From 91be36bfcf4cdf0d20835ed59cc0fb570700118f Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Wed, 22 Oct 2025 12:27:48 -0500
Subject: [PATCH 01/11] force a `null` value for angular forms as `undefined`
 gets forced to `null` anyway (#16985)

---
 .../item-details-section.component.spec.ts    | 40 +++++++++++++++++++
 .../item-details-section.component.ts         |  8 +++-
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts
index 67b5509c8ac..e40231ce801 100644
--- a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts
+++ b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.spec.ts
@@ -640,6 +640,46 @@ describe("ItemDetailsSectionComponent", () => {
     });
   });
 
+  describe("initFromExistingCipher", () => {
+    it("should set organizationId to null when prefillCipher.organizationId is undefined", async () => {
+      component.config.organizationDataOwnershipDisabled = true;
+      component.config.organizations = [{ id: "org1" } as Organization];
+
+      const prefillCipher = {
+        name: "Test Cipher",
+        organizationId: undefined,
+        folderId: null,
+        collectionIds: [],
+        favorite: false,
+      } as unknown as CipherView;
+
+      getInitialCipherView.mockReturnValueOnce(prefillCipher);
+
+      await component.ngOnInit();
+
+      expect(component.itemDetailsForm.controls.organizationId.value).toBeNull();
+    });
+
+    it("should preserve organizationId when prefillCipher.organizationId has a value", async () => {
+      component.config.organizationDataOwnershipDisabled = true;
+      component.config.organizations = [{ id: "org1", name: "Organization 1" } as Organization];
+
+      const prefillCipher = {
+        name: "Test Cipher",
+        organizationId: "org1",
+        folderId: null,
+        collectionIds: [],
+        favorite: false,
+      } as unknown as CipherView;
+
+      getInitialCipherView.mockReturnValueOnce(prefillCipher);
+
+      await component.ngOnInit();
+
+      expect(component.itemDetailsForm.controls.organizationId.value).toBe("org1");
+    });
+  });
+
   describe("form status when editing a cipher", () => {
     beforeEach(() => {
       component.config.mode = "edit";
diff --git a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts
index ce0244bc759..892fc5804ec 100644
--- a/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts
+++ b/libs/vault/src/cipher-form/components/item-details/item-details-section.component.ts
@@ -4,7 +4,7 @@ import { CommonModule } from "@angular/common";
 import { Component, DestroyRef, Input, OnInit } from "@angular/core";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
 import { FormBuilder, FormControl, ReactiveFormsModule, Validators } from "@angular/forms";
-import { concatMap, firstValueFrom, map } from "rxjs";
+import { concatMap, distinctUntilChanged, firstValueFrom, map } from "rxjs";
 
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
@@ -236,6 +236,7 @@ export class ItemDetailsSectionComponent implements OnInit {
     this.itemDetailsForm.controls.organizationId.valueChanges
       .pipe(
         takeUntilDestroyed(this.destroyRef),
+        distinctUntilChanged(),
         concatMap(async () => {
           await this.updateCollectionOptions();
           this.setFormState();
@@ -314,7 +315,10 @@ export class ItemDetailsSectionComponent implements OnInit {
 
     this.itemDetailsForm.patchValue({
       name: name ? name : (this.initialValues?.name ?? ""),
-      organizationId: prefillCipher.organizationId, // We do not allow changing ownership of an existing cipher.
+      // We do not allow changing ownership of an existing cipher.
+      // Angular forms do not support `undefined` as a value for a form control,
+      // force `null` if `organizationId` is undefined.
+      organizationId: prefillCipher.organizationId ?? null,
       folderId: folderId ? folderId : (this.initialValues?.folderId ?? null),
       collectionIds: [],
       favorite: prefillCipher.favorite,

From 8154613462a9bd02be701f1b84b431b510a9f916 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Wed, 22 Oct 2025 20:29:36 +0200
Subject: [PATCH 02/11] [PM-23995] Updated change kdf component for Forced
 update KDF settings (#16516)

* move change-kdf into KM ownership

* Change kdf component update for Forced KDF update

* correct validators load on init

* incorrect feature flag observable check

* unit test coverage

* unit test coverage

* remove Close button, wrong icon

* change to `pm-23995-no-logout-on-kdf-change` feature flag

* updated unit tests

* revert bad merge

Signed-off-by: Maciej Zieniuk <mzieniuk@bitwarden.com>

* updated wording, TS strict enabled, use form controls, updated tests

* use localisation for button label

* small margin in confirmation dialog

* simpler I18nService mock

---------

Signed-off-by: Maciej Zieniuk <mzieniuk@bitwarden.com>
---
 .../change-kdf-confirmation.component.html    |  14 +-
 .../change-kdf-confirmation.component.spec.ts | 243 ++++++++++++
 .../change-kdf-confirmation.component.ts      |  49 ++-
 .../change-kdf/change-kdf.component.html      | 153 ++++----
 .../change-kdf/change-kdf.component.spec.ts   | 365 ++++++++++++++++++
 .../change-kdf/change-kdf.component.ts        | 125 +++---
 .../change-kdf/change-kdf.module.ts           |   4 +-
 apps/web/src/locales/en/messages.json         |  94 ++---
 8 files changed, 848 insertions(+), 199 deletions(-)
 create mode 100644 apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.spec.ts
 create mode 100644 apps/web/src/app/key-management/change-kdf/change-kdf.component.spec.ts

diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.html b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.html
index 9f21b28f190..88c6c8b9aca 100644
--- a/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.html
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.html
@@ -1,12 +1,14 @@
 <form [formGroup]="form" [bitSubmit]="submit" autocomplete="off">
   <bit-dialog>
     <span bitDialogTitle>
-      {{ "changeKdf" | i18n }}
+      {{ "updateYourEncryptionSettings" | i18n }}
     </span>
 
     <span bitDialogContent>
-      <bit-callout type="warning">{{ "kdfSettingsChangeLogoutWarning" | i18n }}</bit-callout>
-      <bit-form-field>
+      @if (!(noLogoutOnKdfChangeFeatureFlag$ | async)) {
+        <bit-callout type="warning">{{ "kdfSettingsChangeLogoutWarning" | i18n }}</bit-callout>
+      }
+      <bit-form-field disableMargin>
         <bit-label>{{ "masterPass" | i18n }}</bit-label>
         <input bitInput type="password" formControlName="masterPassword" appAutofocus />
         <button
@@ -18,12 +20,12 @@
         ></button>
         <bit-hint>
           {{ "confirmIdentity" | i18n }}
-        </bit-hint></bit-form-field
-      >
+        </bit-hint>
+      </bit-form-field>
     </span>
     <ng-container bitDialogFooter>
       <button bitButton buttonType="primary" type="submit" bitFormButton>
-        <span>{{ "changeKdf" | i18n }}</span>
+        <span>{{ "updateSettings" | i18n }}</span>
       </button>
       <button bitButton buttonType="secondary" type="button" bitFormButton bitDialogClose>
         {{ "cancel" | i18n }}
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.spec.ts b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.spec.ts
new file mode 100644
index 00000000000..525ddd89675
--- /dev/null
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.spec.ts
@@ -0,0 +1,243 @@
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { FormControl } from "@angular/forms";
+import { mock, MockProxy } from "jest-mock-extended";
+import { of } from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service.abstraction";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DIALOG_DATA, DialogRef, ToastService } from "@bitwarden/components";
+import { KdfType, PBKDF2KdfConfig, Argon2KdfConfig } from "@bitwarden/key-management";
+
+import { SharedModule } from "../../shared";
+
+import { ChangeKdfConfirmationComponent } from "./change-kdf-confirmation.component";
+
+describe("ChangeKdfConfirmationComponent", () => {
+  let component: ChangeKdfConfirmationComponent;
+  let fixture: ComponentFixture<ChangeKdfConfirmationComponent>;
+
+  // Mock Services
+  let mockI18nService: MockProxy<I18nService>;
+  let mockMessagingService: MockProxy<MessagingService>;
+  let mockToastService: MockProxy<ToastService>;
+  let mockDialogRef: MockProxy<DialogRef<ChangeKdfConfirmationComponent>>;
+  let mockConfigService: MockProxy<ConfigService>;
+  let accountService: FakeAccountService;
+  let mockChangeKdfService: MockProxy<ChangeKdfService>;
+
+  const mockUserId = "user-id" as UserId;
+  const mockEmail = "email";
+  const mockMasterPassword = "master-password";
+  const mockDialogData = jest.fn();
+  const kdfConfig = new PBKDF2KdfConfig(600_001);
+
+  beforeEach(() => {
+    mockI18nService = mock<I18nService>();
+    mockMessagingService = mock<MessagingService>();
+    mockToastService = mock<ToastService>();
+    mockDialogRef = mock<DialogRef<ChangeKdfConfirmationComponent>>();
+    mockConfigService = mock<ConfigService>();
+    accountService = mockAccountServiceWith(mockUserId, { email: mockEmail });
+    mockChangeKdfService = mock<ChangeKdfService>();
+
+    mockI18nService.t.mockImplementation((key) => `${key}-used-i18n`);
+
+    // Mock config service feature flag
+    mockConfigService.getFeatureFlag$.mockReturnValue(of(false));
+
+    mockDialogData.mockReturnValue({
+      kdf: KdfType.PBKDF2_SHA256,
+      kdfConfig,
+    });
+
+    TestBed.configureTestingModule({
+      declarations: [ChangeKdfConfirmationComponent],
+      imports: [SharedModule],
+      providers: [
+        { provide: I18nService, useValue: mockI18nService },
+        { provide: MessagingService, useValue: mockMessagingService },
+        { provide: AccountService, useValue: accountService },
+        { provide: ToastService, useValue: mockToastService },
+        { provide: DialogRef, useValue: mockDialogRef },
+        { provide: ConfigService, useValue: mockConfigService },
+        { provide: ChangeKdfService, useValue: mockChangeKdfService },
+        {
+          provide: DIALOG_DATA,
+          useFactory: mockDialogData,
+        },
+      ],
+    });
+  });
+
+  describe("Component Initialization", () => {
+    it("should create component with PBKDF2 config", () => {
+      const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+      const component = fixture.componentInstance;
+
+      expect(component).toBeTruthy();
+      expect(component.kdfConfig).toBeInstanceOf(PBKDF2KdfConfig);
+      expect(component.kdfConfig.iterations).toBe(600_001);
+    });
+
+    it("should create component with Argon2id config", () => {
+      mockDialogData.mockReturnValue({
+        kdf: KdfType.Argon2id,
+        kdfConfig: new Argon2KdfConfig(4, 65, 5),
+      });
+
+      const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+      const component = fixture.componentInstance;
+
+      expect(component).toBeTruthy();
+      expect(component.kdfConfig).toBeInstanceOf(Argon2KdfConfig);
+      const kdfConfig = component.kdfConfig as Argon2KdfConfig;
+      expect(kdfConfig.iterations).toBe(4);
+      expect(kdfConfig.memory).toBe(65);
+      expect(kdfConfig.parallelism).toBe(5);
+    });
+
+    it("should initialize form with required master password field", () => {
+      const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+      const component = fixture.componentInstance;
+
+      expect(component.form.controls.masterPassword).toBeInstanceOf(FormControl);
+      expect(component.form.controls.masterPassword.value).toEqual(null);
+      expect(component.form.controls.masterPassword.hasError("required")).toBe(true);
+    });
+  });
+
+  describe("Form Validation", () => {
+    beforeEach(() => {
+      fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+      component = fixture.componentInstance;
+    });
+
+    it("should be invalid when master password is empty", () => {
+      component.form.controls.masterPassword.setValue("");
+      expect(component.form.invalid).toBe(true);
+    });
+
+    it("should be valid when master password is provided", () => {
+      component.form.controls.masterPassword.setValue(mockMasterPassword);
+      expect(component.form.valid).toBe(true);
+    });
+  });
+
+  describe("submit method", () => {
+    describe("should not update kdf and not show success toast", () => {
+      beforeEach(() => {
+        fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+        component = fixture.componentInstance;
+
+        component.form.controls.masterPassword.setValue(mockMasterPassword);
+      });
+
+      it("when form is invalid", async () => {
+        // Arrange
+        component.form.controls.masterPassword.setValue("");
+        expect(component.form.invalid).toBe(true);
+
+        // Act
+        await component.submit();
+
+        // Assert
+        expect(mockChangeKdfService.updateUserKdfParams).not.toHaveBeenCalled();
+      });
+
+      it("when no active account", async () => {
+        accountService.activeAccount$ = of(null);
+
+        await expect(component.submit()).rejects.toThrow("Null or undefined account");
+
+        expect(mockChangeKdfService.updateUserKdfParams).not.toHaveBeenCalled();
+      });
+
+      it("when kdf is invalid", async () => {
+        // Arrange
+        component.kdfConfig = new PBKDF2KdfConfig(1);
+
+        // Act
+        await expect(component.submit()).rejects.toThrow();
+
+        expect(mockChangeKdfService.updateUserKdfParams).not.toHaveBeenCalled();
+      });
+    });
+
+    describe("should update kdf and show success toast", () => {
+      it("should set loading to true during submission", async () => {
+        // Arrange
+        let loadingDuringExecution = false;
+        mockChangeKdfService.updateUserKdfParams.mockImplementation(async () => {
+          loadingDuringExecution = component.loading;
+        });
+
+        const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+        const component = fixture.componentInstance;
+
+        component.form.controls.masterPassword.setValue(mockMasterPassword);
+
+        // Act
+        await component.submit();
+
+        expect(loadingDuringExecution).toBe(true);
+        expect(component.loading).toBe(false);
+      });
+
+      it("doesn't logout and closes the dialog when feature flag is enabled", async () => {
+        // Arrange
+        mockConfigService.getFeatureFlag$.mockReturnValue(of(true));
+
+        const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+        const component = fixture.componentInstance;
+
+        component.form.controls.masterPassword.setValue(mockMasterPassword);
+
+        // Act
+        await component.submit();
+
+        // Assert
+        expect(mockChangeKdfService.updateUserKdfParams).toHaveBeenCalledWith(
+          mockMasterPassword,
+          kdfConfig,
+          mockUserId,
+        );
+        expect(mockToastService.showToast).toHaveBeenCalledWith({
+          variant: "success",
+          message: "encKeySettingsChanged-used-i18n",
+        });
+        expect(mockDialogRef.close).toHaveBeenCalled();
+        expect(mockMessagingService.send).not.toHaveBeenCalled();
+      });
+
+      it("sends a logout and displays a log back in toast when feature flag is disabled", async () => {
+        // Arrange
+        const fixture = TestBed.createComponent(ChangeKdfConfirmationComponent);
+        const component = fixture.componentInstance;
+
+        component.form.controls.masterPassword.setValue(mockMasterPassword);
+
+        // Act
+        await component.submit();
+
+        // Assert
+        expect(mockChangeKdfService.updateUserKdfParams).toHaveBeenCalledWith(
+          mockMasterPassword,
+          kdfConfig,
+          mockUserId,
+        );
+        expect(mockToastService.showToast).toHaveBeenCalledWith({
+          variant: "success",
+          title: "encKeySettingsChanged-used-i18n",
+          message: "logBackIn-used-i18n",
+        });
+        expect(mockMessagingService.send).toHaveBeenCalledWith("logout");
+        expect(mockDialogRef.close).not.toHaveBeenCalled();
+      });
+    });
+  });
+});
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.ts b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.ts
index 09d00d38dcf..b730a3597ba 100644
--- a/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.ts
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf-confirmation.component.ts
@@ -1,15 +1,15 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
 import { Component, Inject } from "@angular/core";
 import { FormGroup, FormControl, Validators } from "@angular/forms";
-import { firstValueFrom } from "rxjs";
+import { firstValueFrom, Observable } from "rxjs";
 
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service.abstraction";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { DIALOG_DATA, ToastService } from "@bitwarden/components";
+import { DIALOG_DATA, DialogRef, ToastService } from "@bitwarden/components";
 import { KdfConfig, KdfType } from "@bitwarden/key-management";
 
 // FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
@@ -23,12 +23,13 @@ export class ChangeKdfConfirmationComponent {
   kdfConfig: KdfConfig;
 
   form = new FormGroup({
-    masterPassword: new FormControl(null, Validators.required),
+    masterPassword: new FormControl<string | null>(null, Validators.required),
   });
   showPassword = false;
-  masterPassword: string;
   loading = false;
 
+  noLogoutOnKdfChangeFeatureFlag$: Observable<boolean>;
+
   constructor(
     private i18nService: I18nService,
     private messagingService: MessagingService,
@@ -36,9 +37,13 @@ export class ChangeKdfConfirmationComponent {
     private accountService: AccountService,
     private toastService: ToastService,
     private changeKdfService: ChangeKdfService,
+    private dialogRef: DialogRef<ChangeKdfConfirmationComponent>,
+    configService: ConfigService,
   ) {
     this.kdfConfig = params.kdfConfig;
-    this.masterPassword = null;
+    this.noLogoutOnKdfChangeFeatureFlag$ = configService.getFeatureFlag$(
+      FeatureFlag.NoLogoutOnKdfChange,
+    );
   }
 
   submit = async () => {
@@ -46,24 +51,32 @@ export class ChangeKdfConfirmationComponent {
       return;
     }
     this.loading = true;
-    await this.makeKeyAndSaveAsync();
-    this.toastService.showToast({
-      variant: "success",
-      title: this.i18nService.t("encKeySettingsChanged"),
-      message: this.i18nService.t("logBackIn"),
-    });
-    this.messagingService.send("logout");
+    await this.makeKeyAndSave();
+    if (await firstValueFrom(this.noLogoutOnKdfChangeFeatureFlag$)) {
+      this.toastService.showToast({
+        variant: "success",
+        message: this.i18nService.t("encKeySettingsChanged"),
+      });
+      this.dialogRef.close();
+    } else {
+      this.toastService.showToast({
+        variant: "success",
+        title: this.i18nService.t("encKeySettingsChanged"),
+        message: this.i18nService.t("logBackIn"),
+      });
+      this.messagingService.send("logout");
+    }
     this.loading = false;
   };
 
-  private async makeKeyAndSaveAsync() {
-    const masterPassword = this.form.value.masterPassword;
+  private async makeKeyAndSave() {
+    const activeAccountId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
+
+    const masterPassword = this.form.value.masterPassword!;
 
     // Ensure the KDF config is valid.
     this.kdfConfig.validateKdfConfigForSetting();
 
-    const activeAccountId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
-
     await this.changeKdfService.updateUserKdfParams(
       masterPassword,
       this.kdfConfig,
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf.component.html b/apps/web/src/app/key-management/change-kdf/change-kdf.component.html
index 203f6d016bb..7ac34d7f3e5 100644
--- a/apps/web/src/app/key-management/change-kdf/change-kdf.component.html
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf.component.html
@@ -1,31 +1,30 @@
-<h2 bitTypography="h2">{{ "encKeySettings" | i18n }}</h2>
-<bit-callout type="warning">{{ "kdfSettingsChangeLogoutWarning" | i18n }}</bit-callout>
-<p bitTypography="body1">
-  {{ "higherKDFIterations" | i18n }}
+<h2 bitTypography="h2" class="tw-mt-6">
+  {{ "encKeySettings" | i18n }}
+</h2>
+@if (!(noLogoutOnKdfChangeFeatureFlag$ | async)) {
+  <bit-callout type="warning">{{ "kdfSettingsChangeLogoutWarning" | i18n }}</bit-callout>
+}
+<p bitTypography="body1" class="tw-mt-4">
+  {{ "encryptionKeySettingsHowShouldWeEncryptYourData" | i18n }}
 </p>
 <p bitTypography="body1">
-  {{
-    "kdfToHighWarningIncreaseInIncrements"
-      | i18n: (isPBKDF2(kdfConfig) ? ("incrementsOf100,000" | i18n) : ("smallIncrements" | i18n))
-  }}
+  {{ "encryptionKeySettingsIncreaseImproveSecurity" | i18n }}
 </p>
 <form [formGroup]="formGroup" autocomplete="off">
-  <div class="tw-grid tw-grid-cols-12 tw-gap-4">
+  <div class="tw-grid tw-grid-cols-12 tw-gap-x-4">
     <div class="tw-col-span-6">
       <bit-form-field>
-        <bit-label
-          >{{ "kdfAlgorithm" | i18n }}
-          <a
-            class="tw-ml-auto"
+        <bit-label>
+          {{ "algorithm" | i18n }}
+          <button
+            type="button"
+            class="tw-border-none tw-bg-transparent tw-text-primary-600 tw-p-0"
+            [bitPopoverTriggerFor]="algorithmPopover"
+            appA11yTitle="{{ 'encryptionKeySettingsAlgorithmPopoverTitle' | i18n }}"
             bitLink
-            href="https://bitwarden.com/help/kdf-algorithms"
-            target="_blank"
-            rel="noreferrer"
-            appA11yTitle="{{ 'learnMoreAboutEncryptionAlgorithms' | i18n }}"
-            slot="end"
           >
             <i class="bwi bwi-question-circle" aria-hidden="true"></i>
-          </a>
+          </button>
         </bit-label>
         <bit-select formControlName="kdf">
           <bit-option
@@ -35,33 +34,12 @@
           ></bit-option>
         </bit-select>
       </bit-form-field>
-      <bit-form-field formGroupName="kdfConfig" *ngIf="isArgon2(kdfConfig)">
-        <bit-label>{{ "kdfMemory" | i18n }}</bit-label>
-        <input
-          bitInput
-          formControlName="memory"
-          type="number"
-          [min]="ARGON2_MEMORY.min"
-          [max]="ARGON2_MEMORY.max"
-        />
-      </bit-form-field>
     </div>
     <div class="tw-col-span-6">
-      <div class="tw-mb-0">
-        <bit-form-field formGroupName="kdfConfig" *ngIf="isPBKDF2(kdfConfig)">
+      @if (isPBKDF2(kdfConfig)) {
+        <bit-form-field formGroupName="kdfConfig">
           <bit-label>
             {{ "kdfIterations" | i18n }}
-            <a
-              bitLink
-              class="tw-ml-auto"
-              href="https://bitwarden.com/help/what-encryption-is-used/#changing-kdf-iterations"
-              target="_blank"
-              rel="noreferrer"
-              appA11yTitle="{{ 'learnMoreAboutKDFIterations' | i18n }}"
-              slot="end"
-            >
-              <i class="bwi bwi-question-circle" aria-hidden="true"></i>
-            </a>
           </bit-label>
           <input
             bitInput
@@ -72,34 +50,49 @@
           />
           <bit-hint>{{ "kdfIterationRecommends" | i18n }}</bit-hint>
         </bit-form-field>
-        <ng-container *ngIf="isArgon2(kdfConfig)">
-          <bit-form-field formGroupName="kdfConfig">
-            <bit-label>
-              {{ "kdfIterations" | i18n }}
-            </bit-label>
-            <input
-              bitInput
-              type="number"
-              formControlName="iterations"
-              [min]="ARGON2_ITERATIONS.min"
-              [max]="ARGON2_ITERATIONS.max"
-            />
-          </bit-form-field>
-          <bit-form-field formGroupName="kdfConfig">
-            <bit-label>
-              {{ "kdfParallelism" | i18n }}
-            </bit-label>
-            <input
-              bitInput
-              type="number"
-              formControlName="parallelism"
-              [min]="ARGON2_PARALLELISM.min"
-              [max]="ARGON2_PARALLELISM.max"
-            />
-          </bit-form-field>
-        </ng-container>
-      </div>
+      } @else if (isArgon2(kdfConfig)) {
+        <bit-form-field formGroupName="kdfConfig">
+          <bit-label>{{ "kdfMemory" | i18n }}</bit-label>
+          <input
+            bitInput
+            formControlName="memory"
+            type="number"
+            [min]="ARGON2_MEMORY.min"
+            [max]="ARGON2_MEMORY.max"
+          />
+        </bit-form-field>
+      }
     </div>
+    @if (isArgon2(kdfConfig)) {
+      <div class="tw-col-span-6">
+        <bit-form-field formGroupName="kdfConfig">
+          <bit-label>
+            {{ "kdfIterations" | i18n }}
+          </bit-label>
+          <input
+            bitInput
+            type="number"
+            formControlName="iterations"
+            [min]="ARGON2_ITERATIONS.min"
+            [max]="ARGON2_ITERATIONS.max"
+          />
+        </bit-form-field>
+      </div>
+      <div class="tw-col-span-6">
+        <bit-form-field formGroupName="kdfConfig">
+          <bit-label>
+            {{ "kdfParallelism" | i18n }}
+          </bit-label>
+          <input
+            bitInput
+            type="number"
+            formControlName="parallelism"
+            [min]="ARGON2_PARALLELISM.min"
+            [max]="ARGON2_PARALLELISM.max"
+          />
+        </bit-form-field>
+      </div>
+    }
   </div>
   <button
     (click)="openConfirmationModal()"
@@ -107,7 +100,27 @@
     buttonType="primary"
     bitButton
     bitFormButton
+    class="tw-mt-2"
   >
-    {{ "changeKdf" | i18n }}
+    {{ "updateEncryptionSettings" | i18n }}
   </button>
 </form>
+
+<bit-popover [title]="'encryptionKeySettingsAlgorithmPopoverTitle' | i18n" #algorithmPopover>
+  <ul class="tw-mt-2 tw-mb-0 tw-ps-4">
+    <li class="tw-mb-2">{{ "encryptionKeySettingsAlgorithmPopoverPBKDF2" | i18n }}</li>
+    <li>{{ "encryptionKeySettingsAlgorithmPopoverArgon2Id" | i18n }}</li>
+  </ul>
+  <div class="tw-mt-4 tw-mb-1">
+    <a
+      href="https://bitwarden.com/help/kdf-algorithms/"
+      bitLink
+      target="_blank"
+      rel="noreferrer"
+      appA11yTitle="{{ 'learnMoreAboutEncryptionAlgorithms' | i18n }}"
+    >
+      {{ "learnMore" | i18n }}
+      <i class="bwi bwi-external-link tw-ml-1" aria-hidden="true"></i>
+    </a>
+  </div>
+</bit-popover>
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf.component.spec.ts b/apps/web/src/app/key-management/change-kdf/change-kdf.component.spec.ts
new file mode 100644
index 00000000000..c5144223ba0
--- /dev/null
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf.component.spec.ts
@@ -0,0 +1,365 @@
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { FormBuilder, FormControl } from "@angular/forms";
+import { mock, MockProxy } from "jest-mock-extended";
+import { of } from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DialogService, PopoverModule, CalloutModule } from "@bitwarden/components";
+import {
+  KdfConfigService,
+  Argon2KdfConfig,
+  PBKDF2KdfConfig,
+  KdfType,
+} from "@bitwarden/key-management";
+
+import { SharedModule } from "../../shared";
+
+import { ChangeKdfComponent } from "./change-kdf.component";
+
+describe("ChangeKdfComponent", () => {
+  let component: ChangeKdfComponent;
+  let fixture: ComponentFixture<ChangeKdfComponent>;
+
+  // Mock Services
+  let mockDialogService: MockProxy<DialogService>;
+  let mockKdfConfigService: MockProxy<KdfConfigService>;
+  let mockConfigService: MockProxy<ConfigService>;
+  let mockI18nService: MockProxy<I18nService>;
+  let accountService: FakeAccountService;
+  let formBuilder: FormBuilder;
+
+  const mockUserId = "user-id" as UserId;
+
+  // Helper functions for validation testing
+  function expectPBKDF2Validation(
+    iterationsControl: FormControl<number | null>,
+    memoryControl: FormControl<number | null>,
+    parallelismControl: FormControl<number | null>,
+  ) {
+    // Assert current validators state
+    expect(iterationsControl.hasError("required")).toBe(false);
+    expect(iterationsControl.hasError("min")).toBe(false);
+    expect(iterationsControl.hasError("max")).toBe(false);
+    expect(memoryControl.validator).toBeNull();
+    expect(parallelismControl.validator).toBeNull();
+
+    // Test validation boundaries
+    iterationsControl.setValue(PBKDF2KdfConfig.ITERATIONS.min - 1);
+    expect(iterationsControl.hasError("min")).toBe(true);
+
+    iterationsControl.setValue(PBKDF2KdfConfig.ITERATIONS.max + 1);
+    expect(iterationsControl.hasError("max")).toBe(true);
+  }
+
+  function expectArgon2Validation(
+    iterationsControl: FormControl<number | null>,
+    memoryControl: FormControl<number | null>,
+    parallelismControl: FormControl<number | null>,
+  ) {
+    // Assert current validators state
+    expect(iterationsControl.hasError("required")).toBe(false);
+    expect(memoryControl.hasError("required")).toBe(false);
+    expect(parallelismControl.hasError("required")).toBe(false);
+
+    // Test validation boundaries - min values
+    iterationsControl.setValue(Argon2KdfConfig.ITERATIONS.min - 1);
+    expect(iterationsControl.hasError("min")).toBe(true);
+
+    memoryControl.setValue(Argon2KdfConfig.MEMORY.min - 1);
+    expect(memoryControl.hasError("min")).toBe(true);
+
+    parallelismControl.setValue(Argon2KdfConfig.PARALLELISM.min - 1);
+    expect(parallelismControl.hasError("min")).toBe(true);
+
+    // Test validation boundaries - max values
+    iterationsControl.setValue(Argon2KdfConfig.ITERATIONS.max + 1);
+    expect(iterationsControl.hasError("max")).toBe(true);
+
+    memoryControl.setValue(Argon2KdfConfig.MEMORY.max + 1);
+    expect(memoryControl.hasError("max")).toBe(true);
+
+    parallelismControl.setValue(Argon2KdfConfig.PARALLELISM.max + 1);
+    expect(parallelismControl.hasError("max")).toBe(true);
+  }
+
+  beforeEach(() => {
+    mockDialogService = mock<DialogService>();
+    mockKdfConfigService = mock<KdfConfigService>();
+    mockConfigService = mock<ConfigService>();
+    mockI18nService = mock<I18nService>();
+    accountService = mockAccountServiceWith(mockUserId);
+    formBuilder = new FormBuilder();
+
+    mockConfigService.getFeatureFlag$.mockReturnValue(of(false));
+
+    mockI18nService.t.mockImplementation((key) => `${key}-used-i18n`);
+
+    TestBed.configureTestingModule({
+      declarations: [ChangeKdfComponent],
+      imports: [SharedModule, PopoverModule, CalloutModule],
+      providers: [
+        { provide: DialogService, useValue: mockDialogService },
+        { provide: KdfConfigService, useValue: mockKdfConfigService },
+        { provide: AccountService, useValue: accountService },
+        { provide: FormBuilder, useValue: formBuilder },
+        { provide: ConfigService, useValue: mockConfigService },
+        { provide: I18nService, useValue: mockI18nService },
+      ],
+    });
+  });
+
+  describe("Component Initialization", () => {
+    describe("given PBKDF2 configuration", () => {
+      it("should initialize form with PBKDF2 values and validators when component loads", async () => {
+        // Arrange
+        const mockPBKDF2Config = new PBKDF2KdfConfig(600_000);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockPBKDF2Config);
+
+        // Act
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+
+        // Extract form controls
+        const formGroup = component["formGroup"];
+
+        // Assert form values
+        expect(formGroup.controls.kdf.value).toBe(KdfType.PBKDF2_SHA256);
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expect(kdfConfigFormGroup.controls.iterations.value).toBe(600_000);
+        expect(kdfConfigFormGroup.controls.memory.value).toBeNull();
+        expect(kdfConfigFormGroup.controls.parallelism.value).toBeNull();
+        expect(component.kdfConfig).toEqual(mockPBKDF2Config);
+
+        // Assert validators
+        expectPBKDF2Validation(
+          kdfConfigFormGroup.controls.iterations,
+          kdfConfigFormGroup.controls.memory,
+          kdfConfigFormGroup.controls.parallelism,
+        );
+      });
+    });
+
+    describe("given Argon2id configuration", () => {
+      it("should initialize form with Argon2id values and validators when component loads", async () => {
+        // Arrange
+        const mockArgon2Config = new Argon2KdfConfig(3, 64, 4);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockArgon2Config);
+
+        // Act
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+
+        // Extract form controls
+        const formGroup = component["formGroup"];
+
+        // Assert form values
+        expect(formGroup.controls.kdf.value).toBe(KdfType.Argon2id);
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expect(kdfConfigFormGroup.controls.iterations.value).toBe(3);
+        expect(kdfConfigFormGroup.controls.memory.value).toBe(64);
+        expect(kdfConfigFormGroup.controls.parallelism.value).toBe(4);
+        expect(component.kdfConfig).toEqual(mockArgon2Config);
+
+        // Assert validators
+        expectArgon2Validation(
+          kdfConfigFormGroup.controls.iterations,
+          kdfConfigFormGroup.controls.memory,
+          kdfConfigFormGroup.controls.parallelism,
+        );
+      });
+    });
+
+    it.each([
+      [true, false],
+      [false, true],
+    ])(
+      "should show log out banner = %s when feature flag observable is %s",
+      async (showLogOutBanner, forceUpgradeKdfFeatureFlag) => {
+        // Arrange
+        const mockPBKDF2Config = new PBKDF2KdfConfig(600_000);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockPBKDF2Config);
+        mockConfigService.getFeatureFlag$.mockReturnValue(of(forceUpgradeKdfFeatureFlag));
+
+        // Act
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+        fixture.detectChanges();
+
+        // Assert
+        const calloutElement = fixture.debugElement.query((el) =>
+          el.nativeElement.textContent?.includes("kdfSettingsChangeLogoutWarning"),
+        );
+
+        if (showLogOutBanner) {
+          expect(calloutElement).not.toBeNull();
+          expect(calloutElement.nativeElement.textContent).toContain(
+            "kdfSettingsChangeLogoutWarning-used-i18n",
+          );
+        } else {
+          expect(calloutElement).toBeNull();
+        }
+      },
+    );
+  });
+
+  describe("KDF Type Switching", () => {
+    describe("switching from PBKDF2 to Argon2id", () => {
+      beforeEach(async () => {
+        // Setup component with initial PBKDF2 configuration
+        const mockPBKDF2Config = new PBKDF2KdfConfig(600_001);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockPBKDF2Config);
+
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+      });
+
+      it("should update form structure and default values when KDF type changes to Argon2id", () => {
+        // Arrange
+        const formGroup = component["formGroup"];
+
+        // Act - change KDF type to Argon2id
+        formGroup.controls.kdf.setValue(KdfType.Argon2id);
+
+        // Assert form values update to Argon2id defaults
+        expect(formGroup.controls.kdf.value).toBe(KdfType.Argon2id);
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expect(kdfConfigFormGroup.controls.iterations.value).toBe(3); // Argon2id default
+        expect(kdfConfigFormGroup.controls.memory.value).toBe(64); // Argon2id default
+        expect(kdfConfigFormGroup.controls.parallelism.value).toBe(4); // Argon2id default
+      });
+
+      it("should update validators when KDF type changes to Argon2id", () => {
+        // Arrange
+        const formGroup = component["formGroup"];
+
+        // Act - change KDF type to Argon2id
+        formGroup.controls.kdf.setValue(KdfType.Argon2id);
+
+        // Assert validators update to Argon2id validation rules
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expectArgon2Validation(
+          kdfConfigFormGroup.controls.iterations,
+          kdfConfigFormGroup.controls.memory,
+          kdfConfigFormGroup.controls.parallelism,
+        );
+      });
+    });
+
+    describe("switching from Argon2id to PBKDF2", () => {
+      beforeEach(async () => {
+        // Setup component with initial Argon2id configuration
+        const mockArgon2IdConfig = new Argon2KdfConfig(4, 65, 5);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockArgon2IdConfig);
+
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+      });
+
+      it("should update form structure and default values when KDF type changes to PBKDF2", () => {
+        // Arrange
+        const formGroup = component["formGroup"];
+
+        // Act - change KDF type back to PBKDF2
+        formGroup.controls.kdf.setValue(KdfType.PBKDF2_SHA256);
+
+        // Assert form values update to PBKDF2 defaults
+        expect(formGroup.controls.kdf.value).toBe(KdfType.PBKDF2_SHA256);
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expect(kdfConfigFormGroup.controls.iterations.value).toBe(600_000); // PBKDF2 default
+        expect(kdfConfigFormGroup.controls.memory.value).toBeNull(); // PBKDF2 doesn't use memory
+        expect(kdfConfigFormGroup.controls.parallelism.value).toBeNull(); // PBKDF2 doesn't use parallelism
+      });
+
+      it("should update validators when KDF type changes to PBKDF2", () => {
+        // Arrange
+        const formGroup = component["formGroup"];
+
+        // Act - change KDF type back to PBKDF2
+        formGroup.controls.kdf.setValue(KdfType.PBKDF2_SHA256);
+
+        // Assert validators update to PBKDF2 validation rules
+        const kdfConfigFormGroup = formGroup.controls.kdfConfig;
+        expectPBKDF2Validation(
+          kdfConfigFormGroup.controls.iterations,
+          kdfConfigFormGroup.controls.memory,
+          kdfConfigFormGroup.controls.parallelism,
+        );
+      });
+    });
+  });
+
+  describe("openConfirmationModal", () => {
+    describe("when form is valid", () => {
+      it("should open confirmation modal with PBKDF2 config when form is submitted", async () => {
+        // Arrange
+        const mockPBKDF2Config = new PBKDF2KdfConfig(600_001);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockPBKDF2Config);
+
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+
+        // Act
+        await component.openConfirmationModal();
+
+        // Assert
+        expect(mockDialogService.open).toHaveBeenCalledWith(
+          expect.any(Function),
+          expect.objectContaining({
+            data: expect.objectContaining({
+              kdfConfig: mockPBKDF2Config,
+            }),
+          }),
+        );
+      });
+
+      it("should open confirmation modal with Argon2id config when form is submitted", async () => {
+        // Arrange
+        const mockArgon2Config = new Argon2KdfConfig(4, 65, 5);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockArgon2Config);
+
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+
+        // Act
+        await component.openConfirmationModal();
+
+        // Assert
+        expect(mockDialogService.open).toHaveBeenCalledWith(
+          expect.any(Function),
+          expect.objectContaining({
+            data: expect.objectContaining({
+              kdfConfig: mockArgon2Config,
+            }),
+          }),
+        );
+      });
+
+      it("should not open modal when form is invalid", async () => {
+        // Arrange
+        const mockPBKDF2Config = new PBKDF2KdfConfig(PBKDF2KdfConfig.ITERATIONS.min - 1);
+        mockKdfConfigService.getKdfConfig.mockResolvedValue(mockPBKDF2Config);
+
+        fixture = TestBed.createComponent(ChangeKdfComponent);
+        component = fixture.componentInstance;
+        await component.ngOnInit();
+
+        // Act
+        await component.openConfirmationModal();
+
+        // Assert
+        expect(mockDialogService.open).not.toHaveBeenCalled();
+      });
+    });
+  });
+});
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf.component.ts b/apps/web/src/app/key-management/change-kdf/change-kdf.component.ts
index 0463c6d4afc..f128aefdd9b 100644
--- a/apps/web/src/app/key-management/change-kdf/change-kdf.component.ts
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf.component.ts
@@ -1,11 +1,11 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
 import { Component, OnDestroy, OnInit } from "@angular/core";
-import { FormBuilder, FormControl, ValidatorFn, Validators } from "@angular/forms";
-import { Subject, firstValueFrom, takeUntil } from "rxjs";
+import { FormBuilder, FormControl, Validators } from "@angular/forms";
+import { Subject, firstValueFrom, takeUntil, Observable } from "rxjs";
 
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { DialogService } from "@bitwarden/components";
 import {
   KdfConfigService,
@@ -31,11 +31,11 @@ export class ChangeKdfComponent implements OnInit, OnDestroy {
   private destroy$ = new Subject<void>();
 
   protected formGroup = this.formBuilder.group({
-    kdf: new FormControl(KdfType.PBKDF2_SHA256, [Validators.required]),
+    kdf: new FormControl<KdfType>(KdfType.PBKDF2_SHA256, [Validators.required]),
     kdfConfig: this.formBuilder.group({
-      iterations: [this.kdfConfig.iterations],
-      memory: [null as number],
-      parallelism: [null as number],
+      iterations: new FormControl<number | null>(null),
+      memory: new FormControl<number | null>(null),
+      parallelism: new FormControl<number | null>(null),
     }),
   });
 
@@ -45,95 +45,102 @@ export class ChangeKdfComponent implements OnInit, OnDestroy {
   protected ARGON2_MEMORY = Argon2KdfConfig.MEMORY;
   protected ARGON2_PARALLELISM = Argon2KdfConfig.PARALLELISM;
 
+  noLogoutOnKdfChangeFeatureFlag$: Observable<boolean>;
+
   constructor(
     private dialogService: DialogService,
     private kdfConfigService: KdfConfigService,
     private accountService: AccountService,
     private formBuilder: FormBuilder,
+    configService: ConfigService,
   ) {
     this.kdfOptions = [
       { name: "PBKDF2 SHA-256", value: KdfType.PBKDF2_SHA256 },
       { name: "Argon2id", value: KdfType.Argon2id },
     ];
+    this.noLogoutOnKdfChangeFeatureFlag$ = configService.getFeatureFlag$(
+      FeatureFlag.NoLogoutOnKdfChange,
+    );
   }
 
   async ngOnInit() {
     const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
     this.kdfConfig = await this.kdfConfigService.getKdfConfig(userId);
-    this.formGroup.get("kdf").setValue(this.kdfConfig.kdfType);
+    this.formGroup.controls.kdf.setValue(this.kdfConfig.kdfType);
     this.setFormControlValues(this.kdfConfig);
+    this.setFormValidators(this.kdfConfig.kdfType);
 
-    this.formGroup
-      .get("kdf")
-      .valueChanges.pipe(takeUntil(this.destroy$))
+    this.formGroup.controls.kdf.valueChanges
+      .pipe(takeUntil(this.destroy$))
       .subscribe((newValue) => {
-        this.updateKdfConfig(newValue);
+        this.updateKdfConfig(newValue!);
       });
   }
   private updateKdfConfig(newValue: KdfType) {
     let config: KdfConfig;
-    const validators: { [key: string]: ValidatorFn[] } = {
-      iterations: [],
-      memory: [],
-      parallelism: [],
-    };
 
     switch (newValue) {
       case KdfType.PBKDF2_SHA256:
         config = new PBKDF2KdfConfig();
-        validators.iterations = [
-          Validators.required,
-          Validators.min(PBKDF2KdfConfig.ITERATIONS.min),
-          Validators.max(PBKDF2KdfConfig.ITERATIONS.max),
-        ];
         break;
       case KdfType.Argon2id:
         config = new Argon2KdfConfig();
-        validators.iterations = [
-          Validators.required,
-          Validators.min(Argon2KdfConfig.ITERATIONS.min),
-          Validators.max(Argon2KdfConfig.ITERATIONS.max),
-        ];
-        validators.memory = [
-          Validators.required,
-          Validators.min(Argon2KdfConfig.MEMORY.min),
-          Validators.max(Argon2KdfConfig.MEMORY.max),
-        ];
-        validators.parallelism = [
-          Validators.required,
-          Validators.min(Argon2KdfConfig.PARALLELISM.min),
-          Validators.max(Argon2KdfConfig.PARALLELISM.max),
-        ];
         break;
       default:
         throw new Error("Unknown KDF type.");
     }
 
     this.kdfConfig = config;
-    this.setFormValidators(validators);
+    this.setFormValidators(newValue);
     this.setFormControlValues(this.kdfConfig);
   }
 
-  private setFormValidators(validators: { [key: string]: ValidatorFn[] }) {
-    this.setValidators("kdfConfig.iterations", validators.iterations);
-    this.setValidators("kdfConfig.memory", validators.memory);
-    this.setValidators("kdfConfig.parallelism", validators.parallelism);
-  }
-  private setValidators(controlName: string, validators: ValidatorFn[]) {
-    const control = this.formGroup.get(controlName);
-    if (control) {
-      control.setValidators(validators);
-      control.updateValueAndValidity();
+  private setFormValidators(kdfType: KdfType) {
+    const kdfConfigFormGroup = this.formGroup.controls.kdfConfig;
+    switch (kdfType) {
+      case KdfType.PBKDF2_SHA256:
+        kdfConfigFormGroup.controls.iterations.setValidators([
+          Validators.required,
+          Validators.min(PBKDF2KdfConfig.ITERATIONS.min),
+          Validators.max(PBKDF2KdfConfig.ITERATIONS.max),
+        ]);
+        kdfConfigFormGroup.controls.memory.setValidators([]);
+        kdfConfigFormGroup.controls.parallelism.setValidators([]);
+        break;
+      case KdfType.Argon2id:
+        kdfConfigFormGroup.controls.iterations.setValidators([
+          Validators.required,
+          Validators.min(Argon2KdfConfig.ITERATIONS.min),
+          Validators.max(Argon2KdfConfig.ITERATIONS.max),
+        ]);
+        kdfConfigFormGroup.controls.memory.setValidators([
+          Validators.required,
+          Validators.min(Argon2KdfConfig.MEMORY.min),
+          Validators.max(Argon2KdfConfig.MEMORY.max),
+        ]);
+        kdfConfigFormGroup.controls.parallelism.setValidators([
+          Validators.required,
+          Validators.min(Argon2KdfConfig.PARALLELISM.min),
+          Validators.max(Argon2KdfConfig.PARALLELISM.max),
+        ]);
+        break;
+      default:
+        throw new Error("Unknown KDF type.");
     }
+    kdfConfigFormGroup.controls.iterations.updateValueAndValidity();
+    kdfConfigFormGroup.controls.memory.updateValueAndValidity();
+    kdfConfigFormGroup.controls.parallelism.updateValueAndValidity();
   }
+
   private setFormControlValues(kdfConfig: KdfConfig) {
-    this.formGroup.get("kdfConfig").reset();
+    const kdfConfigFormGroup = this.formGroup.controls.kdfConfig;
+    kdfConfigFormGroup.reset();
     if (kdfConfig.kdfType === KdfType.PBKDF2_SHA256) {
-      this.formGroup.get("kdfConfig.iterations").setValue(kdfConfig.iterations);
+      kdfConfigFormGroup.controls.iterations.setValue(kdfConfig.iterations);
     } else if (kdfConfig.kdfType === KdfType.Argon2id) {
-      this.formGroup.get("kdfConfig.iterations").setValue(kdfConfig.iterations);
-      this.formGroup.get("kdfConfig.memory").setValue(kdfConfig.memory);
-      this.formGroup.get("kdfConfig.parallelism").setValue(kdfConfig.parallelism);
+      kdfConfigFormGroup.controls.iterations.setValue(kdfConfig.iterations);
+      kdfConfigFormGroup.controls.memory.setValue(kdfConfig.memory);
+      kdfConfigFormGroup.controls.parallelism.setValue(kdfConfig.parallelism);
     }
   }
 
