.197-1.879 3.046-2.854 5.439-2.854Zm-1.668 4.228c-1.27 0-2.248.397-2.865 1.192-.58.795-.906 2.132-.906 3.939v.578c0 2.06.29 3.541.906 4.408.617.867 1.596 1.337 2.937 1.337 1.052 0 1.958-.506 2.575-1.517.616-.976.942-2.458.942-4.3 0-1.88-.326-3.289-.943-4.228-.652-.94-1.559-1.41-2.646-1.41ZM63.9 27.029h-3.915a.649.649 0 0 1-.653-.65V8.491c0-.362.29-.65.653-.65h3.916c.362 0 .652.288.652.65v17.85c.037.326-.29.687-.652.687Zm14.322-3.867c.762 0 1.668-.144 2.756-.433a.435.435 0 0 1 .544.433v3c0 .18-.109.325-.254.397-1.233.506-2.792.759-4.532.759-2.103 0-3.626-.506-4.569-1.59-.942-1.048-1.45-2.638-1.45-4.734V11.78H68.65a.418.418 0 0 1-.435-.434V9.648c0-.036.037-.072.037-.108l2.864-1.699 1.414-3.758c.073-.18.218-.289.399-.289h2.61c.254 0 .435.18.435.434v3.65h5.185c.109 0 .218.108.218.216v3.252a.418.418 0 0 1-.435.434H76.01v9.178c0 .723.217 1.301.616 1.626.363.398.943.578 1.595.578Zm24.401 3.867c-.507 0-.906-.325-1.124-.795l-3.843-11.672c-.254-.83-.58-2.095-1.015-3.722h-.109l-.362 1.301-.762 2.457-3.952 11.672c-.145.47-.58.759-1.088.759a1.12 1.12 0 0 1-1.087-.831L84.459 9.395c-.145-.506.253-1.048.834-1.048h.108c.363 0 .69.253.798.614l2.828 10.227c.689 2.674 1.16 4.625 1.378 5.926h.108c.653-2.674 1.16-4.445 1.487-5.348L95.662 9.07c.145-.434.544-.723 1.051-.723.472 0 .87.29 1.016.723l3.408 10.623c.834 2.71 1.341 4.445 1.523 5.348h.108c.109-.722.544-2.746 1.378-5.998l2.72-10.082a.848.848 0 0 1 .797-.614c.544 0 .943.506.798 1.048l-4.569 16.803c-.145.506-.58.83-1.124.83h-.145Zm21.537 0a.663.663 0 0 1-.652-.578l-.327-2.385H123c-.943 1.192-1.885 2.06-2.901 2.565-.979.506-2.175.723-3.517.723-1.849 0-3.263-.47-4.278-1.41-.906-.83-1.414-1.95-1.486-3.36-.145-1.879.652-3.686 2.175-4.733 1.559-1.012 3.734-1.627 6.671-1.627l3.554-.108v-1.229c0-1.806-.363-3.107-1.124-4.01-.762-.904-1.886-1.337-3.481-1.337-1.523 0-3.046.36-4.641 1.12-.399.18-.87 0-1.052-.398-.181-.397 0-.867.399-1.011 1.813-.723 3.59-1.12 5.403-1.12 2.066 0 3.589.541 4.641 1.625 1.015 1.048 1.522 2.747 1.522 4.95v11.745c-.036.216-.362.578-.725.578Zm-7.505-1.229c2.03 0 3.589-.578 4.713-1.698 1.161-1.12 1.741-2.746 1.741-4.734v-1.806l-3.263.144c-2.647.108-4.496.542-5.657 1.229-1.124.686-1.704 1.806-1.704 3.252 0 1.156.363 2.096 1.052 2.746.797.542 1.813.867 3.118.867Zm21.464-17.814c.544 0 1.088.036 1.704.108a.815.815 0 0 1 .689.94c-.072.433-.507.686-.942.614-.544-.072-1.088-.145-1.632-.145-1.595 0-2.901.687-3.916 2.024-1.015 1.337-1.523 3.072-1.523 5.095v9.467c0 .47-.362.831-.834.831a.819.819 0 0 1-.833-.83V9.105c0-.398.326-.723.725-.723.398 0 .725.29.725.687l.145 2.674h.109c.761-1.373 1.595-2.349 2.465-2.891.834-.578 1.885-.867 3.118-.867Zm12.763 0c1.341 0 2.538.253 3.517.722 1.015.47 1.885 1.338 2.646 2.53h.109a86.156 86.156 0 0 1-.109-4.228V1.12a.82.82 0 0 1 .834-.83c.472 0 .834.36.834.83v25.258a.571.571 0 0 1-.58.579.588.588 0 0 1-.58-.543l-.363-2.348h-.145c-1.414 2.132-3.48 3.18-6.127 3.18-2.611 0-4.532-.795-5.946-2.421-1.342-1.627-2.067-3.94-2.067-7.01 0-3.217.653-5.674 2.031-7.408 1.377-1.554 3.335-2.421 5.946-2.421Zm0 1.554c-2.067 0-3.59.722-4.641 2.168-1.015 1.409-1.523 3.469-1.523 6.215 0 5.276 2.067 7.913 6.2 7.913 2.139 0 3.662-.614 4.641-1.842 1.015-1.23 1.486-3.253 1.486-6.071v-.29c0-2.89-.471-4.95-1.486-6.178-.943-1.301-2.502-1.915-4.677-1.915ZM172.6 27.354c-2.719 0-4.822-.831-6.381-2.53-1.523-1.662-2.285-4.01-2.285-7.01 0-2.999.725-5.384 2.212-7.154 1.487-1.807 3.444-2.71 5.946-2.71 2.176 0 3.952.758 5.185 2.276 1.305 1.518 1.922 3.614 1.922 6.251v1.374h-13.488c.036 2.565.616 4.516 1.813 5.89 1.196 1.373 2.864 1.987 5.076 1.987 1.051 0 2.03-.072 2.828-.217.58-.108 1.269-.289 2.103-.578.471-.18.979.18.979.687 0 .289-.182.578-.472.686-.87.361-1.704.578-2.465.723-.907.253-1.885.325-2.973.325Zm-.508-17.85c-1.813 0-3.263.578-4.351 1.77-1.087 1.156-1.704 2.89-1.921 5.095h11.602c0-2.132-.471-3.866-1.414-5.059-.943-1.192-2.248-1.807-3.916-1.807Zm26.25 17.525a.819.819 0 0 1-.833-.831v-11.31c0-1.88-.399-3.253-1.161-4.084-.834-.83-2.03-1.3-3.698-1.3-2.248 0-3.879.542-4.895 1.698-1.015 1.12-1.595 2.963-1.595 5.456v9.467a.82.82 0 0 1-.834.832.82.82 0 0 1-.834-.832V9.107c0-.434.326-.759.762-.759.398 0 .688.29.761.65l.218 1.88h.108c1.233-1.952 3.372-2.927 6.49-2.927 4.242 0 6.382 2.276 6.382 6.83v11.345c-.037.506-.435.904-.871.904ZM61.979 0c-1.704 0-3.082 1.3-3.082 2.927v.289c0 1.59 1.414 2.927 3.082 2.927s3.082-1.337 3.082-2.927v-.253C65.061 1.301 63.647 0 61.979 0Z" clip-rule="evenodd"/>
       <path d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.255 9.255 0 0 1-.677 3.442 12.83 12.83 0 0 1-1.68 3.029 18.707 18.707 0 0 1-2.386 2.574 27.775 27.775 0 0 1-2.56 2.079 32.22 32.22 0 0 1-2.448 1.565c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.86 22.86 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.21 32.21 0 0 1-2.448-1.564 27.763 27.763 0 0 1-2.56-2.08 18.705 18.705 0 0 1-2.386-2.573 12.83 12.83 0 0 1-1.68-3.029A9.255 9.255 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642c.257-.256.56-.384.91-.384H24.6c.35 0 .654.128.91.384s.384.559.384.909ZM195.312 44.882v-7.738h1.118l.089 1.412c.176-.353.407-.647.691-.883a2.845 2.845 0 0 1 1.03-.53 5.031 5.031 0 0 1 1.383-.176v1.295h-.765c-.295 0-.579.039-.854.117a2.184 2.184 0 0 0-.75.383 1.82 1.82 0 0 0-.515.72c-.127.305-.191.687-.191 1.148v4.252h-1.236ZM190.187 45.058c-.687 0-1.295-.166-1.824-.5-.53-.333-.947-.804-1.251-1.412-.294-.608-.441-1.32-.441-2.133 0-.814.147-1.525.441-2.133.304-.608.721-1.08 1.251-1.413.539-.333 1.157-.5 1.853-.5.746 0 1.368.167 1.869.5.5.334.877.78 1.132 1.34.255.558.383 1.171.383 1.838v.294c0 .098-.005.216-.015.353h-5.987v-.956h4.795c-.019-.755-.24-1.329-.662-1.721-.411-.402-.926-.603-1.544-.603a2.214 2.214 0 0 0-1.986 1.192c-.216.392-.324.882-.324 1.47v.412c0 .648.108 1.192.324 1.633.216.432.495.755.838.971.353.216.736.324 1.148.324.549 0 .981-.103 1.294-.31.314-.215.545-.519.692-.911h1.221a2.97 2.97 0 0 1-.618 1.162 2.929 2.929 0 0 1-1.089.81c-.431.195-.931.293-1.5.293ZM181.836 48.295c-.697 0-1.31-.088-1.839-.265-.52-.167-.927-.427-1.221-.78-.285-.353-.427-.79-.427-1.309 0-.245.044-.5.132-.765.099-.265.26-.52.486-.765.235-.245.564-.466.986-.662l.941.5c-.559.216-.922.466-1.089.75-.166.285-.25.56-.25.824 0 .324.094.594.28.81.196.215.466.377.809.485.343.108.74.162 1.192.162.441 0 .819-.059 1.132-.177.324-.108.569-.27.736-.485.177-.206.265-.451.265-.736 0-.412-.133-.735-.397-.97-.265-.226-.78-.359-1.545-.398a14.992 14.992 0 0 1-1.501-.162 6.92 6.92 0 0 1-1-.235 3.296 3.296 0 0 1-.647-.324 4.326 4.326 0 0 1-.456-.368v-.338l1.456-1.398 1.162.383-1.589 1.31.192-.56c.108.079.211.152.309.22.098.07.23.133.397.192.176.05.417.098.721.147.314.05.725.093 1.235.133.707.049 1.27.166 1.692.353.422.186.726.446.912.78.187.323.28.72.28 1.191 0 .412-.118.804-.353 1.177-.226.373-.589.677-1.089.912-.49.245-1.128.368-1.912.368Zm-.015-5.826c-.628 0-1.162-.117-1.604-.353a2.505 2.505 0 0 1-.985-.986 2.942 2.942 0 0 1-.339-1.412c0-.52.113-.986.339-1.397.235-.412.569-.74 1-.986.441-.245.971-.368 1.589-.368.637 0 1.172.123 1.603.368.432.245.761.574.986.986.226.412.338.877.338 1.397s-.112.99-.338 1.412a2.5 2.5 0 0 1-.986.986c-.431.236-.966.353-1.603.353Zm0-1.015c.549 0 .976-.142 1.28-.426.304-.295.456-.731.456-1.31 0-.579-.152-1.01-.456-1.294-.304-.285-.731-.427-1.28-.427-.52 0-.946.142-1.28.427-.324.284-.485.715-.485 1.294 0 .579.157 1.015.47 1.31.324.284.756.426 1.295.426Zm1.295-3.266-.368-1.044h3.03v.927l-2.662.117ZM173.115 45.058c-.588 0-1.079-.108-1.471-.323a2.247 2.247 0 0 1-.883-.883 2.523 2.523 0 0 1-.294-1.192c0-.51.128-.941.383-1.294.264-.363.632-.638 