Merge branch 'main' into PM-26250-Explore-options-to-enable-direct-importer-for-mac-app-store-build

2025-12-06 00:13:28 +00:00 · 2025-12-04 07:29:47 -07:00
parent 84d588f6e9 2ef84ca460
commit 70b4993a4e
19 changed files with 239 additions and 307 deletions
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -75,7 +75,7 @@
    "inquirer": "8.2.6",
    "jsdom": "26.1.0",
    "jszip": "3.10.1",
-    "koa": "2.16.3",
+    "koa": "3.1.1",
    "koa-bodyparser": "4.4.1",
    "koa-json": "2.0.2",
    "lowdb": "1.0.0",
@@ -83,7 +83,7 @@
    "multer": "2.0.2",
    "node-fetch": "2.6.12",
    "node-forge": "1.3.2",
-    "open": "10.1.2",
+    "open": "11.0.0",
    "papaparse": "5.5.3",
    "proper-lockfile": "4.1.2",
    "rxjs": "7.8.1",
--- a/apps/web/src/app/key-management/key-rotation/user-key-rotation.service.spec.ts
+++ b/apps/web/src/app/key-management/key-rotation/user-key-rotation.service.spec.ts
@@ -1096,6 +1096,9 @@ describe("KeyRotationService", () => {
      mockKeyService.userSigningKey$.mockReturnValue(
        new BehaviorSubject(TEST_VECTOR_SIGNING_KEY_V2 as WrappedSigningKey),
      );
+      mockKeyService.userSignedPublicKey$.mockReturnValue(
+        new BehaviorSubject(TEST_VECTOR_SIGNED_PUBLIC_KEY_V2 as SignedPublicKey),
+      );
      mockSecurityStateService.accountSecurityState$.mockReturnValue(
        new BehaviorSubject(TEST_VECTOR_SECURITY_STATE_V2 as SignedSecurityState),
      );
@@ -1140,6 +1143,7 @@ describe("KeyRotationService", () => {
          publicKeyEncryptionKeyPair: {
            wrappedPrivateKey: TEST_VECTOR_PRIVATE_KEY_V2,
            publicKey: Utils.fromB64ToArray(TEST_VECTOR_PUBLIC_KEY_V2) as UnsignedPublicKey,
+            signedPublicKey: TEST_VECTOR_SIGNED_PUBLIC_KEY_V2 as SignedPublicKey,
          },
          signingKey: TEST_VECTOR_SIGNING_KEY_V2 as WrappedSigningKey,
          securityState: TEST_VECTOR_SECURITY_STATE_V2 as SignedSecurityState,
--- a/apps/web/src/app/key-management/key-rotation/user-key-rotation.service.ts
+++ b/apps/web/src/app/key-management/key-rotation/user-key-rotation.service.ts
@@ -10,6 +10,7 @@ import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-st
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { SecurityStateService } from "@bitwarden/common/key-management/security-state/abstractions/security-state.service";
 import {
+  SignedPublicKey,
  SignedSecurityState,
  UnsignedPublicKey,
  WrappedPrivateKey,
@@ -308,9 +309,11 @@ export class UserKeyRotationService {
      userId: asUuid(userId),
      kdfParams: kdfConfig.toSdkConfig(),
      email: email,
-      privateKey: cryptographicStateParameters.publicKeyEncryptionKeyPair.wrappedPrivateKey,
-      signingKey: undefined,
-      securityState: undefined,
+      accountCryptographicState: {
+        V1: {
+          private_key: cryptographicStateParameters.publicKeyEncryptionKeyPair.wrappedPrivateKey,
+        },
+      },
      method: {
        decryptedKey: { decrypted_user_key: cryptographicStateParameters.userKey.toBase64() },
      },
@@ -334,9 +337,15 @@ export class UserKeyRotationService {
      userId: asUuid(userId),
      kdfParams: kdfConfig.toSdkConfig(),
      email: email,
-      privateKey: cryptographicStateParameters.publicKeyEncryptionKeyPair.wrappedPrivateKey,
-      signingKey: cryptographicStateParameters.signingKey,
-      securityState: cryptographicStateParameters.securityState,
+      accountCryptographicState: {
+        V2: {
+          private_key: cryptographicStateParameters.publicKeyEncryptionKeyPair.wrappedPrivateKey,
+          signing_key: cryptographicStateParameters.signingKey,
+          security_state: cryptographicStateParameters.securityState,
+          signed_public_key:
+            cryptographicStateParameters.publicKeyEncryptionKeyPair.signedPublicKey,
+        },
+      },
      method: {
        decryptedKey: { decrypted_user_key: cryptographicStateParameters.userKey.toBase64() },
      },
@@ -632,6 +641,10 @@ export class UserKeyRotationService {
        this.securityStateService.accountSecurityState$(user.id),
        "User security state",
      );
+      const signedPublicKey = await this.firstValueFromOrThrow(
+        this.keyService.userSignedPublicKey$(user.id),
+        "User signed public key",
+      );

      return {
        masterKeyKdfConfig,
@@ -642,6 +655,7 @@ export class UserKeyRotationService {
          publicKeyEncryptionKeyPair: {
            wrappedPrivateKey: currentUserKeyWrappedPrivateKey,
            publicKey: publicKey,
+            signedPublicKey: signedPublicKey!,
          },
          signingKey: signingKey!,
          securityState: securityState!,
@@ -679,6 +693,7 @@ export type V2CryptographicStateParameters = {
  publicKeyEncryptionKeyPair: {
    wrappedPrivateKey: WrappedPrivateKey;
    publicKey: UnsignedPublicKey;
+    signedPublicKey: SignedPublicKey;
  };
  signingKey: WrappedSigningKey;
  securityState: SignedSecurityState;
--- a/libs/auth/src/common/login-strategies/login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.spec.ts
@@ -259,7 +259,7 @@ describe("LoginStrategy", () => {