@@ -155,12 +162,14 @@ export class ChangeKdfComponent implements OnInit, OnDestroy {
     if (this.formGroup.invalid) {
       return;
     }
+
+    const kdfConfigFormGroup = this.formGroup.controls.kdfConfig;
     if (this.kdfConfig.kdfType === KdfType.PBKDF2_SHA256) {
-      this.kdfConfig.iterations = this.formGroup.get("kdfConfig.iterations").value;
+      this.kdfConfig.iterations = kdfConfigFormGroup.controls.iterations.value!;
     } else if (this.kdfConfig.kdfType === KdfType.Argon2id) {
-      this.kdfConfig.iterations = this.formGroup.get("kdfConfig.iterations").value;
-      this.kdfConfig.memory = this.formGroup.get("kdfConfig.memory").value;
-      this.kdfConfig.parallelism = this.formGroup.get("kdfConfig.parallelism").value;
+      this.kdfConfig.iterations = kdfConfigFormGroup.controls.iterations.value!;
+      this.kdfConfig.memory = kdfConfigFormGroup.controls.memory.value!;
+      this.kdfConfig.parallelism = kdfConfigFormGroup.controls.parallelism.value!;
     }
     this.dialogService.open(ChangeKdfConfirmationComponent, {
       data: {
diff --git a/apps/web/src/app/key-management/change-kdf/change-kdf.module.ts b/apps/web/src/app/key-management/change-kdf/change-kdf.module.ts
index 342ad43e368..4c9cd00e79d 100644
--- a/apps/web/src/app/key-management/change-kdf/change-kdf.module.ts
+++ b/apps/web/src/app/key-management/change-kdf/change-kdf.module.ts
@@ -1,13 +1,15 @@
 import { CommonModule } from "@angular/common";
 import { NgModule } from "@angular/core";
 
+import { PopoverModule } from "@bitwarden/components";
+
 import { SharedModule } from "../../shared";
 
 import { ChangeKdfConfirmationComponent } from "./change-kdf-confirmation.component";
 import { ChangeKdfComponent } from "./change-kdf.component";
 
 @NgModule({
-  imports: [CommonModule, SharedModule],
+  imports: [CommonModule, SharedModule, PopoverModule],
   declarations: [ChangeKdfComponent, ChangeKdfConfirmationComponent],
   exports: [ChangeKdfComponent, ChangeKdfConfirmationComponent],
 })
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index 1f8c4ec55b2..f328e3e0bea 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -11,7 +11,7 @@
   "criticalApplications": {
     "message": "Critical applications"
   },
-  "noCriticalAppsAtRisk":{
+  "noCriticalAppsAtRisk": {
     "message": "No critical applications at risk"
   },
   "accessIntelligence": {
@@ -1719,7 +1719,6 @@
       }
     }
   },
-
   "dontAskAgainOnThisDeviceFor30Days": {
     "message": "Don't ask again on this device for 30 days"
   },
@@ -2090,9 +2089,6 @@
   "encKeySettings": {
     "message": "Encryption key settings"
   },
-  "kdfAlgorithm": {
-    "message": "KDF algorithm"
-  },
   "kdfIterations": {
     "message": "KDF iterations"
   },
@@ -2127,9 +2123,6 @@
   "argon2Desc": {
     "message": "Higher KDF iterations, memory, and parallelism can help protect your master password from being brute forced by an attacker."
   },
-  "changeKdf": {
-    "message": "Change KDF"
-  },
   "encKeySettingsChanged": {
     "message": "Encryption key settings saved"
   },
@@ -2146,22 +2139,22 @@
     "message": "Proceeding will also log you out of your current session, requiring you to log back in. You will also be prompted for two-step login again, if set up. Active sessions on other devices may continue to remain active for up to one hour."
   },
   "newDeviceLoginProtection": {
-    "message":"New device login"
+    "message": "New device login"
   },
   "turnOffNewDeviceLoginProtection": {
-    "message":"Turn off new device login protection"
+    "message": "Turn off new device login protection"
   },
   "turnOnNewDeviceLoginProtection": {
-    "message":"Turn on new device login protection"
+    "message": "Turn on new device login protection"
   },
   "turnOffNewDeviceLoginProtectionModalDesc": {
-    "message":"Proceed below to turn off the verification emails bitwarden sends when you login from a new device."
+    "message": "Proceed below to turn off the verification emails bitwarden sends when you login from a new device."
   },
   "turnOnNewDeviceLoginProtectionModalDesc": {
-    "message":"Proceed below to have bitwarden send you verification emails when you login from a new device."
+    "message": "Proceed below to have bitwarden send you verification emails when you login from a new device."
   },
   "turnOffNewDeviceLoginProtectionWarning": {
-    "message":"With new device login protection turned off, anyone with your master password can access your account from any device. To protect your account without verification emails, set up two-step login."
+    "message": "With new device login protection turned off, anyone with your master password can access your account from any device. To protect your account without verification emails, set up two-step login."
   },
   "accountNewDeviceLoginProtectionSaved": {
     "message": "New device login protection changes saved"
@@ -2297,7 +2290,7 @@
   "selectImportCollection": {
     "message": "Select a collection"
   },
-    "importTargetHintCollection": {
+  "importTargetHintCollection": {
     "message": "Select this option if you want the imported file contents moved to a collection"
   },
   "importTargetHintFolder": {
@@ -5700,7 +5693,7 @@
     "message": "All items will be owned and saved to the organization, enabling organization-wide controls, visibility, and reporting. When turned on, a default collection be available for each member to store items. Learn more about managing the ",
     "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'All items will be owned and saved to the organization, enabling organization-wide controls, visibility, and reporting. When turned on, a default collection be available for each member to store items. Learn more about managing the credential lifecycle.'"
   },
-  "organizationDataOwnershipContentAnchor":{
+  "organizationDataOwnershipContentAnchor": {
     "message": "credential lifecycle",
     "description": "This will be used as a hyperlink"
   },
@@ -10374,27 +10367,9 @@
   "memberAccessReportAuthenticationEnabledFalse": {
     "message": "Off"
   },
-  "higherKDFIterations": {
-    "message": "Higher KDF iterations can help protect your master password from being brute forced by an attacker."
-  },
-  "incrementsOf100,000": {
-    "message": "increments of 100,000"
-  },
-  "smallIncrements": {
-    "message": "small increments"
-  },
   "kdfIterationRecommends": {
     "message": "We recommend 600,000 or more"
   },
-  "kdfToHighWarningIncreaseInIncrements": {
-    "message": "For older devices, setting your KDF too high may lead to performance issues. Increase the value in $VALUE$ and test your devices.",
-    "placeholders": {
-      "value": {
-        "content": "$1",
-        "example": "increments of 100,000"
-      }
-    }
-  },
   "providerReinstate": {
     "message": " Contact Customer Support to reinstate your subscription."
   },
@@ -11079,7 +11054,7 @@
   "orgTrustWarning1": {
     "message": "This organization has an Enterprise policy that will enroll you in account recovery. Enrollment will allow organization administrators to change your password. Only proceed if you recognize this organization and the fingerprint phrase displayed below matches the organization's fingerprint."
   },
-  "trustUser":{
+  "trustUser": {
     "message": "Trust user"
   },
   "sshKeyWrongPassword": {
@@ -11115,7 +11090,7 @@
   "openingExtension": {
     "message": "Opening the Bitwarden browser extension"
   },
-  "somethingWentWrong":{
+  "somethingWentWrong": {
     "message": "Something went wrong..."
   },
   "openingExtensionError": {
@@ -11202,7 +11177,7 @@
       }
     }
   },
-  "accountDeprovisioningNotification" : {
+  "accountDeprovisioningNotification": {
     "message": "Administrators now have the ability to delete member accounts that belong to a claimed domain."
   },
   "deleteManagedUserWarningDesc": {
@@ -11293,14 +11268,14 @@
   "upgradeForFullEventsMessage": {
     "message": "Event logs are not stored for your organization. Upgrade to a Teams or Enterprise plan to get full access to organization event logs."
   },
-  "upgradeEventLogTitleMessage" : {
-    "message" : "Upgrade to see event logs from your organization."
+  "upgradeEventLogTitleMessage": {
+    "message": "Upgrade to see event logs from your organization."
   },
-  "upgradeEventLogMessage":{
-    "message" : "These events are examples only and do not reflect real events within your Bitwarden organization."
+  "upgradeEventLogMessage": {
+    "message": "These events are examples only and do not reflect real events within your Bitwarden organization."
   },
-  "viewEvents":{
-    "message" : "View Events"
+  "viewEvents": {
+    "message": "View Events"
   },
   "cannotCreateCollection": {
     "message": "Free organizations may have up to 2 collections. Upgrade to a paid plan to add more collections."
@@ -11619,14 +11594,14 @@
       }
     }
   },
-   "unlimitedSecretsAndProjects": {
+  "unlimitedSecretsAndProjects": {
     "message": "Unlimited secrets and projects"
   },
-   "providersubscriptionCanceled": {
+  "providersubscriptionCanceled": {
     "message": "Subscription canceled"
   },
   "providersubCanceledmessage": {
-    "message" : "To resubscribe, contact Bitwarden Customer Support."
+    "message": "To resubscribe, contact Bitwarden Customer Support."
   },
   "showMore": {
     "message": "Show more"
@@ -11878,5 +11853,32 @@
   },
   "viewbusinessplans": {
     "message": "View business plans"
+  },
+  "updateEncryptionSettings": {
+    "message": "Update encryption settings"
+  },
+  "updateYourEncryptionSettings": {
+    "message": "Update your encryption settings"
+  },
+  "updateSettings": {
+    "message": "Update settings"
+  },
+  "algorithm": {
+    "message": "Algorithm"
+  },
+  "encryptionKeySettingsHowShouldWeEncryptYourData": {
+    "message": "Choose how Bitwarden should encrypt your vault data. All options are secure, but stronger methods offer better protection - especially against brute-force attacks. Bitwarden recommends the default setting for most users."
+  },
+  "encryptionKeySettingsIncreaseImproveSecurity": {
+    "message": "Increasing the values above the default will improve security, but your vault may take longer to unlock as a result."
+  },
+  "encryptionKeySettingsAlgorithmPopoverTitle": {
+    "message": "About encryption algorithms"
+  },
+  "encryptionKeySettingsAlgorithmPopoverPBKDF2": {
+    "message": "PBKDF2-SHA256 is a well-tested encryption method that balances security and performance. Good for all users."
+  },
+  "encryptionKeySettingsAlgorithmPopoverArgon2Id": {
+    "message": "Argon2id offers stronger protection against modern attacks. Best for advanced users with powerful devices."
   }
 }

From 2147f74ae834b912fd68869bffc018bcae83e70e Mon Sep 17 00:00:00 2001
From: Oscar Hinton <Hinton@users.noreply.github.com>
Date: Wed, 22 Oct 2025 22:06:05 +0200
Subject: [PATCH 03/11] Autofill - Prefer signal & change detection (#16943)

---
 .../autofill/popup/fido2/fido2-cipher-row.component.ts    | 8 ++++++++
 .../popup/fido2/fido2-use-browser-link.component.ts       | 2 ++
 apps/browser/src/autofill/popup/fido2/fido2.component.ts  | 2 ++
 .../src/autofill/popup/settings/autofill.component.ts     | 2 ++
 .../autofill/popup/settings/blocked-domains.component.ts  | 4 ++++
 .../autofill/popup/settings/excluded-domains.component.ts | 4 ++++
 .../autofill/popup/settings/notifications.component.ts    | 2 ++
 7 files changed, 24 insertions(+)

diff --git a/apps/browser/src/autofill/popup/fido2/fido2-cipher-row.component.ts b/apps/browser/src/autofill/popup/fido2/fido2-cipher-row.component.ts
index 074e23d642d..adabae2c31d 100644
--- a/apps/browser/src/autofill/popup/fido2/fido2-cipher-row.component.ts
+++ b/apps/browser/src/autofill/popup/fido2/fido2-cipher-row.component.ts
@@ -28,9 +28,17 @@ import {
   ],
 })
 export class Fido2CipherRowComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onSelected = new EventEmitter<CipherView>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() cipher: CipherView;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() last: boolean;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() title: string;
 
   protected selectCipher(c: CipherView) {
diff --git a/apps/browser/src/autofill/popup/fido2/fido2-use-browser-link.component.ts b/apps/browser/src/autofill/popup/fido2/fido2-use-browser-link.component.ts
index b8b49f993e3..f4c4c871478 100644
--- a/apps/browser/src/autofill/popup/fido2/fido2-use-browser-link.component.ts
+++ b/apps/browser/src/autofill/popup/fido2/fido2-use-browser-link.component.ts
@@ -15,6 +15,8 @@ import { MenuModule } from "@bitwarden/components";
 import { fido2PopoutSessionData$ } from "../../../vault/popup/utils/fido2-popout-session-data";
 import { BrowserFido2UserInterfaceSession } from "../../fido2/services/browser-fido2-user-interface.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-fido2-use-browser-link",
   templateUrl: "fido2-use-browser-link.component.html",
diff --git a/apps/browser/src/autofill/popup/fido2/fido2.component.ts b/apps/browser/src/autofill/popup/fido2/fido2.component.ts
index 11e00749bdf..c6799f93a5e 100644
--- a/apps/browser/src/autofill/popup/fido2/fido2.component.ts
+++ b/apps/browser/src/autofill/popup/fido2/fido2.component.ts
@@ -71,6 +71,8 @@ interface ViewData {
   fallbackSupported: boolean;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-fido2",
   templateUrl: "fido2.component.html",
diff --git a/apps/browser/src/autofill/popup/settings/autofill.component.ts b/apps/browser/src/autofill/popup/settings/autofill.component.ts
index c3b5915a10a..62e5ba3a151 100644
--- a/apps/browser/src/autofill/popup/settings/autofill.component.ts
+++ b/apps/browser/src/autofill/popup/settings/autofill.component.ts
@@ -77,6 +77,8 @@ import { PopOutComponent } from "../../../platform/popup/components/pop-out.comp
 import { PopupHeaderComponent } from "../../../platform/popup/layout/popup-header.component";
 import { PopupPageComponent } from "../../../platform/popup/layout/popup-page.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "autofill.component.html",
   imports: [
diff --git a/apps/browser/src/autofill/popup/settings/blocked-domains.component.ts b/apps/browser/src/autofill/popup/settings/blocked-domains.component.ts
index 15379eff436..30a64e03c56 100644
--- a/apps/browser/src/autofill/popup/settings/blocked-domains.component.ts
+++ b/apps/browser/src/autofill/popup/settings/blocked-domains.component.ts
@@ -41,6 +41,8 @@ import { PopupHeaderComponent } from "../../../platform/popup/layout/popup-heade
 import { PopupPageComponent } from "../../../platform/popup/layout/popup-page.component";
 import { PopupRouterCacheService } from "../../../platform/popup/view-cache/popup-router-cache.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-blocked-domains",
   templateUrl: "blocked-domains.component.html",
@@ -66,6 +68,8 @@ import { PopupRouterCacheService } from "../../../platform/popup/view-cache/popu
   ],
 })
 export class BlockedDomainsComponent implements AfterViewInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChildren("uriInput") uriInputElements: QueryList<ElementRef<HTMLInputElement>> =
     new QueryList();
 
diff --git a/apps/browser/src/autofill/popup/settings/excluded-domains.component.ts b/apps/browser/src/autofill/popup/settings/excluded-domains.component.ts
index a5bfad726f5..e67c826cac6 100644
--- a/apps/browser/src/autofill/popup/settings/excluded-domains.component.ts
+++ b/apps/browser/src/autofill/popup/settings/excluded-domains.component.ts
@@ -42,6 +42,8 @@ import { PopupHeaderComponent } from "../../../platform/popup/layout/popup-heade
 import { PopupPageComponent } from "../../../platform/popup/layout/popup-page.component";
 import { PopupRouterCacheService } from "../../../platform/popup/view-cache/popup-router-cache.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-excluded-domains",
   templateUrl: "excluded-domains.component.html",
@@ -67,6 +69,8 @@ import { PopupRouterCacheService } from "../../../platform/popup/view-cache/popu
   ],
 })
 export class ExcludedDomainsComponent implements AfterViewInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChildren("uriInput") uriInputElements: QueryList<ElementRef<HTMLInputElement>> =
     new QueryList();
 
diff --git a/apps/browser/src/autofill/popup/settings/notifications.component.ts b/apps/browser/src/autofill/popup/settings/notifications.component.ts
index cb10dec620b..3c77d746e9c 100644
--- a/apps/browser/src/autofill/popup/settings/notifications.component.ts
+++ b/apps/browser/src/autofill/popup/settings/notifications.component.ts
@@ -21,6 +21,8 @@ import { PopOutComponent } from "../../../platform/popup/components/pop-out.comp
 import { PopupHeaderComponent } from "../../../platform/popup/layout/popup-header.component";
 import { PopupPageComponent } from "../../../platform/popup/layout/popup-page.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "notifications.component.html",
   imports: [

From 67ba1b83eac94d9e6298f85b33422a8fd98668ac Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 22 Oct 2025 16:11:33 -0400
Subject: [PATCH 04/11] [PM-26369] [PM-26362] Implement Auto Confirm Policy and
 Multi Step Dialog Workflow (#16831)

* implement multi step dialog for auto confirm

* wip

* implement extension messgae for auto confirm

* expand layout logic for header and footer, implement function to open extension

* add back missing test

* refactor test

* clean up

* clean up

* clean up

* fix policy step increment

* clean up

* Ac/pm 26369 add auto confirm policy to client domain models (#16830)

* refactor BasePoliicyEditDefinition

* fix circular dep

* wip

* wip

* fix policy submission and refreshing

* add svg, copy, and finish layout

* clean up

* cleanup

* cleanup, fix SVG

* design review changes

* fix copy

* fix padding

* address organization plan feature FIXME

* fix test

* remove placeholder URL

* prevent duplicate messages
---
 ...-confirm-edit-policy-dialog.component.html |  91 +++++++
 ...to-confirm-edit-policy-dialog.component.ts | 249 ++++++++++++++++++
 .../policies/base-policy-edit.component.ts    |  17 +-
 .../policies/policies.component.ts            |  29 +-
 .../auto-confirm-policy.component.html        |  59 +++++
 .../auto-confirm-policy.component.ts          |  50 ++++
 .../policies/policy-edit-definitions/index.ts |   1 +
 .../policies/policy-edit-dialog.component.ts  |  12 +-
 .../policies/policy-edit-register.ts          |   2 +
 .../browser-extension-prompt.component.html   |   5 +-
 ...browser-extension-prompt.component.spec.ts |  17 +-
 .../browser-extension-prompt.component.ts     |  33 ++-
 .../browser-extension-prompt.service.spec.ts  |  55 ++--
 .../browser-extension-prompt.service.ts       |  25 +-
 apps/web/src/locales/en/messages.json         |  59 +++++
 libs/assets/src/svg/svgs/auto-confirmation.ts |   5 +
 libs/assets/src/svg/svgs/index.ts             |   1 +
 .../admin-console/enums/policy-type.enum.ts   |   1 +
 .../models/data/organization.data.spec.ts     |   1 +
 .../models/data/organization.data.ts          |   2 +
 .../models/domain/organization.ts             |   2 +
 .../response/profile-organization.response.ts |   2 +
 libs/common/src/enums/feature-flag.enum.ts    |   2 +
 23 files changed, 659 insertions(+), 61 deletions(-)
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html
 create mode 100644 apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
 create mode 100644 libs/assets/src/svg/svgs/auto-confirmation.ts

diff --git a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
new file mode 100644
index 00000000000..2388bb06bd8
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.html
@@ -0,0 +1,91 @@
+<form [formGroup]="formGroup" [bitSubmit]="submit">
+  <bit-dialog [loading]="loading">
+    <ng-container bitDialogTitle>
+      @let title = (multiStepSubmit | async)[currentStep()]?.titleContent();
+      @if (title) {
+        <ng-container [ngTemplateOutlet]="title"></ng-container>
+      }
+    </ng-container>
+
+    <ng-container bitDialogContent>
+      @if (loading) {
+        <div>
+          <i
+            class="bwi bwi-spinner bwi-spin tw-text-muted"
+            title="{{ 'loading' | i18n }}"
+            aria-hidden="true"
+          ></i>
+          <span class="tw-sr-only">{{ "loading" | i18n }}</span>
+        </div>
+      }
+      <div [hidden]="loading">
+        @if (policy.showDescription) {
+          <p bitTypography="body1">{{ policy.description | i18n }}</p>
+        }
+      </div>
+      <ng-template #policyForm></ng-template>
+    </ng-container>
+    <ng-container bitDialogFooter>
+      @let footer = (multiStepSubmit | async)[currentStep()]?.footerContent();
+      @if (footer) {
+        <ng-container [ngTemplateOutlet]="footer"></ng-container>
+      }
+    </ng-container>
+  </bit-dialog>
+</form>
+
+<ng-template #step0Title>
+  <div class="tw-flex tw-flex-col">
+    @let showBadge = firstTimeDialog();
+    @if (showBadge) {
+      <span bitBadge variant="info" class="tw-w-28 tw-my-2"> {{ "availableNow" | i18n }}</span>
+    }
+    <span>
+      {{ (firstTimeDialog ? "autoConfirm" : "editPolicy") | i18n }}
+      @if (!firstTimeDialog) {
+        <span class="tw-text-muted tw-font-normal tw-text-sm">
+          {{ policy.name | i18n }}
+        </span>
+      }
+    </span>
+  </div>
+</ng-template>
+
+<ng-template #step1Title>
+  {{ "howToTurnOnAutoConfirm" | i18n }}
+</ng-template>
+
+<ng-template #step0>
+  <button
+    bitButton
+    buttonType="primary"
+    [disabled]="saveDisabled$ | async"
+    bitFormButton
+    type="submit"
+  >
+    @if (autoConfirmEnabled$ | async) {
+      {{ "save" | i18n }}
+    } @else {
+      {{ "continue" | i18n }}
+    }
+  </button>
+  <button bitButton buttonType="secondary" bitDialogClose type="button">
+    {{ "cancel" | i18n }}
+  </button>
+</ng-template>
+
+<ng-template #step1>
+  <button
+    bitButton
+    buttonType="primary"
+    [disabled]="saveDisabled$ | async"
+    bitFormButton
+    type="submit"
+  >
+    {{ "openExtension" | i18n }}
+    <i class="bwi bwi-external-link tw-ml-1" aria-hidden="true"></i>
+  </button>
+  <button bitButton buttonType="secondary" bitDialogClose type="button">
+    {{ "close" | i18n }}
+  </button>
+</ng-template>
diff --git a/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
new file mode 100644
index 00000000000..18a9306b7d1
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/auto-confirm-edit-policy-dialog.component.ts
@@ -0,0 +1,249 @@
+import {
+  AfterViewInit,
+  ChangeDetectorRef,
+  Component,
+  Inject,
+  signal,
+  Signal,
+  TemplateRef,
+  viewChild,
+} from "@angular/core";
+import { FormBuilder } from "@angular/forms";
+import { Router } from "@angular/router";
+import {
+  combineLatest,
+  firstValueFrom,
+  map,
+  Observable,
+  of,
+  shareReplay,
+  startWith,
+  switchMap,
+  tap,
+} from "rxjs";
+
+import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { PolicyRequest } from "@bitwarden/common/admin-console/models/request/policy.request";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import {
+  DIALOG_DATA,
+  DialogConfig,
+  DialogRef,
+  DialogService,
+  ToastService,
+} from "@bitwarden/components";
+import { KeyService } from "@bitwarden/key-management";
+
+import { SharedModule } from "../../../shared";
+
+import { AutoConfirmPolicyEditComponent } from "./policy-edit-definitions/auto-confirm-policy.component";
+import {
+  PolicyEditDialogComponent,
+  PolicyEditDialogData,
+  PolicyEditDialogResult,
+} from "./policy-edit-dialog.component";
+
+export type MultiStepSubmit = {
+  sideEffect: () => Promise<void>;
+  footerContent: Signal<TemplateRef<unknown> | undefined>;
+  titleContent: Signal<TemplateRef<unknown> | undefined>;
+};
+
+export type AutoConfirmPolicyDialogData = PolicyEditDialogData & {
+  firstTimeDialog?: boolean;
+};
+
+/**
+ * Custom policy dialog component for Auto-Confirm policy.
+ * Satisfies the PolicyDialogComponent interface structurally
+ * via its static open() function.
+ */
+@Component({
+  templateUrl: "auto-confirm-edit-policy-dialog.component.html",
+  imports: [SharedModule],
+})
+export class AutoConfirmPolicyDialogComponent
+  extends PolicyEditDialogComponent
+  implements AfterViewInit
+{
+  policyType = PolicyType;
+
+  protected firstTimeDialog = signal(false);
+  protected currentStep = signal(0);
+  protected multiStepSubmit: Observable<MultiStepSubmit[]> = of([]);
+  protected autoConfirmEnabled$: Observable<boolean> = this.accountService.activeAccount$.pipe(
+    getUserId,
+    switchMap((userId) => this.policyService.policies$(userId)),
+    map((policies) => policies.find((p) => p.type === PolicyType.AutoConfirm)?.enabled ?? false),
+  );
+
+  private submitPolicy: Signal<TemplateRef<unknown> | undefined> = viewChild("step0");
+  private openExtension: Signal<TemplateRef<unknown> | undefined> = viewChild("step1");
+
+  private submitPolicyTitle: Signal<TemplateRef<unknown> | undefined> = viewChild("step0Title");
+  private openExtensionTitle: Signal<TemplateRef<unknown> | undefined> = viewChild("step1Title");
+
+  override policyComponent: AutoConfirmPolicyEditComponent | undefined;
+
+  constructor(
+    @Inject(DIALOG_DATA) protected data: AutoConfirmPolicyDialogData,
+    accountService: AccountService,
+    policyApiService: PolicyApiServiceAbstraction,
+    i18nService: I18nService,
+    cdr: ChangeDetectorRef,
+    formBuilder: FormBuilder,
+    dialogRef: DialogRef<PolicyEditDialogResult>,
+    toastService: ToastService,
+    configService: ConfigService,
+    keyService: KeyService,
+    private policyService: PolicyService,
+    private router: Router,
+  ) {
+    super(
+      data,
+      accountService,
+      policyApiService,
+      i18nService,
+      cdr,
+      formBuilder,
+      dialogRef,
+      toastService,
+      configService,
+      keyService,
+    );
+
+    this.firstTimeDialog.set(data.firstTimeDialog ?? false);
+  }
+
+  /**
+   * Instantiates the child policy component and inserts it into the view.
+   */
+  async ngAfterViewInit() {
+    await super.ngAfterViewInit();
+
+    if (this.policyComponent) {
+      this.saveDisabled$ = combineLatest([
+        this.autoConfirmEnabled$,
+        this.policyComponent.enabled.valueChanges.pipe(
+          startWith(this.policyComponent.enabled.value),
+        ),
+      ]).pipe(map(([policyEnabled, value]) => !policyEnabled && !value));
+    }
+
+    this.multiStepSubmit = this.accountService.activeAccount$.pipe(
+      getUserId,
+      switchMap((userId) => this.policyService.policies$(userId)),
+      map((policies) => policies.find((p) => p.type === PolicyType.SingleOrg)?.enabled ?? false),
+      tap((singleOrgPolicyEnabled) =>
+        this.policyComponent?.setSingleOrgEnabled(singleOrgPolicyEnabled),
+      ),
+      map((singleOrgPolicyEnabled) => [
+        {
+          sideEffect: () => this.handleSubmit(singleOrgPolicyEnabled ?? false),
+          footerContent: this.submitPolicy,
+          titleContent: this.submitPolicyTitle,
+        },
+        {
+          sideEffect: () => this.openBrowserExtension(),
+          footerContent: this.openExtension,
+          titleContent: this.openExtensionTitle,
+        },
+      ]),
+      shareReplay({ bufferSize: 1, refCount: true }),
+    );
+  }
+
+  private async handleSubmit(singleOrgEnabled: boolean) {
+    if (!singleOrgEnabled) {
+      await this.submitSingleOrg();
+    }
+    await this.submitAutoConfirm();
+  }
+
+  /**
+   *  Triggers policy submission for auto confirm.
+   *  @returns boolean: true if multi-submit workflow should continue, false otherwise.
+   */
+  private async submitAutoConfirm() {
+    if (!this.policyComponent) {
+      throw new Error("PolicyComponent not initialized.");
+    }
+
+    const autoConfirmRequest = await this.policyComponent.buildRequest();
+    await this.policyApiService.putPolicy(
+      this.data.organizationId,
+      this.data.policy.type,
+      autoConfirmRequest,
+    );
+
+    this.toastService.showToast({
+      variant: "success",
+      message: this.i18nService.t("editedPolicyId", this.i18nService.t(this.data.policy.name)),
+    });
+
+    if (!this.policyComponent.enabled.value) {
+      this.dialogRef.close("saved");
+    }
+  }
+
+  private async submitSingleOrg(): Promise<void> {
+    const singleOrgRequest: PolicyRequest = {
+      type: PolicyType.SingleOrg,
+      enabled: true,
+      data: null,
+    };
+
+    await this.policyApiService.putPolicy(
+      this.data.organizationId,
+      PolicyType.SingleOrg,
+      singleOrgRequest,
+    );
+  }
+
+  private async openBrowserExtension() {
+    await this.router.navigate(["/browser-extension-prompt"], {
+      queryParams: { url: "AutoConfirm" },
+    });
+  }
+
+  submit = async () => {
+    if (!this.policyComponent) {
+      throw new Error("PolicyComponent not initialized.");
+    }
+
+    if ((await this.policyComponent.confirm()) == false) {
+      this.dialogRef.close();
+      return;
+    }
+
+    try {
+      const multiStepSubmit = await firstValueFrom(this.multiStepSubmit);
+      await multiStepSubmit[this.currentStep()].sideEffect();
+
+      if (this.currentStep() === multiStepSubmit.length - 1) {
+        this.dialogRef.close("saved");
+        return;
+      }
+
+      this.currentStep.update((value) => value + 1);
+      this.policyComponent.setStep(this.currentStep());
+    } catch (error: any) {
+      this.toastService.showToast({
+        variant: "error",
+        message: error.message,
+      });
+    }
+  };
+
+  static open = (
+    dialogService: DialogService,
+    config: DialogConfig<AutoConfirmPolicyDialogData>,
+  ) => {
+    return dialogService.open<PolicyEditDialogResult>(AutoConfirmPolicyDialogComponent, config);
+  };
+}
diff --git a/apps/web/src/app/admin-console/organizations/policies/base-policy-edit.component.ts b/apps/web/src/app/admin-console/organizations/policies/base-policy-edit.component.ts
index 9293c686b7f..9bf0ad24b1b 100644
--- a/apps/web/src/app/admin-console/organizations/policies/base-policy-edit.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/base-policy-edit.component.ts
@@ -8,8 +8,20 @@ import { Organization } from "@bitwarden/common/admin-console/models/domain/orga
 import { PolicyRequest } from "@bitwarden/common/admin-console/models/request/policy.request";
 import { PolicyResponse } from "@bitwarden/common/admin-console/models/response/policy.response";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { DialogConfig, DialogRef, DialogService } from "@bitwarden/components";
 
-import type { PolicyEditDialogComponent } from "./policy-edit-dialog.component";
+import type { PolicyEditDialogData, PolicyEditDialogResult } from "./policy-edit-dialog.component";
+
+/**
+ * Interface for policy dialog components.
+ * Any component that implements this interface can be used as a custom policy edit dialog.
+ */
+export interface PolicyDialogComponent {
+  open: (
+    dialogService: DialogService,
+    config: DialogConfig<PolicyEditDialogData>,
+  ) => DialogRef<PolicyEditDialogResult>;
+}
 
 /**
  * A metadata class that defines how a policy is displayed in the Admin Console Policies page for editing.
@@ -37,9 +49,8 @@ export abstract class BasePolicyEditDefinition {
   /**
    * The dialog component that will be opened when editing this policy.
    * This allows customizing the look and feel of each policy's dialog contents.
-   * If not specified, defaults to {@link PolicyEditDialogComponent}.
    */
-  editDialogComponent?: typeof PolicyEditDialogComponent;
+  editDialogComponent?: PolicyDialogComponent;
 
   /**
    * If true, the {@link description} will be reused in the policy edit modal. Set this to false if you
diff --git a/apps/web/src/app/admin-console/organizations/policies/policies.component.ts b/apps/web/src/app/admin-console/organizations/policies/policies.component.ts
index 95c00f74f1c..7bab6f262a6 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policies.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policies.component.ts
@@ -1,17 +1,18 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
 import { Component, OnInit } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
 import { ActivatedRoute } from "@angular/router";
 import {
   combineLatest,
   firstValueFrom,
-  lastValueFrom,
   Observable,
   of,
   switchMap,
   first,
   map,
   withLatestFrom,
+  tap,
 } from "rxjs";
 
 import {
@@ -19,9 +20,11 @@ import {
   OrganizationService,
 } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { PolicyResponse } from "@bitwarden/common/admin-console/models/response/policy.response";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { DialogService } from "@bitwarden/components";
 import { safeProvider } from "@bitwarden/ui-common";
@@ -29,7 +32,7 @@ import { safeProvider } from "@bitwarden/ui-common";
 import { HeaderModule } from "../../../layouts/header/header.module";
 import { SharedModule } from "../../../shared";
 
-import { BasePolicyEditDefinition } from "./base-policy-edit.component";
+import { BasePolicyEditDefinition, PolicyDialogComponent } from "./base-policy-edit.component";
 import { PolicyEditDialogComponent } from "./policy-edit-dialog.component";
 import { PolicyListService } from "./policy-list.service";
 import { POLICY_EDIT_REGISTER } from "./policy-register-token";
@@ -59,8 +62,18 @@ export class PoliciesComponent implements OnInit {
     private policyApiService: PolicyApiServiceAbstraction,
     private policyListService: PolicyListService,
     private dialogService: DialogService,
+    private policyService: PolicyService,
     protected configService: ConfigService,
-  ) {}
+  ) {
+    this.accountService.activeAccount$
+      .pipe(
+        getUserId,
+        switchMap((userId) => this.policyService.policies$(userId)),
+        tap(async () => await this.load()),
+        takeUntilDestroyed(),
+      )
+      .subscribe();
+  }
 
   async ngOnInit() {
     // eslint-disable-next-line rxjs-angular/prefer-takeuntil, rxjs/no-async-subscribe
@@ -127,17 +140,13 @@ export class PoliciesComponent implements OnInit {
   }
 
   async edit(policy: BasePolicyEditDefinition) {
-    const dialogComponent = policy.editDialogComponent ?? PolicyEditDialogComponent;
-    const dialogRef = dialogComponent.open(this.dialogService, {
+    const dialogComponent: PolicyDialogComponent =
+      policy.editDialogComponent ?? PolicyEditDialogComponent;
+    dialogComponent.open(this.dialogService, {
       data: {
         policy: policy,
         organizationId: this.organizationId,
       },
     });
-
-    const result = await lastValueFrom(dialogRef.closed);
-    if (result == "saved") {
-      await this.load();
-    }
   }
 }
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html
new file mode 100644
index 00000000000..8334b451d22
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.html
@@ -0,0 +1,59 @@
+<ng-container [ngTemplateOutlet]="steps[step]()"></ng-container>
+
+<ng-template #step0>
+  <p class="tw-mb-6">
+    {{ "autoConfirmPolicyEditDescription" | i18n }}
+  </p>
+
+  <ul class="tw-mb-6 tw-pl-6">
+    <li>
+      <span class="tw-font-bold">
+        {{ "autoConfirmAcceptSecurityRiskTitle" | i18n }}
+      </span>
+      {{ "autoConfirmAcceptSecurityRiskDescription" | i18n }}
+      <a bitLink href="https://bitwarden.com/help/automatic-confirmation/" target="_blank">
+        {{ "autoConfirmAcceptSecurityRiskLearnMore" | i18n }}
+        <i class="bwi bwi-external-link bwi-fw"></i>
+      </a>
+    </li>
+
+    <li>
+      @if (singleOrgEnabled$ | async) {
+        <span class="tw-font-bold">
+          {{ "autoConfirmSingleOrgExemption" | i18n }}
+        </span>
+      } @else {
+        <span class="tw-font-bold">
+          {{ "autoConfirmSingleOrgRequired" | i18n }}
+        </span>
+      }
+      {{ "autoConfirmSingleOrgRequiredDescription" | i18n }}
+    </li>
+
+    <li>
+      <span class="tw-font-bold">
+        {{ "autoConfirmNoEmergencyAccess" | i18n }}
+      </span>
+      {{ "autoConfirmNoEmergencyAccessDescription" | i18n }}
+    </li>
+  </ul>
+
+  <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />
+  <bit-label>{{ "autoConfirmCheckBoxLabel" | i18n }}</bit-label>
+</ng-template>
+
+<ng-template #step1>
+  <div class="tw-flex tw-justify-center tw-mb-6">
+    <bit-icon class="tw-w-[233px]" [icon]="autoConfirmSvg"></bit-icon>
+  </div>
+  <ol>
+    <li>1. {{ "autoConfirmStep1" | i18n }}</li>
+
+    <li>
+      2. {{ "autoConfirmStep2a" | i18n }}
+      <strong>
+        {{ "autoConfirmStep2b" | i18n }}
+      </strong>
+    </li>
+  </ol>
+</ng-template>
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
new file mode 100644
index 00000000000..a5ea2ef8790
--- /dev/null
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/auto-confirm-policy.component.ts
@@ -0,0 +1,50 @@
+import { Component, OnInit, Signal, TemplateRef, viewChild } from "@angular/core";
+import { BehaviorSubject, map, Observable } from "rxjs";
+
+import { AutoConfirmSvg } from "@bitwarden/assets/svg";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+
+import { SharedModule } from "../../../../shared";
+import { AutoConfirmPolicyDialogComponent } from "../auto-confirm-edit-policy-dialog.component";
+import { BasePolicyEditDefinition, BasePolicyEditComponent } from "../base-policy-edit.component";
+
+export class AutoConfirmPolicy extends BasePolicyEditDefinition {
+  name = "autoConfirm";
+  description = "autoConfirmDescription";
+  type = PolicyType.AutoConfirm;
+  component = AutoConfirmPolicyEditComponent;
+  showDescription = false;
+  editDialogComponent = AutoConfirmPolicyDialogComponent;
+
+  override display$(organization: Organization, configService: ConfigService): Observable<boolean> {
+    return configService
+      .getFeatureFlag$(FeatureFlag.AutoConfirm)
+      .pipe(map((enabled) => enabled && organization.useAutomaticUserConfirmation));
+  }
+}
+
+@Component({
+  templateUrl: "auto-confirm-policy.component.html",
+  imports: [SharedModule],
+})
+export class AutoConfirmPolicyEditComponent extends BasePolicyEditComponent implements OnInit {
+  protected readonly autoConfirmSvg = AutoConfirmSvg;
+  private policyForm: Signal<TemplateRef<any> | undefined> = viewChild("step0");
+  private extensionButton: Signal<TemplateRef<any> | undefined> = viewChild("step1");
+
+  protected step: number = 0;
+  protected steps = [this.policyForm, this.extensionButton];
+
+  protected singleOrgEnabled$: BehaviorSubject<boolean> = new BehaviorSubject(false);
+
+  setSingleOrgEnabled(enabled: boolean) {
+    this.singleOrgEnabled$.next(enabled);
+  }
+
+  setStep(step: number) {
+    this.step = step;
+  }
+}
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
index bb2c40b7a76..7373e1ff888 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-definitions/index.ts
@@ -14,3 +14,4 @@ export {
   vNextOrganizationDataOwnershipPolicy,
   vNextOrganizationDataOwnershipPolicyComponent,
 } from "./vnext-organization-data-ownership.component";
+export { AutoConfirmPolicy } from "./auto-confirm-policy.component";
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
index f0672d0f861..d98b5d4809b 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-dialog.component.ts
@@ -30,7 +30,7 @@ import { KeyService } from "@bitwarden/key-management";
 import { SharedModule } from "../../../shared";
 
 import { BasePolicyEditDefinition, BasePolicyEditComponent } from "./base-policy-edit.component";
-import { vNextOrganizationDataOwnershipPolicyComponent } from "./policy-edit-definitions";
+import { vNextOrganizationDataOwnershipPolicyComponent } from "./policy-edit-definitions/vnext-organization-data-ownership.component";
 
 export type PolicyEditDialogData = {
   /**
@@ -64,13 +64,13 @@ export class PolicyEditDialogComponent implements AfterViewInit {
   });
   constructor(
     @Inject(DIALOG_DATA) protected data: PolicyEditDialogData,
-    private accountService: AccountService,
-    private policyApiService: PolicyApiServiceAbstraction,
-    private i18nService: I18nService,
+    protected accountService: AccountService,
+    protected policyApiService: PolicyApiServiceAbstraction,
+    protected i18nService: I18nService,
     private cdr: ChangeDetectorRef,
     private formBuilder: FormBuilder,
-    private dialogRef: DialogRef<PolicyEditDialogResult>,
-    private toastService: ToastService,
+    protected dialogRef: DialogRef<PolicyEditDialogResult>,
+    protected toastService: ToastService,
     private configService: ConfigService,
     private keyService: KeyService,
   ) {}
diff --git a/apps/web/src/app/admin-console/organizations/policies/policy-edit-register.ts b/apps/web/src/app/admin-console/organizations/policies/policy-edit-register.ts
index 5e63ba1358a..ca44818764c 100644
--- a/apps/web/src/app/admin-console/organizations/policies/policy-edit-register.ts
+++ b/apps/web/src/app/admin-console/organizations/policies/policy-edit-register.ts
@@ -1,5 +1,6 @@
 import { BasePolicyEditDefinition } from "./base-policy-edit.component";
 import {
+  AutoConfirmPolicy,
   DesktopAutotypeDefaultSettingPolicy,
   DisableSendPolicy,
   MasterPasswordPolicy,
@@ -33,4 +34,5 @@ export const ossPolicyEditRegister: BasePolicyEditDefinition[] = [
   new SendOptionsPolicy(),
   new RestrictedItemTypesPolicy(),
   new DesktopAutotypeDefaultSettingPolicy(),
+  new AutoConfirmPolicy(),
 ];
diff --git a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.html b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.html
index 56332cc424b..aff549a84f4 100644
--- a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.html
+++ b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.html
@@ -4,13 +4,14 @@
     <p bitTypography="body1" class="tw-mb-0 tw-mt-2">{{ "openingExtension" | i18n }}</p>
   </ng-container>
 
+  @let page = extensionPage$ | async;
   <ng-container *ngIf="pageState === BrowserPromptState.Error">
     <p bitTypography="body1" class="tw-mb-4 tw-text-xl">{{ "openingExtensionError" | i18n }}</p>
     <button
       bitButton
       buttonType="primary"
       type="button"
-      (click)="openExtension()"
+      (click)="openExtension(page)"
       id="bw-extension-prompt-button"
     >
       {{ "openExtension" | i18n }}
@@ -21,7 +22,7 @@
   <ng-container *ngIf="pageState === BrowserPromptState.Success">
     <i class="bwi tw-text-2xl bwi-check-circle tw-text-success-700" aria-hidden="true"></i>
     <p bitTypography="body1" class="tw-mb-4 tw-text-xl">
-      {{ "openedExtensionViewAtRiskPasswords" | i18n }}
+      {{ pageToI18nKeyMap[page] | i18n }}
     </p>
   </ng-container>
 
diff --git a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.spec.ts b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.spec.ts
index 1b5b012ab13..a19606f6d9c 100644
--- a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.spec.ts
+++ b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.spec.ts
@@ -1,6 +1,7 @@
 import { ComponentFixture, TestBed } from "@angular/core/testing";
 import { By } from "@angular/platform-browser";
-import { BehaviorSubject } from "rxjs";
+import { ActivatedRoute } from "@angular/router";
+import { BehaviorSubject, of } from "rxjs";
 
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 
@@ -16,6 +17,7 @@ describe("BrowserExtensionPromptComponent", () => {
   let component: BrowserExtensionPromptComponent;
   const start = jest.fn();
   const openExtension = jest.fn();
+  const registerPopupUrl = jest.fn();
   const pageState$ = new BehaviorSubject<BrowserPromptState>(BrowserPromptState.Loading);
   const setAttribute = jest.fn();
   const getAttribute = jest.fn().mockReturnValue("width=1010");
@@ -23,6 +25,7 @@ describe("BrowserExtensionPromptComponent", () => {
   beforeEach(async () => {
     start.mockClear();
     openExtension.mockClear();
+    registerPopupUrl.mockClear();
     setAttribute.mockClear();
     getAttribute.mockClear();
 