1.103-.824.471-.186 1.02-.28 1.648-.28h1.927c0-.5-.059-.916-.177-1.25-.118-.333-.309-.584-.574-.75-.264-.167-.617-.25-1.059-.25-.441 0-.819.112-1.133.338-.313.216-.51.54-.588.971h-1.265c.059-.51.23-.937.515-1.28a2.63 2.63 0 0 1 1.074-.794c.441-.187.907-.28 1.397-.28.697 0 1.27.128 1.721.383.452.245.785.593 1.001 1.044.216.442.323.966.323 1.574v4.914h-1.103l-.073-1.324a2.782 2.782 0 0 1-.383.588 2.46 2.46 0 0 1-.53.471 2.575 2.575 0 0 1-.706.324 2.89 2.89 0 0 1-.853.117Zm.177-1.044c.323 0 .622-.074.897-.22a2.26 2.26 0 0 0 .706-.59c.206-.254.363-.539.471-.852.108-.314.162-.643.162-.986v-.147h-1.824c-.461 0-.839.059-1.133.176-.285.118-.491.285-.618.5a1.309 1.309 0 0 0-.191.707c0 .284.058.534.176.75.118.206.289.368.515.485.235.118.515.177.839.177ZM162.197 44.882v-7.738h1.118l.059 1.22c.226-.44.55-.784.971-1.03.432-.244.927-.367 1.486-.367.569 0 1.064.108 1.486.324.422.216.75.544.986.986.235.44.353 1 .353 1.677v4.928h-1.236v-4.796c0-.687-.172-1.201-.515-1.545-.333-.343-.785-.515-1.353-.515-.383 0-.736.094-1.06.28a1.964 1.964 0 0 0-.779.794c-.187.353-.28.785-.28 1.295v4.487h-1.236ZM156.507 45.058c-.588 0-1.078-.108-1.471-.323a2.245 2.245 0 0 1-.882-.883 2.513 2.513 0 0 1-.295-1.192c0-.51.128-.941.383-1.294.265-.363.632-.638 1.103-.824.471-.186 1.02-.28 1.648-.28h1.927c0-.5-.059-.916-.177-1.25a1.397 1.397 0 0 0-.573-.75c-.265-.167-.618-.25-1.059-.25-.442 0-.819.112-1.133.338-.314.216-.51.54-.589.971h-1.265c.059-.51.231-.937.515-1.28a2.63 2.63 0 0 1 1.074-.794c.441-.187.907-.28 1.398-.28.696 0 1.27.128 1.721.383a2.29 2.29 0 0 1 1 1.044c.216.442.324.966.324 1.574v4.914h-1.104l-.073-1.324a2.743 2.743 0 0 1-.383.588 2.455 2.455 0 0 1-.529.471 2.603 2.603 0 0 1-.706.324c-.255.078-.54.117-.854.117Zm.177-1.044c.324 0 .623-.074.897-.22a2.26 2.26 0 0 0 .706-.59c.206-.254.363-.539.471-.852.108-.314.162-.643.162-.986v-.147h-1.824c-.461 0-.839.059-1.133.176-.284.118-.49.285-.618.5a1.318 1.318 0 0 0-.191.707c0 .284.059.534.176.75.118.206.29.368.515.485.236.118.515.177.839.177ZM142.043 44.882V34.584h1.442l3.501 7.253 3.472-7.253h1.457v10.298h-1.236v-8.077l-3.237 6.724h-.927l-3.236-6.665v8.018h-1.236ZM132.059 45.059c-.686 0-1.294-.177-1.824-.53a3.562 3.562 0 0 1-1.236-1.442c-.294-.618-.441-1.314-.441-2.089 0-.784.147-1.476.441-2.074a3.456 3.456 0 0 1 1.236-1.427c.53-.353 1.143-.53 1.839-.53.608 0 1.128.123 1.56.368.441.245.789.588 1.044 1.03V34.29h1.236v10.592h-1.118l-.103-1.236a2.948 2.948 0 0 1-.589.692 2.803 2.803 0 0 1-.868.53c-.333.127-.725.19-1.177.19Zm.162-1.074c.491 0 .917-.118 1.28-.353.363-.246.643-.589.839-1.03.196-.451.294-.981.294-1.59 0-.607-.098-1.132-.294-1.573-.196-.451-.476-.795-.839-1.03-.363-.245-.789-.368-1.28-.368-.461 0-.873.123-1.236.368-.362.235-.647.579-.853 1.03-.206.441-.309.966-.309 1.574 0 .608.103 1.138.309 1.589.206.441.491.784.853 1.03.363.235.775.353 1.236.353ZM123.408 44.882v-7.738h1.118l.088 1.412a2.69 2.69 0 0 1 .692-.883 2.84 2.84 0 0 1 1.029-.53 5.031 5.031 0 0 1 1.383-.176v1.295h-.765c-.294 0-.578.039-.853.117a2.166 2.166 0 0 0-.75.383 1.81 1.81 0 0 0-.515.72c-.128.305-.191.687-.191 1.148v4.252h-1.236ZM117.955 45.058c-.716 0-1.349-.166-1.898-.5a3.377 3.377 0 0 1-1.28-1.412c-.304-.608-.456-1.32-.456-2.133 0-.824.152-1.535.456-2.133a3.471 3.471 0 0 1 1.295-1.413c.559-.333 1.196-.5 1.912-.5.726 0 1.358.167 1.898.5.549.334.976.805 1.28 1.413.304.598.456 1.309.456 2.133 0 .814-.157 1.525-.471 2.133a3.377 3.377 0 0 1-1.28 1.412c-.549.334-1.187.5-1.912.5Zm0-1.059c.451 0 .858-.108 1.221-.324.363-.225.647-.558.853-1 .216-.451.324-1.005.324-1.662 0-.667-.103-1.221-.309-1.663-.206-.44-.491-.77-.854-.985a2.192 2.192 0 0 0-1.206-.339 2.24 2.24 0 0 0-1.206.339c-.363.215-.652.544-.868.985-.216.442-.324.996-.324 1.663 0 .657.103 1.211.309 1.662.216.442.5.775.853 1 .363.216.765.324 1.207.324ZM104.913 44.882l-2.281-7.738h1.236l1.692 6.164 1.795-6.164h1.397l1.81 6.149 1.677-6.15h1.25l-2.28 7.739h-1.265l-1.883-6.444-1.883 6.444h-1.265ZM98.892 45.058c-.696 0-1.275-.103-1.736-.309-.45-.215-.794-.51-1.03-.882a3.06 3.06 0 0 1-.426-1.324h1.265c.04.265.127.51.265.735.147.216.358.393.632.53.275.137.623.206 1.045.206.333 0 .618-.05.853-.147.236-.108.412-.255.53-.442.127-.186.191-.402.191-.647 0-.323-.074-.574-.221-.75-.137-.186-.343-.324-.618-.412a4.496 4.496 0 0 0-1-.22 6.681 6.681 0 0 1-1.147-.25 2.896 2.896 0 0 1-.854-.427 1.708 1.708 0 0 1-.515-.663 2.304 2.304 0 0 1-.176-.941c0-.422.113-.794.338-1.118.226-.324.545-.574.957-.75.421-.187.916-.28 1.485-.28.834 0 1.491.191 1.972.574.49.382.779.927.868 1.633h-1.221a1.207 1.207 0 0 0-.5-.853c-.285-.206-.663-.31-1.133-.31-.5 0-.878.094-1.133.28a.87.87 0 0 0-.383.736c0 .225.054.431.162.618.118.176.314.328.589.456.274.117.642.206 1.103.264.579.07 1.069.182 1.471.339.402.147.706.377.912.691.216.314.319.74.309 1.28 0 .51-.122.942-.368 1.295a2.222 2.222 0 0 1-1 .809c-.422.186-.917.28-1.486.28ZM91.407 45.058c-.696 0-1.275-.103-1.736-.309-.45-.215-.794-.51-1.03-.882a3.06 3.06 0 0 1-.426-1.324h1.265c.04.265.127.51.265.735.147.216.358.393.632.53.275.137.623.206 1.045.206.333 0 .618-.05.853-.147.236-.108.412-.255.53-.442.127-.186.191-.402.191-.647 0-.323-.073-.574-.22-.75-.138-.186-.344-.324-.618-.412a4.496 4.496 0 0 0-1-.22 6.681 6.681 0 0 1-1.148-.25 2.896 2.896 0 0 1-.854-.427 1.71 1.71 0 0 1-.515-.663 2.304 2.304 0 0 1-.176-.941c0-.422.113-.794.338-1.118.226-.324.545-.574.957-.75.421-.187.916-.28 1.485-.28.834 0 1.491.191 1.972.574.49.382.78.927.868 1.633h-1.221a1.207 1.207 0 0 0-.5-.853c-.285-.206-.663-.31-1.133-.31-.5 0-.878.094-1.133.28a.87.87 0 0 0-.383.736c0 .225.054.431.162.618.118.176.314.328.589.456.274.117.642.206 1.103.264.579.07 1.07.182 1.471.339.402.147.706.377.912.691.216.314.319.74.31 1.28 0 .51-.123.942-.369 1.295a2.228 2.228 0 0 1-1 .809c-.422.186-.917.28-1.486.28ZM82.922 45.058c-.588 0-1.079-.108-1.471-.323a2.246 2.246 0 0 1-.883-.883 2.522 2.522 0 0 1-.294-1.192c0-.51.127-.941.382-1.294.265-.363.633-.638 1.104-.824.47-.186 1.02-.28 1.647-.28h1.928c0-.5-.06-.916-.177-1.25a1.402 1.402 0 0 0-.574-.75c-.264-.167-.618-.25-1.059-.25-.441 0-.819.112-1.133.338-.313.216-.51.54-.588.971h-1.265c.059-.51.23-.937.515-1.28a2.635 2.635 0 0 1 1.074-.794c.441-.187.907-.28 1.397-.28.697 0 1.27.128 1.721.383a2.29 2.29 0 0 1 1 1.044c.217.442.324.966.324 1.574v4.914h-1.103l-.073-1.324a2.74 2.74 0 0 1-.383.588 2.46 2.46 0 0 1-.53.471 2.591 2.591 0 0 1-.706.324c-.255.078-.54.117-.853.117Zm.177-1.044c.323 0 .622-.074.897-.22.275-.148.51-.344.706-.59.206-.254.363-.539.47-.852.109-.314.163-.643.163-.986v-.147H83.51c-.46 0-.838.059-1.132.176-.285.118-.49.285-.618.5a1.314 1.314 0 0 0-.191.707c0 .284.058.534.176.75.118.206.29.368.515.485.235.118.515.177.839.177ZM72.351 44.882V34.584h3.31c.824 0 1.5.137 2.03.412.53.274.922.647 1.177 1.118.255.46.383.986.383 1.574 0 .579-.128 1.103-.383 1.574-.255.47-.647.844-1.176 1.118-.52.275-1.197.412-2.03.412h-2.075v4.09h-1.236Zm1.236-5.134h2.06c.863 0 1.466-.187 1.81-.56.352-.382.529-.882.529-1.5 0-.647-.177-1.152-.53-1.515-.343-.373-.946-.56-1.81-.56h-2.059v4.135Z"/
     </g>
     <defs>
       <clipPath id="password-manager-logo-clip">
-        <path class="tw-fill-text-alt2" d="M0 0h200v48.819H0z"/>
+        <path class="tw-fill-fg-sidenav-text" d="M0 0h200v48.819H0z"/>
       </clipPath>
     </defs>
   </svg>
diff --git a/libs/assets/src/svg/svgs/provider-portal.ts b/libs/assets/src/svg/svgs/provider-portal.ts
index 51c04e1553b..fad2ce6b864 100644
--- a/libs/assets/src/svg/svgs/provider-portal.ts
+++ b/libs/assets/src/svg/svgs/provider-portal.ts
@@ -2,13 +2,13 @@ import { svgIcon } from "../icon-service";
 