      expect(userDecryptionOptionsService.setUserDecryptionOptionsById).toHaveBeenCalledWith(
        userId,
-        UserDecryptionOptions.fromResponse(idTokenResponse),
+        UserDecryptionOptions.fromIdentityTokenResponse(idTokenResponse),
      );
      expect(masterPasswordService.mock.setMasterPasswordUnlockData).toHaveBeenCalledWith(
        new MasterPasswordUnlockData(
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -199,7 +199,7 @@ export abstract class LoginStrategy {
    // as the user decryption options help determine the available timeout actions.
    await this.userDecryptionOptionsService.setUserDecryptionOptionsById(
      userId,
-      UserDecryptionOptions.fromResponse(tokenResponse),
+      UserDecryptionOptions.fromIdentityTokenResponse(tokenResponse),
    );

    if (tokenResponse.userDecryptionOptions?.masterPasswordUnlock != null) {
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@@ -503,67 +503,6 @@ describe("SsoLoginStrategy", () => {
        HasMasterPassword: false,
        KeyConnectorOption: { KeyConnectorUrl: keyConnectorUrl },
      });
-      tokenResponse.keyConnectorUrl = keyConnectorUrl;
-    });
-
-    it("gets and sets the master key if Key Connector is enabled and the user doesn't have a master password", async () => {
-      const masterKey = new SymmetricCryptoKey(
-        new Uint8Array(64).buffer as CsprngArray,
-      ) as MasterKey;
-
-      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
-      masterPasswordService.masterKeySubject.next(masterKey);
-
-      await ssoLoginStrategy.logIn(credentials);
-
-      expect(keyConnectorService.setMasterKeyFromUrl).toHaveBeenCalledWith(keyConnectorUrl, userId);
-    });
-
-    it("converts new SSO user with no master password to Key Connector on first login", async () => {
-      tokenResponse.key = undefined;
-      tokenResponse.kdfConfig = new Argon2KdfConfig(10, 64, 4);
-
-      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
-
-      await ssoLoginStrategy.logIn(credentials);
-
-      expect(keyConnectorService.setNewSsoUserKeyConnectorConversionData).toHaveBeenCalledWith(
-        {
-          kdfConfig: new Argon2KdfConfig(10, 64, 4),
-          keyConnectorUrl: keyConnectorUrl,
-          organizationId: ssoOrgId,
-        },
-        userId,
-      );
-    });
-
-    it("decrypts and sets the user key if Key Connector is enabled and the user doesn't have a master password", async () => {
-      const userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
-      const masterKey = new SymmetricCryptoKey(
-        new Uint8Array(64).buffer as CsprngArray,
-      ) as MasterKey;
-
-      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
-      masterPasswordService.masterKeySubject.next(masterKey);
-      masterPasswordService.mock.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
-
-      await ssoLoginStrategy.logIn(credentials);
-
-      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
-        masterKey,
-        userId,
-        undefined,
-      );
-      expect(keyService.setUserKey).toHaveBeenCalledWith(userKey, userId);
-    });
-  });
-
-  describe("Key Connector Pre-TDE", () => {
-    let tokenResponse: IdentityTokenResponse;
-    beforeEach(() => {
-      tokenResponse = identityTokenResponseFactory();
-      tokenResponse.userDecryptionOptions = null;
-      tokenResponse.keyConnectorUrl = keyConnectorUrl;
    });

    it("gets and sets the master key if Key Connector is enabled and the user doesn't have a master password", async () => {
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@@ -157,22 +157,12 @@ export class SsoLoginStrategy extends LoginStrategy {
      // In order for us to set the master key from Key Connector, we need to have a Key Connector URL
      // and the user must not have a master password.
      return userHasKeyConnectorUrl && !userHasMasterPassword;
-    } else {
-      // In pre-TDE versions of the server, the userDecryptionOptions will not be present.
-      // In this case, we can determine if the user has a master password and has a Key Connector URL by
-      // just checking the keyConnectorUrl property. This is because the server short-circuits on the response
-      // and will not pass back the URL in the response if the user has a master password.
-      // TODO: remove compatibility check after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
-      return tokenResponse.keyConnectorUrl != null;
    }
  }

  private getKeyConnectorUrl(tokenResponse: IdentityTokenResponse): string {
-    // TODO: remove tokenResponse.keyConnectorUrl reference after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
    const userDecryptionOptions = tokenResponse?.userDecryptionOptions;
-    return (
-      tokenResponse.keyConnectorUrl ?? userDecryptionOptions?.keyConnectorOption?.keyConnectorUrl
-    );
+    return userDecryptionOptions?.keyConnectorOption?.keyConnectorUrl;
  }

  // TODO: future passkey login strategy will need to support setting user key (decrypting via TDE or admin approval request)
--- a/libs/auth/src/common/models/domain/user-decryption-options.ts
+++ b/libs/auth/src/common/models/domain/user-decryption-options.ts
@@ -112,10 +112,11 @@ export class UserDecryptionOptions {
   * @throws If the response is nullish, this method will throw an error. User decryption options
   * are required for client initialization.
   */
-  // TODO: Change response type to `UserDecryptionOptionsResponse` after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
-  static fromResponse(response: IdentityTokenResponse): UserDecryptionOptions {
+  static fromIdentityTokenResponse(response: IdentityTokenResponse): UserDecryptionOptions {
    if (response == null) {
-      throw new Error("User Decryption Options are required for client initialization.");
+      throw new Error(
+        "User Decryption Options are required for client initialization. Response is nullish.",
+      );
    }