@@ -41,12 +44,20 @@ describe("BrowserExtensionPromptComponent", () => {
       providers: [
         {
           provide: BrowserExtensionPromptService,
-          useValue: { start, openExtension, pageState$ },
+          useValue: { start, openExtension, registerPopupUrl, pageState$ },
         },
         {
           provide: I18nService,
           useValue: { t: (key: string) => key },
         },
+        {
+          provide: ActivatedRoute,
+          useValue: {
+            queryParamMap: of({
+              get: (key: string) => null,
+            }),
+          },
+        },
       ],
     }).compileComponents();
 
@@ -92,7 +103,7 @@ describe("BrowserExtensionPromptComponent", () => {
       button.click();
 
       expect(openExtension).toHaveBeenCalledTimes(1);
-      expect(openExtension).toHaveBeenCalledWith(true);
+      expect(openExtension).toHaveBeenCalledWith("openAtRiskPasswords", true);
     });
   });
 
diff --git a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.ts b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.ts
index 177311cbfde..f3a5b9aa532 100644
--- a/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.ts
+++ b/apps/web/src/app/vault/components/browser-extension-prompt/browser-extension-prompt.component.ts
@@ -1,6 +1,10 @@
 import { CommonModule, DOCUMENT } from "@angular/common";
 import { Component, Inject, OnDestroy, OnInit } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
+import { ActivatedRoute } from "@angular/router";
+import { map, Observable, of, tap } from "rxjs";
 
+import { VaultMessages } from "@bitwarden/common/vault/enums/vault-messages.enum";
 import { ButtonComponent, IconModule } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";
 
@@ -16,6 +20,8 @@ import { ManuallyOpenExtensionComponent } from "../manually-open-extension/manua
   imports: [CommonModule, I18nPipe, ButtonComponent, IconModule, ManuallyOpenExtensionComponent],
 })
 export class BrowserExtensionPromptComponent implements OnInit, OnDestroy {
+  protected VaultMessages = VaultMessages;
+
   /** Current state of the prompt page */
   protected pageState$ = this.browserExtensionPromptService.pageState$;
 
@@ -25,14 +31,33 @@ export class BrowserExtensionPromptComponent implements OnInit, OnDestroy {
   /** Content of the meta[name="viewport"] element */
   private viewportContent: string | null = null;
 
+  /** Map of extension page identifiers to their i18n keys */
+  protected readonly pageToI18nKeyMap: Record<string, string> = {
+    [VaultMessages.OpenAtRiskPasswords]: "openedExtensionViewAtRiskPasswords",
+    AutoConfirm: "autoConfirmExtensionOpened",
+  } as const;
+
+  protected extensionPage$: Observable<string> = of(VaultMessages.OpenAtRiskPasswords);
+
   constructor(
     private browserExtensionPromptService: BrowserExtensionPromptService,
+    private route: ActivatedRoute,
     @Inject(DOCUMENT) private document: Document,
-  ) {}
+  ) {
+    this.extensionPage$ = this.route.queryParamMap.pipe(
+      map((params) => params.get("url") ?? VaultMessages.OpenAtRiskPasswords),
+    );
+
+    this.extensionPage$
+      .pipe(
+        tap((url) => this.browserExtensionPromptService.registerPopupUrl(url)),
+        takeUntilDestroyed(),
+      )
+      .subscribe();
+  }
 
   ngOnInit(): void {
     this.browserExtensionPromptService.start();
-
     // It is not be uncommon for users to hit this page from a mobile device.
     // There are global styles and the viewport meta tag that set a min-width
     // for the page which cause it to render poorly. Remove them here.
@@ -57,7 +82,7 @@ export class BrowserExtensionPromptComponent implements OnInit, OnDestroy {
     }
   }
 
-  openExtension(): void {
-    this.browserExtensionPromptService.openExtension(true);
+  async openExtension(command: string) {
+    await this.browserExtensionPromptService.openExtension(command, true);
   }
 }
diff --git a/apps/web/src/app/vault/services/browser-extension-prompt.service.spec.ts b/apps/web/src/app/vault/services/browser-extension-prompt.service.spec.ts
index 5b4c6665aa0..8938431d554 100644
--- a/apps/web/src/app/vault/services/browser-extension-prompt.service.spec.ts
+++ b/apps/web/src/app/vault/services/browser-extension-prompt.service.spec.ts
@@ -1,4 +1,5 @@
 import { TestBed } from "@angular/core/testing";
+import { firstValueFrom, Observable } from "rxjs";
 
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
@@ -9,11 +10,13 @@ import {
   BrowserExtensionPromptService,
   BrowserPromptState,
 } from "./browser-extension-prompt.service";
+import { WebBrowserInteractionService } from "./web-browser-interaction.service";
 
 describe("BrowserExtensionPromptService", () => {
   let service: BrowserExtensionPromptService;
   const setAnonLayoutWrapperData = jest.fn();
   const isFirefox = jest.fn().mockReturnValue(false);
+  const openExtensionMock = jest.fn().mockResolvedValue(undefined);
   const postMessage = jest.fn();
   window.postMessage = postMessage;
 
@@ -21,12 +24,14 @@ describe("BrowserExtensionPromptService", () => {
     setAnonLayoutWrapperData.mockClear();
     postMessage.mockClear();
     isFirefox.mockClear();
+    openExtensionMock.mockClear();
 
     TestBed.configureTestingModule({
       providers: [
         BrowserExtensionPromptService,
         { provide: AnonLayoutWrapperDataService, useValue: { setAnonLayoutWrapperData } },
         { provide: PlatformUtilsService, useValue: { isFirefox } },
+        { provide: WebBrowserInteractionService, useValue: { openExtension: openExtensionMock } },
       ],
     });
     jest.useFakeTimers();
@@ -45,38 +50,42 @@ describe("BrowserExtensionPromptService", () => {
     });
   });
 
-  describe("start", () => {
+  describe("registerPopupUrl", () => {
     it("posts message to check for extension", () => {
-      service.start();
+      service.registerPopupUrl(VaultMessages.OpenAtRiskPasswords);
 
       expect(window.postMessage).toHaveBeenCalledWith({
         command: VaultMessages.checkBwInstalled,
       });
     });
 
-    it("sets timeout for error state", () => {
-      service.start();
-
-      expect(service["extensionCheckTimeout"]).not.toBeNull();
-    });
-
     it("attempts to open the extension when installed", () => {
-      service.start();
+      service.registerPopupUrl(VaultMessages.OpenAtRiskPasswords);
 
       window.dispatchEvent(
         new MessageEvent("message", { data: { command: VaultMessages.HasBwInstalled } }),
       );
 
       expect(window.postMessage).toHaveBeenCalledTimes(2);
+      expect(window.postMessage).toHaveBeenCalledWith({
+        command: VaultMessages.checkBwInstalled,
+      });
       expect(window.postMessage).toHaveBeenCalledWith({
         command: VaultMessages.OpenAtRiskPasswords,
       });
     });
   });
 
-  describe("success state", () => {
-    beforeEach(() => {
+  describe("start", () => {
+    it("sets timeout for error state", () => {
       service.start();
+      expect(service["extensionCheckTimeout"]).not.toBeNull();
+    });
+  });
+
+  describe("success registerPopupUrl", () => {
+    beforeEach(() => {
+      service.registerPopupUrl(VaultMessages.OpenAtRiskPasswords);
 
       window.dispatchEvent(
         new MessageEvent("message", { data: { command: VaultMessages.PopupOpened } }),
@@ -155,7 +164,7 @@ describe("BrowserExtensionPromptService", () => {
 
   describe("error state", () => {
     beforeEach(() => {
-      service.start();
+      service.registerPopupUrl(VaultMessages.OpenAtRiskPasswords);
       jest.advanceTimersByTime(1000);
     });
 
@@ -172,19 +181,17 @@ describe("BrowserExtensionPromptService", () => {
       });
     });
 
-    it("sets manual open state when open extension is called", (done) => {
-      service.openExtension(true);
+    it("sets manual open state when open extension is called", async () => {
+      const pageState$: Observable<BrowserPromptState> = service.pageState$;
 
+      await service.openExtension(VaultMessages.OpenAtRiskPasswords, true);
       jest.advanceTimersByTime(1000);
 
-      service.pageState$.subscribe((state) => {
-        expect(state).toBe(BrowserPromptState.ManualOpen);
-        done();
-      });
+      expect(await firstValueFrom(pageState$)).toBe(BrowserPromptState.ManualOpen);
     });
 
-    it("shows success state when extension auto opens", (done) => {
-      service.openExtension(true);
+    it("shows success state when extension auto opens", async () => {
+      await service.openExtension(VaultMessages.OpenAtRiskPasswords, true);
 
       jest.advanceTimersByTime(500); // don't let timeout occur
 
@@ -192,11 +199,9 @@ describe("BrowserExtensionPromptService", () => {
         new MessageEvent("message", { data: { command: VaultMessages.PopupOpened } }),
       );
 
-      service.pageState$.subscribe((state) => {
-        expect(state).toBe(BrowserPromptState.Success);
-        expect(service["extensionCheckTimeout"]).toBeUndefined();
-        done();
-      });
+      const pageState$: Observable<BrowserPromptState> = service.pageState$;
+      expect(await firstValueFrom(pageState$)).toBe(BrowserPromptState.Success);
+      expect(service["extensionCheckTimeout"]).toBeUndefined();
     });
   });
 });
diff --git a/apps/web/src/app/vault/services/browser-extension-prompt.service.ts b/apps/web/src/app/vault/services/browser-extension-prompt.service.ts
index a164a106917..2bbbd287d76 100644
--- a/apps/web/src/app/vault/services/browser-extension-prompt.service.ts
+++ b/apps/web/src/app/vault/services/browser-extension-prompt.service.ts
@@ -4,10 +4,13 @@ import { BehaviorSubject, fromEvent } from "rxjs";
 
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { ExtensionPageUrls } from "@bitwarden/common/vault/enums";
 import { VaultMessages } from "@bitwarden/common/vault/enums/vault-messages.enum";
 import { UnionOfValues } from "@bitwarden/common/vault/types/union-of-values";
 import { AnonLayoutWrapperDataService } from "@bitwarden/components";
 
+import { WebBrowserInteractionService } from "./web-browser-interaction.service";
+
 export const BrowserPromptState = {
   Loading: "loading",
   Error: "error",
@@ -36,6 +39,7 @@ export class BrowserExtensionPromptService {
     private anonLayoutWrapperDataService: AnonLayoutWrapperDataService,
     private destroyRef: DestroyRef,
     private platformUtilsService: PlatformUtilsService,
+    private webBrowserInteractionService: WebBrowserInteractionService,
   ) {}
 
   start(): void {
@@ -52,14 +56,19 @@ export class BrowserExtensionPromptService {
       this.setErrorState(BrowserPromptState.ManualOpen);
       return;
     }
+  }
 
-    this.checkForBrowserExtension();
+  registerPopupUrl(url: string) {
+    this.checkForBrowserExtension(url);
   }
 
   /** Post a message to the extension to open */
-  openExtension(setManualErrorTimeout = false) {
-    window.postMessage({ command: VaultMessages.OpenAtRiskPasswords });
-
+  async openExtension(url: string, setManualErrorTimeout = false) {
+    if (url == VaultMessages.OpenAtRiskPasswords) {
+      window.postMessage({ command: url });
+    } else {
+      await this.webBrowserInteractionService.openExtension(ExtensionPageUrls[url]);
+    }
     // Optionally, configure timeout to show the manual open error state if
     // the extension does not open within one second.
     if (setManualErrorTimeout) {
@@ -72,11 +81,11 @@ export class BrowserExtensionPromptService {
   }
 
   /** Send message checking for the browser extension */
-  private checkForBrowserExtension() {
+  private checkForBrowserExtension(url: string) {
     fromEvent<MessageEvent>(window, "message")
       .pipe(takeUntilDestroyed(this.destroyRef))
       .subscribe((event) => {
-        void this.getMessages(event);
+        void this.getMessages(event, url);
       });
 
     window.postMessage({ command: VaultMessages.checkBwInstalled });
@@ -88,9 +97,9 @@ export class BrowserExtensionPromptService {
   }
 
   /** Handle window message events */
-  private getMessages(event: any) {
+  private async getMessages(event: any, url: string) {
     if (event.data.command === VaultMessages.HasBwInstalled) {
-      this.openExtension();
+      await this.openExtension(url);
     }
 