 const ProviderPortalLogo = svgIcon`
   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 46" fill="none">
-    <g class="tw-fill-text-alt2" clip-path="url(#provider-portal-logo-clip)">
+    <g class="tw-fill-fg-sidenav-text" clip-path="url(#provider-portal-logo-clip)">
       <path fill-rule="evenodd" d="M47.948 7.444c2.284 0 4.06.867 5.366 2.674 1.305 1.77 1.958 4.191 1.958 7.263 0 3.18-.653 5.637-1.995 7.371-1.341 1.77-3.154 2.602-5.438 2.602s-4.025-.795-5.33-2.457h-.363l-.688 1.698a.67.67 0 0 1-.617.398h-2.9a.649.649 0 0 1-.653-.65V.94c0-.362.29-.65.653-.65h3.915c.363 0 .653.288.653.65v5.564c0 .795-.072 2.06-.218 3.794h.218c1.197-1.879 3.046-2.854 5.439-2.854Zm-1.668 4.228c-1.27 0-2.248.397-2.865 1.192-.58.795-.906 2.132-.906 3.939v.578c0 2.06.29 3.541.906 4.408.617.867 1.596 1.337 2.937 1.337 1.052 0 1.958-.506 2.575-1.517.616-.976.942-2.458.942-4.3 0-1.88-.326-3.289-.943-4.228-.652-.94-1.559-1.41-2.646-1.41ZM63.9 27.029h-3.915a.649.649 0 0 1-.653-.65V8.491c0-.362.29-.65.653-.65h3.916c.362 0 .652.288.652.65v17.85c.037.326-.29.687-.652.687Zm14.322-3.867c.762 0 1.668-.144 2.756-.433a.435.435 0 0 1 .544.433v3c0 .18-.109.325-.254.397-1.233.506-2.792.759-4.532.759-2.103 0-3.626-.506-4.569-1.59-.942-1.048-1.45-2.638-1.45-4.734V11.78H68.65a.418.418 0 0 1-.435-.434V9.648c0-.036.037-.072.037-.108l2.864-1.699 1.414-3.758c.073-.18.218-.289.399-.289h2.61c.254 0 .435.18.435.434v3.65h5.185c.109 0 .218.108.218.216v3.252a.418.418 0 0 1-.435.434H76.01v9.178c0 .723.217 1.301.616 1.626.363.398.943.578 1.595.578Zm24.401 3.867c-.507 0-.906-.325-1.124-.795l-3.843-11.672c-.254-.83-.58-2.095-1.015-3.722h-.109l-.362 1.301-.762 2.457-3.952 11.672c-.145.47-.58.759-1.088.759a1.12 1.12 0 0 1-1.087-.831L84.459 9.395c-.145-.506.253-1.048.834-1.048h.108c.363 0 .69.253.798.614l2.828 10.227c.689 2.674 1.16 4.625 1.378 5.926h.108c.653-2.674 1.16-4.445 1.487-5.348L95.662 9.07c.145-.434.544-.723 1.051-.723.472 0 .87.29 1.016.723l3.408 10.623c.834 2.71 1.341 4.445 1.523 5.348h.108c.109-.722.544-2.746 1.378-5.998l2.72-10.082a.848.848 0 0 1 .797-.614c.544 0 .943.506.798 1.048l-4.569 16.803c-.145.506-.58.83-1.124.83h-.145Zm21.537 0a.663.663 0 0 1-.652-.578l-.327-2.385H123c-.943 1.192-1.885 2.06-2.901 2.565-.979.506-2.175.723-3.517.723-1.849 0-3.263-.47-4.278-1.41-.906-.83-1.414-1.95-1.486-3.36-.145-1.879.652-3.686 2.175-4.733 1.559-1.012 3.734-1.627 6.671-1.627l3.554-.108v-1.229c0-1.806-.363-3.107-1.124-4.01-.762-.904-1.886-1.337-3.481-1.337-1.523 0-3.046.36-4.641 1.12-.399.18-.87 0-1.052-.398-.181-.397 0-.867.399-1.011 1.813-.723 3.59-1.12 5.403-1.12 2.066 0 3.589.541 4.641 1.625 1.015 1.048 1.522 2.747 1.522 4.95v11.745c-.036.216-.362.578-.725.578Zm-7.505-1.229c2.03 0 3.589-.578 4.713-1.698 1.161-1.12 1.741-2.746 1.741-4.734v-1.806l-3.263.144c-2.647.108-4.496.542-5.657 1.229-1.124.686-1.704 1.806-1.704 3.252 0 1.156.363 2.096 1.052 2.746.797.542 1.813.867 3.118.867Zm21.464-17.814c.544 0 1.088.036 1.704.108a.815.815 0 0 1 .689.94c-.072.433-.507.686-.942.614-.544-.072-1.088-.145-1.632-.145-1.595 0-2.901.687-3.916 2.024-1.015 1.337-1.523 3.072-1.523 5.095v9.467c0 .47-.362.831-.834.831a.819.819 0 0 1-.833-.83V9.105c0-.398.326-.723.725-.723.398 0 .725.29.725.687l.145 2.674h.109c.761-1.373 1.595-2.349 2.465-2.891.834-.578 1.885-.867 3.118-.867Zm12.763 0c1.341 0 2.538.253 3.517.722 1.015.47 1.885 1.338 2.646 2.53h.109a86.156 86.156 0 0 1-.109-4.228V1.12a.82.82 0 0 1 .834-.83c.472 0 .834.36.834.83v25.258a.571.571 0 0 1-.58.579.588.588 0 0 1-.58-.543l-.363-2.348h-.145c-1.414 2.132-3.48 3.18-6.127 3.18-2.611 0-4.532-.795-5.946-2.421-1.342-1.627-2.067-3.94-2.067-7.01 0-3.217.653-5.674 2.031-7.408 1.377-1.554 3.335-2.421 5.946-2.421Zm0 1.554c-2.067 0-3.59.722-4.641 2.168-1.015 1.409-1.523 3.469-1.523 6.215 0 5.276 2.067 7.913 6.2 7.913 2.139 0 3.662-.614 4.641-1.842 1.015-1.23 1.486-3.253 1.486-6.071v-.29c0-2.89-.471-4.95-1.486-6.178-.943-1.301-2.502-1.915-4.677-1.915ZM172.6 27.354c-2.719 0-4.822-.831-6.381-2.53-1.523-1.662-2.285-4.01-2.285-7.01 0-2.999.725-5.384 2.212-7.154 1.487-1.807 3.444-2.71 5.946-2.71 2.176 0 3.952.758 5.185 2.276 1.305 1.518 1.922 3.614 1.922 6.251v1.374h-13.488c.036 2.565.616 4.516 1.813 5.89 1.196 1.373 2.864 1.987 5.076 1.987 1.051 0 2.03-.072 2.828-.217.58-.108 1.269-.289 2.103-.578.471-.18.979.18.979.687 0 .289-.182.578-.472.686-.87.361-1.704.578-2.465.723-.907.253-1.885.325-2.973.325Zm-.508-17.85c-1.813 0-3.263.578-4.351 1.77-1.087 1.156-1.704 2.89-1.921 5.095h11.602c0-2.132-.471-3.866-1.414-5.059-.943-1.192-2.248-1.807-3.916-1.807Zm26.25 17.525a.819.819 0 0 1-.833-.831v-11.31c0-1.88-.399-3.253-1.161-4.084-.834-.83-2.03-1.3-3.698-1.3-2.248 0-3.879.542-4.895 1.698-1.015 1.12-1.595 2.963-1.595 5.456v9.467a.82.82 0 0 1-.834.832.82.82 0 0 1-.834-.832V9.107c0-.434.326-.759.762-.759.398 0 .688.29.761.65l.218 1.88h.108c1.233-1.952 3.372-2.927 6.49-2.927 4.242 0 6.382 2.276 6.382 6.83v11.345c-.037.506-.435.904-.871.904ZM61.979 0c-1.704 0-3.082 1.3-3.082 2.927v.289c0 1.59 1.414 2.927 3.082 2.927s3.082-1.337 3.082-2.927v-.253C65.061 1.301 63.647 0 61.979 0Z" clip-rule="evenodd"/>
       <path d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.255 9.255 0 0 1-.677 3.442 12.83 12.83 0 0 1-1.68 3.029 18.707 18.707 0 0 1-2.386 2.574 27.775 27.775 0 0 1-2.56 2.079 32.22 32.22 0 0 1-2.448 1.565c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.86 22.86 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.21 32.21 0 0 1-2.448-1.564 27.763 27.763 0 0 1-2.56-2.08 18.705 18.705 0 0 1-2.386-2.573 12.83 12.83 0 0 1-1.68-3.029A9.255 9.255 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642c.257-.256.56-.384.91-.384H24.6c.35 0 .654.128.91.384s.384.559.384.909ZM97.887 45.44V34.658h3.543c.842 0 1.536.139 2.08.416.544.277.945.652 1.202 1.124.267.473.4 1.007.4 1.603 0 .585-.128 1.114-.385 1.586-.257.473-.657.853-1.202 1.14-.544.278-1.242.416-2.095.416h-2.249v4.499h-1.294Zm1.294-5.591h2.218c.863 0 1.474-.18 1.834-.54.369-.37.554-.873.554-1.51 0-.646-.185-1.15-.554-1.51-.36-.369-.971-.554-1.834-.554h-2.218v4.114ZM106.731 45.44V37.8h1.171l.108 1.463a2.767 2.767 0 0 1 1.078-1.201c.483-.298 1.079-.447 1.787-.447v1.355h-.354c-.452 0-.868.083-1.248.247-.38.154-.683.421-.909.801-.226.38-.339.904-.339 1.571v3.852h-1.294ZM115.523 45.626c-.719 0-1.366-.165-1.941-.493a3.63 3.63 0 0 1-1.371-1.387c-.328-.606-.493-1.315-.493-2.126 0-.811.17-1.515.509-2.11a3.602 3.602 0 0 1 1.371-1.402 3.924 3.924 0 0 1 1.956-.493c.719 0 1.366.164 1.941.493a3.5 3.5 0 0 1 1.356 1.402c.339.595.508 1.299.508 2.11 0 .812-.169 1.52-.508 2.126a3.595 3.595 0 0 1-1.387 1.386c-.575.33-1.222.494-1.941.494Zm0-1.11c.442 0 .853-.108 1.233-.323.38-.216.688-.54.924-.97.236-.432.354-.966.354-1.603s-.118-1.17-.354-1.602c-.226-.431-.529-.755-.909-.97a2.424 2.424 0 0 0-1.217-.324c-.441 0-.852.108-1.232.324-.38.215-.688.539-.925.97-.236.431-.354.965-.354 1.602 0 .637.118 1.17.354 1.602.237.432.54.755.909.97.38.216.786.324 1.217.324ZM122.97 45.44l-2.896-7.64h1.356l2.295 6.393 2.311-6.393h1.325l-2.896 7.64h-1.495ZM129.587 36.105a.907.907 0 0 1-.647-.246.906.906 0 0 1-.247-.647c0-.247.082-.452.247-.617a.906.906 0 0 1 .647-.246c.246 0 .457.082.631.246a.81.81 0 0 1 .262.617.878.878 0 0 1-.262.647.887.887 0 0 1-.631.246Zm-.647 9.336V37.8h1.294v7.64h-1.294ZM135.953 45.626c-.76 0-1.428-.175-2.003-.524a3.643 3.643 0 0 1-1.325-1.433c-.308-.606-.462-1.294-.462-2.064s.159-1.453.478-2.05a3.526 3.526 0 0 1 1.325-1.416c.565-.35 1.232-.524 2.002-.524.627 0 1.181.128 1.664.385.483.257.858.616 1.125 1.078v-4.73h1.294v11.093h-1.171l-.123-1.264c-.247.37-.601.704-1.063 1.002-.462.298-1.043.447-1.741.447Zm.139-1.125c.513 0 .965-.118 1.355-.354a2.46 2.46 0 0 0 .925-1.017c.226-.431.339-.935.339-1.51s-.113-1.078-.339-1.51a2.359 2.359 0 0 0-.925-1c-.39-.247-.842-.37-1.355-.37-.504 0-.955.123-1.356.37-.39.235-.698.57-.924 1-.216.432-.324.935-.324 1.51s.108 1.079.324 1.51c.226.431.534.77.924 1.017.401.236.852.354 1.356.354ZM145.596 45.626c-.73 0-1.377-.165-1.941-.493a3.67 3.67 0 0 1-1.341-1.402c-.318-.596-.477-1.3-.477-2.11 0-.802.159-1.5.477-2.096a3.427 3.427 0 0 1 1.325-1.402c.575-.339 1.238-.508 1.987-.508.74 0 1.377.17 1.911.508.544.329.96.765 1.247 1.31a3.699 3.699 0 0 1 .416 2.095v.385h-6.085c.031.585.165 1.073.401 1.463a2.5 2.5 0 0 0 .909.863c.37.195.76.293 1.171.293.534 0 .98-.123 1.34-.37.359-.246.621-.58.786-1.001H149a3.472 3.472 0 0 1-1.186 1.771c-.575.462-1.315.694-2.218.694Zm0-6.917c-.617 0-1.166.19-1.649.57-.472.37-.744.914-.816 1.632h4.806c-.031-.688-.267-1.227-.708-1.617-.442-.39-.986-.585-1.633-.585ZM150.931 45.44V37.8h1.171l.108 1.463a2.767 2.767 0 0 1 1.078-1.201c.483-.298 1.078-.447 1.787-.447v1.355h-.354c-.452 0-.868.083-1.248.247-.38.154-.683.421-.909.801-.226.38-.339.904-.339 1.571v3.852h-1.294ZM160.681 45.44V34.658h3.544c.842 0 1.535.139 2.079.416.545.277.945.652 1.202 1.124.267.473.4 1.007.4 1.603 0 .585-.128 1.114-.385 1.586-.256.473-.657.853-1.201 1.14-.545.278-1.243.416-2.095.416h-2.25v4.499h-1.294Zm1.294-5.591h2.219c.862 0 1.474-.18 1.833-.54.37-.37.555-.873.555-1.51 0-.646-.185-1.15-.555-1.51-.359-.369-.971-.554-1.833-.554h-2.219v4.114ZM172.556 45.626c-.719 0-1.366-.165-1.941-.493a3.63 3.63 0 0 1-1.371-1.387c-.329-.606-.493-1.315-.493-2.126 0-.811.169-1.515.508-2.11a3.602 3.602 0 0 1 1.371-1.402 3.93 3.93 0 0 1 1.957-.493c.719 0 1.366.164 1.941.493a3.49 3.49 0 0 1 1.355 1.402c.339.595.509 1.299.509 2.11 0 .812-.17 1.52-.509 2.126a3.6 3.6 0 0 1-1.386 1.386c-.575.33-1.222.494-1.941.494Zm0-1.11c.441 0 .852-.108 1.232-.323.38-.216.688-.54.925-.97.236-.432.354-.966.354-1.603s-.118-1.17-.354-1.602c-.226-.431-.529-.755-.909-.97a2.427 2.427 0 0 0-1.217-.324c-.442 0-.853.108-1.233.324-.38.215-.688.539-.924.97-.236.431-.354.965-.354 1.602 0 .637.118 1.17.354 1.602.236.432.539.755.909.97.38.216.785.324 1.217.324ZM178.191 45.44V37.8h1.171l.108 1.463a2.767 2.767 0 0 1 1.078-1.201c.483-.298 1.078-.447 1.787-.447v1.355h-.354c-.452 0-.868.083-1.248.247-.38.154-.683.421-.909.801-.226.38-.339.904-.339 1.571v3.852h-1.294ZM186.807 45.44c-.699 0-1.248-.169-1.649-.508-.4-.339-.6-.95-.6-1.833v-4.206h-1.325V37.8h1.325l.169-1.834h1.125V37.8h2.249v1.093h-2.249V43.1c0 .483.097.811.292.986.196.164.54.246 1.033.246h.801v1.11h-1.171ZM192.287 45.626c-.637 0-1.166-.108-1.587-.324-.421-.216-.734-.503-.94-.863a2.324 2.324 0 0 1-.308-1.17c0-.781.298-1.382.894-1.803.595-.421 1.407-.632 2.434-.632h2.064v-.092c0-.667-.175-1.17-.524-1.51-.349-.349-.816-.523-1.402-.523-.503 0-.939.128-1.309.385-.359.246-.585.61-.678 1.093h-1.325c.052-.554.236-1.021.555-1.401.329-.38.734-.668 1.217-.863a3.893 3.893 0 0 1 1.54-.308c1.068 0 1.87.287 2.404.862.544.565.816 1.32.816 2.265v4.699h-1.155l-.077-1.371a3.072 3.072 0 0 1-.955 1.109c-.411.298-.966.447-1.664.447Zm.2-1.094c.493 0 .914-.129 1.263-.385.36-.257.632-.59.817-1.002.185-.41.277-.842.277-1.294v-.015h-1.956c-.76 0-1.3.133-1.618.4a1.21 1.21 0 0 0-.462.97c0 .401.144.725.431.971.298.237.714.355 1.248.355ZM198.079 45.44V34.35h1.294V45.44h-1.294Z"/>
     </g>
     <defs>
       <clipPath id="provider-portal-logo-clip">
-        <path class="tw-fill-text-alt2" d="M0 0h200v46H0z"/>
+        <path class="tw-fill-fg-sidenav-text" d="M0 0h200v46H0z"/>
       </clipPath>
     </defs>
   </svg>
diff --git a/libs/assets/src/svg/svgs/secrets-manager.ts b/libs/assets/src/svg/svgs/secrets-manager.ts
index 27589e7e2f9..62b54174c55 100644
--- a/libs/assets/src/svg/svgs/secrets-manager.ts
+++ b/libs/assets/src/svg/svgs/secrets-manager.ts
@@ -2,13 +2,13 @@ import { svgIcon } from "../icon-service";
 
