Merge branch 'main' into PM-25685

libs/angular/src/admin-console/guards/index.ts

@@ -0,0 +1 @@
+export * from "./org-policy.guard";

libs/angular/src/admin-console/guards/org-policy.guard.ts

@@ -0,0 +1,70 @@
+import { inject } from "@angular/core";
+import { CanActivateFn, Router } from "@angular/router";
+import { firstValueFrom, Observable, switchMap, tap } from "rxjs";
+
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { SyncService } from "@bitwarden/common/platform/sync";
+import { ToastService } from "@bitwarden/components";
+import { UserId } from "@bitwarden/user-core";
+
+/**
+ * This guard is intended to prevent members of an organization from accessing
+ * routes based on compliance with organization
+ * policies. e.g Emergency access, which is a non-organization
+ * feature is restricted by the Auto Confirm policy.
+ */
+export function organizationPolicyGuard(
+  featureCallback: (
+    userId: UserId,
+    configService: ConfigService,
+    policyService: PolicyService,
+  ) => Observable<boolean>,
+): CanActivateFn {
+  return async () => {
+    const router = inject(Router);
+    const toastService = inject(ToastService);
+    const i18nService = inject(I18nService);
+    const accountService = inject(AccountService);
+    const policyService = inject(PolicyService);
+    const configService = inject(ConfigService);
+    const syncService = inject(SyncService);
+
+    const synced = await firstValueFrom(
+      accountService.activeAccount$.pipe(
+        getUserId,
+        switchMap((userId) => syncService.lastSync$(userId)),
+      ),
+    );
+
+    if (synced == null) {
+      await syncService.fullSync(false);
+    }
+
+    const compliant = await firstValueFrom(
+      accountService.activeAccount$.pipe(
+        getUserId,
+        switchMap((userId) => featureCallback(userId, configService, policyService)),
+        tap((compliant) => {
+          if (typeof compliant !== "boolean") {
+            throw new Error("Feature callback must return a boolean.");
+          }
+        }),
+      ),
+    );
+
+    if (!compliant) {
+      toastService.showToast({
+        variant: "error",
+        message: i18nService.t("noPageAccess"),
+      });
+
+      return router.createUrlTree(["/"]);
+    }
+
+    return compliant;
+  };
+}

libs/angular/src/auth/components/user-verification.component.ts

@@ -24,6 +24,8 @@ import { KeyService } from "@bitwarden/key-management";
   selector: "app-user-verification",
   standalone: false,
 })
+// FIXME(https://bitwarden.atlassian.net/browse/PM-28232): Use Directive suffix
+// eslint-disable-next-line @angular-eslint/directive-class-suffix
 export class UserVerificationComponent implements ControlValueAccessor, OnInit, OnDestroy {
   private _invalidSecret = false;
   // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals

libs/angular/src/auth/device-management/default-device-management-component.service.ts

@@ -3,9 +3,7 @@ import { DeviceManagementComponentServiceAbstraction } from "./device-management
 /**
  * Default implementation of the device management component service
  */
-export class DefaultDeviceManagementComponentService
-  implements DeviceManagementComponentServiceAbstraction
-{
+export class DefaultDeviceManagementComponentService implements DeviceManagementComponentServiceAbstraction {
   /**
    * Show header information in web client
    */

libs/angular/src/auth/guards/auth.guard.spec.ts

@@ -5,11 +5,7 @@ import { MockProxy, mock } from "jest-mock-extended";
 import { BehaviorSubject, of } from "rxjs";
 
 import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.guard.spec";
-import {
-  Account,
-  AccountInfo,
-  AccountService,
-} from "@bitwarden/common/auth/abstractions/account.service";
+import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
@@ -18,6 +14,7 @@ import { KeyConnectorService } from "@bitwarden/common/key-management/key-connec
 import { MasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 
 import { authGuard } from "./auth.guard";
@@ -38,16 +35,13 @@ describe("AuthGuard", () => {
     const accountService: MockProxy<AccountService> = mock<AccountService>();
     const activeAccountSubject = new BehaviorSubject<Account | null>(null);
     accountService.activeAccount$ = activeAccountSubject;
-    activeAccountSubject.next(
-      Object.assign(
-        {
-          name: "Test User 1",
-          email: "test@email.com",
-          emailVerified: true,
-        } as AccountInfo,
-        { id: "test-id" as UserId },
-      ),
-    );
+    activeAccountSubject.next({
+      id: "test-id" as UserId,
+      ...mockAccountInfoWith({
+        name: "Test User 1",
+        email: "test@email.com",
+      }),
+    });
 