    const decryptionOptions = new UserDecryptionOptions();
@@ -134,17 +135,9 @@ export class UserDecryptionOptions {
        responseOptions.keyConnectorOption,
      );
    } else {
-      // If the response does not have userDecryptionOptions, this means it's on a pre-TDE server version and so
-      // we must base our decryption options on the presence of the keyConnectorUrl.
-      // Note that the presence of keyConnectorUrl implies that the user does not have a master password, as in pre-TDE
-      // server versions, a master password short-circuited the addition of the keyConnectorUrl to the response.
-      // TODO: remove this check after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
-      const usingKeyConnector = response.keyConnectorUrl != null;
-      decryptionOptions.hasMasterPassword = !usingKeyConnector;
-      if (usingKeyConnector) {
-        decryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption();
-        decryptionOptions.keyConnectorOption.keyConnectorUrl = response.keyConnectorUrl;
-      }
+      throw new Error(
+        "User Decryption Options are required for client initialization. userDecryptionOptions is missing in response.",
+      );
    }
    return decryptionOptions;
  }
--- a/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
+++ b/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
@@ -10,6 +10,7 @@ import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/ide
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
 import { PreloginResponse } from "@bitwarden/common/auth/models/response/prelogin.response";
+import { UserDecryptionOptionsResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
 import { TwoFactorService } from "@bitwarden/common/auth/two-factor";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
@@ -496,6 +497,7 @@ describe("LoginStrategyService", () => {
        refresh_token: "REFRESH_TOKEN",
        scope: "api offline_access",
        token_type: "Bearer",
+        userDecryptionOptions: new UserDecryptionOptionsResponse({ HasMasterPassword: true }),
      }),
    );
    apiService.postPrelogin.mockResolvedValue(
@@ -563,6 +565,7 @@ describe("LoginStrategyService", () => {
        refresh_token: "REFRESH_TOKEN",
        scope: "api offline_access",
        token_type: "Bearer",
+        userDecryptionOptions: new UserDecryptionOptionsResponse({ HasMasterPassword: true }),
      }),
    );

@@ -692,6 +695,7 @@ describe("LoginStrategyService", () => {
        refresh_token: "REFRESH_TOKEN",
        scope: "api offline_access",
        token_type: "Bearer",
+        userDecryptionOptions: new UserDecryptionOptionsResponse({ HasMasterPassword: true }),
      }),
    );

--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -26,7 +26,6 @@ export class IdentityTokenResponse extends BaseResponse {
  forcePasswordReset: boolean;
  masterPasswordPolicy: MasterPasswordPolicyResponse;
  apiUseKeyConnector: boolean;
-  keyConnectorUrl: string;

  userDecryptionOptions?: UserDecryptionOptionsResponse;

@@ -70,7 +69,7 @@ export class IdentityTokenResponse extends BaseResponse {
        : new Argon2KdfConfig(kdfIterations, kdfMemory, kdfParallelism);
    this.forcePasswordReset = this.getResponseProperty("ForcePasswordReset");
    this.apiUseKeyConnector = this.getResponseProperty("ApiUseKeyConnector");
-    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
+
    this.masterPasswordPolicy = new MasterPasswordPolicyResponse(
      this.getResponseProperty("MasterPasswordPolicy"),
    );
--- a/libs/common/src/key-management/types.ts
+++ b/libs/common/src/key-management/types.ts
@@ -1,6 +1,10 @@
 import { Opaque } from "type-fest";

-import { EncString, SignedSecurityState as SdkSignedSecurityState } from "@bitwarden/sdk-internal";
+import {
+  EncString,
+  SignedSecurityState as SdkSignedSecurityState,
+  SignedPublicKey as SdkSignedPublicKey,
+} from "@bitwarden/sdk-internal";

 /**
 * A private key, encrypted with a symmetric key.
@@ -10,7 +14,7 @@ export type WrappedPrivateKey = Opaque<EncString, "WrappedPrivateKey">;
 /**
 * A public key, signed with the accounts signature key.
 */
-export type SignedPublicKey = Opaque<string, "SignedPublicKey">;
+export type SignedPublicKey = Opaque<SdkSignedPublicKey, "SignedPublicKey">;
 /**
 * A public key in base64 encoded SPKI-DER
 */
--- a/libs/common/src/platform/services/key-state/user-key.state.ts
+++ b/libs/common/src/platform/services/key-state/user-key.state.ts
@@ -1,5 +1,5 @@
 import { EncryptedString } from "../../../key-management/crypto/models/enc-string";
-import { WrappedSigningKey } from "../../../key-management/types";
+import { SignedPublicKey, WrappedSigningKey } from "../../../key-management/types";
 import { UserKey } from "../../../types/key";
 import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
 import { CRYPTO_DISK, CRYPTO_MEMORY, UserKeyDefinition } from "../../state";
@@ -35,3 +35,12 @@ export const USER_KEY_ENCRYPTED_SIGNING_KEY = new UserKeyDefinition<WrappedSigni
    clearOn: ["logout"],
  },
 );
+
+export const USER_SIGNED_PUBLIC_KEY = new UserKeyDefinition<SignedPublicKey>(
+  CRYPTO_DISK,
+  "userSignedPublicKey",
+  {
+    deserializer: (obj) => obj,
+    clearOn: ["logout"],
+  },
+);
--- a/libs/common/src/platform/services/sdk/default-sdk.service.spec.ts
+++ b/libs/common/src/platform/services/sdk/default-sdk.service.spec.ts
@@ -105,6 +105,7 @@ describe("DefaultSdkService", () => {
          .mockReturnValue(of("private-key" as EncryptedString));
        keyService.encryptedOrgKeys$.calledWith(userId).mockReturnValue(of({}));
        keyService.userSigningKey$.calledWith(userId).mockReturnValue(of(null));
+        keyService.userSignedPublicKey$.calledWith(userId).mockReturnValue(of(null));
        securityStateService.accountSecurityState$.calledWith(userId).mockReturnValue(of(null));
      });