     if (event.data.command === VaultMessages.PopupOpened) {
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index f328e3e0bea..f2cb9e5fd7b 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -5716,6 +5716,65 @@
     "message": "Learn more about the ",
     "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Learn more about the credential lifecycle.'"
   },
+  "availableNow": {
+    "message": "Available now"
+  },
+  "autoConfirm": {
+    "message": "Automatic confirmation of new users"
+  },
+  "autoConfirmDescription": {
+    "message": "New users invited to the organization will be automatically confirmed when an admin’s device is unlocked.",
+    "description": "This is the description of the policy as it appears in the 'Policies' page"
+  },
+  "howToTurnOnAutoConfirm": {
+    "message": "How to turn on automatic user confirmation"
+  },
+  "autoConfirmStep1": {
+    "message": "Open your Bitwarden extension."
+  },
+  "autoConfirmStep2a": {
+    "message": "Select",
+    "description": "This is a fragment of a larger sencence. The whole sentence will read: 'Select Turn on.'"
+  },
+  "autoConfirmStep2b": {
+    "message": " Turn on.",
+    "description": "This is a fragment of a larger sencence. The whole sentence will read: 'Select Turn on.'"
+  },
+  "autoConfirmExtensionOpened": {
+    "message": "Successfully opened the Bitwarden browser extension. You can now activate the automatic user confirmation setting."
+  },
+  "autoConfirmPolicyEditDescription": {
+    "message": "New users invited to the organization will be automatically confirmed when an admin’s device is unlocked. Before turning on this policy, please review and agree to the following: ",
+    "description": "This is the description of the policy as it appears inside the policy edit dialog"
+  },
+  "autoConfirmAcceptSecurityRiskTitle": {
+    "message": "Potential security risk. "
+  },
+  "autoConfirmAcceptSecurityRiskDescription": {
+    "message": "Automatic user confirmation could pose a security risk to your organization’s data."
+  },
+  "autoConfirmAcceptSecurityRiskLearnMore": {
+    "message": "Learn about the risks",
+    "description": "The is the link copy for the first check box option in the edit policy dialog"
+  },
+  "autoConfirmSingleOrgRequired": {
+    "message": "Single organization policy required. "
+  },
+  "autoConfirmSingleOrgRequiredDescription": {
+    "message": "Anyone part of more than one organization will have their access revoked until they leave the other organizations."
+  },
+  "autoConfirmSingleOrgExemption": {
+    "message": "Single organization policy will extend to all roles. "
+  },
+  "autoConfirmNoEmergencyAccess": {
+    "message": "No emergency access. "
+  },
+  "autoConfirmNoEmergencyAccessDescription": {
+    "message": "Emergency Access will be removed."
+  },
+  "autoConfirmCheckBoxLabel": {
+    "message": "I accept these risks and policy updates"
+  },
   "personalOwnership": {
     "message": "Remove individual vault"
   },
diff --git a/libs/assets/src/svg/svgs/auto-confirmation.ts b/libs/assets/src/svg/svgs/auto-confirmation.ts
new file mode 100644
index 00000000000..2a1416a5d25
--- /dev/null
+++ b/libs/assets/src/svg/svgs/auto-confirmation.ts
@@ -0,0 +1,5 @@
+import { svgIcon } from "../icon-service";
+
+export const AutoConfirmSvg = svgIcon`
+<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 197 232"><g filter="url(#a)"><path class="tw-fill-background-alt" d="M8 11a8 8 0 0 1 8-8h166a8 8 0 0 1 8 8v16.673H8z"/><path class="tw-fill-background" d="M8 26.686h182V229H8z"/><path class="tw-fill-illustration-logo" d="M153.366 8.3a2.31 2.31 0 0 1 2.31-2.31h11.687a2.31 2.31 0 0 1 2.309 2.31v11.472a2.31 2.31 0 0 1-2.31 2.31h-11.686a2.31 2.31 0 0 1-2.31-2.31z"/><g clip-path="url(#b)"><path class="tw-fill-background" d="M166.143 8.46a.46.46 0 0 0-.334-.143h-8.579a.46.46 0 0 0-.334.143.45.45 0 0 0-.143.335v5.718c.002.436.086.867.249 1.27q.232.602.618 1.118.395.516.879.95.448.411.941.767.429.304.901.577.471.272.666.368.197.097.315.149.094.045.198.043a.4.4 0 0 0 .193-.045q.12-.053.317-.149c.132-.064.357-.187.666-.368s.613-.374.901-.577q.494-.356.943-.767.484-.434.878-.95c.256-.343.464-.719.619-1.117.163-.404.247-.835.248-1.27v-5.72a.45.45 0 0 0-.142-.332m-1.106 6.106c0 2.073-3.517 3.853-3.517 3.853V9.542h3.517z"/></g><path class="tw-fill-secondary-500" d="M178.484 10.454c0 .577.474 1.044 1.059 1.044s1.059-.467 1.059-1.044-.474-1.045-1.059-1.045-1.059.468-1.059 1.045M179.543 14.633a1.05 1.05 0 0 1-1.059-1.045c0-.577.474-1.045 1.059-1.045s1.059.468 1.059 1.045-.474 1.045-1.059 1.045M179.543 17.767a1.05 1.05 0 0 1-1.059-1.045c0-.577.474-1.045 1.059-1.045s1.059.468 1.059 1.045-.474 1.045-1.059 1.045"/></g><g clip-path="url(#c)"><rect width="154" height="205" x="16" y="24" class="tw-fill-background-alt" rx="4.918"/><path class="tw-fill-background" d="M16 24h155v27.419H16z"/><path class="tw-fill-text-main" d="m24.595 40.71-2.107-5.739h1.057l1.648 4.73 1.664-4.73h1.041l-2.107 5.738zm4.891.098q-.492 0-.828-.18a1.2 1.2 0 0 1-.492-.484 1.4 1.4 0 0 1-.155-.656q0-.394.196-.689a1.33 1.33 0 0 1 .59-.459q.395-.164.951-.164h1.025q0-.36-.074-.598a.62.62 0 0 0-.254-.353q-.18-.123-.516-.123-.32 0-.533.148a.64.64 0 0 0-.262.418h-.968q.05-.426.279-.73a1.5 1.5 0 0 1 .623-.475q.386-.165.86-.164.6 0 1 .205.41.197.616.566.213.368.213.901v2.738h-.845l-.098-.664a1.3 1.3 0 0 1-.213.303 1.4 1.4 0 0 1-.287.246q-.165.099-.377.156a1.7 1.7 0 0 1-.45.058m.213-.78q.222 0 .402-.09a.9.9 0 0 0 .32-.253q.14-.164.22-.378.083-.213.1-.45v-.05h-.886q-.279 0-.46.082-.18.074-.27.213a.6.6 0 0 0-.082.312q0 .197.082.336a.56.56 0 0 0 .23.205.76.76 0 0 0 .344.074m4.787.78q-.491 0-.844-.18a1.3 1.3 0 0 1-.549-.558q-.189-.378-.189-.926v-2.747h.984v2.615q0 .493.238.73.246.237.672.238.27 0 .492-.115a.9.9 0 0 0 .352-.36 1.15 1.15 0 0 0 .14-.591v-2.517h.983v4.312h-.868l-.074-.656q-.165.352-.508.558-.345.197-.828.197m3.43-.099v-5.902h.983v5.902zm3.966 0a1.9 1.9 0 0 1-.73-.13 1 1 0 0 1-.476-.435q-.163-.304-.163-.82v-2.107h-.746v-.82h.746l.114-1.164h.87v1.164h1.139v.82h-1.14v2.107q0 .311.131.434.131.115.46.115h.565v.836z"/><path class="tw-fill-secondary-300" d="M102.538 37.71a7.38 7.38 0 0 1 7.378-7.378h27.871a7.378 7.378 0 0 1 0 14.755h-27.871a7.38 7.38 0 0 1-7.378-7.378"/><path class="tw-fill-secondary-100" d="M149.913 37.71a7.378 7.378 0 1 1 14.755 0 7.378 7.378 0 0 1-14.755 0"/><g clip-path="url(#d)"><path class="tw-fill-background" d="M21.874 64.308a6.56 6.56 0 0 1 6.558-6.558h130.137a6.56 6.56 0 0 1 6.558 6.558v1.23a6.56 6.56 0 0 1-6.558 6.558H28.432a6.56 6.56 0 0 1-6.558-6.558z"/></g><path class="tw-fill-secondary-100" d="M22.332 84.759a3.166 3.166 0 0 1 3.166-3.166H68.78a3.166 3.166 0 0 1 0 6.332H25.498a3.166 3.166 0 0 1-3.166-3.166M22.332 97.422a6.33 6.33 0 0 1 6.332-6.331h129.673a6.33 6.33 0 0 1 6.332 6.331v9.497a6.33 6.33 0 0 1-6.332 6.332H28.664a6.33 6.33 0 0 1-6.332-6.332zM22.332 122.749a6.33 6.33 0 0 1 6.332-6.332h129.673a6.33 6.33 0 0 1 6.332 6.332v9.497a6.33 6.33 0 0 1-6.332 6.332H28.664a6.33 6.33 0 0 1-6.332-6.332zM22.332 148.075a6.33 6.33 0 0 1 6.332-6.332h129.673a6.33 6.33 0 0 1 6.332 6.332v9.497a6.33 6.33 0 0 1-6.332 6.332H28.664a6.33 6.33 0 0 1-6.332-6.332z"/><path class="tw-fill-secondary-100" d="M41.477 101.706a7.727 7.727 0 0 0-7.727-7.727h-.337a7.727 7.727 0 0 0 0 15.454h.337a7.727 7.727 0 0 0 7.727-7.727M95.974 106.13a1.994 1.994 0 0 0-1.994-1.994H46.637a1.994 1.994 0 0 0 0 3.988H93.98a1.993 1.993 0 0 0 1.994-1.994M86.31 98.591a3.303 3.303 0 0 0-3.303-3.303h-35.06a3.303 3.303 0 1 0 0 6.607h35.06a3.303 3.303 0 0 0 3.303-3.304M161.816 101.706a5.84 5.84 0 0 0-5.84-5.84h-29.987a5.84 5.84 0 0 0 0 11.681h29.987a5.84 5.84 0 0 0 5.84-5.841M41.477 127.032a7.726 7.726 0 0 0-7.727-7.726h-.337a7.726 7.726 0 1 0 0 15.453h.337a7.727 7.727 0 0 0 7.727-7.727M95.974 131.457a1.993 1.993 0 0 0-1.994-1.994H46.637a1.993 1.993 0 1 0 0 3.987H93.98a1.993 1.993 0 0 0 1.994-1.993M86.31 123.918a3.303 3.303 0 0 0-3.303-3.304h-35.06a3.303 3.303 0 0 0 0 6.607h35.06a3.303 3.303 0 0 0 3.303-3.303M161.816 127.032a5.84 5.84 0 0 0-5.84-5.84h-29.987a5.84 5.84 0 0 0 0 11.681h29.987a5.84 5.84 0 0 0 5.84-5.841M41.477 152.359a7.727 7.727 0 0 0-7.727-7.727h-.337a7.727 7.727 0 0 0 0 15.454h.337a7.727 7.727 0 0 0 7.727-7.727M95.974 156.783a1.994 1.994 0 0 0-1.994-1.994H46.637a1.994 1.994 0 0 0 0 3.988H93.98a1.994 1.994 0 0 0 1.994-1.994M86.31 149.244a3.303 3.303 0 0 0-3.303-3.303h-35.06a3.303 3.303 0 1 0 0 6.606h35.06a3.303 3.303 0 0 0 3.303-3.303M161.816 152.359a5.84 5.84 0 0 0-5.84-5.841h-29.987a5.84 5.84 0 0 0 0 11.682h29.987a5.84 5.84 0 0 0 5.84-5.841M22.332 176.567a3.166 3.166 0 0 1 3.166-3.166H68.78a3.166 3.166 0 0 1 0 6.332H25.498a3.166 3.166 0 0 1-3.166-3.166M22.332 189.23a6.33 6.33 0 0 1 6.332-6.331h129.673a6.33 6.33 0 0 1 6.332 6.331v9.498a6.33 6.33 0 0 1-6.332 6.331H28.664a6.33 6.33 0 0 1-6.332-6.331z"/><path class="tw-fill-secondary-100" d="M41.477 193.514a7.726 7.726 0 0 0-7.727-7.726h-.337a7.726 7.726 0 1 0 0 15.453h.337a7.727 7.727 0 0 0 7.727-7.727M95.974 197.938a1.993 1.993 0 0 0-1.994-1.993H46.637a1.993 1.993 0 1 0 0 3.987H93.98a1.993 1.993 0 0 0 1.994-1.994M86.31 190.4a3.303 3.303 0 0 0-3.303-3.304h-35.06a3.303 3.303 0 0 0 0 6.607h35.06a3.303 3.303 0 0 0 3.303-3.303M161.816 193.514a5.84 5.84 0 0 0-5.84-5.841h-9.038a5.842 5.842 0 0 0 0 11.682h9.038a5.84 5.84 0 0 0 5.84-5.841M22.332 214.557a6.33 6.33 0 0 1 6.332-6.332h129.673a6.33 6.33 0 0 1 6.332 6.332v9.497a6.33 6.33 0 0 1-6.332 6.332H28.664a6.33 6.33 0 0 1-6.332-6.332z"/><path class="tw-fill-secondary-100" d="M41.477 220.424a7.727 7.727 0 0 0-7.727-7.727h-.337a7.727 7.727 0 1 0 0 15.453h.337a7.726 7.726 0 0 0 7.727-7.726M95.974 224.848a1.994 1.994 0 0 0-1.994-1.994H46.637a1.994 1.994 0 0 0 0 3.988H93.98a1.994 1.994 0 0 0 1.994-1.994M86.31 217.309a3.303 3.303 0 0 0-3.303-3.304h-35.06a3.303 3.303 0 0 0 0 6.607h35.06a3.303 3.303 0 0 0 3.303-3.303M161.816 220.423a5.84 5.84 0 0 0-5.84-5.84h-9.038a5.84 5.84 0 1 0 0 11.681h9.038a5.84 5.84 0 0 0 5.84-5.841"/></g><g clip-path="url(#e)"><rect width="154" height="205" x="16" y="24" class="tw-fill-primary-700" fill-opacity=".1" rx="4.918"/><g filter="url(#f)"><g clip-path="url(#g)"><path class="tw-fill-background" d="M20.84 73.484c0-5.577 4.521-10.098 10.098-10.098h124.125c5.577 0 10.098 4.521 10.098 10.098v106.032c0 5.577-4.521 10.098-10.098 10.098H30.938c-5.577 0-10.098-4.521-10.098-10.098z"/><path class="tw-fill-primary-100" d="M36.121 75.434h30.366a5.078 5.078 0 1 1 0 10.155H36.121a5.078 5.078 0 0 1 0-10.156"/><path class="tw-stroke-primary-700" stroke-width=".21" d="M36.121 75.434h30.366a5.078 5.078 0 1 1 0 10.155H36.121a5.078 5.078 0 0 1 0-10.156Z"/><path class="tw-fill-primary-700" d="m36.214 78.64-1.161 3.371h-.703l1.464-3.889h.448zm.973 3.371-1.165-3.37-.05-.519h.45l1.47 3.889zm-.057-1.442v.531h-2.115v-.531zm1.94.932.707-2.38h.668l-1.004 2.89h-.417zm-.543-2.38.721 2.39.035.5h-.416l-1.01-2.89zm3.902 2.31v-1.378a.6.6 0 0 0-.056-.267.4.4 0 0 0-.17-.173.6.6 0 0 0-.284-.062.64.64 0 0 0-.272.054.44.44 0 0 0-.18.144.35.35 0 0 0-.063.205h-.641q0-.17.083-.33a.9.9 0 0 1 .24-.286 1.2 1.2 0 0 1 .377-.198q.22-.072.491-.072.326 0 .577.11.254.109.398.33.147.22.147.55v1.285q0 .198.026.355.03.156.083.27v.043h-.66a1.2 1.2 0 0 1-.072-.264 2 2 0 0 1-.024-.316m.094-1.177.005.397h-.462q-.18 0-.315.035a.7.7 0 0 0-.227.096.42.42 0 0 0-.182.361q0 .114.054.211a.38.38 0 0 0 .155.147q.105.053.25.053a.7.7 0 0 0 .58-.28.44.44 0 0 0 .091-.227l.209.286a1 1 0 0 1-.11.235 1.1 1.1 0 0 1-.203.24 1 1 0 0 1-.692.256q-.283 0-.505-.112a.9.9 0 0 1-.347-.307.8.8 0 0 1-.125-.44.9.9 0 0 1 .085-.407.8.8 0 0 1 .257-.299q.17-.12.416-.181.246-.064.561-.064zm1.915-1.133v2.89h-.647v-2.89zm-.69-.758a.33.33 0 0 1 .097-.243.37.37 0 0 1 .272-.1q.171 0 .27.1a.33.33 0 0 1 .099.243.32.32 0 0 1-.099.24.37.37 0 0 1-.27.096.37.37 0 0 1-.272-.096.33.33 0 0 1-.096-.24m2.084-.454v4.102h-.646v-4.102zm2.334 3.522v-1.378a.6.6 0 0 0-.056-.267.4.4 0 0 0-.17-.173.6.6 0 0 0-.284-.062.64.64 0 0 0-.272.054.44.44 0 0 0-.18.144.35.35 0 0 0-.063.205H46.5q0-.17.083-.33a.9.9 0 0 1 .24-.286q.157-.126.377-.198.219-.072.491-.072.326 0 .577.11.254.109.398.33.147.22.147.55v1.285q0 .198.026.355.03.156.083.27v.043h-.66a1.2 1.2 0 0 1-.072-.264 2 2 0 0 1-.024-.316m.094-1.177.005.397h-.462q-.18 0-.315.035a.7.7 0 0 0-.227.096.42.42 0 0 0-.182.361q0 .114.054.211a.38.38 0 0 0 .155.147q.105.053.25.053a.7.7 0 0 0 .58-.28.44.44 0 0 0 .091-.227l.208.286a1 1 0 0 1-.11.235q-.075.125-.202.24a1 1 0 0 1-.692.256q-.282 0-.505-.112a.9.9 0 0 1-.347-.307.8.8 0 0 1-.125-.44.9.9 0 0 1 .085-.407.8.8 0 0 1 .257-.299q.17-.12.416-.181.246-.064.561-.064zm1.228-2.345h.644v3.485l-.061.617h-.583zm2.53 2.63v.056q0 .32-.072.59a1.4 1.4 0 0 1-.214.465 1 1 0 0 1-.353.308q-.209.105-.483.106-.27 0-.47-.101a.94.94 0 0 1-.337-.288 1.6 1.6 0 0 1-.216-.447 3 3 0 0 1-.117-.571v-.18q.034-.315.117-.57a1.6 1.6 0 0 1 .216-.447.93.93 0 0 1 .334-.29q.201-.103.468-.102.278 0 .488.106a.96.96 0 0 1 .356.305q.141.195.21.465.073.27.073.595m-.644.056v-.056q0-.195-.032-.366a1 1 0 0 0-.107-.304.54.54 0 0 0-.197-.206.57.57 0 0 0-.308-.077.7.7 0 0 0-.293.059.6.6 0 0 0-.206.16.8.8 0 0 0-.13.235q-.047.134-.062.288v.484q.024.2.101.368.08.166.224.267.145.1.372.1.179 0 .302-.073a.53.53 0 0 0 .195-.2 1 1 0 0 0 .106-.305q.035-.173.035-.374m1.878-2.686v4.102h-.647v-4.102zm1.979 4.155a1.5 1.5 0 0 1-.58-.104 1.3 1.3 0 0 1-.438-.296 1.3 1.3 0 0 1-.275-.446 1.6 1.6 0 0 1-.096-.553v-.107q0-.338.099-.614t.275-.47q.176-.198.416-.302.24-.105.521-.104.31 0 .543.104.232.104.384.294.155.186.23.446.077.258.077.571v.275h-2.233v-.462h1.598v-.05a.9.9 0 0 0-.07-.326.55.55 0 0 0-.19-.246.57.57 0 0 0-.341-.094.566.566 0 0 0-.491.264 1 1 0 0 0-.129.31 1.7 1.7 0 0 0-.043.404v.107q0 .19.051.352.054.16.155.28t.246.19a.8.8 0 0 0 .328.067.89.89 0 0 0 .73-.358l.339.329a1.215 1.215 0 0 1-.609.462 1.5 1.5 0 0 1-.497.077m3.659-2.326v2.273h-.644v-2.89h.606zm-.115.721-.208-.002a1.9 1.9 0 0 1 .085-.564 1.4 1.4 0 0 1 .235-.44q.153-.186.363-.284a1.1 1.1 0 0 1 .47-.101q.21 0 .377.058a.7.7 0 0 1 .291.185.8.8 0 0 1 .187.334q.064.202.064.5v1.866h-.646v-1.87a.7.7 0 0 0-.062-.328.34.34 0 0 0-.173-.174.65.65 0 0 0-.28-.053.62.62 0 0 0-.519.259.9.9 0 0 0-.136.278 1.2 1.2 0 0 0-.048.336m2.398.14v-.062q0-.313.091-.58.09-.27.262-.467.173-.2.422-.31.25-.112.566-.112.318 0 .566.112.252.11.425.31.174.198.264.467.091.267.091.58v.061q0 .313-.09.58-.092.267-.265.467a1.2 1.2 0 0 1-.422.31q-.248.11-.563.11a1.4 1.4 0 0 1-.57-.11 1.2 1.2 0 0 1-.421-.31 1.4 1.4 0 0 1-.265-.467 1.8 1.8 0 0 1-.09-.58m.644-.062v.061q0 .195.04.369a1 1 0 0 0 .126.304.6.6 0 0 0 .219.206.64.64 0 0 0 .318.075.61.61 0 0 0 .528-.28 1 1 0 0 0 .126-.305q.042-.174.043-.369v-.061q0-.193-.043-.364a1 1 0 0 0-.128-.307.61.61 0 0 0-.532-.285.6.6 0 0 0-.315.077.6.6 0 0 0-.216.208 1 1 0 0 0-.126.307 1.6 1.6 0 0 0-.04.364m3.368.833.668-2.249h.411l-.112.673-.673 2.217h-.369zm-.393-2.249.521 2.26.043.63h-.411l-.783-2.89zm2.097 2.233.505-2.233h.627l-.78 2.89h-.41zm-.555-2.233.66 2.222.082.668h-.369l-.68-2.22-.113-.67z"/><path class="tw-fill-text-main" d="m33.889 92.986-1.706 5.074h-1.195l2.235-5.983h.764zm1.426 5.074L33.6 92.986l-.103-.909h.769l2.247 5.983zm-.078-2.223v.892h-3.21v-.892zm4.408 1.167v-3.39h1.093v4.446h-1.027zm.14-.92.337-.008q0 .447-.099.825a1.9 1.9 0 0 1-.308.658 1.4 1.4 0 0 1-.522.431 1.7 1.7 0 0 1-.747.152q-.33 0-.6-.09a1.2 1.2 0 0 1-.469-.292 1.4 1.4 0 0 1-.3-.513 2.4 2.4 0 0 1-.106-.76v-2.873h1.084v2.88q0 .223.05.37.053.15.143.243.095.09.218.131a1 1 0 0 0 .271.037q.395 0 .62-.156a.88.88 0 0 0 .33-.427q.098-.271.098-.608m4.019-2.47v.781h-2.548v-.78zm-1.866-1.093h1.09v4.257q0 .198.053.304.053.108.16.144a.8.8 0 0 0 .255.037q.105 0 .197-.012.09-.012.152-.025l.004.814q-.135.045-.308.074-.17.028-.382.028-.366 0-.641-.123a.9.9 0 0 1-.428-.407q-.152-.284-.152-.747zm2.289 3.361v-.086q0-.489.14-.9a2.1 2.1 0 0 1 .407-.719q.266-.304.653-.472.385-.173.88-.173.5 0 .887.173.39.168.657.472t.407.72q.14.41.14.9v.085q0 .486-.14.9a2.1 2.1 0 0 1-.407.72q-.267.303-.653.472a2.2 2.2 0 0 1-.884.168 2.2 2.2 0 0 1-.883-.168q-.39-.168-.657-.473a2.1 2.1 0 0 1-.407-.719 2.8 2.8 0 0 1-.14-.9m1.085-.086v.086q0 .292.057.547.059.255.177.448.12.193.308.304a.94.94 0 0 0 .46.107.9.9 0 0 0 .452-.107.9.9 0 0 0 .309-.304q.123-.193.18-.448a2.5 2.5 0 0 0 .058-.547v-.086q0-.288-.058-.538a1.4 1.4 0 0 0-.18-.448.86.86 0 0 0-.769-.423.85.85 0 0 0-.76.423q-.12.193-.177.448a2.4 2.4 0 0 0-.057.538m4.955-1.27v3.534h-1.085v-4.446h1.023zm-.16 1.151h-.333q0-.465.111-.855.116-.39.337-.678a1.5 1.5 0 0 1 .547-.452q.328-.16.76-.16.3 0 .55.09.25.087.432.276.184.185.283.485.099.296.099.71v2.967h-1.085v-2.856q0-.312-.09-.488a.5.5 0 0 0-.251-.247 1 1 0 0 0-.395-.074.9.9 0 0 0-.44.103.85.85 0 0 0-.3.275 1.3 1.3 0 0 0-.172.407q-.053.23-.053.497m2.704-.201-.448.082q.003-.42.115-.785.111-.37.324-.645.219-.28.539-.436.324-.16.748-.16.328 0 .591.095.267.09.456.291.189.198.288.514.102.316.103.772v2.856h-1.093V95.2q0-.324-.09-.497a.47.47 0 0 0-.251-.238 1 1 0 0 0-.387-.07.808.808 0 0 0-.674.316q-.11.148-.168.346a1.6 1.6 0 0 0-.053.419m6.139 1.64v-2.051q0-.226-.079-.39a.56.56 0 0 0-.238-.255.8.8 0 0 0-.407-.09.9.9 0 0 0-.382.073.56.56 0 0 0-.246.21.54.54 0 0 0-.087.304h-1.089q0-.276.132-.522.132-.25.374-.444.246-.197.587-.308.345-.11.773-.11.506 0 .9.172.398.168.624.51.23.34.23.858v1.94q0 .332.042.57.045.235.131.407v.07H59.11a1.6 1.6 0 0 1-.12-.427 3.4 3.4 0 0 1-.04-.518m.151-1.764.009.645h-.687q-.255 0-.447.054a.8.8 0 0 0-.317.148.6.6 0 0 0-.185.23.7.7 0 0 0 .013.596.56.56 0 0 0 .222.21q.147.073.345.073.287 0 .501-.115a1 1 0 0 0 .333-.287.6.6 0 0 0 .127-.32l.313.468a2 2 0 0 1-.173.357 1.6 1.6 0 0 1-.296.353q-.18.165-.436.272a1.5 1.5 0 0 1-.591.106q-.431 0-.773-.172a1.37 1.37 0 0 1-.538-.473 1.2 1.2 0 0 1-.197-.682q0-.353.131-.624.132-.271.39-.457.26-.188.642-.283.386-.099.883-.099zm4.023-1.738v.781h-2.547v-.78zm-1.865-1.093h1.089v4.257q0 .198.053.304.054.108.16.144a.8.8 0 0 0 .255.037q.107 0 .197-.012t.152-.025l.004.814q-.135.045-.308.074-.169.028-.382.028-.366 0-.64-.123a.9.9 0 0 1-.428-.407q-.153-.284-.152-.747zm3.739 1.093v4.446h-1.089v-4.446zm-1.163-1.163A.54.54 0 0 1 64 92.05a.63.63 0 0 1 .452-.16q.285 0 .448.16a.53.53 0 0 1 .169.402.53.53 0 0 1-.169.399.61.61 0 0 1-.448.16.63.63 0 0 1-.452-.16.53.53 0 0 1-.164-.399m4.023 4.837q.23 0 .41-.09a.7.7 0 0 0 .288-.255.7.7 0 0 0 .12-.383h1.023a1.44 1.44 0 0 1-.255.81 1.75 1.75 0 0 1-.658.567 2 2 0 0 1-.912.205 2.2 2.2 0 0 1-.895-.172 1.74 1.74 0 0 1-.637-.481 2.1 2.1 0 0 1-.379-.715 3 3 0 0 1-.123-.871v-.132q0-.465.123-.87a2.1 2.1 0 0 1 .379-.716q.255-.308.636-.48.382-.173.892-.173.538 0 .945.21.411.21.641.591.234.382.243.9h-1.023a1 1 0 0 0-.107-.427.8.8 0 0 0-.28-.304.8.8 0 0 0-.44-.115.86.86 0 0 0-.46.115.8.8 0 0 0-.283.316q-.099.198-.14.444a3.4 3.4 0 0 0-.037.51v.131q0 .27.037.518.041.246.14.444a.8.8 0 0 0 .283.308q.186.114.469.115m5.013-.173v-2.05q0-.226-.078-.39a.56.56 0 0 0-.239-.255.8.8 0 0 0-.406-.09.9.9 0 0 0-.383.073.56.56 0 0 0-.246.21.54.54 0 0 0-.086.304h-1.09q0-.276.132-.522.132-.25.374-.444.246-.197.588-.308.345-.11.772-.11.505 0 .9.172.399.168.625.51.23.34.23.858v1.94q0 .332.04.57.047.235.132.407v.07h-1.105a1.6 1.6 0 0 1-.12-.427 3.4 3.4 0 0 1-.04-.518m.152-1.763.008.645h-.686q-.255 0-.448.054a.8.8 0 0 0-.317.148.6.6 0 0 0-.184.23.7.7 0 0 0 .012.596.57.57 0 0 0 .222.21q.148.073.345.073.288 0 .501-.115a1 1 0 0 0 .333-.287.6.6 0 0 0 .127-.32l.313.468a2 2 0 0 1-.173.357 1.6 1.6 0 0 1-.296.353q-.18.165-.435.272-.255.105-.592.106-.431 0-.772-.172a1.37 1.37 0 0 1-.539-.473 1.2 1.2 0 0 1-.197-.682q0-.353.132-.624.13-.271.39-.457.258-.188.64-.283.387-.099.884-.099zm3.07-3.603v6.311h-1.09V91.75zm2.185 0v6.311H77.19V91.75zm2.338 5.818 1.192-3.953h1.163l-1.784 5.12q-.06.165-.16.358-.094.192-.255.365a1.2 1.2 0 0 1-.402.288q-.239.11-.58.11-.147 0-.263-.02a3 3 0 0 1-.242-.053v-.814a1 1 0 0 0 .094.004q.059.005.099.005.238 0 .395-.058a.5.5 0 0 0 .25-.177 1 1 0 0 0 .164-.312zm-.587-3.953 1.006 3.275.177 1.147-.748.135-1.606-4.557zm7.388 3.674q.23 0 .41-.09a.7.7 0 0 0 .288-.255.7.7 0 0 0 .12-.383h1.022a1.44 1.44 0 0 1-.254.81 1.75 1.75 0 0 1-.658.567 2 2 0 0 1-.912.205 2.2 2.2 0 0 1-.896-.172 1.74 1.74 0 0 1-.637-.481 2.1 2.1 0 0 1-.378-.715 3 3 0 0 1-.123-.871v-.132q0-.465.123-.87a2.1 2.1 0 0 1 .378-.716q.255-.308.637-.48.382-.173.892-.173.539 0 .945.21.411.21.641.591.234.382.242.9h-1.023a1 1 0 0 0-.107-.427.8.8 0 0 0-.279-.304.8.8 0 0 0-.44-.115.86.86 0 0 0-.46.115.8.8 0 0 0-.283.316q-.1.198-.14.444a3.4 3.4 0 0 0-.037.51v.131q0 .27.037.518.04.246.14.444a.8.8 0 0 0 .283.308q.185.114.469.115m2.37-1.406v-.086q0-.489.14-.9a2.1 2.1 0 0 1 .407-.719q.267-.304.653-.472.386-.173.88-.173.501 0 .887.173.39.168.658.472.267.304.406.72.14.41.14.9v.085q0 .486-.14.9a2.1 2.1 0 0 1-.406.72q-.267.303-.654.472a2.2 2.2 0 0 1-.883.168 2.2 2.2 0 0 1-.884-.168q-.39-.168-.657-.473a2.1 2.1 0 0 1-.407-.719 2.8 2.8 0 0 1-.14-.9m1.085-.086v.086q0 .292.058.547.057.255.176.448.12.193.309.304a.94.94 0 0 0 .46.107.9.9 0 0 0 .452-.107.9.9 0 0 0 .308-.304q.123-.193.18-.448.059-.255.058-.547v-.086a2.4 2.4 0 0 0-.057-.538 1.4 1.4 0 0 0-.181-.448.86.86 0 0 0-.768-.423.85.85 0 0 0-.76.423q-.12.193-.177.448a2.4 2.4 0 0 0-.058.538m4.94-1.233v3.497h-1.085v-4.446h1.019zm-.173 1.114h-.32a3 3 0 0 1 .13-.88q.129-.393.358-.677.234-.285.555-.436.32-.152.715-.152.32 0 .58.09.258.09.443.288.189.197.288.518.102.316.102.78v2.852h-1.093V95.2q0-.304-.09-.48a.5.5 0 0 0-.255-.251 1 1 0 0 0-.407-.074.9.9 0 0 0-.44.103.9.9 0 0 0-.312.275 1.4 1.4 0 0 0-.189.407q-.065.23-.065.497m5.181 2.383h-1.093v-4.692q0-.55.222-.929.226-.382.645-.58.423-.196 1.007-.197.34 0 .657.07.32.066.658.173l-.161.88a7 7 0 0 0-.476-.132 2.6 2.6 0 0 0-.604-.062q-.432 0-.645.197-.21.198-.21.58zm.888-4.446v.781h-2.65v-.78zm1.717 0v4.446h-1.089v-4.446zm2.137.908v3.538h-1.085v-4.446h1.027zm1.352-.937-.017 1.011a2.894 2.894 0 0 0-.415-.033q-.25 0-.439.07a.8.8 0 0 0-.317.193.9.9 0 0 0-.189.313 1.4 1.4 0 0 0-.074.41l-.234-.028q0-.423.086-.785.087-.361.251-.633.165-.27.411-.419.25-.152.575-.152.09 0 .193.017.108.012.169.036m1.676.941v3.534h-1.085v-4.446h1.024zm-.16 1.151h-.333q0-.465.111-.855.115-.39.337-.678.222-.291.547-.452.328-.16.76-.16.3 0 .55.09.25.087.432.276.185.185.283.485.099.296.099.71v2.967h-1.085v-2.856q0-.312-.09-.488a.5.5 0 0 0-.251-.247 1 1 0 0 0-.394-.074.84.84 0 0 0-.74.378 1.3 1.3 0 0 0-.173.407q-.053.23-.053.497m2.704-.201-.448.082q.004-.42.115-.785.111-.37.324-.645a1.5 1.5 0 0 1 .539-.436q.324-.16.748-.16.329 0 .591.095.267.09.456.291.189.198.288.514.102.316.103.772v2.856h-1.093V95.2q0-.324-.091-.497a.47.47 0 0 0-.25-.238 1 1 0 0 0-.387-.07.85.85 0 0 0-.394.086.8.8 0 0 0-.279.23 1.1 1.1 0 0 0-.169.346 1.6 1.6 0 0 0-.053.419m6.849-.913v3.497h-1.084v-4.446h1.019zm-.172 1.114h-.321a3 3 0 0 1 .132-.88q.127-.393.357-.677.234-.285.555-.436.32-.152.715-.152.321 0 .579.09.26.09.444.288.189.197.288.518.102.316.102.78v2.852h-1.093V95.2q0-.304-.09-.48a.5.5 0 0 0-.255-.251 1 1 0 0 0-.406-.074.9.9 0 0 0-.44.103.9.9 0 0 0-.312.275 1.3 1.3 0 0 0-.189.407q-.066.23-.066.497m5.806 2.465q-.506 0-.908-.164a2 2 0 0 1-.686-.456 2.1 2.1 0 0 1-.432-.686 2.4 2.4 0 0 1-.148-.847v-.164q0-.514.148-.933a2.1 2.1 0 0 1 .419-.727q.271-.304.649-.469t.835-.164q.473 0 .834.16.361.156.604.444.242.288.365.69.124.399.124.884v.456h-3.485v-.748h2.416v-.082a1.3 1.3 0 0 0-.098-.473.76.76 0 0 0-.28-.345.84.84 0 0 0-.489-.131.8.8 0 0 0-.423.107.85.85 0 0 0-.296.295 1.5 1.5 0 0 0-.172.452q-.058.264-.058.584v.164q0 .28.074.518.078.238.226.415.152.172.362.271.213.095.485.095.34 0 .616-.132.28-.135.485-.398l.546.567a1.926 1.926 0 0 1-.945.703 2.4 2.4 0 0 1-.768.114m3.768-1.15.974-3.378h.69l-.206 1.167-.982 3.28h-.595zm-.539-3.378.732 3.386.066 1.06h-.687l-1.167-4.446zm3.107 3.337.715-3.337h1.052l-1.159 4.446h-.686zm-.797-3.337.965 3.345.128 1.101h-.596l-.99-3.279-.202-1.167zm7.947 3.39v-3.39h1.093v4.446h-1.028zm.139-.92.337-.008q0 .447-.098.825a1.9 1.9 0 0 1-.309.658 1.44 1.44 0 0 1-.521.431 1.7 1.7 0 0 1-.748.152q-.328 0-.6-.09a1.2 1.2 0 0 1-.469-.292 1.4 1.4 0 0 1-.3-.513 2.4 2.4 0 0 1-.106-.76v-2.873h1.084v2.88q0 .223.05.37.053.15.143.243.095.09.218.131a1 1 0 0 0 .271.037q.395 0 .621-.156a.9.9 0 0 0 .329-.427q.098-.271.098-.608m4.36.76a.44.44 0 0 0-.074-.25q-.074-.112-.279-.202a3 3 0 0 0-.592-.177q-.346-.074-.637-.185a2 2 0 0 1-.501-.267 1.2 1.2 0 0 1-.329-.374 1.05 1.05 0 0 1-.115-.501q0-.275.119-.518.119-.246.345-.431.226-.19.551-.296.324-.11.731-.11.567-.001.974.184.41.184.629.51.217.32.217.723h-1.084a.63.63 0 0 0-.083-.32.56.56 0 0 0-.242-.23.86.86 0 0 0-.415-.091.9.9 0 0 0-.382.074.56.56 0 0 0-.23.193.47.47 0 0 0-.078.263q0 .106.041.193.045.082.144.152.097.07.267.127.173.058.423.111.497.1.867.263.374.161.583.427.21.268.21.683 0 .296-.127.542a1.3 1.3 0 0 1-.37.423q-.243.18-.58.284a2.7 2.7 0 0 1-.76.098q-.612 0-1.035-.217a1.66 1.66 0 0 1-.641-.56 1.3 1.3 0 0 1-.218-.706h1.04q.012.259.139.415t.321.226q.197.066.415.066.246 0 .415-.066a.6.6 0 0 0 .255-.185.45.45 0 0 0 .086-.271m3.883 1.298q-.506 0-.908-.164a2 2 0 0 1-.686-.456 2.1 2.1 0 0 1-.432-.686 2.4 2.4 0 0 1-.148-.847v-.164q0-.514.148-.933a2.1 2.1 0 0 1 .419-.727q.271-.304.649-.469.379-.165.835-.164.472 0 .834.16.361.156.604.444.242.288.365.69.124.399.124.884v.456h-3.485v-.748h2.416v-.082a1.3 1.3 0 0 0-.098-.473.76.76 0 0 0-.28-.345.84.84 0 0 0-.489-.131.8.8 0 0 0-.423.107.85.85 0 0 0-.296.295 1.5 1.5 0 0 0-.172.452q-.058.264-.058.584v.164q0 .28.074.518.078.238.226.415.152.172.362.271.213.095.485.095.34 0 .616-.132.28-.135.485-.398l.546.567a1.926 1.926 0 0 1-.945.703 2.4 2.4 0 0 1-.768.114m3.616-3.62v3.538h-1.085v-4.446h1.027zm1.352-.937-.017 1.011a2.894 2.894 0 0 0-.415-.033q-.25 0-.439.07a.8.8 0 0 0-.317.193.9.9 0 0 0-.189.313 1.4 1.4 0 0 0-.074.41l-.234-.028q0-.423.086-.785.086-.361.251-.633.164-.27.411-.419.25-.152.575-.152.09 0 .193.017.107.012.169.036m3.04 3.259a.44.44 0 0 0-.074-.25q-.073-.112-.279-.202a3 3 0 0 0-.592-.177q-.345-.074-.637-.185a2 2 0 0 1-.501-.267 1.2 1.2 0 0 1-.329-.374 1.07 1.07 0 0 1-.115-.501q0-.275.119-.518a1.3 1.3 0 0 1 .346-.431q.226-.19.55-.296.325-.11.732-.11.567-.001.973.184.411.184.629.51.218.32.218.723h-1.085a.63.63 0 0 0-.082-.32.56.56 0 0 0-.243-.23.85.85 0 0 0-.415-.091.9.9 0 0 0-.382.074.56.56 0 0 0-.23.193.47.47 0 0 0-.037.456q.045.082.144.152t.267.127q.172.058.423.111.498.1.867.263.375.161.584.427.21.268.209.683 0 .296-.127.542a1.25 1.25 0 0 1-.37.423q-.242.18-.579.284a2.7 2.7 0 0 1-.76.098q-.612 0-1.036-.217a1.66 1.66 0 0 1-.641-.56 1.3 1.3 0 0 1-.218-.706h1.04q.012.259.14.415a.7.7 0 0 0 .32.226q.198.066.415.066.247 0 .415-.066a.6.6 0 0 0 .255-.185.45.45 0 0 0 .086-.271M34.646 104.555v4.188h-.558l-2.108-3.23v3.23h-.555v-4.188h.555l2.117 3.239v-3.239zm2.195 4.246q-.326 0-.59-.11a1.3 1.3 0 0 1-.452-.313 1.4 1.4 0 0 1-.287-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.111-.676.113-.3.305-.507.193-.207.437-.313.245-.107.507-.107.333 0 .575.116.244.114.4.322.155.204.23.483.075.276.075.604v.239h-2.325v-.435h1.792v-.04a1.3 1.3 0 0 0-.086-.403.73.73 0 0 0-.23-.322q-.159-.126-.431-.126a.71.71 0 0 0-.595.302 1.1 1.1 0 0 0-.17.365q-.06.216-.06.498v.12q0 .222.06.417.063.193.18.34.121.147.291.23a.9.9 0 0 0 .391.083.9.9 0 0 0 .478-.115q.195-.114.342-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.382.224 1.5 1.5 0 0 1-.532.087m2.62-.61.8-2.56h.35l-.069.509-.814 2.603h-.342zm-.538-2.56.682 2.589.049.523h-.36l-.903-3.112zm2.454 2.569.65-2.569h.529l-.903 3.112h-.357zm-.688-2.569.782 2.517.09.595h-.34l-.837-2.609-.069-.503zm5.779 2.393v-2.393h.535v3.112h-.51zm.1-.656.222-.005q0 .31-.066.575a1.2 1.2 0 0 1-.207.454 1 1 0 0 1-.377.302 1.4 1.4 0 0 1-.567.107q-.227 0-.417-.066a.85.85 0 0 1-.532-.564 1.7 1.7 0 0 1-.072-.532v-2.008h.532v2.013q0 .21.046.348a.6.6 0 0 0 .13.216.5.5 0 0 0 .184.109q.104.032.212.032.34 0 .538-.129a.74.74 0 0 0 .285-.354q.09-.225.09-.498m3.058.55a.45.45 0 0 0-.052-.213.44.44 0 0 0-.204-.181 1.7 1.7 0 0 0-.46-.144 4 4 0 0 1-.47-.13 1.4 1.4 0 0 1-.353-.181.8.8 0 0 1-.222-.25.785.785 0 0 1 .003-.685.9.9 0 0 1 .233-.29q.153-.127.366-.199t.474-.072q.374 0 .639.133a1 1 0 0 1 .405.354q.141.218.141.486h-.532a.46.46 0 0 0-.078-.251.6.6 0 0 0-.221-.204.7.7 0 0 0-.354-.08.8.8 0 0 0-.36.069.46.46 0 0 0-.198.169.43.43 0 0 0-.031.374.34.34 0 0 0 .109.124 1 1 0 0 0 .218.104q.141.049.36.097.382.087.63.207.248.121.368.297t.12.425a.837.837 0 0 1-.33.668q-.158.12-.38.19a1.7 1.7 0 0 1-.491.066q-.412 0-.697-.147a1.1 1.1 0 0 1-.43-.38.9.9 0 0 1-.148-.492h.535q.012.219.127.349.115.126.282.181.166.051.33.051.219 0 .366-.057a.5.5 0 0 0 .227-.158.37.37 0 0 0 .078-.23m2.522.883q-.324 0-.59-.11a1.3 1.3 0 0 1-.45-.313 1.4 1.4 0 0 1-.289-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.112-.676.112-.3.305-.507.192-.207.437-.313t.506-.107q.334 0 .575.116.245.114.4.322.156.204.23.483.075.276.075.604v.239h-2.324v-.435h1.792v-.04a1.3 1.3 0 0 0-.086-.403.73.73 0 0 0-.23-.322q-.159-.126-.432-.126a.712.712 0 0 0-.595.302q-.11.149-.17.365t-.06.498v.12q0 .222.06.417.064.193.181.34a.9.9 0 0 0 .29.23.9.9 0 0 0 .392.083.9.9 0 0 0 .477-.115q.195-.114.343-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.383.224 1.5 1.5 0 0 1-.532.087m2.365-2.681v2.623h-.532v-3.112h.517zm.972-.506-.003.494a1.289 1.289 0 0 0-.259-.023.9.9 0 0 0-.325.058.7.7 0 0 0-.239.161.8.8 0 0 0-.155.247 1.2 1.2 0 0 0-.072.311l-.15.086q0-.282.055-.529.057-.248.176-.437a.85.85 0 0 1 .299-.299.84.84 0 0 1 .673-.069m2.304 2.304a.45.45 0 0 0-.052-.213.44.44 0 0 0-.204-.181 1.7 1.7 0 0 0-.46-.144 4 4 0 0 1-.47-.13 1.4 1.4 0 0 1-.353-.181.8.8 0 0 1-.222-.25.783.783 0 0 1 .003-.685.9.9 0 0 1 .233-.29q.153-.127.365-.199.213-.072.475-.072.374 0 .639.133a1 1 0 0 1 .405.354.87.87 0 0 1 .141.486h-.532a.46.46 0 0 0-.078-.251.6.6 0 0 0-.221-.204.7.7 0 0 0-.354-.08.8.8 0 0 0-.36.069.46.46 0 0 0-.198.169.43.43 0 0 0-.032.374.34.34 0 0 0 .11.124 1 1 0 0 0 .218.104q.141.049.36.097.383.087.63.207.248.121.368.297t.12.425a.837.837 0 0 1-.33.668q-.158.12-.38.19a1.7 1.7 0 0 1-.492.066q-.411 0-.696-.147a1.1 1.1 0 0 1-.431-.38.9.9 0 0 1-.147-.492h.535q.012.219.127.349.115.126.282.181.166.051.33.051.219 0 .366-.057a.5.5 0 0 0 .227-.158.37.37 0 0 0 .078-.23m3.48.273.8-2.56h.35l-.069.509-.814 2.603h-.342zm-.538-2.56.682 2.589.049.523h-.36l-.903-3.112zm2.454 2.569.65-2.569h.529l-.903 3.112h-.357zm-.688-2.569.782 2.517.09.595h-.34l-.837-2.609-.069-.503zm2.992 0v3.112h-.535v-3.112zm-.576-.825a.32.32 0 0 1 .078-.219q.08-.09.236-.089.153 0 .233.089a.3.3 0 0 1 .083.219.3.3 0 0 1-.083.212q-.081.087-.233.087-.155 0-.236-.087a.3.3 0 0 1-.078-.212m2.008-.481v4.418h-.535v-4.418zm1.432 0v4.418h-.535v-4.418zm2.313 0h.535v3.814l-.046.604h-.49zm2.637 2.836v.061q0 .339-.08.63a1.6 1.6 0 0 1-.236.5q-.155.213-.38.331-.224.118-.514.118-.296 0-.521-.101a1 1 0 0 1-.374-.296 1.5 1.5 0 0 1-.244-.466q-.09-.273-.124-.616v-.264a3 3 0 0 1 .124-.619 1.5 1.5 0 0 1 .244-.466 1 1 0 0 1 .374-.296q.221-.104.515-.104.293 0 .52.116.228.112.38.322.155.21.236.503.08.29.08.647m-.535.061v-.061a2 2 0 0 0-.043-.437 1.1 1.1 0 0 0-.138-.362.69.69 0 0 0-.633-.34.8.8 0 0 0-.35.069.8.8 0 0 0-.25.187 1 1 0 0 0-.17.265 1.5 1.5 0 0 0-.095.305v.693q.045.201.15.388a.9.9 0 0 0 .281.302.8.8 0 0 0 .44.118.74.74 0 0 0 .368-.086.7.7 0 0 0 .25-.245q.099-.155.144-.359.046-.204.046-.437m2.5 1.579q-.325 0-.59-.11a1.3 1.3 0 0 1-.451-.313 1.4 1.4 0 0 1-.288-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.112-.676.111-.3.305-.507.192-.207.437-.313.244-.107.506-.107.333 0 .575.116.244.114.4.322.155.204.23.483.075.276.075.604v.239h-2.324v-.435h1.792v-.04a1.3 1.3 0 0 0-.087-.403.73.73 0 0 0-.23-.322q-.158-.126-.431-.126a.71.71 0 0 0-.595.302 1.1 1.1 0 0 0-.17.365q-.06.216-.06.498v.12q0 .222.06.417.063.193.181.34.12.147.29.23a.9.9 0 0 0 .392.083.9.9 0 0 0 .477-.115q.196-.114.342-.307l.323.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.383.224 1.5 1.5 0 0 1-.532.087m5.128-.59v-1.602a.65.65 0 0 0-.074-.319.5.5 0 0 0-.219-.213.8.8 0 0 0-.362-.075.85.85 0 0 0-.354.069.6.6 0 0 0-.236.181.4.4 0 0 0-.084.242h-.532q0-.167.087-.331a1 1 0 0 1 .247-.296q.165-.135.391-.213.23-.081.512-.081.34 0 .599.116.261.114.408.348.15.23.15.578v1.449q0 .156.025.331.03.176.084.302v.046h-.555a1 1 0 0 1-.064-.244 2 2 0 0 1-.023-.288m.092-1.355.006.374h-.538a2 2 0 0 0-.405.038.9.9 0 0 0-.3.106.482.482 0 0 0-.247.431.55.55 0 0 0 .066.268.5.5 0 0 0 .199.193q.135.069.33.069a.894.894 0 0 0 .728-.357.54.54 0 0 0 .121-.29l.227.256a.8.8 0 0 1-.109.267 1.27 1.27 0 0 1-.59.503 1.1 1.1 0 0 1-.454.087q-.317 0-.555-.124a.95.95 0 0 1-.368-.331.9.9 0 0 1-.13-.469q0-.25.098-.44a.85.85 0 0 1 .282-.319q.184-.129.443-.196.258-.066.578-.066zm3.182 1.168v-2.393h.535v3.112h-.51zm.1-.656.222-.005q0 .31-.066.575a1.2 1.2 0 0 1-.207.454 1 1 0 0 1-.377.302 1.4 1.4 0 0 1-.567.107q-.227 0-.417-.066a.85.85 0 0 1-.532-.564 1.7 1.7 0 0 1-.072-.532v-2.008h.532v2.013q0 .21.046.348a.6.6 0 0 0 .13.216.5.5 0 0 0 .184.109q.103.032.213.032.339 0 .537-.129a.74.74 0 0 0 .285-.354q.09-.225.09-.498m2.549-1.737v.408h-1.683v-.408zm-1.114-.756h.533v3.097q0 .159.049.239a.23.23 0 0 0 .126.106.5.5 0 0 0 .167.026q.066 0 .138-.011l.112-.023.003.434a1 1 0 0 1-.167.038q-.1.02-.244.02a.8.8 0 0 1-.36-.078.58.58 0 0 1-.262-.259 1.1 1.1 0 0 1-.094-.495zm1.54 2.347v-.067q0-.336.097-.624a1.5 1.5 0 0 1 .282-.503 1.3 1.3 0 0 1 .446-.334q.261-.12.587-.121.327 0 .59.121.264.118.448.334.188.213.285.503.097.288.097.624v.067q0 .336-.097.624-.098.287-.285.503a1.3 1.3 0 0 1-.446.334 1.4 1.4 0 0 1-.587.118 1.4 1.4 0 0 1-.59-.118 1.3 1.3 0 0 1-.448-.334 1.5 1.5 0 0 1-.282-.503 2 2 0 0 1-.098-.624m.531-.067v.067q0 .233.055.44.055.204.164.362a.8.8 0 0 0 .28.25q.166.09.387.089a.8.8 0 0 0 .383-.089.8.8 0 0 0 .276-.25q.109-.158.164-.362a1.6 1.6 0 0 0 .058-.44v-.067q0-.23-.058-.434a1.1 1.1 0 0 0-.167-.365.768.768 0 0 0-.662-.345.8.8 0 0 0-.385.092.8.8 0 0 0-.276.253 1.2 1.2 0 0 0-.164.365 1.7 1.7 0 0 0-.055.434m3.498-.906v2.494h-.535v-3.112h.506zm-.11.82-.247-.008q.003-.32.084-.59.08-.273.239-.475.157-.2.394-.31.236-.113.546-.113.219 0 .403.064a.81.81 0 0 1 .529.532q.075.207.075.5v2.074h-.532v-2.048a.8.8 0 0 0-.084-.391.48.48 0 0 0-.23-.213.8.8 0 0 0-.35-.069.83.83 0 0 0-.395.084.66.66 0 0 0-.253.23q-.095.146-.138.336-.04.187-.04.397m2.017-.293-.357.109q.003-.257.084-.492.083-.236.239-.42.157-.183.388-.29.23-.11.526-.11.25 0 .443.067a.8.8 0 0 1 .328.204q.135.135.204.348.07.213.07.506v2.045h-.536v-2.051a.8.8 0 0 0-.083-.405.43.43 0 0 0-.23-.204.9.9 0 0 0-.351-.061q-.175 0-.31.061a.6.6 0 0 0-.228.166.7.7 0 0 0-.141.239.9.9 0 0 0-.046.288m4.565 1.435v-1.602a.65.65 0 0 0-.075-.319.5.5 0 0 0-.219-.213.8.8 0 0 0-.362-.075.85.85 0 0 0-.354.069.6.6 0 0 0-.236.181.4.4 0 0 0-.083.242h-.532q0-.167.086-.331a1 1 0 0 1 .247-.296q.165-.135.392-.213.23-.081.511-.081.34 0 .599.116.261.114.408.348.15.23.15.578v1.449q0 .156.026.331.029.176.083.302v.046h-.555a1 1 0 0 1-.063-.244 2 2 0 0 1-.023-.288m.092-1.355.006.374h-.538q-.228 0-.406.038a.9.9 0 0 0-.3.106.482.482 0 0 0-.247.431.55.55 0 0 0 .067.268.5.5 0 0 0 .198.193q.135.069.331.069a.895.895 0 0 0 .728-.357.54.54 0 0 0 .12-.29l.228.256a.8.8 0 0 1-.11.267 1.27 1.27 0 0 1-.59.503 1.1 1.1 0 0 1-.454.087q-.316 0-.555-.124a.95.95 0 0 1-.368-.331.9.9 0 0 1-.13-.469q0-.25.098-.44a.85.85 0 0 1 .282-.319q.184-.129.443-.196.259-.066.578-.066zm2.58-1.225v.408h-1.683v-.408zm-1.113-.756h.532v3.097q0 .159.049.239a.23.23 0 0 0 .126.106.5.5 0 0 0 .167.026q.066 0 .138-.011l.112-.023.003.434a1 1 0 0 1-.167.038q-.1.02-.244.02a.8.8 0 0 1-.36-.078.58.58 0 0 1-.261-.259 1.1 1.1 0 0 1-.095-.495zm2.315.756v3.112h-.535v-3.112zm-.575-.825q0-.13.077-.219.081-.09.236-.089.153 0 .233.089a.3.3 0 0 1 .084.219.3.3 0 0 1-.084.212q-.08.087-.233.087-.155 0-.236-.087a.31.31 0 0 1-.077-.212m2.675 3.557a.8.8 0 0 0 .351-.077.7.7 0 0 0 .264-.213.6.6 0 0 0 .118-.314h.506a.94.94 0 0 1-.187.515 1.3 1.3 0 0 1-.445.383 1.3 1.3 0 0 1-.607.144 1.4 1.4 0 0 1-.613-.124 1.2 1.2 0 0 1-.431-.339 1.5 1.5 0 0 1-.256-.495 2 2 0 0 1-.084-.596v-.12q0-.314.084-.593.086-.282.256-.497.173-.216.431-.34a1.4 1.4 0 0 1 .613-.124q.365 0 .638.15.273.147.429.403.158.252.172.575h-.506a.8.8 0 0 0-.109-.348.7.7 0 0 0-.253-.247.7.7 0 0 0-.371-.095q-.244 0-.412.097a.7.7 0 0 0-.261.259q-.096.162-.138.36-.04.196-.041.4v.12q0 .205.041.403.04.198.135.36a.76.76 0 0 0 .262.259.83.83 0 0 0 .414.094m3.673-.152v-1.602a.65.65 0 0 0-.075-.319.5.5 0 0 0-.219-.213.8.8 0 0 0-.362-.075.85.85 0 0 0-.354.069.63.63 0 0 0-.236.181.4.4 0 0 0-.083.242h-.532a.7.7 0 0 1 .086-.331 1 1 0 0 1 .247-.296q.164-.135.392-.213.23-.081.512-.081.339 0 .598.116a.9.9 0 0 1 .408.348q.15.23.15.578v1.449q0 .156.026.331a1.3 1.3 0 0 0 .083.302v.046h-.555a1 1 0 0 1-.063-.244 2 2 0 0 1-.023-.288m.092-1.355.006.374h-.538a2 2 0 0 0-.406.038 1 1 0 0 0-.299.106.484.484 0 0 0-.247.431q0 .147.066.268t.198.193q.135.069.331.069a.9.9 0 0 0 .728-.357.55.55 0 0 0 .121-.29l.227.256a.8.8 0 0 1-.11.267 1.27 1.27 0 0 1-.589.503 1.1 1.1 0 0 1-.455.087q-.317 0-.555-.124a.95.95 0 0 1-.368-.331.9.9 0 0 1-.129-.469q0-.25.097-.44a.86.86 0 0 1 .282-.319q.185-.129.443-.196.26-.066.578-.066zm1.855-2.531v4.418h-.535v-4.418zm1.432 0v4.418h-.535v-4.418zm1.729 4.096.866-2.79h.569l-1.248 3.593a2 2 0 0 1-.115.247q-.069.135-.178.256a.84.84 0 0 1-.791.256 2 2 0 0 1-.138-.029l-.003-.431.072.005.072.006q.18 0 .307-.049a.45.45 0 0 0 .213-.158 1 1 0 0 0 .153-.302zm-.636-2.79.809 2.416.138.561-.383.196-1.145-3.173zm5.258 2.732a.8.8 0 0 0 .351-.077.7.7 0 0 0 .265-.213.6.6 0 0 0 .118-.314h.506a.95.95 0 0 1-.187.515 1.291 1.291 0 0 1-1.053.527q-.351 0-.612-.124a1.2 1.2 0 0 1-.432-.339 1.5 1.5 0 0 1-.256-.495 2.1 2.1 0 0 1-.083-.596v-.12q0-.314.083-.593.087-.282.256-.497.172-.216.432-.34.261-.123.612-.124.366 0 .639.15.273.147.428.403.158.252.173.575h-.506a.8.8 0 0 0-.11-.348.67.67 0 0 0-.253-.247.7.7 0 0 0-.371-.095q-.244 0-.411.097a.73.73 0 0 0-.262.259 1.2 1.2 0 0 0-.138.36q-.04.196-.04.4v.12q0 .205.04.403t.135.36a.8.8 0 0 0 .262.259.83.83 0 0 0 .414.094m1.697-1.141v-.067q0-.336.098-.624.098-.29.282-.503a1.3 1.3 0 0 1 .446-.334q.261-.12.587-.121.328 0 .589.121.265.118.449.334.187.213.285.503.097.288.097.624v.067q0 .336-.097.624a1.5 1.5 0 0 1-.285.503 1.3 1.3 0 0 1-1.033.452q-.328 0-.589-.118a1.3 1.3 0 0 1-.449-.334 1.5 1.5 0 0 1-.282-.503 2 2 0 0 1-.098-.624m.532-.067v.067q0 .233.055.44.055.204.164.362a.8.8 0 0 0 .279.25q.167.09.388.089a.8.8 0 0 0 .383-.089.8.8 0 0 0 .276-.25 1.1 1.1 0 0 0 .164-.362q.057-.207.057-.44v-.067q0-.23-.057-.434a1.1 1.1 0 0 0-.167-.365.767.767 0 0 0-.661-.345.8.8 0 0 0-.386.092.8.8 0 0 0-.276.253 1.2 1.2 0 0 0-.164.365 1.7 1.7 0 0 0-.055.434m3.501-.86v2.448h-.532v-3.112h.503zm-.127.774-.221-.008q.002-.32.095-.59.091-.273.259-.475.166-.2.397-.31.232-.113.514-.113.23 0 .415.064.183.06.313.195.132.135.201.351.069.213.069.521v2.039h-.534v-2.045a.9.9 0 0 0-.072-.391.44.44 0 0 0-.21-.216.76.76 0 0 0-.34-.069.8.8 0 0 0-.362.084.84.84 0 0 0-.279.23q-.115.146-.181.336a1.2 1.2 0 0 0-.064.397m3.561 1.674h-.532v-3.382q0-.354.138-.599a.9.9 0 0 1 .394-.371q.256-.126.607-.126.207 0 .406.052.198.048.408.123l-.089.449a3 3 0 0 0-.308-.098 1.4 1.4 0 0 0-.38-.049q-.342 0-.494.156-.15.152-.15.463zm.636-3.112v.408h-1.66v-.408zm1.047 0v3.112h-.532v-3.112zm1.406.489v2.623h-.532v-3.112h.518zm.973-.506-.003.494a1.277 1.277 0 0 0-.259-.023.9.9 0 0 0-.325.058.7.7 0 0 0-.239.161.8.8 0 0 0-.155.247 1.2 1.2 0 0 0-.072.311l-.15.086q0-.282.055-.529.058-.248.175-.437a.86.86 0 0 1 .299-.299.84.84 0 0 1 .674-.069m1.021.635v2.494h-.535v-3.112h.506zm-.11.82-.247-.008q.003-.32.083-.59.081-.273.239-.475.159-.2.394-.31.236-.113.547-.113.218 0 .402.064a.82.82 0 0 1 .53.532q.074.207.074.5v2.074h-.532v-2.048a.8.8 0 0 0-.083-.391.48.48 0 0 0-.23-.213.8.8 0 0 0-.351-.069.83.83 0 0 0-.394.084.65.65 0 0 0-.253.23 1 1 0 0 0-.138.336 2 2 0 0 0-.041.397m2.017-.293-.357.109q.003-.257.083-.492a1.4 1.4 0 0 1 .239-.42q.159-.183.388-.29.23-.11.527-.11.25 