     if (featureFlag) {
       configService.getFeatureFlag.mockResolvedValue(true);

libs/angular/src/auth/guards/lock.guard.spec.ts

@@ -5,11 +5,7 @@ import { MockProxy, mock } from "jest-mock-extended";
 import { BehaviorSubject, of } from "rxjs";
 
 import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.guard.spec";
-import {
-  Account,
-  AccountInfo,
-  AccountService,
-} from "@bitwarden/common/auth/abstractions/account.service";
+import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
@@ -20,6 +16,7 @@ import { KeyConnectorDomainConfirmation } from "@bitwarden/common/key-management
 import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 import { KeyService } from "@bitwarden/key-management";
 
@@ -68,16 +65,13 @@ describe("lockGuard", () => {
     const accountService: MockProxy<AccountService> = mock<AccountService>();
     const activeAccountSubject = new BehaviorSubject<Account | null>(null);
     accountService.activeAccount$ = activeAccountSubject;
-    activeAccountSubject.next(
-      Object.assign(
-        {
-          name: "Test User 1",
-          email: "test@email.com",
-          emailVerified: true,
-        } as AccountInfo,
-        { id: "test-id" as UserId },
-      ),
-    );
+    activeAccountSubject.next({
+      id: "test-id" as UserId,
+      ...mockAccountInfoWith({
+        name: "Test User 1",
+        email: "test@email.com",
+      }),
+    });
 
     const testBed = TestBed.configureTestingModule({
       imports: [

libs/angular/src/auth/guards/redirect-to-vault-if-unlocked/redirect-to-vault-if-unlocked.guard.spec.ts

@@ -7,6 +7,7 @@ import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.g
 import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 
 import { redirectToVaultIfUnlockedGuard } from "./redirect-to-vault-if-unlocked.guard";
@@ -14,9 +15,10 @@ import { redirectToVaultIfUnlockedGuard } from "./redirect-to-vault-if-unlocked.
 describe("redirectToVaultIfUnlockedGuard", () => {
   const activeUser: Account = {
     id: "userId" as UserId,
-    email: "test@email.com",
-    emailVerified: true,
-    name: "Test User",
+    ...mockAccountInfoWith({
+      email: "test@email.com",
+      name: "Test User",
+    }),
   };
 
   const setup = (activeUser: Account | null, authStatus: AuthenticationStatus | null) => {

libs/angular/src/auth/guards/tde-decryption-required.guard.spec.ts

@@ -9,6 +9,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 import { KeyService } from "@bitwarden/key-management";
 
@@ -17,9 +18,10 @@ import { tdeDecryptionRequiredGuard } from "./tde-decryption-required.guard";
 describe("tdeDecryptionRequiredGuard", () => {
   const activeUser: Account = {
     id: "fake_user_id" as UserId,
-    email: "test@email.com",
-    emailVerified: true,
-    name: "Test User",
+    ...mockAccountInfoWith({
+      email: "test@email.com",
+      name: "Test User",
+    }),
   };
 
   const setup = (

libs/angular/src/auth/guards/unauth.guard.spec.ts

@@ -10,6 +10,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 import { KeyService } from "@bitwarden/key-management";
 
@@ -18,9 +19,10 @@ import { unauthGuardFn } from "./unauth.guard";
 describe("UnauthGuard", () => {
   const activeUser: Account = {
     id: "fake_user_id" as UserId,
-    email: "test@email.com",
-    emailVerified: true,
-    name: "Test User",
+    ...mockAccountInfoWith({
+      email: "test@email.com",
+      name: "Test User",
+    }),
   };
 
   const setup = (

libs/angular/src/auth/login-approval/default-login-approval-dialog-component.service.spec.ts