 const SecretsManagerLogo = svgIcon`
   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 49" fill="none">
-    <g class="tw-fill-text-alt2" clip-path="url(#secrets-manager-logo-clip)">
+    <g class="tw-fill-fg-sidenav-text" clip-path="url(#secrets-manager-logo-clip)">
       <path fill-rule="evenodd" d="M47.948 7.444c2.284 0 4.06.867 5.366 2.674 1.305 1.77 1.958 4.191 1.958 7.263 0 3.18-.653 5.637-1.995 7.371-1.341 1.77-3.154 2.602-5.438 2.602s-4.025-.795-5.33-2.457h-.363l-.688 1.698a.67.67 0 0 1-.617.398h-2.9a.649.649 0 0 1-.653-.65V.94c0-.362.29-.65.653-.65h3.915c.363 0 .653.288.653.65v5.564c0 .795-.072 2.06-.218 3.794h.218c1.197-1.879 3.046-2.854 5.439-2.854Zm-1.668 4.228c-1.27 0-2.248.397-2.865 1.192-.58.795-.906 2.132-.906 3.939v.578c0 2.06.29 3.541.906 4.408.617.867 1.596 1.337 2.937 1.337 1.052 0 1.958-.506 2.575-1.517.616-.976.942-2.458.942-4.3 0-1.88-.326-3.289-.943-4.228-.652-.94-1.559-1.41-2.646-1.41ZM63.9 27.029h-3.915a.649.649 0 0 1-.653-.65V8.491c0-.362.29-.65.653-.65h3.916c.362 0 .652.288.652.65v17.85c.037.326-.29.687-.652.687Zm14.322-3.867c.762 0 1.668-.144 2.756-.433a.435.435 0 0 1 .544.433v3c0 .18-.109.325-.254.397-1.233.506-2.792.759-4.532.759-2.103 0-3.626-.506-4.569-1.59-.942-1.048-1.45-2.638-1.45-4.734V11.78H68.65a.418.418 0 0 1-.435-.434V9.648c0-.036.037-.072.037-.108l2.864-1.699 1.414-3.758c.073-.18.218-.289.399-.289h2.61c.254 0 .435.18.435.434v3.65h5.185c.109 0 .218.108.218.216v3.252a.418.418 0 0 1-.435.434H76.01v9.178c0 .723.217 1.301.616 1.626.363.398.943.578 1.595.578Zm24.401 3.867c-.507 0-.906-.325-1.124-.795l-3.843-11.672c-.254-.83-.58-2.095-1.015-3.722h-.109l-.362 1.301-.762 2.457-3.952 11.672c-.145.47-.58.759-1.088.759a1.12 1.12 0 0 1-1.087-.831L84.459 9.395c-.145-.506.253-1.048.834-1.048h.108c.363 0 .69.253.798.614l2.828 10.227c.689 2.674 1.16 4.625 1.378 5.926h.108c.653-2.674 1.16-4.445 1.487-5.348L95.662 9.07c.145-.434.544-.723 1.051-.723.472 0 .87.29 1.016.723l3.408 10.623c.834 2.71 1.341 4.445 1.523 5.348h.108c.109-.722.544-2.746 1.378-5.998l2.72-10.082a.848.848 0 0 1 .797-.614c.544 0 .943.506.798 1.048l-4.569 16.803c-.145.506-.58.83-1.124.83h-.145Zm21.537 0a.663.663 0 0 1-.652-.578l-.327-2.385H123c-.943 1.192-1.885 2.06-2.901 2.565-.979.506-2.175.723-3.517.723-1.849 0-3.263-.47-4.278-1.41-.906-.83-1.414-1.95-1.486-3.36-.145-1.879.652-3.686 2.175-4.733 1.559-1.012 3.734-1.627 6.671-1.627l3.554-.108v-1.229c0-1.806-.363-3.107-1.124-4.01-.762-.904-1.886-1.337-3.481-1.337-1.523 0-3.046.36-4.641 1.12-.399.18-.87 0-1.052-.398-.181-.397 0-.867.399-1.011 1.813-.723 3.59-1.12 5.403-1.12 2.066 0 3.589.541 4.641 1.625 1.015 1.048 1.522 2.747 1.522 4.95v11.745c-.036.216-.362.578-.725.578Zm-7.505-1.229c2.03 0 3.589-.578 4.713-1.698 1.161-1.12 1.741-2.746 1.741-4.734v-1.806l-3.263.144c-2.647.108-4.496.542-5.657 1.229-1.124.686-1.704 1.806-1.704 3.252 0 1.156.363 2.096 1.052 2.746.797.542 1.813.867 3.118.867Zm21.464-17.814c.544 0 1.088.036 1.704.108a.815.815 0 0 1 .689.94c-.072.433-.507.686-.942.614-.544-.072-1.088-.145-1.632-.145-1.595 0-2.901.687-3.916 2.024-1.015 1.337-1.523 3.072-1.523 5.095v9.467c0 .47-.362.831-.834.831a.819.819 0 0 1-.833-.83V9.105c0-.398.326-.723.725-.723.398 0 .725.29.725.687l.145 2.674h.109c.761-1.373 1.595-2.349 2.465-2.891.834-.578 1.885-.867 3.118-.867Zm12.763 0c1.341 0 2.538.253 3.517.722 1.015.47 1.885 1.338 2.646 2.53h.109a86.156 86.156 0 0 1-.109-4.228V1.12a.82.82 0 0 1 .834-.83c.472 0 .834.36.834.83v25.258a.571.571 0 0 1-.58.579.588.588 0 0 1-.58-.543l-.363-2.348h-.145c-1.414 2.132-3.48 3.18-6.127 3.18-2.611 0-4.532-.795-5.946-2.421-1.342-1.627-2.067-3.94-2.067-7.01 0-3.217.653-5.674 2.031-7.408 1.377-1.554 3.335-2.421 5.946-2.421Zm0 1.554c-2.067 0-3.59.722-4.641 2.168-1.015 1.409-1.523 3.469-1.523 6.215 0 5.276 2.067 7.913 6.2 7.913 2.139 0 3.662-.614 4.641-1.842 1.015-1.23 1.486-3.253 1.486-6.071v-.29c0-2.89-.471-4.95-1.486-6.178-.943-1.301-2.502-1.915-4.677-1.915ZM172.6 27.354c-2.719 0-4.822-.831-6.381-2.53-1.523-1.662-2.285-4.01-2.285-7.01 0-2.999.725-5.384 2.212-7.154 1.487-1.807 3.444-2.71 5.946-2.71 2.176 0 3.952.758 5.185 2.276 1.305 1.518 1.922 3.614 1.922 6.251v1.374h-13.488c.036 2.565.616 4.516 1.813 5.89 1.196 1.373 2.864 1.987 5.076 1.987 1.051 0 2.03-.072 2.828-.217.58-.108 1.269-.289 2.103-.578.471-.18.979.18.979.687 0 .289-.182.578-.472.686-.87.361-1.704.578-2.465.723-.907.253-1.885.325-2.973.325Zm-.508-17.85c-1.813 0-3.263.578-4.351 1.77-1.087 1.156-1.704 2.89-1.921 5.095h11.602c0-2.132-.471-3.866-1.414-5.059-.943-1.192-2.248-1.807-3.916-1.807Zm26.25 17.525a.819.819 0 0 1-.833-.831v-11.31c0-1.88-.399-3.253-1.161-4.084-.834-.83-2.03-1.3-3.698-1.3-2.248 0-3.879.542-4.895 1.698-1.015 1.12-1.595 2.963-1.595 5.456v9.467a.82.82 0 0 1-.834.832.82.82 0 0 1-.834-.832V9.107c0-.434.326-.759.762-.759.398 0 .688.29.761.65l.218 1.88h.108c1.233-1.952 3.372-2.927 6.49-2.927 4.242 0 6.382 2.276 6.382 6.83v11.345c-.037.506-.435.904-.871.904ZM61.979 0c-1.704 0-3.082 1.3-3.082 2.927v.289c0 1.59 1.414 2.927 3.082 2.927s3.082-1.337 3.082-2.927v-.253C65.061 1.301 63.647 0 61.979 0Z" clip-rule="evenodd"/>
       <path d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.255 9.255 0 0 1-.677 3.442 12.83 12.83 0 0 1-1.68 3.029 18.707 18.707 0 0 1-2.386 2.574 27.775 27.775 0 0 1-2.56 2.079 32.22 32.22 0 0 1-2.448 1.565c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.86 22.86 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.21 32.21 0 0 1-2.448-1.564 27.763 27.763 0 0 1-2.56-2.08 18.705 18.705 0 0 1-2.386-2.573 12.83 12.83 0 0 1-1.68-3.029A9.255 9.255 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642c.257-.256.56-.384.91-.384H24.6c.35 0 .654.128.91.384s.384.559.384.909ZM195.307 44.875v-7.739h1.118l.088 1.413a2.7 2.7 0 0 1 .691-.883 2.854 2.854 0 0 1 1.03-.53 5.031 5.031 0 0 1 1.383-.176v1.295h-.765c-.294 0-.579.039-.853.117a2.168 2.168 0 0 0-.75.383 1.81 1.81 0 0 0-.515.72c-.128.305-.192.687-.192 1.148v4.252h-1.235ZM190.181 45.051c-.686 0-1.294-.166-1.824-.5-.53-.334-.946-.804-1.25-1.412-.295-.608-.442-1.32-.442-2.133 0-.815.147-1.526.442-2.134.304-.608.72-1.078 1.25-1.412.539-.333 1.157-.5 1.854-.5.745 0 1.368.167 1.868.5.5.334.878.78 1.133 1.339.255.559.382 1.172.382 1.839v.294c0 .098-.005.216-.015.353h-5.987v-.956h4.796c-.02-.755-.24-1.33-.662-1.721-.412-.402-.927-.603-1.545-.603-.412 0-.794.102-1.147.308a2.21 2.21 0 0 0-.839.883c-.216.392-.324.883-.324 1.471v.412c0 .647.108 1.192.324 1.633.216.432.495.755.839.971.353.216.735.324 1.147.324.549 0 .981-.103 1.295-.31.314-.215.544-.52.691-.911h1.221a2.944 2.944 0 0 1-.618 1.162 2.933 2.933 0 0 1-1.088.809c-.432.196-.932.294-1.501.294ZM181.83 48.288c-.696 0-1.309-.089-1.839-.265-.52-.167-.927-.427-1.221-.78-.284-.353-.426-.79-.426-1.31 0-.244.044-.5.132-.764.098-.265.26-.52.485-.765.236-.245.564-.466.986-.662l.942.5c-.559.216-.922.466-1.089.75-.167.285-.25.56-.25.824 0 .324.093.593.279.81.196.215.466.377.809.485.344.108.741.162 1.192.162.441 0 .819-.06 1.133-.177.324-.108.569-.27.735-.485.177-.206.265-.452.265-.736 0-.412-.132-.736-.397-.97-.265-.227-.78-.359-1.545-.398a14.968 14.968 0 0 1-1.5-.162 6.937 6.937 0 0 1-1.001-.235 3.324 3.324 0 0 1-.647-.324 4.326 4.326 0 0 1-.456-.368v-.338l1.456-1.398 1.163.383-1.589 1.31.191-.56c.108.079.211.152.309.22.098.07.231.133.397.192a7 