0 .443.067.195.066.328.204.135.135.204.348t.069.506v2.045h-.535v-2.051a.8.8 0 0 0-.084-.405.43.43 0 0 0-.23-.204.9.9 0 0 0-.351-.061.7.7 0 0 0-.31.061.6.6 0 0 0-.227.166.7.7 0 0 0-.141.239.9.9 0 0 0-.046.288m4.021 2.025q-.326 0-.59-.11a1.3 1.3 0 0 1-.452-.313 1.4 1.4 0 0 1-.287-.478 1.8 1.8 0 0 1-.101-.604v-.12q0-.38.112-.676.113-.3.305-.507a1.3 1.3 0 0 1 .437-.313q.245-.107.507-.107.333 0 .575.116.244.114.4.322.155.204.23.483.075.276.075.604v.239h-2.324v-.435h1.791v-.04a1.3 1.3 0 0 0-.086-.403.73.73 0 0 0-.23-.322q-.158-.126-.431-.126a.71.71 0 0 0-.596.302 1.1 1.1 0 0 0-.169.365q-.061.216-.061.498v.12q0 .222.061.417.063.193.181.34.12.147.29.23a.9.9 0 0 0 .391.083.93.93 0 0 0 .478-.115q.195-.114.342-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.382.224q-.225.087-.532.087m3.793-.662v-3.814h.535v4.418h-.489zm-2.093-.917v-.061q0-.356.086-.647a1.6 1.6 0 0 1 .25-.503q.164-.21.388-.322.228-.116.507-.116.293 0 .512.104a1 1 0 0 1 .373.296q.156.193.245.466.089.274.124.619v.264a2.7 2.7 0 0 1-.124.616 1.4 1.4 0 0 1-.245.466 1 1 0 0 1-.373.296 1.25 1.25 0 0 1-.518.101 1.08 1.08 0 0 1-.889-.449 1.6 1.6 0 0 1-.25-.5 2.2 2.2 0 0 1-.086-.63m.535-.061v.061q0 .233.046.437.048.204.149.359a.75.75 0 0 0 .256.245.76.76 0 0 0 .371.086.77.77 0 0 0 .434-.112.84.84 0 0 0 .277-.296q.103-.184.161-.4v-.693a1.5 1.5 0 0 0-.101-.305 1 1 0 0 0-.167-.265.7.7 0 0 0-.25-.187.8.8 0 0 0-.348-.069.74.74 0 0 0-.377.092.74.74 0 0 0-.256.248 1.1 1.1 0 0 0-.149.362 2 2 0 0 0-.046.437m-106.9 10.03.799-2.56h.35l-.068.509-.814 2.603h-.343zm-.539-2.56.682 2.589.049.523h-.36l-.903-3.112zm2.454 2.569.65-2.569h.529l-.903 3.112h-.357zm-.688-2.569.783 2.517.089.595h-.34l-.837-2.609-.069-.503zm2.946-1.306v4.418h-.532v-4.418zm-.127 2.744-.221-.008q.003-.32.095-.59.09-.273.258-.475a1.16 1.16 0 0 1 .912-.423q.231 0 .414.064.185.06.314.195a.9.9 0 0 1 .201.351q.07.213.07.521v2.039h-.536v-2.045a.9.9 0 0 0-.072-.391.44.44 0 0 0-.21-.216.75.75 0 0 0-.339-.069.8.8 0 0 0-.362.084.9.9 0 0 0-.28.23 1.15 1.15 0 0 0-.244.733m3.417-1.438v3.112h-.535v-3.112zm-.575-.825a.32.32 0 0 1 .078-.219q.08-.09.235-.089.153 0 .233.089a.3.3 0 0 1 .084.219.3.3 0 0 1-.084.212q-.08.087-.233.087-.155 0-.236-.087a.3.3 0 0 1-.077-.212m2.008-.481v4.418h-.536v-4.418zm2.145 4.476q-.324 0-.59-.11a1.3 1.3 0 0 1-.451-.313 1.4 1.4 0 0 1-.288-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.112-.676.112-.3.305-.507.192-.207.437-.313t.506-.107q.334 0 .576.116.244.114.4.322.155.204.23.483.075.276.074.604v.239h-2.324v-.435h1.792v-.04a1.3 1.3 0 0 0-.086-.403.73.73 0 0 0-.23-.322q-.159-.126-.432-.126a.71.71 0 0 0-.595.302 1.1 1.1 0 0 0-.17.365q-.06.216-.06.498v.12q0 .222.06.417.063.193.181.34.121.147.29.23a.9.9 0 0 0 .392.083.9.9 0 0 0 .477-.115q.196-.114.343-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.383.224 1.5 1.5 0 0 1-.532.087m4.597-3.17v.408h-1.683v-.408zm-1.114-.756h.533v3.097q0 .159.048.239a.23.23 0 0 0 .127.106.5.5 0 0 0 .167.026q.066 0 .138-.011l.112-.023.003.434a1 1 0 0 1-.167.038q-.101.02-.244.02a.8.8 0 0 1-.36-.078.58.58 0 0 1-.262-.259 1.1 1.1 0 0 1-.095-.495zm2.27-.55v4.418h-.532v-4.418zm-.127 2.744-.221-.008a1.9 1.9 0 0 1 .095-.59q.091-.273.259-.475a1.16 1.16 0 0 1 .911-.423q.231 0 .414.064.185.06.314.195a.9.9 0 0 1 .201.351q.07.213.07.521v2.039h-.536v-2.045a.9.9 0 0 0-.072-.391.44.44 0 0 0-.21-.216.75.75 0 0 0-.339-.069.8.8 0 0 0-.362.084.9.9 0 0 0-.28.23 1.15 1.15 0 0 0-.244.733m3.417-1.438v3.112h-.535v-3.112zm-.575-.825a.32.32 0 0 1 .078-.219q.08-.09.236-.089.152 0 .232.089a.3.3 0 0 1 .084.219.3.3 0 0 1-.084.212q-.08.087-.232.087-.156 0-.236-.087a.3.3 0 0 1-.078-.212m3.242 3.112a.45.45 0 0 0-.052-.213.44.44 0 0 0-.204-.181 1.7 1.7 0 0 0-.46-.144 4 4 0 0 1-.47-.13 1.4 1.4 0 0 1-.353-.181.8.8 0 0 1-.222-.25.783.783 0 0 1 .003-.685.9.9 0 0 1 .233-.29q.153-.127.365-.199.213-.072.475-.072.374 0 .639.133a1 1 0 0 1 .405.354q.141.218.141.486h-.532a.46.46 0 0 0-.078-.251.6.6 0 0 0-.221-.204.7.7 0 0 0-.354-.08.8.8 0 0 0-.36.069.46.46 0 0 0-.198.169.43.43 0 0 0-.032.374.34.34 0 0 0 .11.124 1 1 0 0 0 .218.104q.141.049.36.097.383.087.63.207.247.121.368.297.12.176.12.425a.838.838 0 0 1-.33.668q-.158.12-.38.19a1.7 1.7 0 0 1-.491.066q-.412 0-.697-.147a1.1 1.1 0 0 1-.431-.38.9.9 0 0 1-.147-.492h.535q.012.219.127.349.115.126.282.181.166.051.33.051.219 0 .366-.057a.5.5 0 0 0 .227-.158.37.37 0 0 0 .078-.23m4.654.221v-3.814h.535v4.418h-.49zm-2.094-.917v-.061q0-.356.086-.647.09-.294.25-.503.165-.21.388-.322a1.1 1.1 0 0 1 .507-.116q.293 0 .512.104a1 1 0 0 1 .373.296q.156.193.245.466.089.274.124.619v.264a2.7 2.7 0 0 1-.124.616q-.09.273-.245.466a1 1 0 0 1-.373.296q-.222.1-.518.101-.274 0-.5-.118a1.2 1.2 0 0 1-.389-.331 1.6 1.6 0 0 1-.25-.5 2.2 2.2 0 0 1-.087-.63m.534-.061v.061q0 .233.047.437.048.204.15.359a.75.75 0 0 0 .255.245.76.76 0 0 0 .371.086.77.77 0 0 0 .434-.112.84.84 0 0 0 .277-.296q.103-.184.16-.4v-.693a1.5 1.5 0 0 0-.1-.305 1 1 0 0 0-.167-.265.7.7 0 0 0-.25-.187.8.8 0 0 0-.348-.069.74.74 0 0 0-.377.092.74.74 0 0 0-.256.248 1.1 1.1 0 0 0-.15.362 2 2 0 0 0-.046.437m4.214 1.64q-.324 0-.59-.11a1.3 1.3 0 0 1-.45-.313 1.4 1.4 0 0 1-.289-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.112-.676.112-.3.305-.507.192-.207.437-.313t.506-.107q.335 0 .576.116.244.114.4.322.155.204.23.483.075.276.074.604v.239H61.08v-.435h1.792v-.04a1.3 1.3 0 0 0-.086-.403.73.73 0 0 0-.23-.322q-.159-.126-.432-.126a.71.71 0 0 0-.595.302q-.11.149-.17.365t-.06.498v.12q0 .222.06.417.064.193.181.34a.9.9 0 0 0 .29.23.9.9 0 0 0 .392.083.9.9 0 0 0 .478-.115q.195-.114.342-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.383.224 1.5 1.5 0 0 1-.532.087m2.738-.538.852-2.632h.544l-1.12 3.112h-.356zm-.71-2.632.877 2.646.06.466h-.356l-1.127-3.112zm3.196 0v3.112h-.535v-3.112zm-.576-.825a.32.32 0 0 1 .078-.219q.08-.09.236-.089.153 0 .233.089a.3.3 0 0 1 .083.219.3.3 0 0 1-.083.212q-.081.087-.233.087-.155 0-.236-.087a.3.3 0 0 1-.078-.212m2.675 3.557a.8.8 0 0 0 .351-.077.7.7 0 0 0 .265-.213.6.6 0 0 0 .118-.314h.506a.95.95 0 0 1-.187.515 1.27 1.27 0 0 1-1.053.527q-.351 0-.612-.124a1.2 1.2 0 0 1-.432-.339 1.5 1.5 0 0 1-.256-.495 2 2 0 0 1-.083-.596v-.12q0-.314.083-.593a1.5 1.5 0 0 1 .256-.497 1.2 1.2 0 0 1 .432-.34q.261-.123.612-.124.366 0 .639.15.273.147.428.403.158.252.173.575h-.506a.8.8 0 0 0-.11-.348.7.7 0 0 0-.253-.247.7.7 0 0 0-.37-.095q-.245 0-.412.097a.73.73 0 0 0-.262.259q-.094.162-.138.36a2 2 0 0 0-.04.4v.12q0 .205.04.403t.135.36a.76.76 0 0 0 .262.259.83.83 0 0 0 .414.094m3.13.438q-.325 0-.59-.11a1.3 1.3 0 0 1-.452-.313 1.4 1.4 0 0 1-.287-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.111-.676.113-.3.305-.507.193-.207.438-.313.244-.107.506-.107.333 0 .575.116.244.114.4.322.155.204.23.483.075.276.075.604v.239h-2.324v-.435h1.792v-.04a1.3 1.3 0 0 0-.087-.403.73.73 0 0 0-.23-.322q-.159-.126-.431-.126a.71.71 0 0 0-.595.302q-.11.149-.17.365t-.06.498v.12q0 .222.06.417.063.193.18.34.121.147.291.23a.9.9 0 0 0 .392.083.9.9 0 0 0 .477-.115q.196-.114.342-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.382.224 1.5 1.5 0 0 1-.532.087m3.871-3.17v3.112h-.535v-3.112zm-.575-.825a.32.32 0 0 1 .078-.219q.08-.09.235-.089.153 0 .233.089a.3.3 0 0 1 .084.219.3.3 0 0 1-.084.212q-.079.087-.233.087t-.235-.087a.3.3 0 0 1-.078-.212m3.242 3.112a.45.45 0 0 0-.052-.213.44.44 0 0 0-.204-.181 1.7 1.7 0 0 0-.46-.144 4 4 0 0 1-.47-.13 1.4 1.4 0 0 1-.353-.181.8.8 0 0 1-.222-.25.783.783 0 0 1 .003-.685.9.9 0 0 1 .233-.29q.153-.127.365-.199.213-.072.475-.072.375 0 .638.133a1 1 0 0 1 .406.354q.141.218.141.486h-.532a.46.46 0 0 0-.078-.251.6.6 0 0 0-.221-.204.7.7 0 0 0-.354-.08.8.8 0 0 0-.36.069.46.46 0 0 0-.198.169.43.43 0 0 0-.032.374.34.34 0 0 0 .11.124 1 1 0 0 0 .218.104q.141.049.36.097.382.087.63.207.247.121.368.297.12.176.12.425a.837.837 0 0 1-.33.668q-.158.12-.38.19a1.7 1.7 0 0 1-.492.066q-.411 0-.696-.147a1.1 1.1 0 0 1-.431-.38.9.9 0 0 1-.147-.492h.535q.012.219.127.349.114.126.282.181.166.051.33.051.219 0 .366-.057a.5.5 0 0 0 .227-.158.37.37 0 0 0 .078-.23m4.596.106v-2.393h.535v3.112h-.51zm.1-.656.222-.005q0 .31-.066.575a1.2 1.2 0 0 1-.207.454 1 1 0 0 1-.377.302 1.4 1.4 0 0 1-.567.107q-.227 0-.417-.066a.85.85 0 0 1-.532-.564 1.7 1.7 0 0 1-.072-.532v-2.008h.532v2.013q0 .21.046.348a.6.6 0 0 0 .13.216.5.5 0 0 0 .184.109q.104.032.213.032.339 0 .538-.129a.74.74 0 0 0 .284-.354q.09-.225.09-.498m1.778-1.073v2.448h-.532v-3.112h.503zm-.126.774-.222-.008a1.9 1.9 0 0 1 .095-.59q.092-.273.259-.475a1.16 1.16 0 0 1 .912-.423q.23 0 .414.064.184.06.313.195.133.135.202.351.069.213.069.521v2.039h-.535v-2.045a.9.9 0 0 0-.072-.391.44.44 0 0 0-.21-.216.75.75 0 0 0-.34-.069.8.8 0 0 0-.362.084.9.9 0 0 0-.279.23 1.15 1.15 0 0 0-.244.733m3.428-2.744v4.418h-.535v-4.418zm.713 2.897v-.067q0-.336.098-.624a1.5 1.5 0 0 1 .282-.503 1.3 1.3 0 0 1 .446-.334q.261-.12.587-.121a1.4 1.4 0 0 1 .59.121q.264.118.448.334.188.213.285.503.098.288.098.624v.067q0 .336-.098.624a1.5 1.5 0 0 1-.285.503 1.3 1.3 0 0 1-.446.334 1.4 1.4 0 0 1-.587.118 1.4 1.4 0 0 1-.59-.118 1.3 1.3 0 0 1-.448-.334 1.5 1.5 0 0 1-.282-.503 2 2 0 0 1-.098-.624m.532-.067v.067q0 .233.055.44.055.204.164.362a.8.8 0 0 0 .28.25q.166.09.387.089a.8.8 0 0 0 .383-.089.8.8 0 0 0 .276-.25q.11-.158.164-.362.057-.207.058-.44v-.067q0-.23-.058-.434a1.1 1.1 0 0 0-.167-.365.768.768 0 0 0-.662-.345.8.8 0 0 0-.385.092.8.8 0 0 0-.276.253 1.2 1.2 0 0 0-.164.365 1.7 1.7 0 0 0-.055.434m4.214 1.208a.8.8 0 0 0 .351-.077.7.7 0 0 0 .265-.213.6.6 0 0 0 .118-.314h.506a.95.95 0 0 1-.187.515 1.293 1.293 0 0 1-1.053.527q-.351 0-.612-.124a1.2 1.2 0 0 1-.432-.339 1.5 1.5 0 0 1-.256-.495 2 2 0 0 1-.083-.596v-.12q0-.314.083-.593a1.5 1.5 0 0 1 .256-.497 1.2 1.2 0 0 1 .432-.34q.261-.123.612-.124.366 0 .639.15.273.147.428.403.158.252.173.575h-.506a.8.8 0 0 0-.11-.348.7.7 0 0 0-.253-.247.7.7 0 0 0-.37-.095q-.245 0-.412.097a.73.73 0 0 0-.262.259q-.095.162-.138.36-.04.196-.04.4v.12q0 .205.04.403t.135.36a.76.76 0 0 0 .262.259.83.83 0 0 0 .414.094m2.373-4.038v4.418h-.535v-4.418zm1.901 1.306-1.357 1.453-.76.788-.043-.567.544-.65.966-1.024zm-.486 3.112-1.11-1.484.276-.475 1.461 1.959zm2.27.058a1.5 1.5 0 0 1-.59-.11 1.3 1.3 0 0 1-.451-.313 1.4 1.4 0 0 1-.288-.478 1.8 1.8 0 0 1-.1-.604v-.12q0-.38.111-.676.113-.3.305-.507.194-.207.438-.313t.506-.107q.333 0 .575.116.244.114.4.322.155.204.23.483.075.276.075.604v.239h-2.324v-.435h1.792v-.04a1.3 1.3 0 0 0-.087-.403.73.73 0 0 0-.23-.322q-.158-.126-.431-.126a.711.711 0 0 0-.596.302q-.109.149-.17.365-.06.216-.06.498v.12q0 .222.06.417.064.193.182.34a.9.9 0 0 0 .29.23.9.9 0 0 0 .392.083.9.9 0 0 0 .477-.115q.195-.114.342-.307l.322.256a1.5 1.5 0 0 1-.256.29 1.2 1.2 0 0 1-.382.224q-.225.087-.532.087m3.794-.662v-3.814h.535v4.418h-.489zm-2.094-.917v-.061q0-.356.086-.647a1.6 1.6 0 0 1 .25-.503q.164-.21.388-.322.228-.116.507-.116.293 0 .512.104a1 1 0 0 1 .374.296q.155.193.244.466.09.274.124.619v.264a2.7 2.7 0 0 1-.124.616 1.5 1.5 0 0 1-.244.466 1.04 1.04 0 0 1-.374.296 1.25 1.25 0 0 1-.518.101 1.08 1.08 0 0 1-.889-.449 1.6 1.6 0 0 1-.25-.5 2.2 2.2 0 0 1-.086-.63m.535-.061v.061q0 .233.046.437.048.204.149.359a.75.75 0 0 0 .256.245.76.76 0 0 0 .371.086.77.77 0 0 0 .435-.112.84.84 0 0 0 .276-.296q.103-.184.161-.4v-.693a1.5 1.5 0 0 0-.101-.305 1 1 0 0 0-.167-.265.7.7 0 0 0-.25-.187.8.8 0 0 0-.348-.069.74.74 0 0 0-.377.092.74.74 0 0 0-.256.248 1.1 1.1 0 0 0-.149.362 2 2 0 0 0-.046.437m2.931 1.3q0-.135.083-.227a.32.32 0 0 1 .247-.095q.162 0 .245.095a.32.32 0 0 1 .086.227.32.32 0 0 1-.086.225q-.083.092-.245.092a.32.32 0 0 1-.247-.092.32.32 0 0 1-.083-.225"/><path class="tw-fill-background" d="M20.84 126.475h144.32v64.661H20.84z"/><rect width="124.124" height="16.049" x="30.939" y="129.842" class="tw-fill-secondary-500" rx="4.039"/><path class="tw-fill-background" d="M83.974 134.58v4.786h-.983v-4.786zm1.473 0v.772h-3.905v-.772zm2.357 3.935v-2.706h.947v3.557h-.891zm.105-.73.28-.007q0 .355-.083.661a1.6 1.6 0 0 1-.246.526q-.165.22-.414.345a1.3 1.3 0 0 1-.589.122q-.26 0-.48-.072a1 1 0 0 1-.374-.234 1.1 1.1 0 0 1-.244-.411 1.9 1.9 0 0 1-.085-.608v-2.298h.947v2.305q0 .158.036.266a.5.5 0 0 0 .108.177.4.4 0 0 0 .161.099q.096.03.21.03.294 0 .46-.119a.62.62 0 0 0 .24-.322q.073-.207.073-.46m2.511-1.2v2.781h-.946v-3.557h.89zm1.072-.799-.016.878a2 2 0 0 0-.168-.016 2 2 0 0 0-.174-.01q-.2 0-.349.052a.6.6 0 0 0-.243.148.65.65 0 0 0-.145.24 1.2 1.2 0 0 0-.052.322l-.19-.059q0-.345.068-.634.07-.293.2-.51.135-.216.33-.335a.83.83 0 0 1 .443-.118q.08 0 .161.013.082.01.135.029m1.374.783v2.797h-.947v-3.557h.888zm-.138.894h-.256q0-.395.102-.71.102-.32.286-.543.183-.227.437-.345a1.3 1.3 0 0 1 .572-.121q.25 0 .457.072a.9.9 0 0 1 .355.23q.15.158.23.417.082.26.082.635v2.268h-.953v-2.271a.84.84 0 0 0-.066-.369.37.37 0 0 0-.194-.184.8.8 0 0 0-.309-.055.7.7 0 0 0-.332.075.7.7 0 0 0-.23.21 1 1 0 0 0-.135.309q-.046.178-.046.382m4.51.161v-.069q0-.392.112-.72.111-.332.325-.575t.526-.378q.313-.138.717-.138.405 0 .72.138.315.135.529.378.217.243.329.575.111.328.112.72v.069q0 .387-.112.72a1.7 1.7 0 0 1-.329.575 1.46 1.46 0 0 1-.526.378q-.312.135-.717.135t-.72-.135a1.5 1.5 0 0 1-.529-.378 1.7 1.7 0 0 1-.325-.575 2.3 2.3 0 0 1-.112-.72m.947-.069v.069q0 .223.04.417.039.195.124.342a.65.65 0 0 0 .23.227q.142.082.346.082a.66.66 0 0 0 .338-.082.6.6 0 0 0 .227-.227q.086-.147.125-.342.043-.194.043-.417v-.069a2 2 0 0 0-.043-.408 1.1 1.1 0 0 0-.128-.342.64.64 0 0 0-.227-.236.65.65 0 0 0-.342-.086.65.65 0 0 0-.342.086.7.7 0 0 0-.227.236 1.1 1.1 0 0 0-.125.342 2 2 0 0 0-.04.408m3.931-.986v2.797h-.946v-3.557h.887zm-.138.894h-.256q0-.395.102-.71.102-.32.286-.543.184-.227.437-.345a1.3 1.3 0 0 1 .572-.121q.25 0 .457.072a.9.9 0 0 1 .355.23q.151.158.23.417.082.26.082.635v2.268h-.953v-2.271a.84.84 0 0 0-.066-.369.37.37 0 0 0-.194-.184.8.8 0 0 0-.309-.055.7.7 0 0 0-.332.075.7.7 0 0 0-.23.21 1 1 0 0 0-.135.309q-.046.178-.046.382"/><rect width="123.283" height="15.208" x="31.359" y="149.677" class="tw-stroke-secondary-500" stroke-width=".842" rx="3.619"/><path class="tw-fill-secondary-500" d="M87.663 157.194h.982q-.03.483-.266.857-.233.375-.654.586-.418.21-1.006.21-.46 0-.825-.158a1.76 1.76 0 0 1-.625-.46 2 2 0 0 1-.39-.723q-.136-.425-.136-.95v-.332q0-.526.139-.95.14-.427.4-.727a1.8 1.8 0 0 1 .629-.46q.364-.16.815-.161.598 0 1.009.217.414.217.64.598.23.382.277.868h-.986a1.3 1.3 0 0 0-.115-.49.65.65 0 0 0-.3-.305q-.196-.106-.525-.106a.96.96 0 0 0-.43.092.8.8 0 0 0-.31.28 1.4 1.4 0 0 0-.187.473q-.06.283-.06.664v.339q.001.371.056.654a1.5 1.5 0 0 0 .171.473.8.8 0 0 0 .303.29 1 1 0 0 0 .45.095q.309 0 .51-.099a.68.68 0 0 0 .305-.292q.109-.195.129-.483m2.57-3.462v5.049h-.95v-5.049zm.631 3.307v-.069q0-.391.112-.72.112-.332.326-.575.213-.243.525-.378.313-.138.717-.138.405 0 .72.138.315.135.53.378t.328.575q.111.329.112.72v.069q0 .388-.112.72a1.7 1.7 0 0 1-.329.575 1.5 1.5 0 0 1-.526.378 1.8 1.8 0 0 1-.716.135q-.405 0-.72-.135a1.5 1.5 0 0 1-.53-.378 1.7 1.7 0 0 1-.325-.575 2.2 2.2 0 0 1-.112-.72m.947-.069v.069q0 .223.04.418.039.194.124.341.09.145.23.227.142.082.346.082a.66.66 0 0 0 .338-.082.6.6 0 0 0 .227-.227q.086-.147.125-.341.042-.195.043-.418v-.069a2 2 0 0 0-.043-.408 1.1 1.1 0 0 0-.128-.341.64.64 0 0 0-.227-.237.65.65 0 0 0-.342-.086.65.65 0 0 0-.342.086.7.7 0 0 0-.227.237 1.1 1.1 0 0 0-.124.341 2 2 0 0 0-.04.408m4.927.828a.3.3 0 0 0-.059-.184.5.5 0 0 0-.22-.151 2 2 0 0 0-.457-.131 4 4 0 0 1-.503-.148 1.8 1.8 0 0 1-.4-.221.84.84 0 0 1-.358-.706q-.002-.224.094-.421.1-.198.28-.349.183-.155.447-.239.266-.09.598-.089.463 0 .796.148.335.147.512.407a1 1 0 0 1 .181.585h-.947a.5.5 0 0 0-.059-.246.4.4 0 0 0-.177-.174.63.63 0 0 0-.31-.066.6.6 0 0 0-.272.056.4.4 0 0 0-.178.144.35.35 0 0 0-.026.346q.037.062.115.115t.204.098q.127.043.316.079.384.08.686.207.303.125.48.342.178.214.178.562a.9.9 0 0 1-.105.434q-.105.198-.303.345-.197.145-.473.227a2.2 2.2 0 0 1-.615.079q-.496 0-.841-.178a1.33 1.33 0 0 1-.52-.45 1.05 1.05 0 0 1-.174-.565h.897a.53.53 0 0 0 .1.312.54.54 0 0 0 .24.171 1 1 0 0 0 .318.053.8.8 0 0 0 .306-.05.43.43 0 0 0 .184-.138.33.33 0 0 0 .066-.204m3.173 1.049q-.414 0-.743-.131a1.6 1.6 0 0 1-.56-.372 1.7 1.7 0 0 1-.348-.549 1.9 1.9 0 0 1-.121-.67v-.132q0-.404.115-.74t.329-.581a1.4 1.4 0 0 1 .526-.378q.309-.135.697-.135.377 0 .67.125.292.124.49.355.2.23.302.552.102.319.102.71v.394h-2.827v-.631h1.897v-.072a.8.8 0 0 0-.072-.352.57.57 0 0 0-.211-.25.65.65 0 0 0-.361-.092.6.6 0 0 0-.323.083.6.6 0 0 0-.22.23 1.2 1.2 0 0 0-.125.348 2.2 2.2 0 0 0-.04.434v.132q0 .213.06.394.063.18.174.312a.8.8 0 0 0 .276.204q.165.072.372.072.257 0 .476-.098a1 1 0 0 0 .385-.306l.46.5q-.111.16-.305.309a1.7 1.7 0 0 1-.461.243 1.9 1.9 0 0 1-.614.092"/><path class="tw-fill-secondary-700" d="m41.003 177.374.834-3.524h.466l.107.587-.889 3.601h-.5zm-.428-3.524.69 3.524-.057.664h-.558l-.93-4.188zm2.568 3.509.682-3.509h.854l-.926 4.188h-.558zm-.578-3.509.84 3.538-.023.65h-.5l-.895-3.604.115-.584zm3.34-.23v4.418h-.829v-4.418zm-.118 2.753h-.228q.003-.325.087-.599.083-.276.238-.477.156-.205.371-.316a1.04 1.04 0 0 1 .484-.113q.23 0 .417.067a.8.8 0 0 1 .325.207.9.9 0 0 1 .213.371q.074.23.074.558v1.967h-.834v-1.973a.7.7 0 0 0-.06-.325.33.33 0 0 0-.17-.17.6.6 0 0 0-.27-.052.65.65 0 0 0-.305.067.5.5 0 0 0-.199.184.8.8 0 0 0-.109.27 1.5 1.5 0 0 0-.034.334m4.291.963v-1.386q0-.15-.049-.256a.36.36 0 0 0-.152-.17.5.5 0 0 0-.262-.06.54.54 0 0 0-.239.049.34.34 0 0 0-.155.135.37.37 0 0 0-.055.204h-.828q0-.198.092-.377a.9.9 0 0 1 .267-.313q.175-.138.417-.216.246-.078.547-.078.362 0 .644.121a1 1 0 0 1 .443.363q.165.241.164.604v1.331q0 .257.032.42.031.162.092.282v.049h-.837q-.06-.126-.092-.316a3 3 0 0 1-.029-.386m.11-1.193.005.468h-.463a1 1 0 0 0-.285.038.5.5 0 0 0-.198.106.4.4 0 0 0-.115.156.5.5 0 0 0-.035.195q0 .106.05.193.048.083.14.132a.5.5 0 0 0 .216.046.7.7 0 0 0 .325-.075.6.6 0 0 0 .213-.184.4.4 0 0 0 .08-.207l.219.351q-.045.118-.127.245a1.024 1.024 0 0 1-.489.42 1.1 1.1 0 0 1-.402.069q-.297 0-.538-.118a1 1 0 0 1-.38-.331.87.87 0 0 1-.138-.483q0-.245.092-.435a.85.85 0 0 1 .27-.319 1.3 1.3 0 0 1 .452-.198q.27-.069.627-.069zm2.887-1.217v.587h-1.812v-.587zm-1.363-.768h.828v2.942q0 .136.035.208a.2.2 0 0 0 .109.1.6.6 0 0 0 .181.026q.078 0 .138-.006.063-.008.107-.017l.002.61q-.105.035-.23.054a1.6 1.6 0 0 1-.273.021q-.273 0-.477-.09a.66.66 0 0 1-.31-.293 1.1 1.1 0 0 1-.11-.529zm4.981 3.178v-1.386q0-.15-.048-.256a.36.36 0 0 0-.153-.17.5.5 0 0 0-.262-.06.54.54 0 0 0-.238.049.34.34 0 0 0-.156.135.37.37 0 0 0-.054.204h-.829q0-.198.092-.377a.9.9 0 0 1 .268-.313q.175-.138.417-.216.244-.078.546-.078.363 0 .645.121a1 1 0 0 1 .443.363q.164.241.164.604v1.331q0 .257.031.42.032.162.092.282v.049h-.837q-.06-.126-.092-.316a3 3 0 0 1-.029-.386m.11-1.193.006.468h-.463a1 1 0 0 0-.285.038.5.5 0 0 0-.199.106.4.4 0 0 0-.115.156.5.5 0 0 0-.034.195q0 .106.049.193.049.083.14.132a.5.5 0 0 0 .216.046.7.7 0 0 0 .325-.075.6.6 0 0 0 .213-.184.4.4 0 0 0 .08-.207l.22.351q-.047.118-.127.245a1.022 1.022 0 0 1-.489.42 1.1 1.1 0 0 1-.403.069q-.296 0-.538-.118a1 1 0 0 1-.38-.331.87.87 0 0 1-.138-.483q0-.245.093-.435a.85.85 0 0 1 .27-.319q.18-.132.451-.198.27-.069.627-.069zm2.192-.538v2.433h-.829v-3.112h.78zm.937-.699-.014.768a2 2 0 0 0-.147-.015 2 2 0 0 0-.152-.008.9.9 0 0 0-.305.046.55.55 0 0 0-.213.129.6.6 0 0 0-.127.21 1 1 0 0 0-.046.282l-.166-.052q0-.302.06-.555.06-.255.175-.446a.9.9 0 0 1 .288-.293.73.73 0 0 1 .388-.104q.069 0 .141.012a.5.5 0 0 1 .118.026m1.766 3.19q-.362 0-.65-.115a1.4 1.4 0 0 1-.489-.325 1.5 1.5 0 0 1-.305-.481 1.6 1.6 0 0 1-.106-.587v-.115q0-.353.1-.647a1.5 1.5 0 0 1 .288-.509q.19-.216.46-.331.27-.118.61-.118.33 0 .587.11t.429.31q.175.202.264.484.09.279.09.621v.345h-2.474v-.552h1.66v-.064a.7.7 0 0 0-.064-.307.5.5 0 0 0-.184-.219.57.57 0 0 0-.316-.08.54.54 0 0 0-.282.071.56.56 0 0 0-.193.202 1.1 1.1 0 0 0-.11.305 2 2 0 0 0-.034.379v.115q0 .187.052.346a.9.9 0 0 0 .152.273.7.7 0 0 0 .242.178.8.8 0 0 0 .325.063q.225 0 .417-.086a.9.9 0 0 0 .337-.267l.402.437a1.2 1.2 0 0 1-.267.27 1.4 1.4 0 0 1-.403.213 1.7 1.7 0 0 1-.538.081m4.74-3.17v.587h-1.812v-.587zm-1.363-.768h.828v2.942q0 .136.035.208a.2.2 0 0 0 .11.1.6.6 0 0 0 .18.026q.078 0 .139-.006.063-.008.106-.017l.003.61a1.638 1.638 0 0 1-.503.075q-.274 0-.478-.09a.66.66 0 0 1-.31-.293 1.1 1.1 0 0 1-.11-.529zm2.643-.538v4.418h-.828v-4.418zm-.118 2.753h-.227q.002-.325.087-.599.083-.276.238-.477.156-.205.371-.316a1.04 1.04 0 0 1 .483-.113q.231 0 .417.067a.8.8 0 0 1 .326.207.9.9 0 0 1 .212.371q.075.23.075.558v1.967h-.834v-1.973a.7.7 0 0 0-.06-.325.33.33 0 0 0-.17-.17.6.6 0 0 0-.27-.052.65.65 0 0 0-.305.067.5.5 0 0 0-.199.184.8.8 0 0 0-.11.27 1.5 1.5 0 0 0-.034.334m4.044 1.723q-.362 0-.65-.115a1.4 1.4 0 0 1-.489-.325 1.5 1.5 0 0 1-.304-.481 1.6 1.6 0 0 1-.107-.587v-.115q0-.353.1-.647a1.5 1.5 0 0 1 .288-.509q.19-.216.46-.331a1.5 1.5 0 0 1 .61-.118q.332 0 .587.11.256.11.429.31.175.202.264.484.09.279.09.621v.345h-2.474v-.552h1.66v-.064a.7.7 0 0 0-.064-.307.5.5 0 0 0-.184-.219.57.57 0 0 0-.316-.08.54.54 0 0 0-.282.071.56.56 0 0 0-.193.202 1.1 1.1 0 0 0-.11.305 2 2 0 0 0-.034.379v.115q0 .187.052.346a.9.9 0 0 0 .153.273.7.7 0 0 0 .241.178.8.8 0 0 0 .325.063 1 1 0 0 0 .417-.086.9.9 0 0 0 .337-.267l.403.437a1.2 1.2 0 0 1-.268.27 1.4 1.4 0 0 1-.403.213 1.7 1.7 0 0 1-.538.081m4.045-2.572v3.711h-.829v-4.309h.768zm1.97.923v.061q0 .339-.08.63a1.6 1.6 0 0 1-.23.506 1.1 1.1 0 0 1-.38.334q-.225.118-.518.118-.285 0-.495-.115a1.04 1.04 0 0 1-.354-.323 1.9 1.9 0 0 1-.227-.486 4 4 0 0 1-.132-.592v-.158q.046-.34.132-.622.087-.284.227-.492.144-.209.351-.325.21-.114.492-.115.297 0 .52.113.228.111.38.322.155.21.233.5.08.291.08.644m-.831.061v-.061q0-.198-.035-.365a1 1 0 0 0-.104-.296.51.51 0 0 0-.457-.268.7.7 0 0 0-.29.055.5.5 0 0 0-.193.158.7.7 0 0 0-.112.248q-.037.144-.046.325v.399q.015.213.08.383a.6.6 0 0 0 .204.265.6.6 0 0 0 .363.097.5.5 0 0 0 .276-.071.55.55 0 0 0 .181-.205 1 1 0 0 0 .1-.299q.033-.17.033-.365m1.213.006v-.061q0-.342.098-.63.097-.29.285-.503a1.3 1.3 0 0 1 .46-.331q.273-.12.627-.121.354 0 .63.121.276.118.463.331.19.213.288.503.098.288.098.63v.061q0 .339-.098.63a1.5 1.5 0 0 1-.288.503 1.3 1.3 0 0 1-.46.331 1.6 1.6 0 0 1-.627.118q-.354 0-.63-.118a1.3 1.3 0 0 1-.463-.331 1.5 1.5 0 0 1-.285-.503 2 2 0 0 1-.098-.63m.829-.061v.061q0 .195.034.365.035.17.11.299a.6.6 0 0 0 .2.199.6.6 0 0 0 .303.071.6.6 0 0 0 .296-.071.55.55 0 0 0 .199-.199 1 1 0 0 0 .109-.299 1.7 1.7 0 0 0 .037-.365v-.061a1.6 1.6 0 0 0-.037-.356 1 1 0 0 0-.112-.3.56.56 0 0 0-.199-.207.6.6 0 0 0-.299-.074.6.6 0 0 0-.299.074.6.6 0 0 0-.198.207 1 1 0 0 0-.11.3q-.034.167-.034.356m4.153-1.527v.587h-1.812v-.587zm-1.363-.768h.828v2.942q0 .136.035.208a.2.2 0 0 0 .109.1.6.6 0 0 0 .181.026q.078 0 .138-.006.063-.008.107-.017l.002.61q-.105.035-.23.054a1.6 1.6 0 0 1-.273.021q-.273 0-.477-.09a.66.66 0 0 1-.31-.293 1.1 1.1 0 0 1-.11-.529zm3.267 3.938q-.362 0-.65-.115a1.4 1.4 0 0 1-.489-.325 1.5 1.5 0 0 1-.305-.481 1.6 1.6 0 0 1-.106-.587v-.115q0-.353.1-.647a1.5 1.5 0 0 1 .288-.509q.19-.216.46-.331.27-.118.61-.118.33 0 .587.11t.428.31q.177.202.265.484.09.279.09.621v.345H83.73v-.552h1.66v-.064a.7.7 0 0 0-.064-.307.5.5 0 0 0-.184-.219.57.57 0 0 0-.316-.08.54.54 0 0 0-.282.071.56.56 0 0 0-.193.202 1.1 1.1 0 0 0-.11.305 2 2 0 0 0-.034.379v.115q0 .187.052.346a.9.9 0 0 0 .152.273.7.7 0 0 0 .242.178.8.8 0 0 0 .325.063q.225 0 .417-.086a.9.9 0 0 0 .337-.267l.402.437a1.2 1.2 0 0 1-.267.27 1.4 1.4 0 0 1-.403.213 1.7 1.7 0 0 1-.538.081m2.56-2.506v2.448h-.828v-3.112h.776zm-.12.783h-.225q0-.345.09-.622.088-.279.25-.474.16-.198.382-.302.225-.107.5-.107.22 0 .4.064.182.063.31.201a.9.9 0 0 1 .202.365q.072.228.072.555v1.985h-.834v-1.987a.74.74 0 0 0-.058-.323.33.33 0 0 0-.17-.161.7.7 0 0 0-.27-.049.6.6 0 0 0-.29.067.6.6 0 0 0-.201.184.9.9 0 0 0-.118.27q-.04.156-.04.334m4.135-1.447v.587H89.69v-.587zm-1.363-.768h.828v2.942q0 .136.035.208a.2.2 0 0 0 .11.1.6.6 0 0 0 .18.026q.078 0 .138-.006.064-.008.107-.017l.003.61q-.107.035-.23.054a1.6 1.6 0 0 1-.273.021q-.274 0-.478-.09a.66.66 0 0 1-.31-.293 1.1 1.1 0 0 1-.11-.529zm2.71.768v3.112h-.832v-3.112zm-.883-.811a.4.4 0 0 1 .126-.299.48.48 0 0 1 .34-.118q.21 0 .336.118.13.117.13.299 0 .181-.13.299a.47.47 0 0 1-.337.118.48.48 0 0 1-.339-.118.4.4 0 0 1-.126-.299m3.247 3.221v-1.386q0-.15-.049-.256a.36.36 0 0 0-.153-.17.5.5 0 0 0-.261-.06.54.54 0 0 0-.239.049.34.34 0 0 0-.155.135.37.37 0 0 0-.055.204h-.828q0-.198.092-.377a.9.9 0 0 1 .267-.313q.175-.138.417-.216.245-.078.547-.078.362 0 .644.121a1 1 0 0 1 .443.363q.164.241.164.604v1.331q0 .257.032.42.03.162.092.282v.049h-.837a1.2 1.2 0 0 1-.092-.316 3 3 0 0 1-.03-.386m.11-1.193.005.468h-.463a1 1 0 0 0-.285.038.5.5 0 0 0-.198.106.4.4 0 0 0-.115.156.5.5 0 0 0-.035.195q0 .106.049.193.049.083.14.132a.5.5 0 0 0 .217.046.7.7 0 0 0 .325-.075.6.6 0 0 0 .213-.184.4.4 0 0 0 .08-.207l.219.351q-.046.118-.127.245a1.025 1.025 0 0 1-.489.42 1.1 1.1 0 0 1-.403.069q-.295 0-.538-.118a1 1 0 0 1-.38-.331.87.87 0 0 1-.137-.483q0-.245.092-.435a.85.85 0 0 1 .27-.319 1.3 1.3 0 0 1 .452-.198q.27-.069.627-.069zm2.237-2.523v4.418h-.831v-4.418zm3.834 3.558a.27.27 0 0 0-.052-.161.45.45 0 0 0-.192-.132 2 2 0 0 0-.4-.115 3 3 0 0 1-.44-.13 1.5 1.5 0 0 1-.351-.193.739.739 0 0 1-.313-.618q0-.195.083-.368a.95.95 0 0 1 .244-.305q.162-.135.391-.21.234-.078.524-.078.405 0 .696.13.293.129.449.357.158.224.158.511h-.829a.45.45 0 0 0-.051-.215.35.35 0 0 0-.156-.153.56.56 0 0 0-.27-.057.54.54 0 0 0-.239.049.36.36 0 0 0-.155.126.3.3 0 0 0-.023.302q.032.055.101.101a1 1 0 0 0 .178.086q.112.037.276.069.337.07.601.181.266.11.42.3.155.186.155.491 0 .207-.092.38a.9.9 0 0 1-.264.302 1.4 1.4 0 0 1-.414.199q-.24.069-.538.069-.434 0-.737-.156-.299-.155-.454-.394a.9.9 0 0 1-.153-.494h.786a.46.46 0 0 0 .086.273.47.47 0 0 0 .21.149.8.8 0 0 0 .279.046.7.7 0 0 0 .267-.043.37.37 0 0 0 .161-.121.3.3 0 0 0 .058-.178m2.776.918q-.363 0-.65-.115a1.4 1.4 0 0 1-.489-.325 1.5 1.5 0 0 1-.305-.481 1.6 1.6 0 0 1-.107-.587v-.115q0-.353.101-.647.1-.293.288-.509.19-.216.46-.331.27-.118.61-.118.33 0 .586.11t.429.31q.175.202.265.484.089.279.089.621v.345h-2.474v-.552h1.66v-.064a.7.7 0 0 0-.064-.307.5.5 0 0 0-.184-.219.57.57 0 0 0-.316-.08.54.54 0 0 0-.282.071.56.56 0 0 0-.193.202 1.1 1.1 0 0 0-.109.305 2 2 0 0 0-.034.379v.115q0 .187.051.346a.9.9 0 0 0 .153.273.7.7 0 0 0 .241.178.8.8 0 0 0 .325.063q.225 0 .417-.086a.9.9 0 0 0 .337-.267l.403.437a1.417 1.417 0 0 1-.67.483 1.7 1.7 0 0 1-.538.081m3.034-.648a.6.6 0 0 0 .271-.057.46.46 0 0 0 .255-.423h.78q-.003.328-.175.584-.173.253-.464.4a1.44 1.44 0 0 1-.65.144q-.362 0-.632-.121a1.2 1.2 0 0 1-.446-.334 1.5 1.5 0 0 1-.268-.5 2.1 2.1 0 0 1-.089-.616v-.083q0-.331.089-.616.09-.288.268-.5.178-.216.446-.337.267-.12.627-.121.382 0 .67.147.29.147.454.42.167.27.17.641h-.78a.6.6 0 0 0-.066-.281.497.497 0 0 0-.463-.279.5.5 0 0 0-.296.077.5.5 0 0 0-.178.207 1 1 0 0 0-.089.297 2.4 2.4 0 0 0-.024.345v.083q0 .182.024.348.023.167.086.296a.5.5 0 0 0 .181.205q.115.075.299.074m3.627-.155v-2.367h.829v3.112h-.78zm.092-.638.245-.006q0 .31-.072.578-.072.264-.216.46a1 1 0 0 1-.362.302 1.2 1.2 0 0 1-.515.107q-.228 0-.42-.064a.85.85 0 0 1-.328-.204 1 1 0 0 1-.213-.359 1.7 1.7 0 0 1-.075-.533v-2.01h.829v2.016q0 .138.031.233a.4.4 0 0 0 .095.156q.06.06.141.086a.6.6 0 0 0 .184.026.7.7 0 0 0 .403-.104q.15-.103.21-.282a1.2 1.2 0 0 0 .063-.402m2.198-1.05v2.433h-.829v-3.112h.78zm.937-.699-.014.768a2 2 0 0 0-.147-.015 2 2 0 0 0-.152-.008.9.9 0 0 0-.305.046.6.6 0 0 0-.213.129.56.56 0 0 0-.126.21 1 1 0 0 0-.046.282l-.167-.052q0-.302.06-.555.06-.255.176-.446a.9.9 0 0 1 .287-.293.73.73 0 0 1 .388-.104q.069 0 .141.012a.5.5 0 0 1 .118.026m1.266.02v3.112h-.831v-3.112zm-.883-.811a.4.4 0 0 1 .126-.299.48.48 0 0 1 .34-.118.47.47 0 0 1 .336.118q.13.117.13.299 0 .181-.13.299a.47.47 0 0 1-.336.118.48.48 0 0 1-.34-.118.4.4 0 0 1-.126-.299m3.092.811v.587h-1.812v-.587zm-1.363-.768h.828v2.942q0 .136.034.208a.2.2 0 0 0 .11.1.6.6 0 0 0 .181.026q.078 0 .138-.006.064-.008.106-.017l.003.61a1.629 1.629 0 0 1-.503.075q-.273 0-.478-.09a.66.66 0 0 1-.31-.293q-.11-.201-.109-.529zm2.758 3.529.825-2.761h.889l-1.251 3.581a2 2 0 0 1-.109.253 1 1 0 0 1-.182.256.8.8 0 0 1-.284.201 1 1 0 0 1-.417.078q-.118 0-.193-.014a3 3 0 0 1-.178-.041v-.607h.066l.066.003a.8.8 0 0 0 .267-.037.37.37 0 0 0 .167-.115.6.6 0 0 0 .101-.196zm-.345-2.761.676 2.255.118.877-.564.061-1.119-3.193zm4.685.679v2.433h-.828v-3.112h.779zm.938-.699-.014.768a2 2 0 0 0-.147-.015 2 2 0 0 0-.153-.008.9.9 0 0 0-.304.046.54.54 0 0 0-.213.129.6.6 0 0 0-.127.21 1 1 0 0 0-.046.282l-.167-.052q0-.302.061-.555.06-.255.175-.446a.9.9 0 0 1 .288-.293.73.73 0 0 1 .388-.104q.069 0 .141.012a.5.5 0 0 1 .118.026m1.265.02v3.112h-.831v-3.112zm-.883-.811q0-.182.127-.299a.48.48 0 0 1 .339-.118q.21 0 .337.118a.39.39 0 0 1 .129.299q0 .181-.129.299a.47.47 0 0 1-.337.118.48.48 0 0 1-.339-.118.4.4 0 0 1-.127-.299m3.251 3.063a.27.27 0 0 0-.052-.161.46.46 0 0 0-.193-.132 2 2 0 0 0-.4-.115 3 3 0 0 1-.44-.13 1.5 1.5 0 0 1-.351-.193.8.8 0 0 1-.23-.264.75.75 0 0 1-.083-.354.84.84 0 0 1 .328-.673q.161-.135.391-.21.233-.078.523-.078.406 0 .697.13.293.129.448.357a.86.86 0 0 1 .158.511h-.828a.44.44 0 0 0-.052-.215.34.34 0 0 0-.155-.153.56.56 0 0 0-.27-.057.54.54 0 0 0-.239.049.36.36 0 0 0-.155.126.3.3 0 0 0-.052.173q0 .072.029.129.031.055.1.101a1 1 0 0 0 .179.086q.111.037.276.069.336.07.601.181t.42.3a.74.74 0 0 1 .155.491.8.8 0 0 1-.092.38.9.9 0 0 1-.265.302 1.4 1.4 0 0 1-.414.199 2 2 0 0 1-.538.069q-.434 0-.736-.156a1.16 1.16 0 0 1-.454-.394.9.9 0 0 1-.153-.494h.785a.46.46 0 0 0 .087.273.46.46 0 0 0 .21.149.8.8 0 0 0 .279.046.7.7 0 0 0 .267-.043.37.37 0 0 0 .161-.121.3.3 0 0 0 .058-.178m2.171-3.561v4.421h-.828v-4.421zm1.962 1.309-1.352 1.542-.725.733-.302-.598.575-.731.809-.946zm-.86 3.112-.921-1.438.573-.501 1.303 1.939zm2.899-.86a.27.27 0 0 0-.052-.161.44.44 0 0 0-.192-.132 2 2 0 0 0-.4-.115 3 3 0 0 1-.44-.13 1.5 1.5 0 0 1-.351-.193.735.735 0 0 1-.314-.618.8.8 0 0 1 .084-.368.95.95 0 0 1 .244-.305q.162-.135.391-.21.233-.078.524-.078.405 0 .696.13.293.129.449.357.158.224.158.511h-.828a.45.45 0 0 0-.052-.215.35.35 0 0 0-.156-.153.56.56 0 0 0-.27-.057.54.54 0 0 0-.239.049.36.36 0 0 0-.155.126.31.31 0 0 0-.023.302q.032.055.101.101a1 1 0 0 0 .178.086q.112.037.276.069.337.07.601.181.266.11.42.3a.74.74 0 0 1 .156.491.8.8 0 0 1-.092.38.9.9 0 0 1-.265.302 1.4 1.4 0 0 1-.414.199 2 2 0 0 1-.538.069q-.435 0-.736-.156a1.17 1.17 0 0 1-.455-.394.9.9 0 0 1-.152-.494h.785a.46.46 0 0 0 .086.273.47.47 0 0 0 .21.149.8.8 0 0 0 .279.046.7.7 0 0 0 .268-.043.4.4 0 0 0 .161-.121.3.3 0 0 0 .057-.178m2.756-.42h-.734a2.5 2.5 0 0 1 .041-.446q.039-.189.135-.342.097-.153.259-.302.135-.121.235-.23a1 1 0 0 0 .159-.224.6.6 0 0 0 .057-.262.64.64 0 0 0-.052-.276.35.35 0 0 0-.149-.17.5.5 0 0 0-.248-.058.5.5 0 0 0-.23.055.43.43 0 0 0-.175.161.6.6 0 0 0-.069.288h-.834q.008-.395.181-.65.175-.259.469-.383a1.65 1.65 0 0 1 .658-.126q.403 0 .691.132a.96.96 0 0 1 .44.383q.152.25.152.609a1 1 0 0 1-.098.446q-.097.193-.256.36a8 8 0 0 1-.348.345.8.8 0 0 0-.224.308 1.2 1.2 0 0 0-.06.382m-.82.889q0-.184.127-.305a.47.47 0 0 1 .339-.124.46.46 0 0 1 .336.124q.13.121.13.305a.4.4 0 0 1-.13.302.46.46 0 0 1-.336.124.47.47 0 0 1-.339-.124.4.4 0 0 1-.127-.302"/><g class="tw-fill-secondary-700" clip-path="url(#h)"><path d="M141.027 174.75c0-.291.235-.526.526-.526h1.472a.315.315 0 1 0 0-.631h-1.472c-.639 0-1.157.518-1.157 1.157v3.576c0 .639.518 1.157 1.157 1.157h3.576c.639 0 1.157-.518 1.157-1.157v-1.472a.315.315 0 1 0-.631 0v1.472a.525.525 0 0 1-.526.526h-3.576a.525.525 0 0 1-.526-.526z"/><path d="M144.498 173.593a.316.316 0 1 0 0 .631h.711l-1.776 1.775a.317.317 0 0 0 .447.447l1.775-1.776v.711a.316.316 0 0 0 .631 0v-1.473a.315.315 0 0 0-.315-.315z"/></g></g><path class="tw-stroke-secondary-100" stroke-width=".421" d="M30.939 63.596h124.123c5.461 0 9.888 4.428 9.888 9.889v106.031c0 5.461-4.427 9.887-9.888 9.887H30.939c-5.461 0-9.89-4.426-9.89-9.887V73.485c0-5.461 4.429-9.89 9.89-9.89Z"/></g></g><defs><clipPath id="b"><path class="tw-fill-background" d="M155.801 8.317h11.438v11.438h-11.438z"/></clipPath><clipPath id="c"><rect width="154" height="205" x="16" y="24" class="tw-fill-background" rx="4.918"/></clipPath><clipPath id="d"><path class="tw-fill-background" d="M21.874 57.75h143.253v14.345H21.874z"/></clipPath><clipPath id="e"><rect width="154" height="205" x="16" y="24" class="tw-fill-background" rx="4.918"/></clipPath><clipPath id="g"><path class="tw-fill-background" d="M20.84 73.484c0-5.577 4.521-10.098 10.098-10.098h124.125c5.577 0 10.098 4.521 10.098 10.098v106.032c0 5.577-4.521 10.098-10.098 10.098H30.938c-5.577 0-10.098-4.521-10.098-10.098z"/></clipPath><clipPath id="h"><path class="tw-fill-background" d="M139.976 173.172h6.732v6.732h-6.732z"/></clipPath><filter id="a" width="184.857" height="228.234" x="6.26" y="1.883" color-interpolation-filters="sRGB" filterUnits="userSpaceOnUse"><feFlood flood-opacity="0" result="BackgroundImageFix"/><feColorMatrix in="SourceAlpha" result="hardAlpha" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/><feOffset/><feGaussianBlur stdDeviation=".558"/><feColorMatrix values="0 0 0 0 0.4 0 0 0 0 0.4 0 0 0 0 0.5 0 0 0 0.35 0"/><feBlend in2="BackgroundImageFix" result="effect1_dropShadow_6463_20789"/><feBlend in="SourceGraphic" in2="effect1_dropShadow_6463_20789" result="shape"/></filter><filter id="f" width="161.152" height="143.059" x="12.425" y="63.386" color-interpolation-filters="sRGB" filterUnits="userSpaceOnUse"><feFlood flood-opacity="0" result="BackgroundImageFix"/><feColorMatrix in="SourceAlpha" result="hardAlpha" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/><feMorphology in="SourceAlpha" radius="2.104" result="effect1_dropShadow_6463_20789"/><feOffset dy="8.415"/><feGaussianBlur stdDeviation="5.26"/><feComposite in2="hardAlpha" operator="out"/><feColorMatrix values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.25 0"/><feBlend in2="BackgroundImageFix" result="effect1_dropShadow_6463_20789"/><feColorMatrix in="SourceAlpha" result="hardAlpha" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/><feMorphology in="SourceAlpha" radius="2.525" result="effect2_dropShadow_6463_20789"/><feOffset dy="3.366"/><feGaussianBlur stdDeviation="2.104"/><feComposite in2="hardAlpha" operator="out"/><feColorMatrix values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.25 0"/><feBlend in2="effect1_dropShadow_6463_20789" result="effect2_dropShadow_6463_20789"/><feBlend in="SourceGraphic" in2="effect2_dropShadow_6463_20789" result="shape"/></filter></defs></svg>
+`;
diff --git a/libs/assets/src/svg/svgs/index.ts b/libs/assets/src/svg/svgs/index.ts
index 3c6fe4b8306..1e3000c9b4c 100644
--- a/libs/assets/src/svg/svgs/index.ts
+++ b/libs/assets/src/svg/svgs/index.ts
@@ -1,6 +1,7 @@
 export * from "./account-warning.icon";
 export * from "./active-send.icon";
 export { default as AdminConsoleLogo } from "./admin-console";
+export * from "./auto-confirmation";
 export * from "./background-left-illustration";
 export * from "./background-right-illustration";
 export * from "./bitwarden-icon";
diff --git a/libs/common/src/admin-console/enums/policy-type.enum.ts b/libs/common/src/admin-console/enums/policy-type.enum.ts
index 7c06bc41a66..ae0070dda89 100644
--- a/libs/common/src/admin-console/enums/policy-type.enum.ts
+++ b/libs/common/src/admin-console/enums/policy-type.enum.ts
@@ -19,4 +19,5 @@ export enum PolicyType {
   RestrictedItemTypes = 15, // Restricts item types that can be created within an organization
   UriMatchDefaults = 16, // Sets the default URI matching strategy for all users within an organization
   AutotypeDefaultSetting = 17, // Sets the default autotype setting for desktop app
+  AutoConfirm = 18, // Enables the auto confirmation feature for admins to enable in their client
 }
diff --git a/libs/common/src/admin-console/models/data/organization.data.spec.ts b/libs/common/src/admin-console/models/data/organization.data.spec.ts
index 346fc3db4bb..bc74dd189ba 100644
--- a/libs/common/src/admin-console/models/data/organization.data.spec.ts
+++ b/libs/common/src/admin-console/models/data/organization.data.spec.ts
@@ -30,6 +30,7 @@ describe("ORGANIZATIONS state", () => {
         useSecretsManager: false,
         usePasswordManager: false,
         useActivateAutofillPolicy: false,
+        useAutomaticUserConfirmation: false,
         selfHost: false,
         usersGetPremium: false,
         seats: 0,
diff --git a/libs/common/src/admin-console/models/data/organization.data.ts b/libs/common/src/admin-console/models/data/organization.data.ts
index 95b4b294445..e6bf9dbaaa3 100644
--- a/libs/common/src/admin-console/models/data/organization.data.ts
+++ b/libs/common/src/admin-console/models/data/organization.data.ts
@@ -30,6 +30,7 @@ export class OrganizationData {
   useSecretsManager: boolean;
   usePasswordManager: boolean;
   useActivateAutofillPolicy: boolean;
+  useAutomaticUserConfirmation: boolean;
   selfHost: boolean;
   usersGetPremium: boolean;
   seats: number;
@@ -99,6 +100,7 @@ export class OrganizationData {
     this.useSecretsManager = response.useSecretsManager;
     this.usePasswordManager = response.usePasswordManager;
     this.useActivateAutofillPolicy = response.useActivateAutofillPolicy;
+    this.useAutomaticUserConfirmation = response.useAutomaticUserConfirmation;
     this.selfHost = response.selfHost;
     this.usersGetPremium = response.usersGetPremium;
     this.seats = response.seats;
diff --git a/libs/common/src/admin-console/models/domain/organization.ts b/libs/common/src/admin-console/models/domain/organization.ts
index 1372150bd81..aea796dfc39 100644
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -38,6 +38,7 @@ export class Organization {
   useSecretsManager: boolean;
   usePasswordManager: boolean;
   useActivateAutofillPolicy: boolean;
+  useAutomaticUserConfirmation: boolean;
   selfHost: boolean;
   usersGetPremium: boolean;
   seats: number;
@@ -124,6 +125,7 @@ export class Organization {
     this.useSecretsManager = obj.useSecretsManager;
     this.usePasswordManager = obj.usePasswordManager;
     this.useActivateAutofillPolicy = obj.useActivateAutofillPolicy;
+    this.useAutomaticUserConfirmation = obj.useAutomaticUserConfirmation;
     this.selfHost = obj.selfHost;
     this.usersGetPremium = obj.usersGetPremium;
     this.seats = obj.seats;
diff --git a/libs/common/src/admin-console/models/response/profile-organization.response.ts b/libs/common/src/admin-console/models/response/profile-organization.response.ts
index 53c3858ed1d..dc5090f2c05 100644
--- a/libs/common/src/admin-console/models/response/profile-organization.response.ts
+++ b/libs/common/src/admin-console/models/response/profile-organization.response.ts
@@ -23,6 +23,7 @@ export class ProfileOrganizationResponse extends BaseResponse {
   useSecretsManager: boolean;
   usePasswordManager: boolean;
   useActivateAutofillPolicy: boolean;
+  useAutomaticUserConfirmation: boolean;
   selfHost: boolean;
   usersGetPremium: boolean;
   seats: number;
@@ -82,6 +83,7 @@ export class ProfileOrganizationResponse extends BaseResponse {
     this.useSecretsManager = this.getResponseProperty("UseSecretsManager");
     this.usePasswordManager = this.getResponseProperty("UsePasswordManager");
     this.useActivateAutofillPolicy = this.getResponseProperty("UseActivateAutofillPolicy");
+    this.useAutomaticUserConfirmation = this.getResponseProperty("UseAutomaticUserConfirmation");
     this.selfHost = this.getResponseProperty("SelfHost");
     this.usersGetPremium = this.getResponseProperty("UsersGetPremium");
     this.seats = this.getResponseProperty("Seats");
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index abe8a6bba68..e26fa69fa91 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -12,6 +12,7 @@ import { ServerConfig } from "../platform/abstractions/config/server-config";
 export enum FeatureFlag {
   /* Admin Console Team */
   CreateDefaultLocation = "pm-19467-create-default-location",
+  AutoConfirm = "pm-19934-auto-confirm-organization-users",
 