@@ -1,30 +0,0 @@
-import { TestBed } from "@angular/core/testing";
-
-import { DefaultLoginApprovalDialogComponentService } from "./default-login-approval-dialog-component.service";
-import { LoginApprovalDialogComponent } from "./login-approval-dialog.component";
-
-describe("DefaultLoginApprovalDialogComponentService", () => {
-  let service: DefaultLoginApprovalDialogComponentService;
-
-  beforeEach(() => {
-    TestBed.configureTestingModule({
-      providers: [DefaultLoginApprovalDialogComponentService],
-    });
-
-    service = TestBed.inject(DefaultLoginApprovalDialogComponentService);
-  });
-
-  it("is created successfully", () => {
-    expect(service).toBeTruthy();
-  });
-
-  it("has showLoginRequestedAlertIfWindowNotVisible method that is a no-op", async () => {
-    const loginApprovalDialogComponent = {} as LoginApprovalDialogComponent;
-
-    const result = await service.showLoginRequestedAlertIfWindowNotVisible(
-      loginApprovalDialogComponent.email,
-    );
-
-    expect(result).toBeUndefined();
-  });
-});

libs/angular/src/auth/login-approval/default-login-approval-dialog-component.service.ts

@@ -1,16 +0,0 @@
-import { LoginApprovalDialogComponentServiceAbstraction } from "./login-approval-dialog-component.service.abstraction";
-
-/**
- * Default implementation of the LoginApprovalDialogComponentServiceAbstraction.
- */
-export class DefaultLoginApprovalDialogComponentService
-  implements LoginApprovalDialogComponentServiceAbstraction
-{
-  /**
-   * No-op implementation of the showLoginRequestedAlertIfWindowNotVisible method.
-   * @returns
-   */
-  async showLoginRequestedAlertIfWindowNotVisible(email?: string): Promise<void> {
-    return;
-  }
-}

libs/angular/src/auth/login-approval/index.ts

@@ -1,3 +1 @@
 export * from "./login-approval-dialog.component";
-export * from "./login-approval-dialog-component.service.abstraction";
-export * from "./default-login-approval-dialog-component.service";

libs/angular/src/auth/login-approval/login-approval-dialog-component.service.abstraction.ts

@@ -1,9 +0,0 @@
-/**
- * Abstraction for the LoginApprovalDialogComponent service.
- */
-export abstract class LoginApprovalDialogComponentServiceAbstraction {
-  /**
-   * Shows a login requested alert if the window is not visible.
-   */
-  abstract showLoginRequestedAlertIfWindowNotVisible: (email?: string) => Promise<void>;
-}

libs/angular/src/auth/login-approval/login-approval-dialog.component.spec.ts

@@ -11,11 +11,11 @@ import { DevicesServiceAbstraction } from "@bitwarden/common/auth/abstractions/d
 import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 import { DialogRef, DIALOG_DATA, ToastService } from "@bitwarden/components";
 import { LogService } from "@bitwarden/logging";
 
-import { LoginApprovalDialogComponentServiceAbstraction } from "./login-approval-dialog-component.service.abstraction";
 import { LoginApprovalDialogComponent } from "./login-approval-dialog.component";
 
 describe("LoginApprovalDialogComponent", () => {
@@ -48,10 +48,11 @@ describe("LoginApprovalDialogComponent", () => {
     validationService = mock<ValidationService>();
 
     accountService.activeAccount$ = of({
-      email: testEmail,
       id: "test-user-id" as UserId,
-      emailVerified: true,
-      name: null,
+      ...mockAccountInfoWith({
+        email: testEmail,
+        name: null,
+      }),
     });
 
     await TestBed.configureTestingModule({
@@ -67,10 +68,6 @@ describe("LoginApprovalDialogComponent", () => {
         { provide: LogService, useValue: logService },
         { provide: ToastService, useValue: toastService },
         { provide: ValidationService, useValue: validationService },
-        {
-          provide: LoginApprovalDialogComponentServiceAbstraction,
-          useValue: mock<LoginApprovalDialogComponentServiceAbstraction>(),
-        },
       ],
     }).compileComponents();
 

libs/angular/src/auth/login-approval/login-approval-dialog.component.ts

@@ -24,8 +24,6 @@ import {
 } from "@bitwarden/components";
 import { LogService } from "@bitwarden/logging";
 
-import { LoginApprovalDialogComponentServiceAbstraction } from "./login-approval-dialog-component.service.abstraction";
-
 const RequestTimeOut = 60000 * 15; // 15 Minutes
 const RequestTimeUpdate = 60000 * 5; // 5 Minutes
 