7 0 0 0 .721.147c.314.05.726.093 1.236.133.706.049 1.27.166 1.692.353.421.186.725.446.912.78.186.323.279.72.279 1.19 0 .413-.117.805-.353 1.178-.225.372-.588.676-1.088.912-.491.245-1.128.368-1.913.368Zm-.015-5.826c-.627 0-1.162-.118-1.603-.353a2.507 2.507 0 0 1-.986-.986 2.953 2.953 0 0 1-.338-1.412c0-.52.113-.986.338-1.398.236-.412.569-.74 1.001-.985.441-.245.971-.368 1.588-.368.638 0 1.172.123 1.604.368.431.245.76.573.986.985.225.412.338.878.338 1.398 0 .52-.113.99-.338 1.412-.226.412-.555.74-.986.986-.432.235-.966.353-1.604.353Zm0-1.015c.55 0 .976-.142 1.28-.427.304-.294.456-.73.456-1.309s-.152-1.01-.456-1.295c-.304-.284-.73-.426-1.28-.426-.519 0-.946.142-1.28.426-.323.285-.485.716-.485 1.295s.157 1.015.471 1.31c.323.284.755.426 1.294.426Zm1.295-3.266-.368-1.044h3.031v.926l-2.663.118ZM173.109 45.051c-.588 0-1.078-.108-1.471-.324a2.245 2.245 0 0 1-.882-.882 2.513 2.513 0 0 1-.295-1.192c0-.51.128-.941.383-1.294.265-.363.633-.638 1.103-.824.471-.186 1.02-.28 1.648-.28h1.927c0-.5-.059-.917-.176-1.25-.118-.334-.309-.584-.574-.75-.265-.167-.618-.25-1.059-.25-.442 0-.819.112-1.133.338-.314.216-.51.54-.589.97h-1.265c.059-.51.231-.936.515-1.28a2.643 2.643 0 0 1 1.074-.794c.441-.186.907-.279 1.398-.279.696 0 1.27.127 1.721.383a2.29 2.29 0 0 1 1 1.044c.216.441.324.966.324 1.574v4.914h-1.103l-.074-1.324a2.743 2.743 0 0 1-.383.588 2.452 2.452 0 0 1-.529.47 2.586 2.586 0 0 1-.706.325c-.255.078-.54.117-.854.117Zm.177-1.044c.324 0 .623-.074.897-.221.275-.147.51-.343.707-.588.205-.255.362-.54.47-.854.108-.313.162-.642.162-.985v-.148h-1.824c-.461 0-.839.06-1.133.177-.284.118-.49.285-.618.5a1.318 1.318 0 0 0-.191.706c0 .285.059.535.177.75.117.207.289.368.514.486.236.118.515.177.839.177ZM162.192 44.875v-7.739h1.118l.059 1.221c.225-.44.549-.784.971-1.03.431-.244.926-.367 1.486-.367.568 0 1.064.108 1.485.324.422.215.751.544.986.985.235.442.353 1 .353 1.677v4.929h-1.236v-4.796c0-.687-.171-1.202-.515-1.545-.333-.343-.784-.515-1.353-.515-.382 0-.736.093-1.059.28a1.96 1.96 0 0 0-.78.794c-.186.353-.279.785-.279 1.295v4.487h-1.236ZM156.502 45.051c-.589 0-1.079-.108-1.471-.324a2.241 2.241 0 0 1-.883-.882 2.523 2.523 0 0 1-.294-1.192c0-.51.127-.941.382-1.294.265-.363.633-.638 1.104-.824.47-.186 1.02-.28 1.647-.28h1.927c0-.5-.058-.917-.176-1.25-.118-.334-.309-.584-.574-.75-.265-.167-.618-.25-1.059-.25-.441 0-.819.112-1.133.338-.314.216-.51.54-.588.97h-1.265c.058-.51.23-.936.514-1.28a2.643 2.643 0 0 1 1.074-.794c.442-.186.908-.279 1.398-.279.696 0 1.27.127 1.721.383.451.245.785.593 1.001 1.044.215.441.323.966.323 1.574v4.914h-1.103l-.074-1.324a2.738 2.738 0 0 1-.382.588 2.457 2.457 0 0 1-.53.47 2.586 2.586 0 0 1-.706.325 2.89 2.89 0 0 1-.853.117Zm.176-1.044c.324 0 .623-.074.898-.221a2.27 2.27 0 0 0 .706-.588c.206-.255.363-.54.471-.854.108-.313.161-.642.161-.985v-.148h-1.824c-.461 0-.838.06-1.133.177-.284.118-.49.285-.617.5a1.31 1.31 0 0 0-.192.706c0 .285.059.535.177.75.118.207.289.368.515.486.235.118.515.177.838.177ZM142.038 44.875V34.577h1.441l3.502 7.253 3.472-7.253h1.456v10.298h-1.236v-8.077l-3.236 6.723h-.927l-3.237-6.664v8.018h-1.235ZM133.309 45.051c-.697 0-1.275-.103-1.736-.309-.451-.215-.795-.51-1.03-.882a3.064 3.064 0 0 1-.427-1.324h1.266c.039.264.127.51.264.735.148.216.358.392.633.53.275.137.623.206 1.045.206.333 0 .617-.05.853-.147.235-.108.412-.255.529-.442.128-.186.192-.402.192-.647 0-.324-.074-.574-.221-.75-.137-.187-.343-.324-.618-.412a4.496 4.496 0 0 0-1-.22 6.687 6.687 0 0 1-1.148-.251 2.894 2.894 0 0 1-.853-.427 1.708 1.708 0 0 1-.515-.662 2.3 2.3 0 0 1-.176-.941c0-.422.112-.795.338-1.118.225-.324.544-.574.956-.75.422-.187.917-.28 1.486-.28.834 0 1.491.191 1.971.574.491.382.78.927.868 1.633h-1.221a1.209 1.209 0 0 0-.5-.854c-.284-.206-.662-.309-1.133-.309-.5 0-.877.094-1.132.28a.87.87 0 0 0-.383.736c0 .225.054.431.162.617.118.177.314.329.588.456.275.118.643.206 1.104.265.578.069 1.069.182 1.471.339.402.147.706.377.912.691.216.314.319.74.309 1.28 0 .51-.123.941-.368 1.295a2.228 2.228 0 0 1-1 .809c-.422.186-.917.28-1.486.28ZM127.538 44.875c-.441 0-.824-.069-1.147-.206a1.506 1.506 0 0 1-.75-.692c-.167-.333-.251-.78-.251-1.338V38.18h-1.353v-1.044h1.353l.162-1.928h1.074v1.927h2.192v1.045h-2.192v4.458c0 .46.093.774.28.941.186.157.515.236.985.236h.898v1.059h-1.251ZM119.656 45.051c-.687 0-1.295-.166-1.824-.5-.53-.334-.947-.804-1.251-1.412-.294-.608-.441-1.32-.441-2.133 0-.815.147-1.526.441-2.134.304-.608.721-1.078 1.251-1.412.539-.333 1.157-.5 1.853-.5.746 0 1.368.167 1.869.5.5.334.877.78 1.132 1.339.255.559.383 1.172.383 1.839v.294c0 .098-.005.216-.015.353h-5.987v-.956h4.796c-.02-.755-.241-1.33-.662-1.721-.412-.402-.927-.603-1.545-.603a2.214 2.214 0 0 0-1.986 1.192c-.216.391-.324.882-.324 1.47v.412c0 .647.108 1.192.324 1.633.216.432.495.755.838.971.353.216.736.324 1.148.324.549 0 .981-.103 1.294-.31.314-.215.545-.52.692-.911h1.221a2.97 2.97 0 0 1-.618 1.162 2.929 2.929 0 0 1-1.089.809c-.431.196-.931.294-1.5.294ZM110.99 44.875v-7.739h1.118l.088 1.413c.176-.353.407-.648.691-.883a2.854 2.854 0 0 1 1.03-.53 5.031 5.031 0 0 1 1.383-.176v1.295h-.765c-.294 0-.579.039-.853.117a2.182 2.182 0 0 0-.751.383 1.818 1.818 0 0 0-.514.72c-.128.305-.192.687-.192 1.148v4.252h-1.235ZM105.838 45.051c-.706 0-1.333-.166-1.883-.5a3.58 3.58 0 0 1-1.294-1.427c-.314-.608-.471-1.314-.471-2.118 0-.815.157-1.52.471-2.119a3.475 3.475 0 0 1 1.294-1.412c.55-.343 1.177-.515 1.883-.515.883 0 1.619.235 2.207.706.598.47.981 1.104 1.148 1.898h-1.266c-.107-.49-.358-.868-.75-1.133-.382-.274-.834-.412-1.353-.412-.451 0-.858.113-1.221.339-.353.225-.633.559-.839 1-.206.441-.309.99-.309 1.648 0 .49.059.926.177 1.309.117.373.279.686.485.941.216.246.466.432.75.56.295.127.613.19.957.19.353 0 .672-.058.956-.176.294-.127.539-.309.735-.544.206-.236.344-.515.412-.839h1.266a3.113 3.113 0 0 1-1.148 1.883c-.598.48-1.334.721-2.207.721ZM97.373 45.051c-.686 0-1.294-.166-1.824-.5-.53-.334-.946-.804-1.25-1.412-.295-.608-.442-1.32-.442-2.133 0-.815.147-1.526.442-2.134.304-.608.72-1.078 1.25-1.412.54-.333 1.157-.5 1.854-.5.745 0 1.368.167 1.868.5.5.334.878.78 1.133 1.339.255.559.382 1.172.382 1.839v.294a4.9 4.9 0 0 1-.014.353h-5.988v-.956h4.796c-.02-.755-.24-1.33-.662-1.721-.412-.402-.927-.603-1.545-.603a2.213 2.213 0 0 0-1.986 1.192c-.215.391-.323.882-.323 1.47v.412c0 .647.108 1.192.323 1.633.216.432.496.755.839.971a2.16 2.16 0 0 0 1.147.324c.55 0 .981-.103 1.295-.31.314-.215.544-.52.691-.911h1.221a2.95 2.95 0 0 1-.617 1.162 2.936 2.936 0 0 1-1.089.809c-.432.196-.932.294-1.5.294ZM88.93 45.051c-.755 0-1.412-.137-1.971-.412a3.079 3.079 0 0 1-1.295-1.147c-.304-.49-.456-1.06-.456-1.707h1.295c0 .403.093.775.28 1.118.186.334.455.604.808.81.363.196.81.294 1.339.294.461 0 .853-.074 1.177-.22.333-.158.584-.369.75-.633.177-.265.265-.564.265-.898 0-.373-.083-.681-.25-.927a1.751 1.751 0 0 0-.662-.618 5.415 5.415 0 0 0-.986-.44c-.372-.128-.775-.26-1.206-.398-.863-.275-1.49-.618-1.883-1.03-.383-.422-.574-.961-.574-1.618 0-.56.128-1.05.383-1.471.264-.422.637-.75 1.118-.986.49-.245 1.069-.368 1.736-.368.657 0 1.226.123 1.706.368.49.245.873.584 1.148 1.015.274.422.412.912.412 1.471h-1.295c0-.284-.074-.564-.22-.838a1.725 1.725 0 0 0-.677-.677c-.295-.186-.667-.28-1.118-.28a2.199 2.199 0 0 0-1 .192 1.58 1.58 0 0 0-.678.559c-.156.245-.235.544-.235.897 0 .334.069.603.206.81.147.205.353.382.618.529.274.137.593.265.956.382.363.118.765.25 1.206.398a5.9 5.9 0 0 1 1.324.617c.393.236.697.54.913.913.225.372.338.848.338 1.427 0 .49-.133.956-.397 1.397-.255.432-.638.785-1.148 1.06-.51.274-1.152.411-1.927.411Z"/>