   /* Auth */
   PM22110_DisableAlternateLoginMethods = "pm-22110-disable-alternate-login-methods",
@@ -80,6 +81,7 @@ const FALSE = false as boolean;
 export const DefaultFeatureFlagValue = {
   /* Admin Console Team */
   [FeatureFlag.CreateDefaultLocation]: FALSE,
+  [FeatureFlag.AutoConfirm]: FALSE,
 
   /* Autofill */
   [FeatureFlag.MacOsNativeCredentialSync]: FALSE,

From fb53aac84e5e60c6b1ca4b4774e7c89354b88029 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 22 Oct 2025 16:15:07 -0400
Subject: [PATCH 05/11] [deps] SM: Update jest (#15290)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
---
 package-lock.json | 46 +++++++++++++++++++++++++++++++---------------
 package.json      |  4 ++--
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4e3707a60e2..c9abe11b585 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -154,7 +154,7 @@
         "jest-diff": "29.7.0",
         "jest-junit": "16.0.0",
         "jest-mock-extended": "3.0.7",
-        "jest-preset-angular": "14.6.0",
+        "jest-preset-angular": "14.6.1",
         "json5": "2.2.3",
         "lint-staged": "16.0.0",
         "mini-css-extract-plugin": "2.9.2",
@@ -171,7 +171,7 @@
         "storybook": "8.6.12",
         "style-loader": "4.0.0",
         "tailwindcss": "3.4.17",
-        "ts-jest": "29.3.4",
+        "ts-jest": "29.4.5",
         "ts-loader": "9.5.2",
         "tsconfig-paths-webpack-plugin": "4.2.0",
         "type-fest": "2.19.0",
@@ -26855,9 +26855,9 @@
       }
     },
     "node_modules/jest-preset-angular": {
-      "version": "14.6.0",
-      "resolved": "https://registry.npmjs.org/jest-preset-angular/-/jest-preset-angular-14.6.0.tgz",
-      "integrity": "sha512-LGSKLCsUhtrs2dw6f7ega/HOS8/Ni/1gV+oXmxPHmJDLHFpM6cI78Monmz8Z1P87a/A4OwnKilxgPRr+6Pzmgg==",
+      "version": "14.6.1",
+      "resolved": "https://registry.npmjs.org/jest-preset-angular/-/jest-preset-angular-14.6.1.tgz",
+      "integrity": "sha512-7q5x42wKrsF2ykOwGVzcXpr9p1X4FQJMU/DnH1tpvCmeOm5XqENdwD/xDZug+nP6G8SJPdioauwdsK/PMY/MpQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -39290,20 +39290,19 @@
       "license": "Apache-2.0"
     },
     "node_modules/ts-jest": {
-      "version": "29.3.4",
-      "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.3.4.tgz",
-      "integrity": "sha512-Iqbrm8IXOmV+ggWHOTEbjwyCf2xZlUMv5npExksXohL+tk8va4Fjhb+X2+Rt9NBmgO7bJ8WpnMLOwih/DnMlFA==",
+      "version": "29.4.5",
+      "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.4.5.tgz",
+      "integrity": "sha512-HO3GyiWn2qvTQA4kTgjDcXiMwYQt68a1Y8+JuLRVpdIzm+UOLSHgl/XqR4c6nzJkq5rOkjc02O2I7P7l/Yof0Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "bs-logger": "^0.2.6",
-        "ejs": "^3.1.10",
         "fast-json-stable-stringify": "^2.1.0",
-        "jest-util": "^29.0.0",
+        "handlebars": "^4.7.8",
         "json5": "^2.2.3",
         "lodash.memoize": "^4.1.2",
         "make-error": "^1.3.6",
-        "semver": "^7.7.2",
+        "semver": "^7.7.3",
         "type-fest": "^4.41.0",
         "yargs-parser": "^21.1.1"
       },
@@ -39315,10 +39314,11 @@
       },
       "peerDependencies": {
         "@babel/core": ">=7.0.0-beta.0 <8",
-        "@jest/transform": "^29.0.0",
-        "@jest/types": "^29.0.0",
-        "babel-jest": "^29.0.0",
-        "jest": "^29.0.0",
+        "@jest/transform": "^29.0.0 || ^30.0.0",
+        "@jest/types": "^29.0.0 || ^30.0.0",
+        "babel-jest": "^29.0.0 || ^30.0.0",
+        "jest": "^29.0.0 || ^30.0.0",
+        "jest-util": "^29.0.0 || ^30.0.0",
         "typescript": ">=4.3 <6"
       },
       "peerDependenciesMeta": {
@@ -39336,9 +39336,25 @@
         },
         "esbuild": {
           "optional": true
+        },
+        "jest-util": {
+          "optional": true
         }
       }
     },
+    "node_modules/ts-jest/node_modules/semver": {
+      "version": "7.7.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
+      "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
     "node_modules/ts-jest/node_modules/type-fest": {
       "version": "4.41.0",
       "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.41.0.tgz",
diff --git a/package.json b/package.json
index 4acf038b65a..88cf2bda43c 100644
--- a/package.json
+++ b/package.json
@@ -117,7 +117,7 @@
     "jest-diff": "29.7.0",
     "jest-junit": "16.0.0",
     "jest-mock-extended": "3.0.7",
-    "jest-preset-angular": "14.6.0",
+    "jest-preset-angular": "14.6.1",
     "json5": "2.2.3",
     "lint-staged": "16.0.0",
     "mini-css-extract-plugin": "2.9.2",
@@ -134,7 +134,7 @@
     "storybook": "8.6.12",
     "style-loader": "4.0.0",
     "tailwindcss": "3.4.17",
-    "ts-jest": "29.3.4",
+    "ts-jest": "29.4.5",
     "ts-loader": "9.5.2",
     "tsconfig-paths-webpack-plugin": "4.2.0",
     "type-fest": "2.19.0",

From 7804aa118c7c9aad521a20fbeb319ba4145ee63e Mon Sep 17 00:00:00 2001
From: Kyle Denney <4227399+kdenney@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:45:51 -0500
Subject: [PATCH 06/11] [PM-27206] fix: redirect from premium page if user has
 premium (#16990)

---
 .../premium/premium-vnext.component.ts        | 46 +++++++++++++++----
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/apps/web/src/app/billing/individual/premium/premium-vnext.component.ts b/apps/web/src/app/billing/individual/premium/premium-vnext.component.ts
index 9de9c22d3c3..61994fdb61d 100644
--- a/apps/web/src/app/billing/individual/premium/premium-vnext.component.ts
+++ b/apps/web/src/app/billing/individual/premium/premium-vnext.component.ts
@@ -1,21 +1,29 @@
 import { CommonModule } from "@angular/common";
 import { Component, DestroyRef, inject } from "@angular/core";
 import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
-import { combineLatest, firstValueFrom, map, Observable, of, shareReplay, switchMap } from "rxjs";
+import { ActivatedRoute, Router } from "@angular/router";
+import {
+  combineLatest,
+  firstValueFrom,
+  from,
+  map,
+  Observable,
+  of,
+  shareReplay,
+  switchMap,
+} from "rxjs";
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { SyncService } from "@bitwarden/common/platform/sync";
 import {
-  DialogService,
-  ToastService,
-  SectionComponent,
   BadgeModule,
-  TypographyModule,
+  DialogService,
   LinkModule,
+  SectionComponent,
+  TypographyModule,
 } from "@bitwarden/components";
 import { PricingCardComponent } from "@bitwarden/pricing";
 import { I18nPipe } from "@bitwarden/ui-common";
@@ -69,14 +77,14 @@ export class PremiumVNextComponent {
 
   constructor(
     private accountService: AccountService,
-    private i18nService: I18nService,
     private apiService: ApiService,
     private dialogService: DialogService,
     private platformUtilsService: PlatformUtilsService,
     private syncService: SyncService,
-    private toastService: ToastService,
     private billingAccountProfileStateService: BillingAccountProfileStateService,
     private subscriptionPricingService: SubscriptionPricingService,
+    private router: Router,
+    private activatedRoute: ActivatedRoute,
   ) {
     this.isSelfHost = this.platformUtilsService.isSelfHost();
 
@@ -107,6 +115,23 @@ export class PremiumVNextComponent {
       this.hasPremiumPersonally$,
     ]).pipe(map(([hasOrgPremium, hasPersonalPremium]) => !hasOrgPremium && !hasPersonalPremium));
 
+    // redirect to user subscription page if they already have premium personally
+    // redirect to individual vault if they already have premium from an org
+    combineLatest([this.hasPremiumFromAnyOrganization$, this.hasPremiumPersonally$])
+      .pipe(
+        takeUntilDestroyed(this.destroyRef),
+        switchMap(([hasPremiumFromOrg, hasPremiumPersonally]) => {
+          if (hasPremiumPersonally) {
+            return from(this.navigateToSubscriptionPage());
+          }
+          if (hasPremiumFromOrg) {
+            return from(this.navigateToIndividualVault());
+          }
+          return of(true);
+        }),
+      )
+      .subscribe();
+
     this.personalPricingTiers$ =
       this.subscriptionPricingService.getPersonalSubscriptionPricingTiers$();
 
@@ -141,6 +166,11 @@ export class PremiumVNextComponent {
     );
   }
 
+  private navigateToSubscriptionPage = (): Promise<boolean> =>
+    this.router.navigate(["../user-subscription"], { relativeTo: this.activatedRoute });
+
+  private navigateToIndividualVault = (): Promise<boolean> => this.router.navigate(["/vault"]);
+
   finalizeUpgrade = async () => {
     await this.apiService.refreshIdentityToken();
     await this.syncService.fullSync(true);

From 740fe0787f50a2b6ac55f988200ad1ffdaaea73e Mon Sep 17 00:00:00 2001
From: Nik Gilmore <ngilmore@bitwarden.com>
Date: Wed, 22 Oct 2025 16:18:53 -0700
Subject: [PATCH 07/11] [PM-26974] Add reprompt check when deleting ciphers in
 browser extension (#16907)

* Add reprompt check when deleting ciphers in browser extension

* RE-use existing remprompt check function.
---
 .../item-more-options/item-more-options.component.ts         | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts b/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts
index 83535b09e66..1b8403e6024 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/item-more-options/item-more-options.component.ts
@@ -267,6 +267,11 @@ export class ItemMoreOptionsComponent {
   }
 
   protected async delete() {
+    const repromptPassed = await this.passwordRepromptService.passwordRepromptCheck(this.cipher);
+    if (!repromptPassed) {
+      return;
+    }
+
     const confirmed = await this.dialogService.openSimpleDialog({
       title: { key: "deleteItem" },
       content: { key: "deleteItemConfirmation" },

From 0ec3f661d58e0147341010d7c63b3a362a714f13 Mon Sep 17 00:00:00 2001
From: Nik Gilmore <ngilmore@bitwarden.com>
Date: Wed, 22 Oct 2025 16:19:57 -0700
Subject: [PATCH 08/11] [PM-22992] Send lastKnownRevisionDate with Attachment
 API calls (#16862)

* Add lastKnownRevisionDate to Attachment methods.

* Address issues raised by Claude PR

* Fix string errors

* Show error to user in event of attachment upload failure

* Improve error handling for missing cipher

* Add unit tests for attachment lastKnownRevisionDate

* Remove generic title from toast errors

* Move lastKnwonRevisionDate to function input
---
 .../models/request/attachment.request.ts      |  1 +
 .../vault/models/request/cipher.request.ts    |  1 +
 .../src/vault/services/cipher.service.spec.ts | 31 +++++++
 .../src/vault/services/cipher.service.ts      | 13 ++-
 .../cipher-file-upload.service.spec.ts        | 82 +++++++++++++++++++
 .../file-upload/cipher-file-upload.service.ts |  1 +
 .../cipher-attachments.component.spec.ts      | 43 ++++++++++
 .../cipher-attachments.component.ts           | 13 +++
 8 files changed, 183 insertions(+), 2 deletions(-)
 create mode 100644 libs/common/src/vault/services/file-upload/cipher-file-upload.service.spec.ts

diff --git a/libs/common/src/vault/models/request/attachment.request.ts b/libs/common/src/vault/models/request/attachment.request.ts
index d058fa69d8b..80205835ab7 100644
--- a/libs/common/src/vault/models/request/attachment.request.ts
+++ b/libs/common/src/vault/models/request/attachment.request.ts
@@ -5,4 +5,5 @@ export class AttachmentRequest {
   key: string;
   fileSize: number;
   adminRequest: boolean;
+  lastKnownRevisionDate: Date;
 }
diff --git a/libs/common/src/vault/models/request/cipher.request.ts b/libs/common/src/vault/models/request/cipher.request.ts
index 63776c8aea6..b29d5865d2b 100644
--- a/libs/common/src/vault/models/request/cipher.request.ts
+++ b/libs/common/src/vault/models/request/cipher.request.ts
@@ -201,6 +201,7 @@ export class CipherRequest {
         this.attachments[attachment.id] = fileName;
         const attachmentRequest = new AttachmentRequest();
         attachmentRequest.fileName = fileName;
+        attachmentRequest.lastKnownRevisionDate = cipher.revisionDate;
         if (attachment.key != null) {
           attachmentRequest.key = attachment.key.encryptedString;
         }
diff --git a/libs/common/src/vault/services/cipher.service.spec.ts b/libs/common/src/vault/services/cipher.service.spec.ts
index e6c22961673..85ce8bd0423 100644
--- a/libs/common/src/vault/services/cipher.service.spec.ts
+++ b/libs/common/src/vault/services/cipher.service.spec.ts
@@ -174,6 +174,37 @@ describe("Cipher Service", () => {
 
       expect(spy).toHaveBeenCalled();
     });
+
+    it("should include lastKnownRevisionDate in the upload request", async () => {
+      const fileName = "filename";
+      const fileData = new Uint8Array(10);
+      const testCipher = new Cipher(cipherData);
+      const expectedRevisionDate = "2022-01-31T12:00:00.000Z";
+
+      keyService.getOrgKey.mockReturnValue(
+        Promise.resolve<any>(new SymmetricCryptoKey(new Uint8Array(32)) as OrgKey),
+      );
+      keyService.makeDataEncKey.mockReturnValue(
+        Promise.resolve([
+          new SymmetricCryptoKey(new Uint8Array(32)),
+          new EncString("encrypted-key"),
+        ] as any),
+      );
+
+      configService.checkServerMeetsVersionRequirement$.mockReturnValue(of(false));
+      configService.getFeatureFlag
+        .calledWith(FeatureFlag.CipherKeyEncryption)
+        .mockResolvedValue(false);
+
+      const uploadSpy = jest.spyOn(cipherFileUploadService, "upload").mockResolvedValue({} as any);
+
+      await cipherService.saveAttachmentRawWithServer(testCipher, fileName, fileData, userId);
+
+      // Verify upload was called with cipher that has revisionDate
+      expect(uploadSpy).toHaveBeenCalled();
+      const cipherArg = uploadSpy.mock.calls[0][0];
+      expect(cipherArg.revisionDate).toEqual(new Date(expectedRevisionDate));
+    });
   });
 
   describe("createWithServer()", () => {
diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts
index 41f94e02cdf..8032c69ed7c 100644
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -937,7 +937,12 @@ export class CipherService implements CipherServiceAbstraction {
         cipher.attachments.forEach((attachment) => {
           if (attachment.key == null) {
             attachmentPromises.push(
-              this.shareAttachmentWithServer(attachment, cipher.id, organizationId),
+              this.shareAttachmentWithServer(
+                attachment,
+                cipher.id,
+                organizationId,
+                cipher.revisionDate,
+              ),
             );
           }
         });
@@ -1722,7 +1727,10 @@ export class CipherService implements CipherServiceAbstraction {
     attachmentView: AttachmentView,
     cipherId: string,
     organizationId: string,
+    lastKnownRevisionDate: Date,
   ): Promise<any> {
+    const activeUserId = await firstValueFrom(this.accountService.activeAccount$);
+
     const attachmentResponse = await this.apiService.nativeFetch(
       new Request(attachmentView.url, { cache: "no-store" }),
     );
@@ -1731,7 +1739,6 @@ export class CipherService implements CipherServiceAbstraction {
     }
 
     const encBuf = await EncArrayBuffer.fromResponse(attachmentResponse);
-    const activeUserId = await firstValueFrom(this.accountService.activeAccount$);
     const userKey = await this.keyService.getUserKey(activeUserId.id);
     const decBuf = await this.encryptService.decryptFileData(encBuf, userKey);
 
@@ -1752,9 +1759,11 @@ export class CipherService implements CipherServiceAbstraction {
       const blob = new Blob([encData.buffer], { type: "application/octet-stream" });
       fd.append("key", dataEncKey[1].encryptedString);
       fd.append("data", blob, encFileName.encryptedString);
+      fd.append("lastKnownRevisionDate", lastKnownRevisionDate.toISOString());
     } catch (e) {
       if (Utils.isNode && !Utils.isBrowser) {
         fd.append("key", dataEncKey[1].encryptedString);
+        fd.append("lastKnownRevisionDate", lastKnownRevisionDate.toISOString());
         fd.append(
           "data",
           Buffer.from(encData.buffer) as any,
diff --git a/libs/common/src/vault/services/file-upload/cipher-file-upload.service.spec.ts b/libs/common/src/vault/services/file-upload/cipher-file-upload.service.spec.ts
new file mode 100644
index 00000000000..8837f00df6b
--- /dev/null
+++ b/libs/common/src/vault/services/file-upload/cipher-file-upload.service.spec.ts
@@ -0,0 +1,82 @@
+import { mock } from "jest-mock-extended";
+
+import { ApiService } from "../../../abstractions/api.service";
+import { EncString } from "../../../key-management/crypto/models/enc-string";
+import { FileUploadService } from "../../../platform/abstractions/file-upload/file-upload.service";
+import { Utils } from "../../../platform/misc/utils";
+import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { CipherType } from "../../enums/cipher-type";
+import { Cipher } from "../../models/domain/cipher";
+import { AttachmentUploadDataResponse } from "../../models/response/attachment-upload-data.response";
+import { CipherResponse } from "../../models/response/cipher.response";
+
+import { CipherFileUploadService } from "./cipher-file-upload.service";
+
+describe("CipherFileUploadService", () => {
+  const apiService = mock<ApiService>();
+  const fileUploadService = mock<FileUploadService>();
+
+  let service: CipherFileUploadService;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    service = new CipherFileUploadService(apiService, fileUploadService);
+  });
+
+  describe("upload", () => {
+    it("should include lastKnownRevisionDate in the attachment request", async () => {
+      const cipherId = Utils.newGuid();
+      const mockCipher = new Cipher({
+        id: cipherId,
+        type: CipherType.Login,
+        name: "Test Cipher",
+        revisionDate: "2024-01-15T10:30:00.000Z",
+      } as any);
+
+      const mockEncFileName = new EncString("encrypted-filename");
+      const mockEncData = {
+        buffer: new ArrayBuffer(100),
+      } as unknown as EncArrayBuffer;
+
+      const mockDataEncKey: [SymmetricCryptoKey, EncString] = [
+        new SymmetricCryptoKey(new Uint8Array(32)),
+        new EncString("encrypted-key"),
+      ];
+
+      const mockUploadDataResponse = {
+        attachmentId: "attachment-id",
+        url: "https://upload.example.com",
+        fileUploadType: 0,
+        cipherResponse: {
+          id: cipherId,
+          type: CipherType.Login,
+          revisionDate: "2024-01-15T10:30:00.000Z",
+        } as CipherResponse,
+        cipherMiniResponse: null,
+      } as AttachmentUploadDataResponse;
+
+      apiService.postCipherAttachment.mockResolvedValue(mockUploadDataResponse);
+      fileUploadService.upload.mockResolvedValue(undefined);
+
+      await service.upload(mockCipher, mockEncFileName, mockEncData, false, mockDataEncKey);
+
+      const callArgs = apiService.postCipherAttachment.mock.calls[0][1];
+
+      expect(apiService.postCipherAttachment).toHaveBeenCalledWith(
+        cipherId,
+        expect.objectContaining({
+          key: "encrypted-key",
+          fileName: "encrypted-filename",
+          fileSize: 100,
+          adminRequest: false,
+        }),
+      );
+
+      // Verify lastKnownRevisionDate is set (it's converted to a Date object)
+      expect(callArgs.lastKnownRevisionDate).toBeDefined();
+      expect(callArgs.lastKnownRevisionDate).toEqual(new Date("2024-01-15T10:30:00.000Z"));
+    });
+  });
+});
diff --git a/libs/common/src/vault/services/file-upload/cipher-file-upload.service.ts b/libs/common/src/vault/services/file-upload/cipher-file-upload.service.ts
index 2fb2746366d..8d97a921748 100644
--- a/libs/common/src/vault/services/file-upload/cipher-file-upload.service.ts
+++ b/libs/common/src/vault/services/file-upload/cipher-file-upload.service.ts
@@ -33,6 +33,7 @@ export class CipherFileUploadService implements CipherFileUploadServiceAbstracti
       fileName: encFileName.encryptedString,
       fileSize: encData.buffer.byteLength,
       adminRequest: admin,
+      lastKnownRevisionDate: cipher.revisionDate,
     };
 
     let response: CipherResponse;
diff --git a/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.spec.ts b/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.spec.ts
index 439c651e5ad..c88ce9f0301 100644
--- a/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.spec.ts
+++ b/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.spec.ts
@@ -240,6 +240,49 @@ describe("CipherAttachmentsComponent", () => {
           message: "maxFileSize",
         });
       });
+
+      it("shows error toast with server message when saveAttachmentWithServer fails", async () => {
+        const file = { size: 100 } as File;
+        component.attachmentForm.controls.file.setValue(file);
+
+        const serverError = new Error("Cipher has been modified by another client");
+        saveAttachmentWithServer.mockRejectedValue(serverError);
+
+        await component.submit();
+
+        expect(showToast).toHaveBeenCalledWith({
+          variant: "error",
+          message: "Cipher has been modified by another client",
+        });
+      });
+
+      it("shows error toast with fallback message when error has no message property", async () => {
+        const file = { size: 100 } as File;
+        component.attachmentForm.controls.file.setValue(file);
+
+        saveAttachmentWithServer.mockRejectedValue({ code: "UNKNOWN_ERROR" });
+
+        await component.submit();
+
+        expect(showToast).toHaveBeenCalledWith({
+          variant: "error",
+          message: "unexpectedError",
+        });
+      });
+
+      it("shows error toast with string error message", async () => {
+        const file = { size: 100 } as File;
+        component.attachmentForm.controls.file.setValue(file);
+
+        saveAttachmentWithServer.mockRejectedValue("Network connection failed");
+
+        await component.submit();
+
+        expect(showToast).toHaveBeenCalledWith({
+          variant: "error",
+          message: "Network connection failed",
+        });
+      });
     });
 
     describe("success", () => {
diff --git a/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.ts b/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.ts
index 0bcb31c7af9..9ae1c62bd3e 100644
--- a/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.ts
+++ b/libs/vault/src/cipher-form/components/attachments/cipher-attachments.component.ts
@@ -222,6 +222,19 @@ export class CipherAttachmentsComponent implements OnInit, AfterViewInit {
       this.onUploadSuccess.emit();
     } catch (e) {
       this.logService.error(e);
+
+      // Extract error message from server response, fallback to generic message
+      let errorMessage = this.i18nService.t("unexpectedError");
+      if (typeof e === "string") {
+        errorMessage = e;
+      } else if (e?.message) {
+        errorMessage = e.message;
+      }
+
+      this.toastService.showToast({
+        variant: "error",
+        message: errorMessage,
+      });
     }
   };
 

From 29dccd63522f2d65aed9395a0522c43edafa03df Mon Sep 17 00:00:00 2001
From: Oscar Hinton <Hinton@users.noreply.github.com>
Date: Thu, 23 Oct 2025 03:28:47 +0200
Subject: [PATCH 09/11] Auth - Prefer signal & change detection (#16950)

---
 .../account-switcher.component.ts             |  2 ++
 .../account-switching/account.component.ts    |  6 +++++
 .../current-account.component.ts              |  2 ++
 .../popup/components/set-pin.component.ts     |  2 ++
 .../account-security.component.spec.ts        |  2 ++
 .../settings/account-security.component.ts    |  2 ++
 .../await-desktop-dialog.component.ts         |  2 ++
 .../extension-device-management.component.ts  |  2 ++
 .../src/auth/components/set-pin.component.ts  |  2 ++
 .../src/auth/delete-account.component.ts      |  2 ++
 .../accept/accept-emergency.component.ts      |  2 ++
 .../guards/deep-link/deep-link.guard.spec.ts  |  6 +++++
 .../accept-organization.component.ts          |  2 ++
 .../src/app/auth/recover-delete.component.ts  |  2 ++
 .../app/auth/recover-two-factor.component.ts  |  2 ++
 .../settings/account/account.component.ts     |  2 ++
 .../account/change-avatar-dialog.component.ts |  4 +++
 .../account/change-email.component.ts         |  2 ++
 .../settings/account/danger-zone.component.ts |  2 ++
 .../account/deauthorize-sessions.component.ts |  2 ++
 .../delete-account-dialog.component.ts        |  2 ++
 .../settings/account/profile.component.ts     |  2 ++
 .../account/selectable-avatar.component.ts    | 16 ++++++++++++
 ...account-verify-devices-dialog.component.ts |  2 ++
 .../emergency-access-confirm.component.ts     |  2 ++
 .../emergency-access-add-edit.component.ts    |  2 ++
 .../emergency-access.component.ts             |  2 ++
 ...rgency-access-takeover-dialog.component.ts |  4 +++
 .../view/emergency-access-view.component.ts   |  2 ++
 .../view/emergency-view-dialog.component.ts   |  2 ++
 .../settings/security/api-key.component.ts    |  2 ++
 .../password-settings.component.ts            |  2 ++
 .../security/security-keys.component.ts       |  2 ++
 .../settings/security/security.component.ts   |  2 ++
 .../two-factor-recovery.component.ts          |  2 ++
 ...wo-factor-setup-authenticator.component.ts |  4 +++
 .../two-factor-setup-duo.component.ts         |  4 +++
 .../two-factor-setup-email.component.ts       |  4 +++
 .../two-factor-setup-method-base.component.ts |  2 ++
 .../two-factor-setup-webauthn.component.ts    |  2 ++
 .../two-factor-setup-yubikey.component.ts     |  2 ++
 .../two-factor/two-factor-setup.component.ts  |  2 ++
 .../two-factor/two-factor-verify.component.ts |  4 +++
 .../auth/settings/verify-email.component.ts   |  6 +++++
 .../create-credential-dialog.component.ts     |  2 ++
 .../delete-credential-dialog.component.ts     |  2 ++
 .../enable-encryption-dialog.component.ts     |  2 ++
 .../webauthn-login-settings.component.ts      |  2 ++
 .../user-verification-prompt.component.ts     |  2 ++
 .../user-verification.component.ts            |  2 ++
 .../app/auth/verify-email-token.component.ts  |  2 ++
 .../auth/verify-recover-delete.component.ts   |  2 ++
 .../bit-web/src/app/auth/sso/sso.component.ts |  2 ++
 .../authentication-timeout.component.ts       |  2 ++
 .../components/two-factor-icon.component.ts   |  6 +++++
 .../components/user-verification.component.ts |  4 +++
 .../device-management-item-group.component.ts |  6 +++++
 .../device-management-table.component.ts      |  6 +++++
 .../device-management.component.ts            |  2 ++
 .../environment-selector.component.ts         |  2 ++
 .../src/auth/guards/active-auth.guard.spec.ts |  2 ++
 .../login-approval-dialog.component.ts        |  2 ++
 .../login-via-webauthn.component.ts           |  2 ++
 .../change-password.component.ts              |  4 +++
 .../set-initial-password.component.ts         |  2 ++
 .../fingerprint-dialog.component.ts           |  2 ++
 .../input-password.component.ts               | 26 +++++++++++++++++++
 .../login-decryption-options.component.ts     |  2 ++
 .../login-via-auth-request.component.ts       |  2 ++
 .../login-secondary-content.component.ts      |  2 ++
 .../auth/src/angular/login/login.component.ts |  4 +++
 .../new-device-verification.component.ts      |  2 ++
 .../password-callout.component.ts             |  6 +++++
 .../password-hint/password-hint.component.ts  |  2 ++
 .../registration-env-selector.component.ts    |  4 +++
 .../registration-finish.component.ts          |  2 ++
 .../registration-link-expired.component.ts    |  2 ++
 .../registration-start-secondary.component.ts |  2 ++
 .../registration-start.component.ts           |  4 +++
 ...self-hosted-env-config-dialog.component.ts |  2 ++
 libs/auth/src/angular/sso/sso.component.ts    |  2 ++
 ...two-factor-auth-authenticator.component.ts |  6 +++++
 .../two-factor-auth-duo.component.ts          |  6 +++++
 ...ctor-auth-email-component-cache.service.ts |  2 +-
 .../two-factor-auth-email.component.ts        |  6 +++++
 .../two-factor-auth-webauthn.component.ts     |  6 +++++
 .../two-factor-auth-yubikey.component.ts      |  4 +++
 ...two-factor-auth-component-cache.service.ts |  2 +-
 .../two-factor-auth.component.spec.ts         |  2 ++
 .../two-factor-auth.component.ts              |  6 +++++
 .../two-factor-auth.guard.spec.ts             |  2 ++
 .../two-factor-options.component.ts           |  2 ++
 .../user-verification-dialog.component.ts     |  2 ++
 .../user-verification-form-input.component.ts | 12 +++++++++
 .../vault-timeout-input.component.ts          |  4 +++
 ...lt-login-via-auth-request-cache.service.ts |  2 +-
 96 files changed, 311 insertions(+), 3 deletions(-)

diff --git a/apps/browser/src/auth/popup/account-switching/account-switcher.component.ts b/apps/browser/src/auth/popup/account-switching/account-switcher.component.ts
index 48fd57431a2..9e9a1ecf570 100644
--- a/apps/browser/src/auth/popup/account-switching/account-switcher.component.ts
+++ b/apps/browser/src/auth/popup/account-switching/account-switcher.component.ts
@@ -33,6 +33,8 @@ import { AccountComponent } from "./account.component";
 import { CurrentAccountComponent } from "./current-account.component";
 import { AccountSwitcherService } from "./services/account-switcher.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "account-switcher.component.html",
   imports: [
diff --git a/apps/browser/src/auth/popup/account-switching/account.component.ts b/apps/browser/src/auth/popup/account-switching/account.component.ts
index c060d9161ef..edfad2a54b3 100644
--- a/apps/browser/src/auth/popup/account-switching/account.component.ts
+++ b/apps/browser/src/auth/popup/account-switching/account.component.ts
@@ -13,13 +13,19 @@ import { BiometricsService } from "@bitwarden/key-management";
 
 import { AccountSwitcherService, AvailableAccount } from "./services/account-switcher.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-account",
   templateUrl: "account.component.html",
   imports: [CommonModule, JslibModule, AvatarModule, ItemModule],
 })
 export class AccountComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() account: AvailableAccount;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() loading = new EventEmitter<boolean>();
 
   constructor(
diff --git a/apps/browser/src/auth/popup/account-switching/current-account.component.ts b/apps/browser/src/auth/popup/account-switching/current-account.component.ts
index 63e8481621a..2dde3b5a266 100644
--- a/apps/browser/src/auth/popup/account-switching/current-account.component.ts
+++ b/apps/browser/src/auth/popup/account-switching/current-account.component.ts
@@ -21,6 +21,8 @@ export type CurrentAccount = {
   avatarColor: string;
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-current-account",
   templateUrl: "current-account.component.html",
diff --git a/apps/browser/src/auth/popup/components/set-pin.component.ts b/apps/browser/src/auth/popup/components/set-pin.component.ts
index a9e8e1b122f..dbb71ae3b07 100644
--- a/apps/browser/src/auth/popup/components/set-pin.component.ts
+++ b/apps/browser/src/auth/popup/components/set-pin.component.ts
@@ -13,6 +13,8 @@ import {
   IconButtonModule,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "set-pin.component.html",
   imports: [
diff --git a/apps/browser/src/auth/popup/settings/account-security.component.spec.ts b/apps/browser/src/auth/popup/settings/account-security.component.spec.ts
index 2335c5c2e69..aa3639e9e93 100644
--- a/apps/browser/src/auth/popup/settings/account-security.component.spec.ts
+++ b/apps/browser/src/auth/popup/settings/account-security.component.spec.ts
@@ -41,6 +41,8 @@ import { PopupRouterCacheService } from "../../../platform/popup/view-cache/popu
 
 import { AccountSecurityComponent } from "./account-security.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-pop-out",
   template: ` <ng-content></ng-content>`,
diff --git a/apps/browser/src/auth/popup/settings/account-security.component.ts b/apps/browser/src/auth/popup/settings/account-security.component.ts
index 4eb24d19605..65a0d33f93e 100644
--- a/apps/browser/src/auth/popup/settings/account-security.component.ts
+++ b/apps/browser/src/auth/popup/settings/account-security.component.ts
@@ -78,6 +78,8 @@ import { SetPinComponent } from "../components/set-pin.component";
 
 import { AwaitDesktopDialogComponent } from "./await-desktop-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "account-security.component.html",
   imports: [
diff --git a/apps/browser/src/auth/popup/settings/await-desktop-dialog.component.ts b/apps/browser/src/auth/popup/settings/await-desktop-dialog.component.ts
index 11bb9683bb9..a64cea1ef3e 100644
--- a/apps/browser/src/auth/popup/settings/await-desktop-dialog.component.ts
+++ b/apps/browser/src/auth/popup/settings/await-desktop-dialog.component.ts
@@ -3,6 +3,8 @@ import { Component } from "@angular/core";
 import { JslibModule } from "@bitwarden/angular/jslib.module";
 import { ButtonModule, DialogModule, DialogService } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "await-desktop-dialog.component.html",
   imports: [JslibModule, ButtonModule, DialogModule],
diff --git a/apps/browser/src/auth/popup/settings/extension-device-management.component.ts b/apps/browser/src/auth/popup/settings/extension-device-management.component.ts
index 793965db141..b431fc874dd 100644
--- a/apps/browser/src/auth/popup/settings/extension-device-management.component.ts
+++ b/apps/browser/src/auth/popup/settings/extension-device-management.component.ts
@@ -7,6 +7,8 @@ import { PopOutComponent } from "../../../platform/popup/components/pop-out.comp
 import { PopupHeaderComponent } from "../../../platform/popup/layout/popup-header.component";
 import { PopupPageComponent } from "../../../platform/popup/layout/popup-page.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   standalone: true,
   selector: "extension-device-management",
diff --git a/apps/desktop/src/auth/components/set-pin.component.ts b/apps/desktop/src/auth/components/set-pin.component.ts
index 93e1ea0d25c..5bb8e761b32 100644
--- a/apps/desktop/src/auth/components/set-pin.component.ts
+++ b/apps/desktop/src/auth/components/set-pin.component.ts
@@ -12,6 +12,8 @@ import {
   FormFieldModule,
   IconButtonModule,
 } from "@bitwarden/components";
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "set-pin.component.html",
   imports: [
diff --git a/apps/desktop/src/auth/delete-account.component.ts b/apps/desktop/src/auth/delete-account.component.ts
index b6c6650375d..5cd73896e07 100644
--- a/apps/desktop/src/auth/delete-account.component.ts
+++ b/apps/desktop/src/auth/delete-account.component.ts
@@ -20,6 +20,8 @@ import {
 
 import { UserVerificationComponent } from "../app/components/user-verification.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-delete-account",
   templateUrl: "delete-account.component.html",
diff --git a/apps/web/src/app/auth/emergency-access/accept/accept-emergency.component.ts b/apps/web/src/app/auth/emergency-access/accept/accept-emergency.component.ts
index e1b7329504c..d1491e6d782 100644
--- a/apps/web/src/app/auth/emergency-access/accept/accept-emergency.component.ts
+++ b/apps/web/src/app/auth/emergency-access/accept/accept-emergency.component.ts
@@ -12,6 +12,8 @@ import { SharedModule } from "../../../shared";
 import { EmergencyAccessModule } from "../emergency-access.module";
 import { EmergencyAccessService } from "../services/emergency-access.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   imports: [SharedModule, EmergencyAccessModule],
   templateUrl: "accept-emergency.component.html",
diff --git a/apps/web/src/app/auth/guards/deep-link/deep-link.guard.spec.ts b/apps/web/src/app/auth/guards/deep-link/deep-link.guard.spec.ts
index dba4dbd8357..31033b29154 100644
--- a/apps/web/src/app/auth/guards/deep-link/deep-link.guard.spec.ts
+++ b/apps/web/src/app/auth/guards/deep-link/deep-link.guard.spec.ts
@@ -11,18 +11,24 @@ import { RouterService } from "../../../core/router.service";
 
 import { deepLinkGuard } from "./deep-link.guard";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   template: "",
   standalone: false,
 })
 export class GuardedRouteTestComponent {}
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   template: "",
   standalone: false,
 })
 export class LockTestComponent {}
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   template: "",
   standalone: false,
diff --git a/apps/web/src/app/auth/organization-invite/accept-organization.component.ts b/apps/web/src/app/auth/organization-invite/accept-organization.component.ts
index 09d4fc3e9ef..f98a62f91ea 100644
--- a/apps/web/src/app/auth/organization-invite/accept-organization.component.ts
+++ b/apps/web/src/app/auth/organization-invite/accept-organization.component.ts
@@ -16,6 +16,8 @@ import { BaseAcceptComponent } from "../../common/base.accept.component";
 
 import { AcceptOrganizationInviteService } from "./accept-organization.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "accept-organization.component.html",
   standalone: false,
diff --git a/apps/web/src/app/auth/recover-delete.component.ts b/apps/web/src/app/auth/recover-delete.component.ts
index 7381d526879..00b14f9a402 100644
--- a/apps/web/src/app/auth/recover-delete.component.ts
+++ b/apps/web/src/app/auth/recover-delete.component.ts
@@ -10,6 +10,8 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ToastService } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-recover-delete",
   templateUrl: "recover-delete.component.html",
diff --git a/apps/web/src/app/auth/recover-two-factor.component.ts b/apps/web/src/app/auth/recover-two-factor.component.ts
index f606e803df3..dc85668c8ec 100644
--- a/apps/web/src/app/auth/recover-two-factor.component.ts
+++ b/apps/web/src/app/auth/recover-two-factor.component.ts
@@ -16,6 +16,8 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
 import { ToastService } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-recover-two-factor",
   templateUrl: "recover-two-factor.component.html",
diff --git a/apps/web/src/app/auth/settings/account/account.component.ts b/apps/web/src/app/auth/settings/account/account.component.ts
index 921db19bc49..8bae8cd2c1f 100644
--- a/apps/web/src/app/auth/settings/account/account.component.ts
+++ b/apps/web/src/app/auth/settings/account/account.component.ts
@@ -19,6 +19,8 @@ import { DeleteAccountDialogComponent } from "./delete-account-dialog.component"
 import { ProfileComponent } from "./profile.component";
 import { SetAccountVerifyDevicesDialogComponent } from "./set-account-verify-devices-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "account.component.html",
   imports: [
diff --git a/apps/web/src/app/auth/settings/account/change-avatar-dialog.component.ts b/apps/web/src/app/auth/settings/account/change-avatar-dialog.component.ts
index 6bb785fb8f5..6e6fac1404e 100644
--- a/apps/web/src/app/auth/settings/account/change-avatar-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/account/change-avatar-dialog.component.ts
@@ -32,6 +32,8 @@ type ChangeAvatarDialogData = {
   profile: ProfileResponse;
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "change-avatar-dialog.component.html",
   encapsulation: ViewEncapsulation.None,
@@ -40,6 +42,8 @@ type ChangeAvatarDialogData = {
 export class ChangeAvatarDialogComponent implements OnInit, OnDestroy {
   profile: ProfileResponse;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild("colorPicker") colorPickerElement: ElementRef<HTMLElement>;
 
   loading = false;
diff --git a/apps/web/src/app/auth/settings/account/change-email.component.ts b/apps/web/src/app/auth/settings/account/change-email.component.ts
index b6ca39c6413..ee29e0c8a9c 100644
--- a/apps/web/src/app/auth/settings/account/change-email.component.ts
+++ b/apps/web/src/app/auth/settings/account/change-email.component.ts
@@ -17,6 +17,8 @@ import { KdfConfigService, KeyService } from "@bitwarden/key-management";
 
 import { SharedModule } from "../../../shared";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-change-email",
   templateUrl: "change-email.component.html",
diff --git a/apps/web/src/app/auth/settings/account/danger-zone.component.ts b/apps/web/src/app/auth/settings/account/danger-zone.component.ts
index 05fd22d087d..e60ff6ec03d 100644
--- a/apps/web/src/app/auth/settings/account/danger-zone.component.ts
+++ b/apps/web/src/app/auth/settings/account/danger-zone.component.ts
@@ -9,6 +9,8 @@ import { I18nPipe } from "@bitwarden/ui-common";
 /**
  * Component for the Danger Zone section of the Account/Organization Settings page.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-danger-zone",
   templateUrl: "danger-zone.component.html",
diff --git a/apps/web/src/app/auth/settings/account/deauthorize-sessions.component.ts b/apps/web/src/app/auth/settings/account/deauthorize-sessions.component.ts
index f75320e8335..b792963ae9b 100644
--- a/apps/web/src/app/auth/settings/account/deauthorize-sessions.component.ts
+++ b/apps/web/src/app/auth/settings/account/deauthorize-sessions.component.ts
@@ -12,6 +12,8 @@ import { DialogService, ToastService } from "@bitwarden/components";
 
 import { SharedModule } from "../../../shared";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "deauthorize-sessions.component.html",
   imports: [SharedModule, UserVerificationFormInputComponent],
diff --git a/apps/web/src/app/auth/settings/account/delete-account-dialog.component.ts b/apps/web/src/app/auth/settings/account/delete-account-dialog.component.ts
index 7e8f169994f..76eb067fdd2 100644
--- a/apps/web/src/app/auth/settings/account/delete-account-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/account/delete-account-dialog.component.ts
@@ -12,6 +12,8 @@ import { DialogRef, DialogService, ToastService } from "@bitwarden/components";
 
 import { SharedModule } from "../../../shared";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "delete-account-dialog.component.html",
   imports: [SharedModule, UserVerificationFormInputComponent],
diff --git a/apps/web/src/app/auth/settings/account/profile.component.ts b/apps/web/src/app/auth/settings/account/profile.component.ts
index 1f4fa578491..fd96f343b3a 100644
--- a/apps/web/src/app/auth/settings/account/profile.component.ts
+++ b/apps/web/src/app/auth/settings/account/profile.component.ts
@@ -23,6 +23,8 @@ import { AccountFingerprintComponent } from "../../../shared/components/account-
 
 import { ChangeAvatarDialogComponent } from "./change-avatar-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-profile",
   templateUrl: "profile.component.html",
diff --git a/apps/web/src/app/auth/settings/account/selectable-avatar.component.ts b/apps/web/src/app/auth/settings/account/selectable-avatar.component.ts
index 630c0e949ad..b74cf8beb59 100644
--- a/apps/web/src/app/auth/settings/account/selectable-avatar.component.ts
+++ b/apps/web/src/app/auth/settings/account/selectable-avatar.component.ts
@@ -5,6 +5,8 @@ import { Component, EventEmitter, Input, Output } from "@angular/core";
 
 import { AvatarModule } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "selectable-avatar",
   template: `<span
@@ -30,12 +32,26 @@ import { AvatarModule } from "@bitwarden/components";
   imports: [NgClass, AvatarModule],
 })
 export class SelectableAvatarComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() id: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() text: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() title: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() color: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() border = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() selected = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() select = new EventEmitter<string>();
 