--- a/libs/common/src/platform/services/sdk/default-sdk.service.ts
+++ b/libs/common/src/platform/services/sdk/default-sdk.service.ts
@@ -16,6 +16,7 @@ import {
 } from "rxjs";

 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { UserKey } from "@bitwarden/common/types/key";
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
 import { KeyService, KdfConfigService, KdfConfig, KdfType } from "@bitwarden/key-management";
@@ -24,15 +25,14 @@ import {
  ClientSettings,
  TokenProvider,
  UnsignedSharedKey,
+  WrappedAccountCryptographicState,
 } from "@bitwarden/sdk-internal";

 import { ApiService } from "../../../abstractions/api.service";
 import { AccountInfo, AccountService } from "../../../auth/abstractions/account.service";
-import { EncryptedString, EncString } from "../../../key-management/crypto/models/enc-string";
+import { EncString } from "../../../key-management/crypto/models/enc-string";
 import { SecurityStateService } from "../../../key-management/security-state/abstractions/security-state.service";
-import { SignedSecurityState, WrappedSigningKey } from "../../../key-management/types";
 import { OrganizationId, UserId } from "../../../types/guid";
-import { UserKey } from "../../../types/key";
 import { Environment, EnvironmentService } from "../../abstractions/environment.service";
 import { PlatformUtilsService } from "../../abstractions/platform-utils.service";
 import { SdkClientFactory } from "../../abstractions/sdk/sdk-client-factory";
@@ -174,6 +174,9 @@ export class DefaultSdkService implements SdkService {
    const securityState$ = this.securityStateService
      .accountSecurityState$(userId)
      .pipe(distinctUntilChanged(compareValues));
+    const signedPublicKey$ = this.keyService
+      .userSignedPublicKey$(userId)
+      .pipe(distinctUntilChanged(compareValues));

    const client$ = combineLatest([
      this.environmentService.getEnvironment$(userId),
@@ -184,11 +187,22 @@ export class DefaultSdkService implements SdkService {
      signingKey$,
      orgKeys$,
      securityState$,
+      signedPublicKey$,
      SdkLoadService.Ready, // Makes sure we wait (once) for the SDK to be loaded
    ]).pipe(
      // switchMap is required to allow the clean-up logic to be executed when `combineLatest` emits a new value.
      switchMap(
-        ([env, account, kdfParams, privateKey, userKey, signingKey, orgKeys, securityState]) => {
+        ([
+          env,
+          account,
+          kdfParams,
+          privateKey,
+          userKey,
+          signingKey,
+          orgKeys,
+          securityState,
+          signedPublicKey,
+        ]) => {
          // Create our own observable to be able to implement clean-up logic
          return new Observable<Rc<PasswordManagerClient>>((subscriber) => {
            const createAndInitializeClient = async () => {
@@ -202,15 +216,31 @@ export class DefaultSdkService implements SdkService {
                settings,
              );

+              let accountCryptographicState: WrappedAccountCryptographicState;
+              if (signingKey != null && securityState != null && signedPublicKey != null) {
+                accountCryptographicState = {
+                  V2: {
+                    private_key: privateKey,
+                    signing_key: signingKey,
+                    security_state: securityState,
+                    signed_public_key: signedPublicKey,
+                  },
+                };
+              } else {
+                accountCryptographicState = {
+                  V1: {
+                    private_key: privateKey,
+                  },
+                };
+              }
+
              await this.initializeClient(
                userId,
                client,
                account,
                kdfParams,
-                privateKey,
                userKey,
-                signingKey,
-                securityState,
+                accountCryptographicState,
                orgKeys,
              );

@@ -245,10 +275,8 @@ export class DefaultSdkService implements SdkService {
    client: PasswordManagerClient,
    account: AccountInfo,
    kdfParams: KdfConfig,
-    privateKey: EncryptedString,
    userKey: UserKey,
-    signingKey: WrappedSigningKey | null,
-    securityState: SignedSecurityState | null,
+    accountCryptographicState: WrappedAccountCryptographicState,
    orgKeys: Record<OrganizationId, EncString>,
  ) {
    await client.crypto().initialize_user_crypto({
@@ -265,9 +293,7 @@ export class DefaultSdkService implements SdkService {
                parallelism: kdfParams.parallelism,
              },
            },
-      privateKey,
-      signingKey: signingKey || undefined,
-      securityState: securityState || undefined,
+      accountCryptographicState: accountCryptographicState,
    });