     </g>
     <defs>
       <clipPath id="secrets-manager-logo-clip">
-        <path class="tw-fill-text-alt2" d="M0 0h200v48.819H0z"/>
+        <path class="tw-fill-fg-sidenav-text" d="M0 0h200v48.819H0z"/>
       </clipPath>
     </defs>
   </svg>
diff --git a/libs/assets/src/svg/svgs/shield.ts b/libs/assets/src/svg/svgs/shield.ts
index 38d429604aa..af626a98e9d 100644
--- a/libs/assets/src/svg/svgs/shield.ts
+++ b/libs/assets/src/svg/svgs/shield.ts
@@ -3,11 +3,11 @@ import { svgIcon } from "../icon-service";
 const BitwardenShield = svgIcon`
   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 26 32" fill="none">
     <g clip-path="url(#bitwarden-shield-clip)">
-      <path class="tw-fill-text-alt2" d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.256 9.256 0 0 1-.677 3.442 12.828 12.828 0 0 1-1.68 3.029 18.708 18.708 0 0 1-2.386 2.574 27.808 27.808 0 0 1-2.56 2.08 32.251 32.251 0 0 1-2.448 1.564c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.99 22.99 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.242 32.242 0 0 1-2.448-1.564 27.796 27.796 0 0 1-2.56-2.08 18.706 18.706 0 0 1-2.386-2.573 12.828 12.828 0 0 1-1.68-3.029A9.256 9.256 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642.641.386.944.26 1.294.26H24.6c.35 0 .654.127.91.383s.384.559.384.909Z"/>
+      <path class="tw-fill-fg-sidenav-text" d="M22.01 17.055V4.135h-9.063v22.954c1.605-.848 3.041-1.77 4.31-2.766 3.169-2.476 4.753-4.899 4.753-7.268Zm3.884-15.504v15.504a9.256 9.256 0 0 1-.677 3.442 12.828 12.828 0 0 1-1.68 3.029 18.708 18.708 0 0 1-2.386 2.574 27.808 27.808 0 0 1-2.56 2.08 32.251 32.251 0 0 1-2.448 1.564c-.85.49-1.453.824-1.81.999-.357.175-.644.31-.86.404-.162.08-.337.12-.526.12s-.364-.04-.526-.12a22.99 22.99 0 0 1-.86-.404c-.357-.175-.96-.508-1.81-1a32.242 32.242 0 0 1-2.448-1.564 27.796 27.796 0 0 1-2.56-2.08 18.706 18.706 0 0 1-2.386-2.573 12.828 12.828 0 0 1-1.68-3.029A9.256 9.256 0 0 1 0 17.055V1.551C0 1.2.128.898.384.642.641.386.944.26 1.294.26H24.6c.35 0 .654.127.91.383s.384.559.384.909Z"/>
     </g>
     <defs>
       <clipPath id="bitwarden-shield-clip">
-        <path class="tw-fill-text-alt2" d="M0 0h26v32H0z"/>
+        <path class="tw-fill-fg-sidenav-text" d="M0 0h26v32H0z" />
       </clipPath>
     </defs>
   </svg>
diff --git a/libs/components/src/icon-button/icon-button.component.ts b/libs/components/src/icon-button/icon-button.component.ts
index c7eb28fc086..3b5e01132a2 100644
--- a/libs/components/src/icon-button/icon-button.component.ts
+++ b/libs/components/src/icon-button/icon-button.component.ts
@@ -71,9 +71,9 @@ const styles: Record<IconButtonType, string[]> = {
   primary: ["!tw-text-primary-600", "focus-visible:before:tw-ring-primary-600", ...focusRing],
   danger: ["!tw-text-danger-600", "focus-visible:before:tw-ring-primary-600", ...focusRing],
   "nav-contrast": [
-    "!tw-text-alt2",
+    "!tw-text-fg-sidenav-text",
     "hover:!tw-bg-hover-contrast",
-    "focus-visible:before:tw-ring-text-alt2",
+    "focus-visible:before:tw-ring-border-focus",
     ...focusRing,
   ],
 };
diff --git a/libs/components/src/navigation/nav-group.component.html b/libs/components/src/navigation/nav-group.component.html
index 1790fea179a..d305f89063e 100644
--- a/libs/components/src/navigation/nav-group.component.html
+++ b/libs/components/src/navigation/nav-group.component.html
@@ -19,7 +19,7 @@
     <ng-template #button>
       <button
         type="button"
-        class="tw-ms-auto"
+        class="tw-ms-auto tw-text-fg-sidenav-text"
         [ngClass]="{
           'tw-transform tw-rotate-[90deg]': variantValue === 'tree' && !open(),
         }"
diff --git a/libs/components/src/navigation/nav-item.component.html b/libs/components/src/navigation/nav-item.component.html
index 8a59d474d94..7b1b0619ee7 100644
--- a/libs/components/src/navigation/nav-item.component.html
+++ b/libs/components/src/navigation/nav-item.component.html
@@ -4,15 +4,15 @@
     <div
       [style.padding-inline-start]="navItemIndentationPadding()"
       class="tw-relative tw-rounded-md tw-h-10"
-      [class.tw-bg-background-alt4]="showActiveStyles"
-      [class.tw-bg-background-alt3]="!showActiveStyles"
-      [class.hover:tw-bg-hover-contrast]="!showActiveStyles"
+      [class.tw-bg-bg-sidenav-active-item]="showActiveStyles"
+      [class.tw-bg-bg-sidenav-background]="!showActiveStyles"
+      [class.hover:tw-bg-bg-sidenav-item-hover]="!showActiveStyles"
       [class]="fvwStyles$ | async"
     >
       <div class="tw-relative tw-flex tw-items-center tw-h-full">
         @if (open) {
           <div
-            class="tw-absolute tw-left-[0px] tw-transform tw--translate-x-[calc(100%_+_4px)] [&>*:focus-visible::before]:!tw-ring-text-alt2 [&>*:hover]:!tw-border-text-alt2 [&>*]:tw-text-alt2"
+            class="tw-absolute tw-left-[0px] tw-transform tw--translate-x-[calc(100%_+_4px)] [&>*:focus-visible::before]:!tw-ring-border-focus [&>*:hover]:!tw-border-text-alt2 [&>*]:tw-text-alt2"
           >
             <ng-content select="[slot=start]"></ng-content>
           </div>
@@ -31,7 +31,7 @@
           >
             @if (icon()) {
               <i
-                class="!tw-m-0 tw-w-4 tw-shrink-0 bwi bwi-fw tw-text-alt2 {{ icon() }}"
+                class="!tw-m-0 tw-w-4 tw-shrink-0 bwi bwi-fw tw-text-fg-sidenav-text {{ icon() }}"
                 [attr.aria-hidden]="open"
                 [attr.aria-label]="text()"
               ></i>
@@ -47,7 +47,7 @@
           <!-- The `data-fvw` attribute passes focus to `this.focusVisibleWithin$` -->
           <!-- The following `class` field should match the `#isButton` class field below -->
           <a
-            class="tw-size-full tw-px-4 tw-block tw-truncate tw-border-none tw-bg-transparent tw-text-start !tw-text-alt2 hover:tw-text-alt2 hover:tw-no-underline focus:tw-outline-none [&_i]:tw-leading-[1.5rem]"
+            class="tw-size-full tw-px-4 tw-block tw-truncate tw-border-none tw-bg-transparent tw-text-start !tw-text-fg-sidenav-text hover:tw-text-fg-sidenav-text hover:tw-no-underline focus:tw-outline-none [&_i]:tw-leading-[1.5rem]"
             [class.!tw-ps-0]="variant() === 'tree' || treeDepth() > 0"
             data-fvw
             [routerLink]="route()"
@@ -68,7 +68,7 @@
           <!-- Class field should match `#isAnchor` class field above -->
           <button
             type="button"
-            class="tw-size-full tw-px-4 tw-truncate tw-border-none tw-bg-transparent tw-text-start !tw-text-alt2 hover:tw-text-alt2 hover:tw-no-underline focus:tw-outline-none [&_i]:tw-leading-[1.5rem]"
+            class="tw-size-full tw-px-4 tw-block tw-truncate tw-border-none tw-bg-transparent tw-text-start !tw-text-fg-sidenav-text hover:tw-text-fg-sidenav-text hover:tw-no-underline focus:tw-outline-none [&_i]:tw-leading-[1.5rem]"
             [class.!tw-ps-0]="variant() === 'tree' || treeDepth() > 0"
             data-fvw
             (click)="mainContentClicked.emit()"
@@ -79,7 +79,7 @@
 