   onFire() {
diff --git a/apps/web/src/app/auth/settings/account/set-account-verify-devices-dialog.component.ts b/apps/web/src/app/auth/settings/account/set-account-verify-devices-dialog.component.ts
index c66f31f6c3b..01be46c45b3 100644
--- a/apps/web/src/app/auth/settings/account/set-account-verify-devices-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/account/set-account-verify-devices-dialog.component.ts
@@ -27,6 +27,8 @@ import {
   ToastService,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "./set-account-verify-devices-dialog.component.html",
   imports: [
diff --git a/apps/web/src/app/auth/settings/emergency-access/confirm/emergency-access-confirm.component.ts b/apps/web/src/app/auth/settings/emergency-access/confirm/emergency-access-confirm.component.ts
index 641dde66cc4..a5fdd5212fa 100644
--- a/apps/web/src/app/auth/settings/emergency-access/confirm/emergency-access-confirm.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/confirm/emergency-access-confirm.component.ts
@@ -25,6 +25,8 @@ type EmergencyAccessConfirmDialogData = {
   /** user public key */
   publicKey: Uint8Array;
 };
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "emergency-access-confirm.component.html",
   imports: [SharedModule],
diff --git a/apps/web/src/app/auth/settings/emergency-access/emergency-access-add-edit.component.ts b/apps/web/src/app/auth/settings/emergency-access/emergency-access-add-edit.component.ts
index 04b549e7f05..2e8d02a0c4f 100644
--- a/apps/web/src/app/auth/settings/emergency-access/emergency-access-add-edit.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/emergency-access-add-edit.component.ts
@@ -35,6 +35,8 @@ export enum EmergencyAccessAddEditDialogResult {
   Canceled = "canceled",
   Deleted = "deleted",
 }
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "emergency-access-add-edit.component.html",
   imports: [SharedModule, PremiumBadgeComponent],
diff --git a/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts b/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
index f6594f4b11a..c2b8127ec34 100644
--- a/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
@@ -42,6 +42,8 @@ import {
   EmergencyAccessTakeoverDialogResultType,
 } from "./takeover/emergency-access-takeover-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "emergency-access.component.html",
   imports: [SharedModule, HeaderModule, PremiumBadgeComponent],
diff --git a/apps/web/src/app/auth/settings/emergency-access/takeover/emergency-access-takeover-dialog.component.ts b/apps/web/src/app/auth/settings/emergency-access/takeover/emergency-access-takeover-dialog.component.ts
index e5c21fb82b9..743f41537e9 100644
--- a/apps/web/src/app/auth/settings/emergency-access/takeover/emergency-access-takeover-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/takeover/emergency-access-takeover-dialog.component.ts
@@ -48,6 +48,8 @@ export type EmergencyAccessTakeoverDialogResultType =
  *
  * @link https://bitwarden.com/help/emergency-access/
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-emergency-access-takeover-dialog",
   templateUrl: "./emergency-access-takeover-dialog.component.html",
@@ -61,6 +63,8 @@ export type EmergencyAccessTakeoverDialogResultType =
   ],
 })
 export class EmergencyAccessTakeoverDialogComponent implements OnInit {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild(InputPasswordComponent)
   inputPasswordComponent: InputPasswordComponent | undefined = undefined;
 
diff --git a/apps/web/src/app/auth/settings/emergency-access/view/emergency-access-view.component.ts b/apps/web/src/app/auth/settings/emergency-access/view/emergency-access-view.component.ts
index 250261fb0e7..1d96a19ca74 100644
--- a/apps/web/src/app/auth/settings/emergency-access/view/emergency-access-view.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/view/emergency-access-view.component.ts
@@ -14,6 +14,8 @@ import { EmergencyAccessService } from "../../../emergency-access";
 
 import { EmergencyViewDialogComponent } from "./emergency-view-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "emergency-access-view.component.html",
   providers: [{ provide: CipherFormConfigService, useClass: DefaultCipherFormConfigService }],
diff --git a/apps/web/src/app/auth/settings/emergency-access/view/emergency-view-dialog.component.ts b/apps/web/src/app/auth/settings/emergency-access/view/emergency-view-dialog.component.ts
index 656ec894f27..62cfd95ecfa 100644
--- a/apps/web/src/app/auth/settings/emergency-access/view/emergency-view-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/view/emergency-view-dialog.component.ts
@@ -35,6 +35,8 @@ class PremiumUpgradePromptNoop implements PremiumUpgradePromptService {
   }
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-emergency-view-dialog",
   templateUrl: "emergency-view-dialog.component.html",
diff --git a/apps/web/src/app/auth/settings/security/api-key.component.ts b/apps/web/src/app/auth/settings/security/api-key.component.ts
index 82d1010f020..af49ca556ab 100644
--- a/apps/web/src/app/auth/settings/security/api-key.component.ts
+++ b/apps/web/src/app/auth/settings/security/api-key.component.ts
@@ -23,6 +23,8 @@ export type ApiKeyDialogData = {
   apiKeyWarning: string;
   apiKeyDescription: string;
 };
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "api-key.component.html",
   imports: [SharedModule, UserVerificationFormInputComponent],
diff --git a/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts b/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
index 0698ffe1f8d..0e37c856935 100644
--- a/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
+++ b/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
@@ -10,6 +10,8 @@ import { I18nPipe } from "@bitwarden/ui-common";
 
 import { WebauthnLoginSettingsModule } from "../../webauthn-login-settings";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-password-settings",
   templateUrl: "password-settings.component.html",
diff --git a/apps/web/src/app/auth/settings/security/security-keys.component.ts b/apps/web/src/app/auth/settings/security/security-keys.component.ts
index 9d16d4380eb..27a555ff343 100644
--- a/apps/web/src/app/auth/settings/security/security-keys.component.ts
+++ b/apps/web/src/app/auth/settings/security/security-keys.component.ts
@@ -13,6 +13,8 @@ import { SharedModule } from "../../../shared";
 
 import { ApiKeyComponent } from "./api-key.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "security-keys.component.html",
   imports: [SharedModule, ChangeKdfModule],
diff --git a/apps/web/src/app/auth/settings/security/security.component.ts b/apps/web/src/app/auth/settings/security/security.component.ts
index 2a237bf6d01..ff13515eec0 100644
--- a/apps/web/src/app/auth/settings/security/security.component.ts
+++ b/apps/web/src/app/auth/settings/security/security.component.ts
@@ -5,6 +5,8 @@ import { UserVerificationService } from "@bitwarden/common/auth/abstractions/use
 import { HeaderModule } from "../../../layouts/header/header.module";
 import { SharedModule } from "../../../shared";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "security.component.html",
   imports: [SharedModule, HeaderModule],
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-recovery.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-recovery.component.ts
index 37d94bfae0e..543c4236d89 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-recovery.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-recovery.component.ts
@@ -15,6 +15,8 @@ import {
 } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-recovery",
   templateUrl: "two-factor-recovery.component.html",
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-authenticator.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-authenticator.component.ts
index d57d6eca894..20c3c742db6 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-authenticator.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-authenticator.component.ts
@@ -53,6 +53,8 @@ declare global {
   }
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup-authenticator",
   templateUrl: "two-factor-setup-authenticator.component.html",
@@ -76,6 +78,8 @@ export class TwoFactorSetupAuthenticatorComponent
   extends TwoFactorSetupMethodBaseComponent
   implements OnInit, OnDestroy
 {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onChangeStatus = new EventEmitter<boolean>();
   type = TwoFactorProviderType.Authenticator;
   key: string;
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-duo.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-duo.component.ts
index bf820e32917..1a476f2206d 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-duo.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-duo.component.ts
@@ -30,6 +30,8 @@ import { I18nPipe } from "@bitwarden/ui-common";
 
 import { TwoFactorSetupMethodBaseComponent } from "./two-factor-setup-method-base.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup-duo",
   templateUrl: "two-factor-setup-duo.component.html",
@@ -51,6 +53,8 @@ export class TwoFactorSetupDuoComponent
   extends TwoFactorSetupMethodBaseComponent
   implements OnInit
 {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onChangeStatus: EventEmitter<boolean> = new EventEmitter();
 
   type = TwoFactorProviderType.Duo;
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-email.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-email.component.ts
index 138d541d551..4219fb0b687 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-email.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-email.component.ts
@@ -33,6 +33,8 @@ import { I18nPipe } from "@bitwarden/ui-common";
 
 import { TwoFactorSetupMethodBaseComponent } from "./two-factor-setup-method-base.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup-email",
   templateUrl: "two-factor-setup-email.component.html",
@@ -54,6 +56,8 @@ export class TwoFactorSetupEmailComponent
   extends TwoFactorSetupMethodBaseComponent
   implements OnInit
 {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onChangeStatus: EventEmitter<boolean> = new EventEmitter();
   type = TwoFactorProviderType.Email;
   sentEmail: string = "";
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-method-base.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-method-base.component.ts
index aa3b9e1def3..c614e45e577 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-method-base.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-method-base.component.ts
@@ -17,6 +17,8 @@ import { DialogService, ToastService } from "@bitwarden/components";
  */
 @Directive({})
 export abstract class TwoFactorSetupMethodBaseComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onUpdated = new EventEmitter<boolean>();
 
   type: TwoFactorProviderType | undefined;
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-webauthn.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-webauthn.component.ts
index ff0e971461e..acf83ab278e 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-webauthn.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-webauthn.component.ts
@@ -43,6 +43,8 @@ interface Key {
   removePromise: Promise<TwoFactorWebAuthnResponse> | null;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup-webauthn",
   templateUrl: "two-factor-setup-webauthn.component.html",
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-yubikey.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-yubikey.component.ts
index 4e4691a5f60..09fb1ad308f 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup-yubikey.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup-yubikey.component.ts
@@ -44,6 +44,8 @@ interface Key {
   existingKey: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup-yubikey",
   templateUrl: "two-factor-setup-yubikey.component.html",
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-setup.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-setup.component.ts
index c3a55ad661e..ef4d647a7d0 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-setup.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-setup.component.ts
@@ -45,6 +45,8 @@ import { TwoFactorSetupWebAuthnComponent } from "./two-factor-setup-webauthn.com
 import { TwoFactorSetupYubiKeyComponent } from "./two-factor-setup-yubikey.component";
 import { TwoFactorVerifyComponent } from "./two-factor-verify.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-setup",
   templateUrl: "two-factor-setup.component.html",
diff --git a/apps/web/src/app/auth/settings/two-factor/two-factor-verify.component.ts b/apps/web/src/app/auth/settings/two-factor/two-factor-verify.component.ts
index a2c734ed2d5..9baa93d38c0 100644
--- a/apps/web/src/app/auth/settings/two-factor/two-factor-verify.component.ts
+++ b/apps/web/src/app/auth/settings/two-factor/two-factor-verify.component.ts
@@ -28,6 +28,8 @@ type TwoFactorVerifyDialogData = {
   organizationId: string;
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-verify",
   templateUrl: "two-factor-verify.component.html",
@@ -43,6 +45,8 @@ type TwoFactorVerifyDialogData = {
 export class TwoFactorVerifyComponent {
   type: TwoFactorProviderType;
   organizationId: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onAuthed = new EventEmitter<AuthResponse<TwoFactorResponse>>();
 
   formPromise: Promise<TwoFactorResponse> | undefined;
diff --git a/apps/web/src/app/auth/settings/verify-email.component.ts b/apps/web/src/app/auth/settings/verify-email.component.ts
index 7088dae8d0f..a63d0b18b36 100644
--- a/apps/web/src/app/auth/settings/verify-email.component.ts
+++ b/apps/web/src/app/auth/settings/verify-email.component.ts
@@ -16,6 +16,8 @@ import {
   ToastService,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-verify-email",
   templateUrl: "verify-email.component.html",
@@ -24,7 +26,11 @@ import {
 export class VerifyEmailComponent {
   actionPromise: Promise<unknown>;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onVerified = new EventEmitter<boolean>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onDismiss = new EventEmitter<void>();
 
   constructor(
diff --git a/apps/web/src/app/auth/settings/webauthn-login-settings/create-credential-dialog/create-credential-dialog.component.ts b/apps/web/src/app/auth/settings/webauthn-login-settings/create-credential-dialog/create-credential-dialog.component.ts
index 04b148e8a0a..89b7410baba 100644
--- a/apps/web/src/app/auth/settings/webauthn-login-settings/create-credential-dialog/create-credential-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/webauthn-login-settings/create-credential-dialog/create-credential-dialog.component.ts
@@ -32,6 +32,8 @@ type Step =
   | "credentialCreationFailed"
   | "credentialNaming";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "create-credential-dialog.component.html",
   standalone: false,
diff --git a/apps/web/src/app/auth/settings/webauthn-login-settings/delete-credential-dialog/delete-credential-dialog.component.ts b/apps/web/src/app/auth/settings/webauthn-login-settings/delete-credential-dialog/delete-credential-dialog.component.ts
index ea766a302ca..af4b7c497fb 100644
--- a/apps/web/src/app/auth/settings/webauthn-login-settings/delete-credential-dialog/delete-credential-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/webauthn-login-settings/delete-credential-dialog/delete-credential-dialog.component.ts
@@ -24,6 +24,8 @@ export interface DeleteCredentialDialogParams {
   credentialId: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "delete-credential-dialog.component.html",
   standalone: false,
diff --git a/apps/web/src/app/auth/settings/webauthn-login-settings/enable-encryption-dialog/enable-encryption-dialog.component.ts b/apps/web/src/app/auth/settings/webauthn-login-settings/enable-encryption-dialog/enable-encryption-dialog.component.ts
index dd1ac45a9b6..24a711cb5b4 100644
--- a/apps/web/src/app/auth/settings/webauthn-login-settings/enable-encryption-dialog/enable-encryption-dialog.component.ts
+++ b/apps/web/src/app/auth/settings/webauthn-login-settings/enable-encryption-dialog/enable-encryption-dialog.component.ts
@@ -21,6 +21,8 @@ export interface EnableEncryptionDialogParams {
   credentialId: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "enable-encryption-dialog.component.html",
   standalone: false,
diff --git a/apps/web/src/app/auth/settings/webauthn-login-settings/webauthn-login-settings.component.ts b/apps/web/src/app/auth/settings/webauthn-login-settings/webauthn-login-settings.component.ts
index 94e926ac138..e8a278d8dd7 100644
--- a/apps/web/src/app/auth/settings/webauthn-login-settings/webauthn-login-settings.component.ts
+++ b/apps/web/src/app/auth/settings/webauthn-login-settings/webauthn-login-settings.component.ts
@@ -17,6 +17,8 @@ import { openCreateCredentialDialog } from "./create-credential-dialog/create-cr
 import { openDeleteCredentialDialogComponent } from "./delete-credential-dialog/delete-credential-dialog.component";
 import { openEnableCredentialDialogComponent } from "./enable-encryption-dialog/enable-encryption-dialog.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-webauthn-login-settings",
   templateUrl: "webauthn-login-settings.component.html",
diff --git a/apps/web/src/app/auth/shared/components/user-verification/user-verification-prompt.component.ts b/apps/web/src/app/auth/shared/components/user-verification/user-verification-prompt.component.ts
index 77df374f3ed..beafa48bb8e 100644
--- a/apps/web/src/app/auth/shared/components/user-verification/user-verification-prompt.component.ts
+++ b/apps/web/src/app/auth/shared/components/user-verification/user-verification-prompt.component.ts
@@ -21,6 +21,8 @@ import {
 /**
  * @deprecated Jan 24, 2024: Use new libs/auth UserVerificationDialogComponent instead.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "user-verification-prompt.component.html",
   standalone: false,
diff --git a/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.ts b/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.ts
index 42f4b26fb36..7ea5014254b 100644
--- a/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.ts
+++ b/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.ts
@@ -8,6 +8,8 @@ import { UserVerificationComponent as BaseComponent } from "@bitwarden/angular/a
  * @deprecated Jan 24, 2024: Use new libs/auth UserVerificationDialogComponent or UserVerificationFormInputComponent instead.
  * Each client specific component should eventually be converted over to use one of these new components.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-user-verification",
   templateUrl: "user-verification.component.html",
diff --git a/apps/web/src/app/auth/verify-email-token.component.ts b/apps/web/src/app/auth/verify-email-token.component.ts
index 2c4fa7f447c..30bfcf95bbf 100644
--- a/apps/web/src/app/auth/verify-email-token.component.ts
+++ b/apps/web/src/app/auth/verify-email-token.component.ts
@@ -13,6 +13,8 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ToastService } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-verify-email-token",
   templateUrl: "verify-email-token.component.html",
diff --git a/apps/web/src/app/auth/verify-recover-delete.component.ts b/apps/web/src/app/auth/verify-recover-delete.component.ts
index a475fdfd3e5..06d6096c3de 100644
--- a/apps/web/src/app/auth/verify-recover-delete.component.ts
+++ b/apps/web/src/app/auth/verify-recover-delete.component.ts
@@ -11,6 +11,8 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ToastService } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-verify-recover-delete",
   templateUrl: "verify-recover-delete.component.html",
diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
index 64fa36fc4ac..4928d7a6abc 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
@@ -58,6 +58,8 @@ interface SelectOptions {
 
 const defaultSigningAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-org-manage-sso",
   templateUrl: "sso.component.html",
diff --git a/libs/angular/src/auth/components/authentication-timeout.component.ts b/libs/angular/src/auth/components/authentication-timeout.component.ts
index 940798de9e7..ed1ff9d29fa 100644
--- a/libs/angular/src/auth/components/authentication-timeout.component.ts
+++ b/libs/angular/src/auth/components/authentication-timeout.component.ts
@@ -9,6 +9,8 @@ import { ButtonModule } from "@bitwarden/components";
  * This component is used to display a message to the user that their authentication session has expired.
  * It provides a button to navigate to the login page.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-authentication-timeout",
   imports: [CommonModule, JslibModule, ButtonModule, RouterModule],
diff --git a/libs/angular/src/auth/components/two-factor-icon.component.ts b/libs/angular/src/auth/components/two-factor-icon.component.ts
index c9c7e43b61f..85db7975f87 100644
--- a/libs/angular/src/auth/components/two-factor-icon.component.ts
+++ b/libs/angular/src/auth/components/two-factor-icon.component.ts
@@ -9,13 +9,19 @@ import {
   TwoFactorAuthWebAuthnIcon,
 } from "@bitwarden/assets/svg";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-two-factor-icon",
   templateUrl: "./two-factor-icon.component.html",
   standalone: false,
 })
 export class TwoFactorIconComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() provider: any;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() name: string;
 
   protected readonly IconProviderMap: { [key: number | string]: Icon } = {
diff --git a/libs/angular/src/auth/components/user-verification.component.ts b/libs/angular/src/auth/components/user-verification.component.ts
index 6f5021340c7..1f0659a92ff 100644
--- a/libs/angular/src/auth/components/user-verification.component.ts
+++ b/libs/angular/src/auth/components/user-verification.component.ts
@@ -26,6 +26,8 @@ import { KeyService } from "@bitwarden/key-management";
 })
 export class UserVerificationComponent implements ControlValueAccessor, OnInit, OnDestroy {
   private _invalidSecret = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input()
   get invalidSecret() {
     return this._invalidSecret;
@@ -43,6 +45,8 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
     }
     this.secret.updateValueAndValidity({ emitEvent: false });
   }
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() invalidSecretChange = new EventEmitter<boolean>();
 
   hasMasterPassword = true;
diff --git a/libs/angular/src/auth/device-management/device-management-item-group.component.ts b/libs/angular/src/auth/device-management/device-management-item-group.component.ts
index 71e343e734f..71fe80928f9 100644
--- a/libs/angular/src/auth/device-management/device-management-item-group.component.ts
+++ b/libs/angular/src/auth/device-management/device-management-item-group.component.ts
@@ -8,6 +8,8 @@ import { I18nPipe } from "@bitwarden/ui-common";
 import { DeviceDisplayData } from "./device-management.component";
 
 /** Displays user devices in an item list view */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   standalone: true,
   selector: "auth-device-management-item-group",
@@ -15,7 +17,11 @@ import { DeviceDisplayData } from "./device-management.component";
   imports: [BadgeModule, CommonModule, ItemModule, I18nPipe],
 })
 export class DeviceManagementItemGroupComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() devices: DeviceDisplayData[] = [];
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onAuthRequestAnswered = new EventEmitter<DevicePendingAuthRequest>();
 
   protected answerAuthRequest(pendingAuthRequest: DevicePendingAuthRequest | null) {
diff --git a/libs/angular/src/auth/device-management/device-management-table.component.ts b/libs/angular/src/auth/device-management/device-management-table.component.ts
index d663e28b9e4..36edf6dd336 100644
--- a/libs/angular/src/auth/device-management/device-management-table.component.ts
+++ b/libs/angular/src/auth/device-management/device-management-table.component.ts
@@ -15,6 +15,8 @@ import {
 import { DeviceDisplayData } from "./device-management.component";
 
 /** Displays user devices in a sortable table view */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   standalone: true,
   selector: "auth-device-management-table",
@@ -22,7 +24,11 @@ import { DeviceDisplayData } from "./device-management.component";
   imports: [BadgeModule, ButtonModule, CommonModule, JslibModule, LinkModule, TableModule],
 })
 export class DeviceManagementTableComponent implements OnChanges {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() devices: DeviceDisplayData[] = [];
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onAuthRequestAnswered = new EventEmitter<DevicePendingAuthRequest>();
 
   protected tableDataSource = new TableDataSource<DeviceDisplayData>();
diff --git a/libs/angular/src/auth/device-management/device-management.component.ts b/libs/angular/src/auth/device-management/device-management.component.ts
index 2c67812b586..d8f8cc10df4 100644
--- a/libs/angular/src/auth/device-management/device-management.component.ts
+++ b/libs/angular/src/auth/device-management/device-management.component.ts
@@ -50,6 +50,8 @@ export interface DeviceDisplayData {
  * - Medium to Large screens = `bit-table` view
  * - Small screens = `bit-item-group` view
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   standalone: true,
   selector: "auth-device-management",
diff --git a/libs/angular/src/auth/environment-selector/environment-selector.component.ts b/libs/angular/src/auth/environment-selector/environment-selector.component.ts
index 6fe3eaa92a0..89366f47b70 100644
--- a/libs/angular/src/auth/environment-selector/environment-selector.component.ts
+++ b/libs/angular/src/auth/environment-selector/environment-selector.component.ts
@@ -20,6 +20,8 @@ import {
 } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "environment-selector",
   templateUrl: "environment-selector.component.html",
diff --git a/libs/angular/src/auth/guards/active-auth.guard.spec.ts b/libs/angular/src/auth/guards/active-auth.guard.spec.ts
index de1bf40be11..d4d27626c11 100644
--- a/libs/angular/src/auth/guards/active-auth.guard.spec.ts
+++ b/libs/angular/src/auth/guards/active-auth.guard.spec.ts
@@ -13,6 +13,8 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 
 import { activeAuthGuard } from "./active-auth.guard";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({ template: "", standalone: false })
 class EmptyComponent {}
 
diff --git a/libs/angular/src/auth/login-approval/login-approval-dialog.component.ts b/libs/angular/src/auth/login-approval/login-approval-dialog.component.ts
index 19dc3f519c6..35333c43536 100644
--- a/libs/angular/src/auth/login-approval/login-approval-dialog.component.ts
+++ b/libs/angular/src/auth/login-approval/login-approval-dialog.component.ts
@@ -33,6 +33,8 @@ export interface LoginApprovalDialogParams {
   notificationId: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "login-approval-dialog.component.html",
   imports: [AsyncActionsModule, ButtonModule, CommonModule, DialogModule, JslibModule],
diff --git a/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts b/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts
index f795b66d916..fa2a01fe8e1 100644
--- a/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts
+++ b/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts
@@ -31,6 +31,8 @@ import {
 import { KeyService } from "@bitwarden/key-management";
 
 export type State = "assert" | "assertFailed";
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-login-via-webauthn",
   templateUrl: "login-via-webauthn.component.html",
diff --git a/libs/angular/src/auth/password-management/change-password/change-password.component.ts b/libs/angular/src/auth/password-management/change-password/change-password.component.ts
index 1512f348133..7f46ebfc9d4 100644
--- a/libs/angular/src/auth/password-management/change-password/change-password.component.ts
+++ b/libs/angular/src/auth/password-management/change-password/change-password.component.ts
@@ -39,12 +39,16 @@ import { ChangePasswordService } from "./change-password.service.abstraction";
  * and by design to maintain a strong security posture as some flows could have the user
  * end up at a change password without having one before.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-change-password",
   templateUrl: "change-password.component.html",
   imports: [InputPasswordComponent, I18nPipe, CalloutComponent, CommonModule],
 })
 export class ChangePasswordComponent implements OnInit {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() inputPasswordFlow: InputPasswordFlow = InputPasswordFlow.ChangePassword;
 
   activeAccount: Account | null = null;
diff --git a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
index ff78952c562..805fe3c0173 100644
--- a/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
+++ b/libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts
@@ -45,6 +45,8 @@ import {
   SetInitialPasswordUserType,
 } from "./set-initial-password.service.abstraction";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   standalone: true,
   templateUrl: "set-initial-password.component.html",
diff --git a/libs/auth/src/angular/fingerprint-dialog/fingerprint-dialog.component.ts b/libs/auth/src/angular/fingerprint-dialog/fingerprint-dialog.component.ts
index 1769a57319c..6ef36a32448 100644
--- a/libs/auth/src/angular/fingerprint-dialog/fingerprint-dialog.component.ts
+++ b/libs/auth/src/angular/fingerprint-dialog/fingerprint-dialog.component.ts
@@ -9,6 +9,8 @@ export type FingerprintDialogData = {
   fingerprint: string[];
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "fingerprint-dialog.component.html",
   imports: [JslibModule, ButtonModule, DialogModule],
diff --git a/libs/auth/src/angular/input-password/input-password.component.ts b/libs/auth/src/angular/input-password/input-password.component.ts
index dda471c7129..019a9e3975e 100644
--- a/libs/auth/src/angular/input-password/input-password.component.ts
+++ b/libs/auth/src/angular/input-password/input-password.component.ts
@@ -99,6 +99,8 @@ interface InputPasswordForm {
   rotateUserKey?: FormControl<boolean>;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-input-password",
   templateUrl: "./input-password.component.html",
@@ -118,24 +120,48 @@ interface InputPasswordForm {
   ],
 })
 export class InputPasswordComponent implements OnInit {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild(PasswordStrengthV2Component) passwordStrengthComponent:
     | PasswordStrengthV2Component
     | undefined = undefined;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onPasswordFormSubmit = new EventEmitter<PasswordInputResult>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() onSecondaryButtonClick = new EventEmitter<void>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() isSubmitting = new EventEmitter<boolean>();
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input({ required: true }) flow!: InputPasswordFlow;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input({ transform: (val: string) => val?.trim().toLowerCase() }) email?: string;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() userId?: UserId;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() loading = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() masterPasswordPolicyOptions?: MasterPasswordPolicyOptions;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() inlineButtons = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() primaryButtonText?: Translation;
   protected primaryButtonTextStr: string = "";
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() secondaryButtonText?: Translation;
   protected secondaryButtonTextStr: string = "";
 
diff --git a/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts b/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts
index a2018817fed..26293285008 100644
--- a/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts
+++ b/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts
@@ -50,6 +50,8 @@ enum State {
   ExistingUserUntrustedDevice,
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "./login-decryption-options.component.html",
   imports: [
diff --git a/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts b/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
index 10b19567946..2436593dfda 100644
--- a/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
+++ b/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
@@ -56,6 +56,8 @@ const matchOptions: IsActiveMatchOptions = {
   matrixParams: "ignored",
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "./login-via-auth-request.component.html",
   imports: [ButtonModule, CommonModule, JslibModule, LinkModule, RouterModule],
diff --git a/libs/auth/src/angular/login/login-secondary-content.component.ts b/libs/auth/src/angular/login/login-secondary-content.component.ts
index 9cd4cfd2502..29474d5c8c6 100644
--- a/libs/auth/src/angular/login/login-secondary-content.component.ts
+++ b/libs/auth/src/angular/login/login-secondary-content.component.ts
@@ -8,6 +8,8 @@ import { DefaultServerSettingsService } from "@bitwarden/common/platform/service
 // eslint-disable-next-line no-restricted-imports
 import { LinkModule } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   imports: [CommonModule, JslibModule, LinkModule, RouterModule],
   template: `
diff --git a/libs/auth/src/angular/login/login.component.ts b/libs/auth/src/angular/login/login.component.ts
index 9ade2c1d0af..537a42700c8 100644
--- a/libs/auth/src/angular/login/login.component.ts
+++ b/libs/auth/src/angular/login/login.component.ts
@@ -67,6 +67,8 @@ export enum LoginUiState {
   MASTER_PASSWORD_ENTRY = "MasterPasswordEntry",
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "./login.component.html",
   imports: [
@@ -83,6 +85,8 @@ export enum LoginUiState {
   ],
 })
 export class LoginComponent implements OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild("masterPasswordInputRef") masterPasswordInputRef: ElementRef | undefined;
 
   private destroy$ = new Subject<void>();
diff --git a/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts b/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts
index 2211b3390a7..c3d6ff5d1fe 100644
--- a/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts
+++ b/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts
@@ -30,6 +30,8 @@ import { NewDeviceVerificationComponentService } from "./new-device-verification
 /**
  * Component for verifying a new device via a one-time password (OTP).
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-new-device-verification",
   templateUrl: "./new-device-verification.component.html",
diff --git a/libs/auth/src/angular/password-callout/password-callout.component.ts b/libs/auth/src/angular/password-callout/password-callout.component.ts
index 7a28700f109..2d97c33c50b 100644
--- a/libs/auth/src/angular/password-callout/password-callout.component.ts
+++ b/libs/auth/src/angular/password-callout/password-callout.component.ts
@@ -10,13 +10,19 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 // eslint-disable-next-line no-restricted-imports
 import { CalloutModule } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-password-callout",
   templateUrl: "password-callout.component.html",
   imports: [CommonModule, JslibModule, CalloutModule],
 })
 export class PasswordCalloutComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() message = "masterPasswordPolicyInEffect";
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() policy: MasterPasswordPolicyOptions;
 
   constructor(private i18nService: I18nService) {}
diff --git a/libs/auth/src/angular/password-hint/password-hint.component.ts b/libs/auth/src/angular/password-hint/password-hint.component.ts
index 3189bf8f187..50d53e00ad3 100644
--- a/libs/auth/src/angular/password-hint/password-hint.component.ts
+++ b/libs/auth/src/angular/password-hint/password-hint.component.ts
@@ -22,6 +22,8 @@ import {
   ToastService,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "./password-hint.component.html",
   imports: [
diff --git a/libs/auth/src/angular/registration/registration-env-selector/registration-env-selector.component.ts b/libs/auth/src/angular/registration/registration-env-selector/registration-env-selector.component.ts
index 93ddd00fdd6..d2dbd72989d 100644
--- a/libs/auth/src/angular/registration/registration-env-selector/registration-env-selector.component.ts
+++ b/libs/auth/src/angular/registration/registration-env-selector/registration-env-selector.component.ts
@@ -25,12 +25,16 @@ import { SelfHostedEnvConfigDialogComponent } from "../../self-hosted-env-config
  * Component for selecting the environment to register with in the email verification registration flow.
  * Outputs the selected region to the parent component so it can respond as necessary.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-registration-env-selector",
   templateUrl: "registration-env-selector.component.html",
   imports: [CommonModule, JslibModule, ReactiveFormsModule, FormFieldModule, SelectModule],
 })
 export class RegistrationEnvSelectorComponent implements OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() selectedRegionChange = new EventEmitter<RegionConfig | Region.SelfHosted | null>();
 
   ServerEnvironmentType = Region;
diff --git a/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts b/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
index 952b9e9ce75..7e7b9131fac 100644
--- a/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
+++ b/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
@@ -31,6 +31,8 @@ import { PasswordInputResult } from "../../input-password/password-input-result"
 
 import { RegistrationFinishService } from "./registration-finish.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-registration-finish",
   templateUrl: "./registration-finish.component.html",
diff --git a/libs/auth/src/angular/registration/registration-link-expired/registration-link-expired.component.ts b/libs/auth/src/angular/registration/registration-link-expired/registration-link-expired.component.ts
index 9e75a8b888c..e7a3e99759c 100644
--- a/libs/auth/src/angular/registration/registration-link-expired/registration-link-expired.component.ts
+++ b/libs/auth/src/angular/registration/registration-link-expired/registration-link-expired.component.ts
@@ -19,6 +19,8 @@ export interface RegistrationLinkExpiredComponentData {
   loginRoute: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-registration-link-expired",
   templateUrl: "./registration-link-expired.component.html",
diff --git a/libs/auth/src/angular/registration/registration-start/registration-start-secondary.component.ts b/libs/auth/src/angular/registration/registration-start/registration-start-secondary.component.ts
index f30dc8a3822..31e9cbc6316 100644
--- a/libs/auth/src/angular/registration/registration-start/registration-start-secondary.component.ts
+++ b/libs/auth/src/angular/registration/registration-start/registration-start-secondary.component.ts
@@ -18,6 +18,8 @@ export interface RegistrationStartSecondaryComponentData {
   loginRoute: string;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-registration-start-secondary",
   templateUrl: "./registration-start-secondary.component.html",
diff --git a/libs/auth/src/angular/registration/registration-start/registration-start.component.ts b/libs/auth/src/angular/registration/registration-start/registration-start.component.ts
index 16018cecfa7..714f6d49342 100644
--- a/libs/auth/src/angular/registration/registration-start/registration-start.component.ts
+++ b/libs/auth/src/angular/registration/registration-start/registration-start.component.ts
@@ -40,6 +40,8 @@ const DEFAULT_MARKETING_EMAILS_PREF_BY_REGION: Record<Region, boolean> = {
   [Region.SelfHosted]: false,
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-registration-start",
   templateUrl: "./registration-start.component.html",
@@ -57,6 +59,8 @@ const DEFAULT_MARKETING_EMAILS_PREF_BY_REGION: Record<Region, boolean> = {
   ],
 })
 export class RegistrationStartComponent implements OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() registrationStartStateChange = new EventEmitter<RegistrationStartState>();
 
   state: RegistrationStartState = RegistrationStartState.USER_DATA_ENTRY;
diff --git a/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts b/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
index 16c25f2404f..40fdfb8c17c 100644
--- a/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
+++ b/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
@@ -54,6 +54,8 @@ function selfHostedEnvSettingsFormValidator(): ValidatorFn {
 /**
  * Dialog for configuring self-hosted environment settings.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "self-hosted-env-config-dialog",
   templateUrl: "self-hosted-env-config-dialog.component.html",
diff --git a/libs/auth/src/angular/sso/sso.component.ts b/libs/auth/src/angular/sso/sso.component.ts
index 8636595759e..0b6bb1159f4 100644
--- a/libs/auth/src/angular/sso/sso.component.ts
+++ b/libs/auth/src/angular/sso/sso.component.ts
@@ -62,6 +62,8 @@ interface QueryParams {
 /**
  * This component handles the SSO flow.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "sso.component.html",
   imports: [
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator/two-factor-auth-authenticator.component.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator/two-factor-auth-authenticator.component.ts
index c53bffe2496..2bc5d1a0381 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator/two-factor-auth-authenticator.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator/two-factor-auth-authenticator.component.ts
@@ -14,6 +14,8 @@ import {
   AsyncActionsModule,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth-authenticator",
   templateUrl: "two-factor-auth-authenticator.component.html",
@@ -32,7 +34,11 @@ import {
   providers: [],
 })
 export class TwoFactorAuthAuthenticatorComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() tokenChange = new EventEmitter<{ token: string }>();
 
   onTokenChange(event: Event) {
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo.component.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo.component.ts
index 5ad70d3792d..0e089c674be 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo.component.ts
@@ -25,6 +25,8 @@ import {
   TwoFactorAuthDuoComponentService,
 } from "./two-factor-auth-duo-component.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth-duo",
   template: "",
@@ -43,7 +45,11 @@ import {
   providers: [],
 })
 export class TwoFactorAuthDuoComponent implements OnInit {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() tokenEmitter = new EventEmitter<string>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() providerData: any;
 
   duoFramelessUrl: string | undefined = undefined;
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email-component-cache.service.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email-component-cache.service.ts
index d98387e1cf5..79a7e1f9ddc 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email-component-cache.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email-component-cache.service.ts
@@ -36,7 +36,7 @@ export class TwoFactorAuthEmailComponentCacheService {
   /**
    * Signal for the cached email state.
    */
-  private emailCache: WritableSignal<TwoFactorAuthEmailComponentCache | null> =
+  private readonly emailCache: WritableSignal<TwoFactorAuthEmailComponentCache | null> =
     this.viewCacheService.signal<TwoFactorAuthEmailComponentCache | null>({
       key: TWO_FACTOR_AUTH_EMAIL_COMPONENT_CACHE_KEY,
       initialValue: null,
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.ts
index 084e8e6e851..000d391b62c 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.ts
@@ -26,6 +26,8 @@ import {
 
 import { TwoFactorAuthEmailComponentCacheService } from "./two-factor-auth-email-component-cache.service";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth-email",
   templateUrl: "two-factor-auth-email.component.html",
@@ -49,7 +51,11 @@ import { TwoFactorAuthEmailComponentCacheService } from "./two-factor-auth-email
   ],
 })
 export class TwoFactorAuthEmailComponent implements OnInit {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() tokenChange = new EventEmitter<{ token: string }>();
 
   twoFactorEmail: string | undefined = undefined;
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.ts
index 710d5dc4de0..71a91ec20e7 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.ts
@@ -32,6 +32,8 @@ export interface WebAuthnResult {
   remember?: boolean;
 }
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth-webauthn",
   templateUrl: "two-factor-auth-webauthn.component.html",
@@ -50,7 +52,11 @@ export interface WebAuthnResult {
   providers: [],
 })
 export class TwoFactorAuthWebAuthnComponent implements OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() webAuthnResultEmitter = new EventEmitter<WebAuthnResult>();
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() webAuthnInNewTabEmitter = new EventEmitter<boolean>();
 
   webAuthnReady = false;
diff --git a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey/two-factor-auth-yubikey.component.ts b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey/two-factor-auth-yubikey.component.ts
index 7218bee056c..40bd3fb551d 100644
--- a/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey/two-factor-auth-yubikey.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey/two-factor-auth-yubikey.component.ts
@@ -14,6 +14,8 @@ import {
   AsyncActionsModule,
 } from "@bitwarden/components";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth-yubikey",
   templateUrl: "two-factor-auth-yubikey.component.html",
@@ -32,5 +34,7 @@ import {
   providers: [],
 })
 export class TwoFactorAuthYubikeyComponent {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
 }
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component-cache.service.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component-cache.service.ts
index 33aa76680e4..89fb3d34e96 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component-cache.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component-cache.service.ts
@@ -42,7 +42,7 @@ export class TwoFactorAuthComponentCacheService {
   /**
    * Signal for the cached TwoFactorAuthData.
    */
-  private twoFactorAuthComponentCache: WritableSignal<TwoFactorAuthComponentCache | null> =
+  private readonly twoFactorAuthComponentCache: WritableSignal<TwoFactorAuthComponentCache | null> =
     this.viewCacheService.signal<TwoFactorAuthComponentCache | null>({
       key: TWO_FACTOR_AUTH_COMPONENT_CACHE_KEY,
       initialValue: null,
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.spec.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.spec.ts
index 9418030d7a1..5d36fd384ca 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.spec.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.spec.ts
@@ -46,6 +46,8 @@ import { TwoFactorAuthComponentCacheService } from "./two-factor-auth-component-
 import { TwoFactorAuthComponentService } from "./two-factor-auth-component.service";
 import { TwoFactorAuthComponent } from "./two-factor-auth.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({ standalone: false })
 class TestTwoFactorComponent extends TwoFactorAuthComponent {}
 
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
index 4c0784928d4..52f20b04601 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
@@ -75,6 +75,8 @@ import {
   TwoFactorOptionsDialogResult,
 } from "./two-factor-options.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-auth",
   templateUrl: "two-factor-auth.component.html",
@@ -99,6 +101,8 @@ import {
   ],
 })
 export class TwoFactorAuthComponent implements OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild("continueButton", { read: ElementRef, static: false }) continueButton:
     | ElementRef
     | undefined = undefined;
@@ -114,6 +118,8 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
   twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> | null = null;
   selectedProviderData: { [key: string]: string } | undefined;
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @ViewChild("duoComponent") duoComponent!: TwoFactorAuthDuoComponent;
 
   form = this.formBuilder.group({
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.spec.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.spec.ts
index 06b998c5725..116da73173f 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.spec.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.spec.ts
@@ -11,6 +11,8 @@ import { LoginStrategyServiceAbstraction } from "../../common";
 
 import { TwoFactorAuthGuard } from "./two-factor-auth.guard";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({ template: "", standalone: true })
 export class EmptyComponent {}
 
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-options.component.ts b/libs/auth/src/angular/two-factor-auth/two-factor-options.component.ts
index 7e7e02e5e5a..d0ad9be6103 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-options.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-options.component.ts
@@ -30,6 +30,8 @@ export type TwoFactorOptionsDialogResult = {
   type: TwoFactorProviderType;
 };
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-two-factor-options",
   templateUrl: "two-factor-options.component.html",
diff --git a/libs/auth/src/angular/user-verification/user-verification-dialog.component.ts b/libs/auth/src/angular/user-verification/user-verification-dialog.component.ts
index 4dfb7a6a995..09d428d4ba7 100644
--- a/libs/auth/src/angular/user-verification/user-verification-dialog.component.ts
+++ b/libs/auth/src/angular/user-verification/user-verification-dialog.component.ts
@@ -30,6 +30,8 @@ import {
 } from "./user-verification-dialog.types";
 import { UserVerificationFormInputComponent } from "./user-verification-form-input.component";
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   templateUrl: "user-verification-dialog.component.html",
   imports: [
diff --git a/libs/auth/src/angular/user-verification/user-verification-form-input.component.ts b/libs/auth/src/angular/user-verification/user-verification-form-input.component.ts
index e1b8207d970..296359c92ff 100644
--- a/libs/auth/src/angular/user-verification/user-verification-form-input.component.ts
+++ b/libs/auth/src/angular/user-verification/user-verification-form-input.component.ts
@@ -40,6 +40,8 @@ import { ActiveClientVerificationOption } from "./active-client-verification-opt
  * This is exposed to the parent component via the ControlValueAccessor interface (e.g. bind it to a FormControl).
  * Use UserVerificationService to verify the user's input.
  */
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "app-user-verification-form-input",
   templateUrl: "user-verification-form-input.component.html",
@@ -69,8 +71,12 @@ import { ActiveClientVerificationOption } from "./active-client-verification-opt
   ],
 })
 export class UserVerificationFormInputComponent implements ControlValueAccessor, OnInit, OnDestroy {
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() verificationType: "server" | "client" = "server"; // server represents original behavior
   private _invalidSecret = false;
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input()
   get invalidSecret() {
     return this._invalidSecret;
@@ -88,11 +94,17 @@ export class UserVerificationFormInputComponent implements ControlValueAccessor,
     }
     this.secret.updateValueAndValidity({ emitEvent: false });
   }
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() invalidSecretChange = new EventEmitter<boolean>();
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() activeClientVerificationOptionChange =
     new EventEmitter<ActiveClientVerificationOption>();
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
   @Output() biometricsVerificationResultChange = new EventEmitter<boolean>();
 
   readonly Icons = { UserVerificationBiometricsIcon };
diff --git a/libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.ts b/libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.ts
index b5d87c60882..2335de34c21 100644
--- a/libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.ts
+++ b/libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.ts
@@ -44,6 +44,8 @@ type VaultTimeoutForm = FormGroup<{
 
 type VaultTimeoutFormValue = VaultTimeoutForm["value"];
 
+// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
+// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "auth-vault-timeout-input",
   templateUrl: "vault-timeout-input.component.html",
@@ -110,6 +112,8 @@ export class VaultTimeoutInputComponent
     }),
   });
 
+  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
+  // eslint-disable-next-line @angular-eslint/prefer-signals
   @Input() vaultTimeoutOptions: VaultTimeoutOption[];
 
   vaultTimeoutPolicy: Policy;
diff --git a/libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.ts b/libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.ts
index 80dbafd3159..8b947c41c46 100644
--- a/libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.ts
+++ b/libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.ts
@@ -16,7 +16,7 @@ const LOGIN_VIA_AUTH_CACHE_KEY = "login-via-auth-request-form-cache";
 export class LoginViaAuthRequestCacheService {
   private viewCacheService: ViewCacheService = inject(ViewCacheService);
 
-  private defaultLoginViaAuthRequestCache: WritableSignal<LoginViaAuthRequestView | null> =
+  private readonly defaultLoginViaAuthRequestCache: WritableSignal<LoginViaAuthRequestView | null> =
     this.viewCacheService.signal<LoginViaAuthRequestView | null>({
       key: LOGIN_VIA_AUTH_CACHE_KEY,
       initialValue: null,

From 7e7107f16500892b424e4ced178aaa0c8bd29f9a Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 23 Oct 2025 11:38:10 +0200
Subject: [PATCH 10/11] [PM-27221] Update legacy kdf state on master password
 unlock sync (#16966)

* Update legacy kdf state on master password unlock sync

* Fix cli build

* Fix

* Fix build

* Fix cli

* Fix browser
---
 apps/browser/src/background/main.background.ts             | 1 +
 apps/cli/src/service-container/service-container.ts        | 1 +
 libs/angular/src/services/jslib-services.module.ts         | 1 +
 libs/common/src/platform/sync/default-sync.service.spec.ts | 5 ++++-
 libs/common/src/platform/sync/default-sync.service.ts      | 4 +++-
 5 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/apps/browser/src/background/main.background.ts b/apps/browser/src/background/main.background.ts
index 7a4ee64070f..8170c2a65a0 100644
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -1050,6 +1050,7 @@ export default class MainBackground {
       this.authService,
       this.stateProvider,
       this.securityStateService,
+      this.kdfConfigService,
     );
 
     this.syncServiceListener = new SyncServiceListener(
diff --git a/apps/cli/src/service-container/service-container.ts b/apps/cli/src/service-container/service-container.ts
index d10849bae0f..3c4ee55361f 100644
--- a/apps/cli/src/service-container/service-container.ts
+++ b/apps/cli/src/service-container/service-container.ts
@@ -846,6 +846,7 @@ export class ServiceContainer {
       this.authService,
       this.stateProvider,
       this.securityStateService,
+      this.kdfConfigService,
     );
 
     this.totpService = new TotpService(this.sdkService);
diff --git a/libs/angular/src/services/jslib-services.module.ts b/libs/angular/src/services/jslib-services.module.ts
index 5d2a23444f0..47e9e7d23bd 100644
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -847,6 +847,7 @@ const safeProviders: SafeProvider[] = [
       AuthServiceAbstraction,
       StateProvider,
       SecurityStateService,
+      KdfConfigService,
     ],
   }),
   safeProvider({
diff --git a/libs/common/src/platform/sync/default-sync.service.spec.ts b/libs/common/src/platform/sync/default-sync.service.spec.ts
index f60b42ce450..621033ced65 100644
--- a/libs/common/src/platform/sync/default-sync.service.spec.ts
+++ b/libs/common/src/platform/sync/default-sync.service.spec.ts
@@ -15,7 +15,7 @@ import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-st
 import { SecurityStateService } from "@bitwarden/common/key-management/security-state/abstractions/security-state.service";
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
-import { KeyService, PBKDF2KdfConfig } from "@bitwarden/key-management";
+import { KdfConfigService, KeyService, PBKDF2KdfConfig } from "@bitwarden/key-management";
 
 import { Matrix } from "../../../spec/matrix";
 import { ApiService } from "../../abstractions/api.service";
@@ -75,6 +75,7 @@ describe("DefaultSyncService", () => {
   let authService: MockProxy<AuthService>;
   let stateProvider: MockProxy<StateProvider>;
   let securityStateService: MockProxy<SecurityStateService>;
+  let kdfConfigService: MockProxy<KdfConfigService>;
 
   let sut: DefaultSyncService;
 
@@ -105,6 +106,7 @@ describe("DefaultSyncService", () => {
     authService = mock();
     stateProvider = mock();
     securityStateService = mock();
+    kdfConfigService = mock();
 
     sut = new DefaultSyncService(
       masterPasswordAbstraction,
@@ -132,6 +134,7 @@ describe("DefaultSyncService", () => {
       authService,
       stateProvider,
       securityStateService,
+      kdfConfigService,
     );
   });
 
diff --git a/libs/common/src/platform/sync/default-sync.service.ts b/libs/common/src/platform/sync/default-sync.service.ts
index d5fa2d0ae68..e599fbc1c48 100644
--- a/libs/common/src/platform/sync/default-sync.service.ts
+++ b/libs/common/src/platform/sync/default-sync.service.ts
@@ -12,7 +12,7 @@ import {
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 import { SecurityStateService } from "@bitwarden/common/key-management/security-state/abstractions/security-state.service";
 // eslint-disable-next-line no-restricted-imports
-import { KeyService } from "@bitwarden/key-management";
+import { KdfConfigService, KeyService } from "@bitwarden/key-management";
 
 // FIXME: remove `src` and fix import
 // eslint-disable-next-line no-restricted-imports
@@ -100,6 +100,7 @@ export class DefaultSyncService extends CoreSyncService {
     authService: AuthService,
     stateProvider: StateProvider,
     private securityStateService: SecurityStateService,
+    private kdfConfigService: KdfConfigService,
   ) {
     super(
       tokenService,
@@ -434,6 +435,7 @@ export class DefaultSyncService extends CoreSyncService {
         masterPasswordUnlockData,
         userId,
       );
+      await this.kdfConfigService.setKdfConfig(userId, masterPasswordUnlockData.kdf);
     }
   }
 }

From 7f86f2d0ac69fb3d952a2cbfc95e1b8fd75d302e Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 23 Oct 2025 14:04:25 +0200
Subject: [PATCH 11/11] [PM-26340] Implement encrypted memory store (#16659)

* Extract windows biometrics v2 changes

Co-authored-by: Bernd Schoolmann <mail@quexten.com>

* Address some code review feedback

* cargo fmt

* rely on zeroizing allocator

* Handle TDE edge cases

* Update windows default

* Make windows rust code async and fix restoring focus freezes

* fix formatting

* cleanup native logging

* Add unit test coverage

* Add missing logic to edge case for PIN disable.