    // We initialize the org crypto even if the org_keys are
--- a/libs/common/src/platform/sync/default-sync.service.ts
+++ b/libs/common/src/platform/sync/default-sync.service.ts
@@ -253,6 +253,10 @@ export class DefaultSyncService extends CoreSyncService {
          response.accountKeys.securityState.securityState,
          response.id,
        );
+        await this.keyService.setSignedPublicKey(
+          response.accountKeys.publicKeyEncryptionKeyPair.signedPublicKey,
+          response.id,
+        );
      }
    } else {
      await this.keyService.setPrivateKey(response.privateKey, response.id);
--- a/libs/key-management/src/abstractions/key.service.ts
+++ b/libs/key-management/src/abstractions/key.service.ts
@@ -7,7 +7,7 @@ import {
  EncryptedString,
  EncString,
 } from "@bitwarden/common/key-management/crypto/models/enc-string";
-import { WrappedSigningKey } from "@bitwarden/common/key-management/types";
+import { SignedPublicKey, WrappedSigningKey } from "@bitwarden/common/key-management/types";
 import { KeySuffixOptions, HashPurpose } from "@bitwarden/common/platform/enums";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { OrganizationId, ProviderId, UserId } from "@bitwarden/common/types/guid";
@@ -428,4 +428,8 @@ export abstract class KeyService {
   * @param userId The user id for the key
   */
  abstract validateUserKey(key: UserKey, userId: UserId): Promise<boolean>;
+
+  abstract setSignedPublicKey(signedPublicKey: SignedPublicKey, userId: UserId): Promise<void>;
+
+  abstract userSignedPublicKey$(userId: UserId): Observable<SignedPublicKey | null>;
 }
--- a/libs/key-management/src/key.service.ts
+++ b/libs/key-management/src/key.service.ts
@@ -28,7 +28,7 @@ import {
  EncryptedString,
 } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
-import { WrappedSigningKey } from "@bitwarden/common/key-management/types";
+import { SignedPublicKey, WrappedSigningKey } from "@bitwarden/common/key-management/types";
 import { VaultTimeoutStringType } from "@bitwarden/common/key-management/vault-timeout";
 import { VAULT_TIMEOUT } from "@bitwarden/common/key-management/vault-timeout/services/vault-timeout-settings.state";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -46,6 +46,7 @@ import {
  USER_EVER_HAD_USER_KEY,
  USER_KEY,
  USER_KEY_ENCRYPTED_SIGNING_KEY,
+  USER_SIGNED_PUBLIC_KEY,
 } from "@bitwarden/common/platform/services/key-state/user-key.state";
 import { StateProvider } from "@bitwarden/common/platform/state";
 import { CsprngArray } from "@bitwarden/common/types/csprng";
@@ -1013,4 +1014,12 @@ export class DefaultKeyService implements KeyServiceAbstraction {
      }),
    );
  }
+
+  async setSignedPublicKey(signedPublicKey: SignedPublicKey, userId: UserId): Promise<void> {
+    await this.stateProvider.setUserState(USER_SIGNED_PUBLIC_KEY, signedPublicKey, userId);
+  }
+
+  userSignedPublicKey$(userId: UserId): Observable<SignedPublicKey | null> {
+    return this.stateProvider.getUserState$(USER_SIGNED_PUBLIC_KEY, userId);
+  }
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,8 +23,8 @@
        "@angular/platform-browser": "20.3.15",
        "@angular/platform-browser-dynamic": "20.3.15",
        "@angular/router": "20.3.15",
-        "@bitwarden/commercial-sdk-internal": "0.2.0-main.403",
-        "@bitwarden/sdk-internal": "0.2.0-main.403",
+        "@bitwarden/commercial-sdk-internal": "0.2.0-main.409",
+        "@bitwarden/sdk-internal": "0.2.0-main.409",
        "@electron/fuses": "1.8.0",
        "@emotion/css": "11.13.5",
        "@koa/multer": "4.0.0",
@@ -49,7 +49,7 @@
        "inquirer": "8.2.6",
        "jsdom": "26.1.0",
        "jszip": "3.10.1",
-        "koa": "2.16.3",
+        "koa": "3.1.1",
        "koa-bodyparser": "4.4.1",
        "koa-json": "2.0.2",
        "lit": "3.3.1",
@@ -60,7 +60,7 @@
        "node-fetch": "2.6.12",
        "node-forge": "1.3.2",
        "oidc-client-ts": "2.4.1",
-        "open": "10.1.2",
+        "open": "11.0.0",
        "papaparse": "5.5.3",
        "proper-lockfile": "4.1.2",
        "qrcode-parser": "2.1.3",
@@ -102,7 +102,7 @@
        "@types/inquirer": "8.2.10",
        "@types/jest": "29.5.14",
        "@types/jsdom": "21.1.7",
-        "@types/koa": "3.0.0",
+        "@types/koa": "3.0.1",
        "@types/koa__multer": "2.0.7",
        "@types/koa__router": "12.0.4",
        "@types/koa-bodyparser": "4.3.7",
@@ -211,7 +211,7 @@
        "inquirer": "8.2.6",
        "jsdom": "26.1.0",
        "jszip": "3.10.1",
-        "koa": "2.16.3",
+        "koa": "3.1.1",
        "koa-bodyparser": "4.4.1",
        "koa-json": "2.0.2",
        "lowdb": "1.0.0",
@@ -219,7 +219,7 @@
        "multer": "2.0.2",
        "node-fetch": "2.6.12",
        "node-forge": "1.3.2",
-        "open": "10.1.2",
+        "open": "11.0.0",
        "papaparse": "5.5.3",
        "proper-lockfile": "4.1.2",
        "rxjs": "7.8.1",
@@ -4615,9 +4615,9 @@
      "link": true
    },
    "node_modules/@bitwarden/commercial-sdk-internal": {
-      "version": "0.2.0-main.403",