         @if (open) {
           <div
-            class="tw-flex tw-items-center tw-pe-1 tw-gap-1 [&>*:focus-visible::before]:!tw-ring-text-alt2 [&>*:hover]:!tw-border-text-alt2 [&>*]:tw-text-alt2 empty:tw-hidden"
+            class="tw-flex tw-items-center tw-pe-1 tw-gap-1 [&>*:focus-visible::before]:!tw-ring-border-focus [&>*:hover]:!tw-border-border-focus [&>*]:tw-text-fg-sidenav-text empty:tw-hidden"
           >
             <ng-content select="[slot=end]"></ng-content>
           </div>
diff --git a/libs/components/src/navigation/nav-item.component.ts b/libs/components/src/navigation/nav-item.component.ts
index b32ca0e3fde..e57413d9980 100644
--- a/libs/components/src/navigation/nav-item.component.ts
+++ b/libs/components/src/navigation/nav-item.component.ts
@@ -90,7 +90,7 @@ export class NavItemComponent extends NavBaseComponent {
   protected focusVisibleWithin$ = new BehaviorSubject(false);
   protected fvwStyles$ = this.focusVisibleWithin$.pipe(
     map((value) =>
-      value ? "tw-z-10 tw-rounded tw-outline-none tw-ring tw-ring-inset tw-ring-text-alt2" : "",
+      value ? "tw-z-10 tw-rounded tw-outline-none tw-ring tw-ring-inset tw-ring-border-focus" : "",
     ),
   );
   @HostListener("focusin", ["$event.target"])
diff --git a/libs/components/src/navigation/nav-logo.component.html b/libs/components/src/navigation/nav-logo.component.html
index 5915f029357..1d9961554c2 100644
--- a/libs/components/src/navigation/nav-logo.component.html
+++ b/libs/components/src/navigation/nav-logo.component.html
@@ -8,7 +8,7 @@
   <!-- absolutely position the link svg to avoid shifting layout when sidenav is closed -->
   <a
     [routerLink]="route()"
-    class="tw-relative tw-p-3 tw-block tw-rounded-md tw-bg-background-alt3 tw-outline-none focus-visible:tw-ring focus-visible:tw-ring-inset focus-visible:tw-ring-text-alt2 hover:tw-bg-hover-contrast tw-h-[73px] [&_svg]:tw-absolute [&_svg]:tw-inset-[.6875rem] [&_svg]:tw-w-[200px]"
+    class="tw-relative tw-p-3 tw-block tw-rounded-md tw-bg-bg-sidenav tw-outline-none focus-visible:tw-ring focus-visible:tw-ring-inset focus-visible:tw-ring-border-focus hover:tw-bg-bg-sidenav-item-hover tw-h-[73px] [&_svg]:tw-absolute [&_svg]:tw-inset-[.6875rem] [&_svg]:tw-w-[200px]"
     [ngClass]="{
       '!tw-h-[55px] [&_svg]:!tw-w-[26px]': !sideNavService.open,
     }"
diff --git a/libs/components/src/navigation/side-nav.component.html b/libs/components/src/navigation/side-nav.component.html
index 38ec096fe49..6b53c525e3a 100644
--- a/libs/components/src/navigation/side-nav.component.html
+++ b/libs/components/src/navigation/side-nav.component.html
@@ -8,14 +8,14 @@
   <div class="tw-relative tw-h-full">
     <nav
       id="bit-side-nav"
-      class="tw-sticky tw-inset-y-0 tw-left-0 tw-z-30 tw-flex tw-h-full tw-flex-col tw-overscroll-none tw-overflow-auto tw-bg-background-alt3 tw-outline-none"
+      class="tw-sticky tw-inset-y-0 tw-left-0 tw-z-30 tw-flex tw-h-full tw-flex-col tw-overscroll-none tw-overflow-auto tw-bg-bg-sidenav tw-text-fg-sidenav-text tw-outline-none"
       [style.width.rem]="data.open ? (sideNavService.width$ | async) : undefined"
       [ngStyle]="
         variant() === 'secondary' && {
-          '--color-text-alt2': 'var(--color-text-main)',
-          '--color-background-alt3': 'var(--color-secondary-100)',
-          '--color-background-alt4': 'var(--color-secondary-300)',
-          '--color-hover-contrast': 'var(--color-hover-default)',
+          '--color-sidenav-text': 'var(--color-admin-sidenav-text)',
+          '--color-sidenav-background': 'var(--color-admin-sidenav-background)',
+          '--color-sidenav-active-item': 'var(--color-admin-sidenav-active-item)',
+          '--color-sidenav-item-hover': 'var(--color-admin-sidenav-item-hover)',
         }
       "
       [cdkTrapFocus]="data.isOverlay"
@@ -27,7 +27,7 @@
       <!-- 53rem = ~850px -->
       <!-- This is a magic number. This number was selected by going to the UI and finding the number that felt the best to me and design. No real rhyme or reason :) -->
       <div
-        class="[@media(min-height:53rem)]:tw-sticky tw-bottom-0 tw-left-0 tw-z-20 tw-mt-auto tw-w-full tw-bg-background-alt3"
+        class="[@media(min-height:53rem)]:tw-sticky tw-bottom-0 tw-left-0 tw-z-20 tw-mt-auto tw-w-full"
       >
         <bit-nav-divider></bit-nav-divider>
         @if (data.open) {
diff --git a/libs/components/src/tw-theme.css b/libs/components/src/tw-theme.css
index 757859985d6..5aab0d8bec9 100644
--- a/libs/components/src/tw-theme.css
+++ b/libs/components/src/tw-theme.css
@@ -353,6 +353,19 @@
 