* Address code review feedback

* fix test

* code review changes

* fix clippy warning

* Swap to unimplemented on each method

* Implement encrypted memory store

* Make dpapi secure key container pub(super)

* Add comments on sync and send

* Clean up comments

* Clean up

* Fix build

* Add logging and update codeowners

* Run cargo fmt

* Clean up doc

* fix unit tests

* Update apps/desktop/desktop_native/core/src/secure_memory/secure_key/mod.rs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Handle tampering with re-key and log

* Add docs

* Fix windows build

* Prevent rust flycheck log from being commited to git

* Undo feature flag change

* Add env var override and docs

* Add deps to km owership

---------

Co-authored-by: Thomas Avery <tavery@bitwarden.com>
Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
---
 .github/CODEOWNERS                            |   1 +
 .github/renovate.json5                        |  11 +-
 .gitignore                                    |   1 +
 apps/desktop/desktop_native/Cargo.lock        |  93 ++++++-
 apps/desktop/desktop_native/Cargo.toml        |   2 +
 apps/desktop/desktop_native/core/Cargo.toml   |   2 +
 .../core/src/secure_memory/dpapi.rs           |   2 +-
 .../secure_memory/encrypted_memory_store.rs   | 105 ++++++++
 .../core/src/secure_memory/mod.rs             |   7 +-
 .../src/secure_memory/secure_key/crypto.rs    |  96 +++++++
 .../src/secure_memory/secure_key/dpapi.rs     |  93 +++++++
 .../src/secure_memory/secure_key/keyctl.rs    | 100 ++++++++
 .../secure_memory/secure_key/memfd_secret.rs  | 109 ++++++++
 .../src/secure_memory/secure_key/mlock.rs     |  83 ++++++
 .../core/src/secure_memory/secure_key/mod.rs  | 242 ++++++++++++++++++
 15 files changed, 942 insertions(+), 5 deletions(-)
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/encrypted_memory_store.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/crypto.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/dpapi.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/keyctl.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/memfd_secret.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/mlock.rs
 create mode 100644 apps/desktop/desktop_native/core/src/secure_memory/secure_key/mod.rs

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ae5d62a90c2..f03cf3ee2a8 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -8,6 +8,7 @@
 apps/desktop/desktop_native @bitwarden/team-platform-dev
 apps/desktop/desktop_native/objc/src/native/autofill @bitwarden/team-autofill-desktop-dev
 apps/desktop/desktop_native/core/src/autofill @bitwarden/team-autofill-desktop-dev
+apps/desktop/desktop_native/core/src/secure_memory @bitwarden/team-key-management-dev
 ## No ownership for Cargo.lock and Cargo.toml to allow dependency updates
 apps/desktop/desktop_native/Cargo.lock
 apps/desktop/desktop_native/Cargo.toml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 6fcffb1f875..f898df460c9 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -400,7 +400,16 @@
       reviewers: ["team:team-vault-dev"],
     },
     {
-      matchPackageNames: ["aes", "big-integer", "cbc", "rsa", "russh-cryptovec", "sha2"],
+      matchPackageNames: [
+        "aes",
+        "big-integer",
+        "cbc",
+        "rsa",
+        "russh-cryptovec",
+        "sha2",
+        "memsec",
+        "linux-keyutils",
+      ],
       description: "Key Management owned dependencies",
       commitMessagePrefix: "[deps] KM:",
       reviewers: ["team:team-key-management-dev"],
diff --git a/.gitignore b/.gitignore
index 61a20195592..6b13d22caa7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,7 @@ npm-debug.log
 # Build directories
 dist
 build
+target
 .angular/cache
 .flatpak
 .flatpak-repo
diff --git a/apps/desktop/desktop_native/Cargo.lock b/apps/desktop/desktop_native/Cargo.lock
index 0aa040bbcf1..3df6b41734b 100644
--- a/apps/desktop/desktop_native/Cargo.lock
+++ b/apps/desktop/desktop_native/Cargo.lock
@@ -927,6 +927,8 @@ dependencies = [
  "interprocess",
  "keytar",
  "libc",
+ "linux-keyutils",
+ "memsec",
  "oo7",
  "pin-project",
  "pkcs8",
@@ -1793,6 +1795,16 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "linux-keyutils"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "761e49ec5fd8a5a463f9b84e877c373d888935b71c6be78f3767fe2ae6bed18e"
+dependencies = [
+ "bitflags",
+ "libc",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.15"
@@ -1878,6 +1890,17 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "memsec"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c797b9d6bb23aab2fc369c65f871be49214f5c759af65bde26ffaaa2b646b492"
+dependencies = [
+ "getrandom 0.2.16",
+ "libc",
+ "windows-sys 0.45.0",
+]
+
 [[package]]
 name = "mime"
 version = "0.3.17"
@@ -3993,6 +4016,15 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.45.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
+dependencies = [
+ "windows-targets 0.42.2",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -4020,6 +4052,21 @@ dependencies = [
  "windows-targets 0.53.3",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.48.5"
@@ -4068,6 +4115,12 @@ dependencies = [
  "windows_x86_64_msvc 0.53.0",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.48.5"
@@ -4086,6 +4139,12 @@ version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.48.5"
@@ -4104,6 +4163,12 @@ version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.48.5"
@@ -4134,6 +4199,12 @@ version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.48.5"
@@ -4161,6 +4232,12 @@ dependencies = [
  "windows-core 0.61.0",
 ]
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.48.5"
@@ -4179,6 +4256,12 @@ version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.48.5"
@@ -4197,6 +4280,12 @@ version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.48.5"
@@ -4416,9 +4505,9 @@ dependencies = [
 
 [[package]]
 name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
 dependencies = [
  "zeroize_derive",
 ]
diff --git a/apps/desktop/desktop_native/Cargo.toml b/apps/desktop/desktop_native/Cargo.toml
index 855b0b3aa43..edf3cb44eca 100644
--- a/apps/desktop/desktop_native/Cargo.toml
+++ b/apps/desktop/desktop_native/Cargo.toml
@@ -39,7 +39,9 @@ homedir = "=0.3.4"
 interprocess = "=2.2.1"
 keytar = "=0.1.6"
 libc = "=0.2.172"
+linux-keyutils = "=0.2.4"
 log = "=0.4.25"
+memsec = "=0.7.0"
 napi = "=2.16.17"
 napi-build = "=2.2.0"
 napi-derive = "=2.16.13"
diff --git a/apps/desktop/desktop_native/core/Cargo.toml b/apps/desktop/desktop_native/core/Cargo.toml
index b7e4c9b7a83..f6c9d669df6 100644
--- a/apps/desktop/desktop_native/core/Cargo.toml
+++ b/apps/desktop/desktop_native/core/Cargo.toml
@@ -32,6 +32,7 @@ ed25519 = { workspace = true, features = ["pkcs8"] }
 futures = { workspace = true }
 homedir = { workspace = true }
 interprocess = { workspace = true, features = ["tokio"] }
+memsec = { workspace = true, features = ["alloc_ext"] }
 pin-project = { workspace = true }
 pkcs8 = { workspace = true, features = ["alloc", "encryption", "pem"] }
 rand = { workspace = true }
@@ -87,6 +88,7 @@ desktop_objc = { path = "../objc" }
 [target.'cfg(target_os = "linux")'.dependencies]
 oo7 = { workspace = true }
 libc = { workspace = true }
+linux-keyutils = { workspace = true }
 ashpd = { workspace = true }
 
 zbus = { workspace = true, optional = true }
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/dpapi.rs b/apps/desktop/desktop_native/core/src/secure_memory/dpapi.rs
index ca9b6081d69..3ff8a6d3d83 100644
--- a/apps/desktop/desktop_native/core/src/secure_memory/dpapi.rs
+++ b/apps/desktop/desktop_native/core/src/secure_memory/dpapi.rs
@@ -54,7 +54,7 @@ impl SecureMemoryStore for DpapiSecretKVStore {
         self.map.insert(key, padded_data);
     }
 
-    fn get(&self, key: &str) -> Option<Vec<u8>> {
+    fn get(&mut self, key: &str) -> Option<Vec<u8>> {
         self.map.get(key).map(|data| {
             // A copy is created, that is then mutated by the DPAPI unprotect function.
             let mut data = data.clone();
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/encrypted_memory_store.rs b/apps/desktop/desktop_native/core/src/secure_memory/encrypted_memory_store.rs
new file mode 100644
index 00000000000..a8952d8f55a
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/encrypted_memory_store.rs
@@ -0,0 +1,105 @@
+use tracing::error;
+
+use crate::secure_memory::{
+    secure_key::{EncryptedMemory, SecureMemoryEncryptionKey},
+    SecureMemoryStore,
+};
+
+/// An encrypted memory store holds a platform protected symmetric encryption key, and uses it
+/// to encrypt all items it stores. The ciphertexts for the items are not specially protected. This
+/// allows circumventing length and amount limitations on platform specific secure memory APIs since
+/// only a single short item needs to be protected.
+///
+/// The key is briefly in process memory during encryption and decryption, in memory that is protected
+/// from swapping to disk via mlock, and then zeroed out immediately after use.
+#[allow(unused)]
+pub(crate) struct EncryptedMemoryStore {
+    map: std::collections::HashMap<String, EncryptedMemory>,
+    memory_encryption_key: SecureMemoryEncryptionKey,
+}
+
+impl EncryptedMemoryStore {
+    #[allow(unused)]
+    pub(crate) fn new() -> Self {
+        EncryptedMemoryStore {
+            map: std::collections::HashMap::new(),
+            memory_encryption_key: SecureMemoryEncryptionKey::new(),
+        }
+    }
+}
+
+impl SecureMemoryStore for EncryptedMemoryStore {
+    fn put(&mut self, key: String, value: &[u8]) {
+        let encrypted_value = self.memory_encryption_key.encrypt(value);
+        self.map.insert(key, encrypted_value);
+    }
+
+    fn get(&mut self, key: &str) -> Option<Vec<u8>> {
+        let encrypted_memory = self.map.get(key);
+        if let Some(encrypted_memory) = encrypted_memory {
+            match self.memory_encryption_key.decrypt(encrypted_memory) {
+                Ok(plaintext) => Some(plaintext),
+                Err(_) => {
+                    error!("In memory store, decryption failed for key {}. The memory may have been tampered with. re-keying.", key);
+                    self.memory_encryption_key = SecureMemoryEncryptionKey::new();
+                    self.clear();
+                    None
+                }
+            }
+        } else {
+            None
+        }
+    }
+
+    fn has(&self, key: &str) -> bool {
+        self.map.contains_key(key)
+    }
+
+    fn remove(&mut self, key: &str) {
+        self.map.remove(key);
+    }
+
+    fn clear(&mut self) {
+        self.map.clear();
+    }
+}
+
+impl Drop for EncryptedMemoryStore {
+    fn drop(&mut self) {
+        self.clear();
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_secret_kv_store_various_sizes() {
+        let mut store = EncryptedMemoryStore::new();
+        for size in 0..=2048 {
+            let key = format!("test_key_{}", size);
+            let value: Vec<u8> = (0..size).map(|i| (i % 256) as u8).collect();
+            store.put(key.clone(), &value);
+            assert!(store.has(&key), "Store should have key for size {}", size);
+            assert_eq!(
+                store.get(&key),
+                Some(value),
+                "Value mismatch for size {}",
+                size
+            );
+        }
+    }
+
+    #[test]
+    fn test_crud() {
+        let mut store = EncryptedMemoryStore::new();
+        let key = "test_key".to_string();
+        let value = vec![1, 2, 3, 4, 5];
+        store.put(key.clone(), &value);
+        assert!(store.has(&key));
+        assert_eq!(store.get(&key), Some(value));
+        store.remove(&key);
+        assert!(!store.has(&key));
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/mod.rs b/apps/desktop/desktop_native/core/src/secure_memory/mod.rs
index 0cb604e03f2..8695904758e 100644
--- a/apps/desktop/desktop_native/core/src/secure_memory/mod.rs
+++ b/apps/desktop/desktop_native/core/src/secure_memory/mod.rs
@@ -1,6 +1,9 @@
 #[cfg(target_os = "windows")]
 pub(crate) mod dpapi;
 
+mod encrypted_memory_store;
+mod secure_key;
+
 /// The secure memory store provides an ephemeral key-value store for sensitive data.
 /// Data stored in this store is prevented from being swapped to disk and zeroed out. Additionally,
 /// platform-specific protections are applied to prevent memory dumps or debugger access from
@@ -12,7 +15,9 @@ pub(crate) trait SecureMemoryStore {
     /// Retrieves a copy of the value associated with the given key from secure memory.
     /// This copy does not have additional memory protections applied, and should be zeroed when no
     /// longer needed.
-    fn get(&self, key: &str) -> Option<Vec<u8>>;
+    ///
+    /// Note: If memory was tampered with, this will re-key the store and return None.
+    fn get(&mut self, key: &str) -> Option<Vec<u8>>;
     /// Checks if a value is stored under the given key.
     fn has(&self, key: &str) -> bool;
     /// Removes the value associated with the given key from secure memory.
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/crypto.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/crypto.rs
new file mode 100644
index 00000000000..1ee6c4cdf40
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/crypto.rs
@@ -0,0 +1,96 @@
+use std::ptr::NonNull;
+
+use chacha20poly1305::{aead::Aead, Key, KeyInit};
+use rand::{rng, Rng};
+
+pub(super) const KEY_SIZE: usize = 32;
+pub(super) const NONCE_SIZE: usize = 24;
+
+/// The encryption performed here is xchacha-poly1305. Any tampering with the key or the ciphertexts will result
+/// in a decryption failure and panic. The key's memory contents are protected from being swapped to disk
+/// via mlock.
+pub(super) struct MemoryEncryptionKey(NonNull<[u8]>);
+
+/// An encrypted memory blob that must be decrypted using the same key that it was encrypted with.
+pub struct EncryptedMemory {
+    nonce: [u8; NONCE_SIZE],
+    ciphertext: Vec<u8>,
+}
+
+impl MemoryEncryptionKey {
+    pub fn new() -> Self {
+        let mut key = [0u8; KEY_SIZE];
+        rng().fill(&mut key);
+        MemoryEncryptionKey::from(&key)
+    }
+
+    /// Encrypts the given plaintext using the key.
+    #[allow(unused)]
+    pub(super) fn encrypt(&self, plaintext: &[u8]) -> EncryptedMemory {
+        let cipher = chacha20poly1305::XChaCha20Poly1305::new(Key::from_slice(self.as_ref()));
+        let mut nonce = [0u8; NONCE_SIZE];
+        rng().fill(&mut nonce);
+        let ciphertext = cipher
+            .encrypt(chacha20poly1305::XNonce::from_slice(&nonce), plaintext)
+            .expect("encryption should not fail");
+        EncryptedMemory { nonce, ciphertext }
+    }
+
+    /// Decrypts the given encrypted memory using the key. A decryption failure will panic. This is
+    /// okay because neither the keys nor ciphertexts should ever fail to decrypt, and doing so
+    /// indicates that the process memory was tampered with.
+    #[allow(unused)]
+    pub(super) fn decrypt(&self, encrypted: &EncryptedMemory) -> Result<Vec<u8>, DecryptionError> {
+        let cipher = chacha20poly1305::XChaCha20Poly1305::new(Key::from_slice(self.as_ref()));
+        cipher
+            .decrypt(
+                chacha20poly1305::XNonce::from_slice(&encrypted.nonce),
+                encrypted.ciphertext.as_ref(),
+            )
+            .map_err(|_| DecryptionError::CouldNotDecrypt)
+    }
+}
+
+impl Drop for MemoryEncryptionKey {
+    fn drop(&mut self) {
+        unsafe {
+            memsec::free(self.0);
+        }
+    }
+}
+
+impl From<&[u8; KEY_SIZE]> for MemoryEncryptionKey {
+    fn from(value: &[u8; KEY_SIZE]) -> Self {
+        let mut ptr: NonNull<[u8]> =
+            unsafe { memsec::malloc_sized(KEY_SIZE).expect("malloc_sized should work") };
+        unsafe {
+            std::ptr::copy_nonoverlapping(value.as_ptr(), ptr.as_mut().as_mut_ptr(), KEY_SIZE);
+        }
+        MemoryEncryptionKey(ptr)
+    }
+}
+
+impl AsRef<[u8]> for MemoryEncryptionKey {
+    fn as_ref(&self) -> &[u8] {
+        unsafe { self.0.as_ref() }
+    }
+}
+
+#[derive(Debug)]
+pub(crate) enum DecryptionError {
+    CouldNotDecrypt,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_memory_encryption_key() {
+        let key = MemoryEncryptionKey::new();
+        let data = b"Hello, world!";
+        let encrypted = key.encrypt(data);
+        let decrypted = key.decrypt(&encrypted).unwrap();
+        assert_eq!(data.as_ref(), decrypted.as_slice());
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/dpapi.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/dpapi.rs
new file mode 100644
index 00000000000..0975b542877
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/dpapi.rs
@@ -0,0 +1,93 @@
+use super::crypto::{MemoryEncryptionKey, KEY_SIZE};
+use super::SecureKeyContainer;
+use windows::Win32::Security::Cryptography::{
+    CryptProtectMemory, CryptUnprotectMemory, CRYPTPROTECTMEMORY_BLOCK_SIZE,
+    CRYPTPROTECTMEMORY_SAME_PROCESS,
+};
+
+/// https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata
+/// The DPAPI store encrypts data using the Windows Data Protection API (DPAPI). The key is bound
+/// to the current process, and cannot be decrypted by other user-mode processes.
+///
+/// Note: Admin processes can still decrypt this memory:
+/// https://blog.slowerzs.net/posts/cryptdecryptmemory/
+pub(super) struct DpapiSecureKeyContainer {
+    dpapi_encrypted_key: [u8; KEY_SIZE + CRYPTPROTECTMEMORY_BLOCK_SIZE as usize],
+}
+
+// SAFETY: The encrypted data is fully owned by this struct, and not exposed outside or cloned,
+// and is disposed on drop of this struct.
+unsafe impl Send for DpapiSecureKeyContainer {}
+// SAFETY: The container is non-mutable and thus safe to share between threads.
+unsafe impl Sync for DpapiSecureKeyContainer {}
+
+impl SecureKeyContainer for DpapiSecureKeyContainer {
+    fn as_key(&self) -> MemoryEncryptionKey {
+        let mut decrypted_key = self.dpapi_encrypted_key;
+        unsafe {
+            CryptUnprotectMemory(
+                decrypted_key.as_mut_ptr() as *mut core::ffi::c_void,
+                decrypted_key.len() as u32,
+                CRYPTPROTECTMEMORY_SAME_PROCESS,
+            )
+        }
+        .expect("crypt_unprotect_memory should work");
+        let mut key = [0u8; KEY_SIZE];
+        key.copy_from_slice(&decrypted_key[..KEY_SIZE]);
+        MemoryEncryptionKey::from(&key)
+    }
+
+    fn from_key(key: MemoryEncryptionKey) -> Self {
+        let mut padded_key = [0u8; KEY_SIZE + CRYPTPROTECTMEMORY_BLOCK_SIZE as usize];
+        padded_key[..KEY_SIZE].copy_from_slice(key.as_ref());
+        unsafe {
+            CryptProtectMemory(
+                padded_key.as_mut_ptr() as *mut core::ffi::c_void,
+                padded_key.len() as u32,
+                CRYPTPROTECTMEMORY_SAME_PROCESS,
+            )
+        }
+        .expect("crypt_protect_memory should work");
+        DpapiSecureKeyContainer {
+            dpapi_encrypted_key: padded_key,
+        }
+    }
+
+    fn is_supported() -> bool {
+        // DPAPI is supported on all Windows versions that we support.
+        true
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_multiple_keys() {
+        let key1 = MemoryEncryptionKey::new();
+        let key2 = MemoryEncryptionKey::new();
+        let container1 = DpapiSecureKeyContainer::from_key(key1);
+        let container2 = DpapiSecureKeyContainer::from_key(key2);
+
+        // Capture at time 1
+        let data_1_1 = container1.as_key();
+        let data_2_1 = container2.as_key();
+        // Capture at time 2
+        let data_1_2 = container1.as_key();
+        let data_2_2 = container2.as_key();
+
+        // Same keys should be equal
+        assert_eq!(data_1_1.as_ref(), data_1_2.as_ref());
+        assert_eq!(data_2_1.as_ref(), data_2_2.as_ref());
+
+        // Different keys should be different
+        assert_ne!(data_1_1.as_ref(), data_2_1.as_ref());
+        assert_ne!(data_1_2.as_ref(), data_2_2.as_ref());
+    }
+
+    #[test]
+    fn test_is_supported() {
+        assert!(DpapiSecureKeyContainer::is_supported());
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/keyctl.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/keyctl.rs
new file mode 100644
index 00000000000..a738d964671
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/keyctl.rs
@@ -0,0 +1,100 @@
+use crate::secure_memory::secure_key::crypto::MemoryEncryptionKey;
+
+use super::crypto::KEY_SIZE;
+use super::SecureKeyContainer;
+use linux_keyutils::{KeyRing, KeyRingIdentifier};
+
+/// The keys are bound to the process keyring.
+const KEY_RING_IDENTIFIER: KeyRingIdentifier = KeyRingIdentifier::Process;
+/// This is an atomic global counter used to help generate unique key IDs
+static COUNTER: std::sync::atomic::AtomicU64 = std::sync::atomic::AtomicU64::new(0);
+/// Generates a unique ID for the key in the kernel keyring.
+/// SAFETY: This function is safe to call from multiple threads because it uses an atomic counter.
+fn make_id() -> String {
+    let counter = COUNTER.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+    // In case multiple processes are running, include the PID in the key ID.
+    let pid = std::process::id();
+    format!("bitwarden_desktop_{}_{}", pid, counter)
+}
+
+/// A secure key container that uses the Linux kernel keyctl API to store the key.
+/// `https://man7.org/linux/man-pages/man1/keyctl.1.html`. The kernel enforces only
+/// the correct process can read them, and they do not live in process memory space
+/// and cannot be dumped.
+pub(super) struct KeyctlSecureKeyContainer {
+    /// The kernel has an identifier for the key. This is randomly generated on construction.
+    id: String,
+}
+
+// SAFETY: The key id is fully owned by this struct and not exposed or cloned, and cleaned up on drop.
+// Further, since we use `KeyRingIdentifier::Process` and not `KeyRingIdentifier::Thread`, the key
+// is accessible across threads within the same process bound.
+unsafe impl Send for KeyctlSecureKeyContainer {}
+// SAFETY: The container is non-mutable and thus safe to share between threads.
+unsafe impl Sync for KeyctlSecureKeyContainer {}
+
+impl SecureKeyContainer for KeyctlSecureKeyContainer {
+    fn as_key(&self) -> MemoryEncryptionKey {
+        let ring = KeyRing::from_special_id(KEY_RING_IDENTIFIER, false)
+            .expect("should get process keyring");
+        let key = ring.search(&self.id).expect("should find key");
+        let mut buffer = [0u8; KEY_SIZE];
+        key.read(&mut buffer).expect("should read key");
+        MemoryEncryptionKey::from(&buffer)
+    }
+
+    fn from_key(data: MemoryEncryptionKey) -> Self {
+        let ring = KeyRing::from_special_id(KEY_RING_IDENTIFIER, true)
+            .expect("should get process keyring");
+        let id = make_id();
+        ring.add_key(&id, &data).expect("should add key");
+        KeyctlSecureKeyContainer { id }
+    }
+
+    fn is_supported() -> bool {
+        KeyRing::from_special_id(KEY_RING_IDENTIFIER, true).is_ok()
+    }
+}
+
+impl Drop for KeyctlSecureKeyContainer {
+    fn drop(&mut self) {
+        let ring = KeyRing::from_special_id(KEY_RING_IDENTIFIER, false)
+            .expect("should get process keyring");
+        if let Ok(key) = ring.search(&self.id) {
+            let _ = key.invalidate();
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_multiple_keys() {
+        let key1 = MemoryEncryptionKey::new();
+        let key2 = MemoryEncryptionKey::new();
+        let container1 = KeyctlSecureKeyContainer::from_key(key1);
+        let container2 = KeyctlSecureKeyContainer::from_key(key2);
+
+        // Capture at time 1
+        let data_1_1 = container1.as_key();
+        let data_2_1 = container2.as_key();
+        // Capture at time 2
+        let data_1_2 = container1.as_key();
+        let data_2_2 = container2.as_key();
+
+        // Same keys should be equal
+        assert_eq!(data_1_1.as_ref(), data_1_2.as_ref());
+        assert_eq!(data_2_1.as_ref(), data_2_2.as_ref());
+
+        // Different keys should be different
+        assert_ne!(data_1_1.as_ref(), data_2_1.as_ref());
+        assert_ne!(data_1_2.as_ref(), data_2_2.as_ref());
+    }
+
+    #[test]
+    fn test_is_supported() {
+        assert!(KeyctlSecureKeyContainer::is_supported());
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/memfd_secret.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/memfd_secret.rs
new file mode 100644
index 00000000000..4e6a2c4d7ac
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/memfd_secret.rs
@@ -0,0 +1,109 @@
+use std::{ptr::NonNull, sync::LazyLock};
+
+use super::crypto::MemoryEncryptionKey;
+use super::crypto::KEY_SIZE;
+use super::SecureKeyContainer;
+
+/// https://man.archlinux.org/man/memfd_secret.2.en
+/// The memfd_secret store protects the data using the `memfd_secret` syscall. The
+/// data is inaccessible to other user-mode processes, and even to root in most cases.
+/// If arbitrary data can be executed in the kernel, the data can still be retrieved:
+/// https://github.com/JonathonReinhart/nosecmem
+pub(super) struct MemfdSecretSecureKeyContainer {
+    ptr: NonNull<[u8]>,
+}
+// SAFETY: The pointers in this struct are allocated by `memfd_secret`, and we have full ownership.
+// They are never exposed outside or cloned, and are cleaned up by drop.
+unsafe impl Send for MemfdSecretSecureKeyContainer {}
+// SAFETY: The container is non-mutable and thus safe to share between threads. Further, memfd-secret
+// is accessible across threads within the same process bound.
+unsafe impl Sync for MemfdSecretSecureKeyContainer {}
+
+impl SecureKeyContainer for MemfdSecretSecureKeyContainer {
+    fn as_key(&self) -> MemoryEncryptionKey {
+        MemoryEncryptionKey::from(
+            &unsafe { self.ptr.as_ref() }
+                .try_into()
+                .expect("slice should be KEY_SIZE"),
+        )
+    }
+
+    fn from_key(key: MemoryEncryptionKey) -> Self {
+        let mut ptr: NonNull<[u8]> = unsafe {
+            memsec::memfd_secret_sized(KEY_SIZE).expect("memfd_secret_sized should work")
+        };
+        unsafe {
+            std::ptr::copy_nonoverlapping(
+                key.as_ref().as_ptr(),
+                ptr.as_mut().as_mut_ptr(),
+                KEY_SIZE,
+            );
+        }
+        MemfdSecretSecureKeyContainer { ptr }
+    }
+
+    /// Note, `memfd_secret` is only available since Linux 6.5, so fallbacks are needed.
+    fn is_supported() -> bool {
+        // To test if memfd_secret is supported, we try to allocate a 1 byte and see if that
+        // succeeds.
+        static IS_SUPPORTED: LazyLock<bool> = LazyLock::new(|| {
+            let Some(ptr): Option<NonNull<[u8]>> = (unsafe { memsec::memfd_secret_sized(1) })
+            else {
+                return false;
+            };
+
+            // Check that the pointer is readable and writable
+            let result = unsafe {
+                let ptr = ptr.as_ptr() as *mut u8;
+                *ptr = 30;
+                *ptr += 107;
+                *ptr == 137
+            };
+
+            unsafe { memsec::free_memfd_secret(ptr) };
+            result
+        });
+        *IS_SUPPORTED
+    }
+}
+
+impl Drop for MemfdSecretSecureKeyContainer {
+    fn drop(&mut self) {
+        unsafe {
+            memsec::free_memfd_secret(self.ptr);
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_multiple_keys() {
+        let key1 = MemoryEncryptionKey::new();
+        let key2 = MemoryEncryptionKey::new();
+        let container1 = MemfdSecretSecureKeyContainer::from_key(key1);
+        let container2 = MemfdSecretSecureKeyContainer::from_key(key2);
+
+        // Capture at time 1
+        let data_1_1 = container1.as_key();
+        let data_2_1 = container2.as_key();
+        // Capture at time 2
+        let data_1_2 = container1.as_key();
+        let data_2_2 = container2.as_key();
+
+        // Same keys should be equal
+        assert_eq!(data_1_1.as_ref(), data_1_2.as_ref());
+        assert_eq!(data_2_1.as_ref(), data_2_2.as_ref());
+
+        // Different keys should be different
+        assert_ne!(data_1_1.as_ref(), data_2_1.as_ref());
+        assert_ne!(data_1_2.as_ref(), data_2_2.as_ref());
+    }
+
+    #[test]
+    fn test_is_supported() {
+        assert!(MemfdSecretSecureKeyContainer::is_supported());
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mlock.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mlock.rs
new file mode 100644
index 00000000000..db21cd7fedc
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mlock.rs
@@ -0,0 +1,83 @@
+use std::ptr::NonNull;
+
+use super::crypto::MemoryEncryptionKey;
+use super::crypto::KEY_SIZE;
+use super::SecureKeyContainer;
+
+/// A SecureKeyContainer that uses mlock to prevent the memory from being swapped to disk.
+/// This does not provide as strong protections as other methods, but is always supported.
+pub(super) struct MlockSecureKeyContainer {
+    ptr: NonNull<[u8]>,
+}
+// SAFETY: The pointers in this struct are allocated by `malloc_sized`, and we have full ownership.
+// They are never exposed outside or cloned, and are cleaned up by drop.
+unsafe impl Send for MlockSecureKeyContainer {}
+// SAFETY: The container is non-mutable and thus safe to share between threads.
+unsafe impl Sync for MlockSecureKeyContainer {}
+
+impl SecureKeyContainer for MlockSecureKeyContainer {
+    fn as_key(&self) -> MemoryEncryptionKey {
+        MemoryEncryptionKey::from(
+            &unsafe { self.ptr.as_ref() }
+                .try_into()
+                .expect("slice should be KEY_SIZE"),
+        )
+    }
+    fn from_key(key: MemoryEncryptionKey) -> Self {
+        let mut ptr: NonNull<[u8]> =
+            unsafe { memsec::malloc_sized(KEY_SIZE).expect("malloc_sized should work") };
+        unsafe {
+            std::ptr::copy_nonoverlapping(
+                key.as_ref().as_ptr(),
+                ptr.as_mut().as_mut_ptr(),
+                KEY_SIZE,
+            );
+        }
+        MlockSecureKeyContainer { ptr }
+    }
+
+    fn is_supported() -> bool {
+        true
+    }
+}
+
+impl Drop for MlockSecureKeyContainer {
+    fn drop(&mut self) {
+        unsafe {
+            memsec::free(self.ptr);
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_multiple_keys() {
+        let key1 = MemoryEncryptionKey::new();
+        let key2 = MemoryEncryptionKey::new();
+        let container1 = MlockSecureKeyContainer::from_key(key1);
+        let container2 = MlockSecureKeyContainer::from_key(key2);
+
+        // Capture at time 1
+        let data_1_1 = container1.as_key();
+        let data_2_1 = container2.as_key();
+        // Capture at time 2
+        let data_1_2 = container1.as_key();
+        let data_2_2 = container2.as_key();
+
+        // Same keys should be equal
+        assert_eq!(data_1_1.as_ref(), data_1_2.as_ref());
+        assert_eq!(data_2_1.as_ref(), data_2_2.as_ref());
+
+        // Different keys should be different
+        assert_ne!(data_1_1.as_ref(), data_2_1.as_ref());
+        assert_ne!(data_1_2.as_ref(), data_2_2.as_ref());
+    }
+
+    #[test]
+    fn test_is_supported() {
+        assert!(MlockSecureKeyContainer::is_supported());
+    }
+}
diff --git a/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mod.rs b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mod.rs
new file mode 100644
index 00000000000..6c3b53117a5
--- /dev/null
+++ b/apps/desktop/desktop_native/core/src/secure_memory/secure_key/mod.rs
@@ -0,0 +1,242 @@
+//! This module provides hardened storage for single cryptographic keys. These are meant for encrypting large amounts of memory.
+//! Some platforms restrict how many keys can be protected by their APIs, which necessitates this layer of indirection. This significantly
+//! reduces the complexity of each platform specific implementation, since all that's needed is implementing protecting a single fixed sized key
+//! instead of protecting many arbitrarily sized secrets. This significantly lowers the effort to maintain each implementation.
+//!
+//! The implementations include DPAPI on Windows, `keyctl` on Linux, and `memfd_secret` on Linux, and a fallback implementation using mlock.
+
+use tracing::info;
+
+mod crypto;
+#[cfg(target_os = "windows")]
+mod dpapi;
+#[cfg(target_os = "linux")]
+mod keyctl;
+#[cfg(target_os = "linux")]
+mod memfd_secret;
+mod mlock;
+
+pub use crypto::EncryptedMemory;
+
+use crate::secure_memory::secure_key::crypto::DecryptionError;
+
+/// An ephemeral key that is protected using a platform mechanism. It is generated on construction freshly, and can be used
+/// to encrypt and decrypt segments of memory. Since the key is ephemeral, persistent data cannot be encrypted with this key.
+/// On Linux and Windows, in most cases the protection mechanisms prevent memory dumps/debuggers from reading the key.
+///
+/// Note: This can be circumvented if code can be injected into the process and is only effective in combination with the
+/// memory isolation provided in `process_isolation`.
+/// - https://github.com/zer1t0/keydump
+#[allow(unused)]
+pub(crate) struct SecureMemoryEncryptionKey(CrossPlatformSecureKeyContainer);
+
+impl SecureMemoryEncryptionKey {
+    pub fn new() -> Self {
+        SecureMemoryEncryptionKey(CrossPlatformSecureKeyContainer::from_key(
+            crypto::MemoryEncryptionKey::new(),
+        ))
+    }
+
+    /// Encrypts the provided plaintext using the contained key, returning an EncryptedMemory blob.
+    #[allow(unused)]
+    pub fn encrypt(&self, plaintext: &[u8]) -> crypto::EncryptedMemory {
+        self.0.as_key().encrypt(plaintext)
+    }
+
+    /// Decrypts the provided EncryptedMemory blob using the contained key, returning the plaintext.
+    /// If the decryption fails, that means the memory was tampered with, and the function panics.
+    #[allow(unused)]
+    pub fn decrypt(&self, encrypted: &crypto::EncryptedMemory) -> Result<Vec<u8>, DecryptionError> {
+        self.0.as_key().decrypt(encrypted)
+    }
+}
+
+/// A platform specific implementation of a key container that protects a single encryption key
+/// from memory attacks.
+#[allow(unused)]
+trait SecureKeyContainer: Sync + Send {
+    /// Returns the key as a byte slice. This slice does not have additional memory protections applied.
+    fn as_key(&self) -> crypto::MemoryEncryptionKey;
+    /// Creates a new SecureKeyContainer from the provided key.
+    fn from_key(key: crypto::MemoryEncryptionKey) -> Self;
+    /// Returns true if this platform supports this secure key container implementation.
+    fn is_supported() -> bool;
+}
+
+#[allow(unused)]
+enum CrossPlatformSecureKeyContainer {
+    #[cfg(target_os = "windows")]
+    Dpapi(dpapi::DpapiSecureKeyContainer),
+    #[cfg(target_os = "linux")]
+    Keyctl(keyctl::KeyctlSecureKeyContainer),
+    #[cfg(target_os = "linux")]
+    MemfdSecret(memfd_secret::MemfdSecretSecureKeyContainer),
+    Mlock(mlock::MlockSecureKeyContainer),
+}
+
+impl SecureKeyContainer for CrossPlatformSecureKeyContainer {
+    fn as_key(&self) -> crypto::MemoryEncryptionKey {
+        match self {
+            #[cfg(target_os = "windows")]
+            CrossPlatformSecureKeyContainer::Dpapi(c) => c.as_key(),
+            #[cfg(target_os = "linux")]
+            CrossPlatformSecureKeyContainer::Keyctl(c) => c.as_key(),
+            #[cfg(target_os = "linux")]
+            CrossPlatformSecureKeyContainer::MemfdSecret(c) => c.as_key(),
+            CrossPlatformSecureKeyContainer::Mlock(c) => c.as_key(),
+        }
+    }
+
+    fn from_key(key: crypto::MemoryEncryptionKey) -> Self {
+        if let Some(container) = get_env_forced_container() {
+            return container;
+        }
+
+        #[cfg(target_os = "windows")]
+        {
+            if dpapi::DpapiSecureKeyContainer::is_supported() {
+                info!("Using DPAPI for secure key storage");
+                return CrossPlatformSecureKeyContainer::Dpapi(
+                    dpapi::DpapiSecureKeyContainer::from_key(key),
+                );
+            }
+        }
+        #[cfg(target_os = "linux")]
+        {
+            // Memfd_secret is slightly better in some cases of the kernel being compromised.
+            // Note that keyctl may sometimes not be available in e.g. snap. Memfd_secret is
+            // not available on kernels older than 6.5 while keyctl is supported since 2.6.
+            //
+            // Note: This may prevent the system from hibernating but not sleeping. Hibernate
+            // would write the memory to disk, exposing the keys. If this is an issue,
+            // the environment variable `SECURE_KEY_CONTAINER_BACKEND` can be used
+            // to force the use of keyctl or mlock.
+            if memfd_secret::MemfdSecretSecureKeyContainer::is_supported() {
+                info!("Using memfd_secret for secure key storage");
+                return CrossPlatformSecureKeyContainer::MemfdSecret(
+                    memfd_secret::MemfdSecretSecureKeyContainer::from_key(key),
+                );
+            }
+            if keyctl::KeyctlSecureKeyContainer::is_supported() {
+                info!("Using keyctl for secure key storage");
+                return CrossPlatformSecureKeyContainer::Keyctl(
+                    keyctl::KeyctlSecureKeyContainer::from_key(key),
+                );
+            }
+        }
+
+        // Falling back to mlock means that the key is accessible via memory dumping.
+        info!("Falling back to mlock for secure key storage");
+        CrossPlatformSecureKeyContainer::Mlock(mlock::MlockSecureKeyContainer::from_key(key))
+    }
+
+    fn is_supported() -> bool {
+        // Mlock is always supported as a fallback.
+        true
+    }
+}
+
+fn get_env_forced_container() -> Option<CrossPlatformSecureKeyContainer> {
+    let env_var = std::env::var("SECURE_KEY_CONTAINER_BACKEND");
+    match env_var.as_deref() {
+        #[cfg(target_os = "windows")]
+        Ok("dpapi") => {
+            info!("Forcing DPAPI secure key container via environment variable");
+            Some(CrossPlatformSecureKeyContainer::Dpapi(
+                dpapi::DpapiSecureKeyContainer::from_key(crypto::MemoryEncryptionKey::new()),
+            ))
+        }
+        #[cfg(target_os = "linux")]
+        Ok("memfd_secret") => {
+            info!("Forcing memfd_secret secure key container via environment variable");
+            Some(CrossPlatformSecureKeyContainer::MemfdSecret(
+                memfd_secret::MemfdSecretSecureKeyContainer::from_key(
+                    crypto::MemoryEncryptionKey::new(),
+                ),
+            ))
+        }
+        #[cfg(target_os = "linux")]
+        Ok("keyctl") => {
+            info!("Forcing keyctl secure key container via environment variable");
+            Some(CrossPlatformSecureKeyContainer::Keyctl(
+                keyctl::KeyctlSecureKeyContainer::from_key(crypto::MemoryEncryptionKey::new()),
+            ))
+        }
+        Ok("mlock") => {
+            info!("Forcing mlock secure key container via environment variable");
+            Some(CrossPlatformSecureKeyContainer::Mlock(
+                mlock::MlockSecureKeyContainer::from_key(crypto::MemoryEncryptionKey::new()),
+            ))
+        }
+        _ => {
+            info!(
+                "{} is not a valid secure key container backend, using automatic selection",
+                env_var.unwrap_or_default()
+            );
+            None
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_multiple_keys() {
+        // Create 20 different keys
+        let original_keys: Vec<crypto::MemoryEncryptionKey> = (0..20)
+            .map(|_| crypto::MemoryEncryptionKey::new())
+            .collect();
+
+        // Store them in secure containers
+        let containers: Vec<CrossPlatformSecureKeyContainer> = original_keys
+            .iter()
+            .map(|key| {
+                let key_bytes: &[u8; crypto::KEY_SIZE] = key.as_ref().try_into().unwrap();
+                CrossPlatformSecureKeyContainer::from_key(crypto::MemoryEncryptionKey::from(
+                    key_bytes,
+                ))
+            })
+            .collect();
+
+        // Read all keys back and validate they match the originals
+        for (i, (original_key, container)) in
+            original_keys.iter().zip(containers.iter()).enumerate()
+        {
+            let retrieved_key = container.as_key();
+            assert_eq!(
+                original_key.as_ref(),
+                retrieved_key.as_ref(),
+                "Key {} should match after storage and retrieval",
+                i
+            );
+        }
+
+        // Verify all keys are different from each other
+        for i in 0..original_keys.len() {
+            for j in (i + 1)..original_keys.len() {
+                assert_ne!(
+                    original_keys[i].as_ref(),
+                    original_keys[j].as_ref(),
+                    "Keys {} and {} should be different",
+                    i,
+                    j
+                );
+            }
+        }
+
+        // Read keys back a second time to ensure consistency
+        for (i, (original_key, container)) in
+            original_keys.iter().zip(containers.iter()).enumerate()
+        {
+            let retrieved_key_again = container.as_key();
+            assert_eq!(
+                original_key.as_ref(),
+                retrieved_key_again.as_ref(),
+                "Key {} should still match on second retrieval",
+                i
+            );
+        }
+    }
+}