-      "resolved": "https://registry.npmjs.org/@bitwarden/commercial-sdk-internal/-/commercial-sdk-internal-0.2.0-main.403.tgz",
-      "integrity": "sha512-M2ZUu29oua7CaDTNK7mCwY7PhaIUbNYogAAvxLOmkJuyHNxxqvS9usjjlD2CkQVNBeTUFqvAQpaZQo9vgzEEFA==",
+      "version": "0.2.0-main.409",
+      "resolved": "https://registry.npmjs.org/@bitwarden/commercial-sdk-internal/-/commercial-sdk-internal-0.2.0-main.409.tgz",
+      "integrity": "sha512-86AVuOG5S9Te9ZMvozCV1FN8v98ROnUwr24nTeocqD/5OJIKoWWXk1t+g4YoVF+8AItpD6hFfO/uL05mG80jDA==",
      "license": "BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE AGREEMENT",
      "dependencies": {
        "type-fest": "^4.41.0"
@@ -4720,9 +4720,9 @@
      "link": true
    },
    "node_modules/@bitwarden/sdk-internal": {
-      "version": "0.2.0-main.403",
-      "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.403.tgz",
-      "integrity": "sha512-ROEZdTbeKU68kDh9WYm9wKsLQD5jdTRclXLKl8x0aTj+Tx0nKyyXmLyUfOP+qh3EHIetij4jwPx2z3uS+7r8mg==",
+      "version": "0.2.0-main.409",
+      "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.409.tgz",
+      "integrity": "sha512-3e3hZenNos1xACJ2Bsq14RrzCnWdIilJuJhFwZYQBI6PQ+R38UGGQhGJDandKvQggfR8bDCY3re8x8n9G7MDiA==",
      "license": "GPL-3.0",
      "dependencies": {
        "type-fest": "^4.41.0"
@@ -13887,9 +13887,9 @@
      }
    },
    "node_modules/@types/koa": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/@types/koa/-/koa-3.0.0.tgz",
-      "integrity": "sha512-MOcVYdVYmkSutVHZZPh8j3+dAjLyR5Tl59CN0eKgpkE1h/LBSmPAsQQuWs+bKu7WtGNn+hKfJH9Gzml+PulmDg==",
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@types/koa/-/koa-3.0.1.tgz",
+      "integrity": "sha512-VkB6WJUQSe0zBpR+Q7/YIUESGp5wPHcaXr0xueU5W0EOUWtlSbblsl+Kl31lyRQ63nIILh0e/7gXjQ09JXJIHw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -17675,40 +17675,6 @@
      "dev": true,
      "license": "ISC"
    },
-    "node_modules/cache-content-type": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/cache-content-type/-/cache-content-type-1.0.1.tgz",
-      "integrity": "sha512-IKufZ1o4Ut42YUrZSo8+qnMTrFuKkvyoLXUywKz9GJ5BrhOFGhLdkx9sG4KAnVvbY6kEcSFjLQul+DVmBm2bgA==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-types": "^2.1.18",
-        "ylru": "^1.2.0"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/cache-content-type/node_modules/mime-db": {
-      "version": "1.52.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
-      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/cache-content-type/node_modules/mime-types": {
-      "version": "2.1.35",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
-      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "1.52.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/cacheable-lookup": {
      "version": "5.0.4",
      "resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-5.0.4.tgz",
@@ -19713,9 +19679,9 @@
      }
    },
    "node_modules/default-browser": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/default-browser/-/default-browser-5.2.1.tgz",
-      "integrity": "sha512-WY/3TUME0x3KPYdRRxEJJvXRHV4PyPoUsxtZa78lwItwRQRHhd2U9xOscaT/YTf8uCXIAjeJOFBVEh/7FtD8Xg==",
+      "version": "5.4.0",
+      "resolved": "https://registry.npmjs.org/default-browser/-/default-browser-5.4.0.tgz",
+      "integrity": "sha512-XDuvSq38Hr1MdN47EDvYtx3U0MTqpCEn+F6ft8z2vYDzMrvQhVp0ui9oQdqW3MvK3vqUETglt1tVGgjLuJ5izg==",
      "license": "MIT",
      "dependencies": {
        "bundle-name": "^4.1.0",
@@ -24759,6 +24725,7 @@
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/is-generator-function/-/is-generator-function-1.1.0.tgz",
      "integrity": "sha512-nPUB5km40q9e8UfN/Zc24eLlzdSf9OfKByBw9CIdw4H1giPMeA0OIJvbchsCu4npfI2QcMVBsGEBHKZ7wLTWmQ==",
+      "dev": true,
      "license": "MIT",
      "dependencies": {
        "call-bound": "^1.0.3",
@@ -24785,6 +24752,18 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/is-in-ssh": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-in-ssh/-/is-in-ssh-1.0.0.tgz",
+      "integrity": "sha512-jYa6Q9rH90kR1vKB6NM7qqd1mge3Fx4Dhw5TVlK1MUBqhEOuCagrEHMevNuCcbECmXZ0ThXkRm+Ymr51HwEPAw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/is-inside-container": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/is-inside-container/-/is-inside-container-1.0.0.tgz",
@@ -24932,6 +24911,7 @@
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.2.1.tgz",
      "integrity": "sha512-MjYsKHO5O7mCsmRGxWcLWheFqN9DJ/2TmngvjKXihe6efViPqc274+Fx/4fYj/r03+ESvBdTXK0V6tA3rgez1g==",
+      "dev": true,
      "license": "MIT",
      "dependencies": {
        "call-bound": "^1.0.2",
@@ -27471,37 +27451,32 @@
      }
    },
    "node_modules/koa": {
-      "version": "2.16.3",
-      "resolved": "https://registry.npmjs.org/koa/-/koa-2.16.3.tgz",
-      "integrity": "sha512-zPPuIt+ku1iCpFBRwseMcPYQ1cJL8l60rSmKeOuGfOXyE6YnTBmf2aEFNL2HQGrD0cPcLO/t+v9RTgC+fwEh/g==",
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/koa/-/koa-3.1.1.tgz",