   /* Focus Border */
   --color-border-focus: var(--color-black);
+
+  /**========================================
+   * SIDENAV BACKGROUND COLORS (Light mode)
+   * ======================================== */
+  --color-sidenav-background: var(--color-brand-800);
+  --color-sidenav-text: var(--color-white);
+  --color-sidenav-active-item: var(--color-brand-900);
+  --color-sidenav-item-hover: var(--color-brand-900);
+
+  --color-admin-sidenav-background: var(--color-gray-100);
+  --color-admin-sidenav-text: var(--color-gray-900);
+  --color-admin-sidenav-active-item: var(--color-gray-300);
+  --color-admin-sidenav-item-hover: var(--color-gray-300);
 }
 
 .theme_light {
@@ -542,6 +555,19 @@
 
   /* Focus Border */
   --color-border-focus: var(--color-white);
+
+  /**========================================
+    * SIDENAV BACKGROUND COLORS (Dark mode)
+    * ======================================== */
+  --color-sidenav-background: var(--color-gray-800);
+  --color-sidenav-text: var(--color-white);
+  --color-sidenav-active-item: var(--color-gray-900);
+  --color-sidenav-item-hover: var(--color-gray-900);
+
+  --color-admin-sidenav-background: var(--color-gray-800);
+  --color-admin-sidenav-text: var(--color-white);
+  --color-admin-sidenav-active-item: var(--color-gray-900);
+  --color-admin-sidenav-item-hover: var(--color-gray-900);
 }
 
 @layer components {
diff --git a/libs/components/tailwind.config.base.js b/libs/components/tailwind.config.base.js
index bd88f5471ff..d8220c39ff8 100644
--- a/libs/components/tailwind.config.base.js
+++ b/libs/components/tailwind.config.base.js
@@ -72,11 +72,11 @@ module.exports = {
         code: rgba("--color-text-code"),
       },
       background: {
-        DEFAULT: rgba("--color-background"),
-        alt: rgba("--color-background-alt"),
-        alt2: rgba("--color-background-alt2"),
-        alt3: rgba("--color-background-alt3"),
-        alt4: rgba("--color-background-alt4"),
+        DEFAULT: "var(--color-bg-primary)",
+        alt: "var(--color-bg-tertiary)",
+        alt2: "var(--color-bg-brand)",
+        alt3: "var(--color-bg-brand-strong)",
+        alt4: "var(--color-brand-950)",
       },
       bg: {
         white: "var(--color-bg-white)",
@@ -117,6 +117,9 @@ module.exports = {
         "accent-tertiary": "var(--color-bg-accent-tertiary)",
         hover: "var(--color-bg-hover)",
         overlay: "var(--color-bg-overlay)",
+        sidenav: "var(--color-sidenav-background)",
+        "sidenav-active-item": "var(--color-sidenav-active-item)",
+        "sidenav-item-hover": "var(--color-sidenav-item-hover)",
       },
       hover: {
         default: "var(--color-hover-default)",
@@ -159,6 +162,7 @@ module.exports = {
         "accent-tertiary-soft": "var(--color-fg-accent-tertiary-soft)",
         "accent-tertiary": "var(--color-fg-accent-tertiary)",
         "accent-tertiary-strong": "var(--color-fg-accent-tertiary-strong)",
+        "sidenav-text": "var(--color-sidenav-text)",
       },
       border: {
         muted: "var(--color-border-muted)",
@@ -253,6 +257,7 @@ module.exports = {
       "fg-accent-tertiary-soft": "var(--color-fg-accent-tertiary-soft)",
       "fg-accent-tertiary": "var(--color-fg-accent-tertiary)",
       "fg-accent-tertiary-strong": "var(--color-fg-accent-tertiary-strong)",
+      "fg-sidenav-text": "var(--color-sidenav-text)",
     }),
     borderColor: ({ theme }) => ({
       ...theme("colors"),

From a28193f880d664a488b6c1eac3fc5da569a0a6ff Mon Sep 17 00:00:00 2001
From: Leslie Xiong <lxiong@livefront.com>
Date: Thu, 22 Jan 2026 17:08:46 -0500
Subject: [PATCH 23/24] fixed misalignment of suspended org icon (#18502)

---
 .../filters/organization-filter.component.html         | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/desktop/src/vault/app/vault-v3/vault-filter/filters/organization-filter.component.html b/apps/desktop/src/vault/app/vault-v3/vault-filter/filters/organization-filter.component.html
index e4e11b82a8a..daf84c642d6 100644
--- a/apps/desktop/src/vault/app/vault-v3/vault-filter/filters/organization-filter.component.html
+++ b/apps/desktop/src/vault/app/vault-v3/vault-filter/filters/organization-filter.component.html
@@ -17,16 +17,16 @@
         [text]="organization.node.name"
         [appA11yTitle]="organization.node.name"
         (click)="applyFilter($event, organization)"
-      />
-      @if (!organization.node.enabled) {
-        <span class="tw-ml-auto">
+      >
+        @if (!organization.node.enabled) {
           <i
+            slot="end"
             class="bwi bwi-fw bwi-exclamation-triangle text-danger mr-auto"
             [attr.aria-label]="'organizationIsDisabled' | i18n"
             [appA11yTitle]="'organizationIsDisabled' | i18n"
           ></i>
-        </span>
-      }
+        }
+      </bit-nav-item>
     }
   </bit-nav-group>
 }

From dafa00346ca256a24888cc23b8375e92c035359e Mon Sep 17 00:00:00 2001
From: Jonathan Prusik <jprusik@users.noreply.github.com>
Date: Thu, 22 Jan 2026 17:10:47 -0500
Subject: [PATCH 24/24] [PM-25615] Handle missing autofillOverlayContentService
 case (#18369)

* handle missing autofillOverlayContentService case

* additional checks autofillOverlayContentService
---
 .../collect-autofill-content.service.ts       | 28 +++++++++++--------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/apps/browser/src/autofill/services/collect-autofill-content.service.ts b/apps/browser/src/autofill/services/collect-autofill-content.service.ts
index 25fcb9038d8..117c7c5e2a4 100644
--- a/apps/browser/src/autofill/services/collect-autofill-content.service.ts
+++ b/apps/browser/src/autofill/services/collect-autofill-content.service.ts
@@ -96,7 +96,9 @@ export class CollectAutofillContentService implements CollectAutofillContentServ
    */
   async getPageDetails(): Promise<AutofillPageDetails> {
     // Set up listeners on top-layer candidates that predate Mutation Observer setup
-    this.setupInitialTopLayerListeners();
+    if (this.autofillOverlayContentService) {
+      this.setupInitialTopLayerListeners();
+    }
 
     if (!this.mutationObserver) {
       this.setupMutationObserver();
@@ -1072,19 +1074,21 @@ export class CollectAutofillContentService implements CollectAutofillContentServ
   }
 
   private setupTopLayerCandidateListener = (element: Element) => {
-    const ownedTags = this.autofillOverlayContentService.getOwnedInlineMenuTagNames() || [];
-    this.ownedExperienceTagNames = ownedTags;
+    if (this.autofillOverlayContentService) {
+      const ownedTags = this.autofillOverlayContentService.getOwnedInlineMenuTagNames() || [];
+      this.ownedExperienceTagNames = ownedTags;
 
-    if (!ownedTags.includes(element.tagName)) {
-      element.addEventListener("toggle", (event: ToggleEvent) => {
-        if (event.newState === "open") {
-          // Add a slight delay (but faster than a user's reaction), to ensure the layer
-          // positioning happens after any triggered toggle has completed.
-          setTimeout(this.autofillOverlayContentService.refreshMenuLayerPosition, 100);
-        }
-      });
+      if (!ownedTags.includes(element.tagName)) {
+        element.addEventListener("toggle", (event: ToggleEvent) => {
+          if (event.newState === "open") {
+            // Add a slight delay (but faster than a user's reaction), to ensure the layer
+            // positioning happens after any triggered toggle has completed.
+            setTimeout(this.autofillOverlayContentService.refreshMenuLayerPosition, 100);
+          }
+        });
 
-      this.autofillOverlayContentService.refreshMenuLayerPosition();
+        this.autofillOverlayContentService.refreshMenuLayerPosition();
+      }
     }
   };