+      "integrity": "sha512-KDDuvpfqSK0ZKEO2gCPedNjl5wYpfj+HNiuVRlbhd1A88S3M0ySkdf2V/EJ4NWt5dwh5PXCdcenrKK2IQJAxsg==",
      "license": "MIT",
      "dependencies": {
-        "accepts": "^1.3.5",
-        "cache-content-type": "^1.0.0",
-        "content-disposition": "~0.5.2",
-        "content-type": "^1.0.4",
-        "cookies": "~0.9.0",
-        "debug": "^4.3.2",
+        "accepts": "^1.3.8",
+        "content-disposition": "~0.5.4",
+        "content-type": "^1.0.5",
+        "cookies": "~0.9.1",
        "delegates": "^1.0.0",
-        "depd": "^2.0.0",
-        "destroy": "^1.0.4",
-        "encodeurl": "^1.0.2",
+        "destroy": "^1.2.0",
+        "encodeurl": "^2.0.0",
        "escape-html": "^1.0.3",
        "fresh": "~0.5.2",
-        "http-assert": "^1.3.0",
-        "http-errors": "^1.6.3",
-        "is-generator-function": "^1.0.7",
+        "http-assert": "^1.5.0",
+        "http-errors": "^2.0.0",
        "koa-compose": "^4.1.0",
-        "koa-convert": "^2.0.0",
-        "on-finished": "^2.3.0",
-        "only": "~0.0.2",
-        "parseurl": "^1.3.2",
-        "statuses": "^1.5.0",
-        "type-is": "^1.6.16",
+        "mime-types": "^3.0.1",
+        "on-finished": "^2.4.1",
+        "parseurl": "^1.3.3",
+        "statuses": "^2.0.1",
+        "type-is": "^2.0.1",
        "vary": "^1.1.2"
      },
      "engines": {
-        "node": "^4.8.4 || ^6.10.1 || ^7.10.1 || >= 8.1.4"
+        "node": ">= 18"
      }
    },
    "node_modules/koa-bodyparser": {
@@ -27567,19 +27542,6 @@
      "integrity": "sha512-8ODW8TrDuMYvXRwra/Kh7/rJo9BtOfPc6qO8eAfC80CnCvSjSl0bkRM24X6/XBBEyj0v1nRUQ1LyOy3dbqOWXw==",
      "license": "MIT"
    },
-    "node_modules/koa-convert": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/koa-convert/-/koa-convert-2.0.0.tgz",
-      "integrity": "sha512-asOvN6bFlSnxewce2e/DK3p4tltyfC4VM7ZwuTuepI7dEQVcvpyFuBcEARu1+Hxg8DIwytce2n7jrZtRlPrARA==",
-      "license": "MIT",
-      "dependencies": {
-        "co": "^4.6.0",
-        "koa-compose": "^4.1.0"
-      },
-      "engines": {
-        "node": ">= 10"
-      }
-    },
    "node_modules/koa-is-json": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/koa-is-json/-/koa-is-json-1.0.0.tgz",
@@ -27609,6 +27571,18 @@
        "node": ">= 0.6"
      }
    },
+    "node_modules/koa/node_modules/accepts/node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/koa/node_modules/content-disposition": {
      "version": "0.5.4",
      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
@@ -27621,15 +27595,6 @@
        "node": ">= 0.6"
      }
    },
-    "node_modules/koa/node_modules/encodeurl": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
-      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
    "node_modules/koa/node_modules/fresh": {
      "version": "0.5.2",
      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
@@ -27639,40 +27604,6 @@
        "node": ">= 0.6"
      }
    },
-    "node_modules/koa/node_modules/http-errors": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz",
-      "integrity": "sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g==",
-      "license": "MIT",
-      "dependencies": {
-        "depd": "~1.1.2",
-        "inherits": "2.0.4",
-        "setprototypeof": "1.2.0",
-        "statuses": ">= 1.5.0 < 2",
-        "toidentifier": "1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/koa/node_modules/http-errors/node_modules/depd": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
-      "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/koa/node_modules/media-typer": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
-      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/koa/node_modules/mime-db": {
      "version": "1.52.0",
      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
@@ -27682,18 +27613,6 @@
        "node": ">= 0.6"
      }
    },
-    "node_modules/koa/node_modules/mime-types": {
-      "version": "2.1.35",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
-      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "1.52.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/koa/node_modules/negotiator": {
      "version": "0.6.3",
      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
@@ -27703,28 +27622,6 @@
        "node": ">= 0.6"
      }
    },
-    "node_modules/koa/node_modules/statuses": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-      "integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/koa/node_modules/type-is": {
-      "version": "1.6.18",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
-      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
-      "license": "MIT",
-      "dependencies": {
-        "media-typer": "0.3.0",
-        "mime-types": "~2.1.24"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/launch-editor": {
      "version": "2.10.0",
      "resolved": "https://registry.npmjs.org/launch-editor/-/launch-editor-2.10.0.tgz",
@@ -32471,24 +32368,37 @@
        "node": ">=6"
      }
    },
-    "node_modules/only": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/only/-/only-0.0.2.tgz",
-      "integrity": "sha512-Fvw+Jemq5fjjyWz6CpKx6w9s7xxqo3+JCyM0WXWeCSOboZ8ABkyvP8ID4CZuChA/wxSx+XSJmdOm8rGVyJ1hdQ=="
-    },
    "node_modules/open": {
-      "version": "10.1.2",
-      "resolved": "https://registry.npmjs.org/open/-/open-10.1.2.tgz",
-      "integrity": "sha512-cxN6aIDPz6rm8hbebcP7vrQNhvRcveZoJU72Y7vskh4oIm+BZwBECnx5nTmrlres1Qapvx27Qo1Auukpf8PKXw==",
+      "version": "11.0.0",
+      "resolved": "https://registry.npmjs.org/open/-/open-11.0.0.tgz",
+      "integrity": "sha512-smsWv2LzFjP03xmvFoJ331ss6h+jixfA4UUV/Bsiyuu4YJPfN+FIQGOIiv4w9/+MoHkfkJ22UIaQWRVFRfH6Vw==",
      "license": "MIT",
      "dependencies": {
-        "default-browser": "^5.2.1",
+        "default-browser": "^5.4.0",
        "define-lazy-prop": "^3.0.0",
+        "is-in-ssh": "^1.0.0",
        "is-inside-container": "^1.0.0",
-        "is-wsl": "^3.1.0"
+        "powershell-utils": "^0.1.0",
+        "wsl-utils": "^0.3.0"
      },
      "engines": {
-        "node": ">=18"
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/open/node_modules/wsl-utils": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/wsl-utils/-/wsl-utils-0.3.0.tgz",
+      "integrity": "sha512-3sFIGLiaDP7rTO4xh3g+b3AzhYDIUGGywE/WsmqzJWDxus5aJXVnPTNC/6L+r2WzrwXqVOdD262OaO+cEyPMSQ==",
+      "license": "MIT",
+      "dependencies": {
+        "is-wsl": "^3.1.0",
+        "powershell-utils": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -34417,6 +34327,18 @@
        "node": "^12.20.0 || >=14"
      }
    },
+    "node_modules/powershell-utils": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/powershell-utils/-/powershell-utils-0.1.0.tgz",
+      "integrity": "sha512-dM0jVuXJPsDN6DvRpea484tCUaMiXWjuCn++HGTqUWzGDjv5tZkEZldAJ/UMlqRYGFrD/etByo4/xOuC/snX2A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/prebuild-install": {
      "version": "7.1.3",
      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.3.tgz",
@@ -35945,6 +35867,7 @@
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/safe-regex-test/-/safe-regex-test-1.1.0.tgz",
      "integrity": "sha512-x/+Cz4YrimQxQccJf5mKEbIa1NzeCRNI5Ecl/ekmlYaampdNLPalVyIcCZNNH3MvmqBugV5TMYZXv0ljslUlaw==",
+      "dev": true,
      "license": "MIT",
      "dependencies": {
        "call-bound": "^1.0.2",
@@ -41311,6 +41234,24 @@
        "node": ">= 0.6"
      }
    },
+    "node_modules/webpack-dev-server/node_modules/open": {
+      "version": "10.2.0",
+      "resolved": "https://registry.npmjs.org/open/-/open-10.2.0.tgz",
+      "integrity": "sha512-YgBpdJHPyQ2UE5x+hlSXcnejzAvD0b22U2OuAP+8OnlJT+PjWPxtgmGqKKc+RgTM63U9gN0YzrYc71R2WT/hTA==",
+      "license": "MIT",
+      "dependencies": {
+        "default-browser": "^5.2.1",
+        "define-lazy-prop": "^3.0.0",
+        "is-inside-container": "^1.0.0",
+        "wsl-utils": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/webpack-dev-server/node_modules/path-to-regexp": {
      "version": "0.1.12",
      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
@@ -41895,7 +41836,6 @@
      "version": "0.1.0",
      "resolved": "https://registry.npmjs.org/wsl-utils/-/wsl-utils-0.1.0.tgz",
      "integrity": "sha512-h3Fbisa2nKGPxCpm89Hk33lBLsnaGBvctQopaBSOW/uIs6FTe1ATyAnKFJrzVs9vpGdsTe73WF3V4lIsk4Gacw==",
-      "dev": true,
      "license": "MIT",
      "dependencies": {
        "is-wsl": "^3.1.0"
@@ -42013,15 +41953,6 @@
        "fd-slicer": "~1.1.0"
      }
    },
-    "node_modules/ylru": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/ylru/-/ylru-1.4.0.tgz",
-      "integrity": "sha512-2OQsPNEmBCvXuFlIni/a+Rn+R2pHW9INm0BxXJ4hVDA8TirqMj+J/Rp9ItLatT/5pZqWwefVrTQcHpixsxnVlA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4.0.0"
-      }
-    },
    "node_modules/yn": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
--- a/package.json
+++ b/package.json
@@ -64,7 +64,7 @@
    "@types/inquirer": "8.2.10",
    "@types/jest": "29.5.14",
    "@types/jsdom": "21.1.7",
-    "@types/koa": "3.0.0",
+    "@types/koa": "3.0.1",
    "@types/koa__multer": "2.0.7",
    "@types/koa__router": "12.0.4",
    "@types/koa-bodyparser": "4.3.7",
@@ -157,8 +157,8 @@
    "@angular/platform-browser": "20.3.15",
    "@angular/platform-browser-dynamic": "20.3.15",
    "@angular/router": "20.3.15",
-    "@bitwarden/sdk-internal": "0.2.0-main.403",
-    "@bitwarden/commercial-sdk-internal": "0.2.0-main.403",
+    "@bitwarden/sdk-internal": "0.2.0-main.409",
+    "@bitwarden/commercial-sdk-internal": "0.2.0-main.409",
    "@electron/fuses": "1.8.0",
    "@emotion/css": "11.13.5",
    "@koa/multer": "4.0.0",
@@ -183,7 +183,7 @@
    "inquirer": "8.2.6",
    "jsdom": "26.1.0",
    "jszip": "3.10.1",
-    "koa": "2.16.3",
+    "koa": "3.1.1",
    "koa-bodyparser": "4.4.1",
    "koa-json": "2.0.2",
    "lit": "3.3.1",
@@ -194,7 +194,7 @@
    "node-fetch": "2.6.12",
    "node-forge": "1.3.2",
    "oidc-client-ts": "2.4.1",
-    "open": "10.1.2",
+    "open": "11.0.0",
    "papaparse": "5.5.3",
    "proper-lockfile": "4.1.2",
    "qrcode-parser": "2.1.3",