@@ -57,7 +55,6 @@ export class LoginApprovalDialogComponent implements OnInit, OnDestroy {
     private devicesService: DevicesServiceAbstraction,
     private dialogRef: DialogRef,
     private i18nService: I18nService,
-    private loginApprovalDialogComponentService: LoginApprovalDialogComponentServiceAbstraction,
     private logService: LogService,
     private toastService: ToastService,
     private validationService: ValidationService,
@@ -113,10 +110,6 @@ export class LoginApprovalDialogComponent implements OnInit, OnDestroy {
       this.updateTimeText();
     }, RequestTimeUpdate);
 
-    await this.loginApprovalDialogComponentService.showLoginRequestedAlertIfWindowNotVisible(
-      this.email,
-    );
-
     this.loading = false;
   }
 

libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts

@@ -2,7 +2,7 @@
 // @ts-strict-ignore
 import { CommonModule } from "@angular/common";
 import { Component, OnInit } from "@angular/core";
-import { Router, RouterModule } from "@angular/router";
+import { ActivatedRoute, Router, RouterModule } from "@angular/router";
 import { firstValueFrom } from "rxjs";
 
 import { JslibModule } from "@bitwarden/angular/jslib.module";
@@ -19,6 +19,7 @@ import { ClientType } from "@bitwarden/common/enums";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
 import {
@@ -49,6 +50,7 @@ export type State = "assert" | "assertFailed";
 })
 export class LoginViaWebAuthnComponent implements OnInit {
   protected currentState: State = "assert";
+  private shouldAutoClosePopout = false;
 
   protected readonly Icons = {
     TwoFactorAuthSecurityKeyIcon,
@@ -70,6 +72,7 @@ export class LoginViaWebAuthnComponent implements OnInit {
   constructor(
     private webAuthnLoginService: WebAuthnLoginServiceAbstraction,
     private router: Router,
+    private route: ActivatedRoute,
     private logService: LogService,
     private validationService: ValidationService,
     private i18nService: I18nService,
@@ -77,9 +80,14 @@ export class LoginViaWebAuthnComponent implements OnInit {
     private keyService: KeyService,
     private platformUtilsService: PlatformUtilsService,
     private anonLayoutWrapperDataService: AnonLayoutWrapperDataService,
+    private messagingService: MessagingService,
   ) {}
 
   ngOnInit(): void {
+    // Check if we should auto-close the popout after successful authentication
+    this.shouldAutoClosePopout =
+      this.route.snapshot.queryParamMap.get("autoClosePopout") === "true";
+
     // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
     // eslint-disable-next-line @typescript-eslint/no-floating-promises
     this.authenticate();
@@ -120,7 +128,18 @@ export class LoginViaWebAuthnComponent implements OnInit {
       // Only run loginSuccessHandlerService if webAuthn is used for vault decryption.
       const userKey = await firstValueFrom(this.keyService.userKey$(authResult.userId));
       if (userKey) {
-        await this.loginSuccessHandlerService.run(authResult.userId);
+        await this.loginSuccessHandlerService.run(authResult.userId, null);
+      }
+
+      // If autoClosePopout is enabled and we're in a browser extension,
+      // re-open the regular popup and close this popout window
+      if (
+        this.shouldAutoClosePopout &&
+        this.platformUtilsService.getClientType() === ClientType.Browser
+      ) {
+        this.messagingService.send("openPopup");
+        window.close();
+        return;
       }
 
       await this.router.navigate([this.successRoute]);

libs/angular/src/auth/password-management/change-password/default-change-password.service.spec.ts

@@ -8,6 +8,7 @@ import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/ma
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { mockAccountInfoWith } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey } from "@bitwarden/common/types/key";
 import { KeyService, PBKDF2KdfConfig } from "@bitwarden/key-management";
@@ -26,9 +27,11 @@ describe("DefaultChangePasswordService", () => {
 
   const user: Account = {
     id: userId,
-    email: "email",
-    emailVerified: false,
-    name: "name",
+    ...mockAccountInfoWith({
+      email: "email",
+      name: "name",
+      emailVerified: false,
+    }),
   };
 
   const passwordInputResult: PasswordInputResult = {

libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.implementation.ts

@@ -15,9 +15,11 @@ import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/ma
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { SetPasswordRequest } from "@bitwarden/common/auth/models/request/set-password.request";
 import { UpdateTdeOffboardingPasswordRequest } from "@bitwarden/common/auth/models/request/update-tde-offboarding-password.request";
+import { AccountCryptographicStateService } from "@bitwarden/common/key-management/account-cryptography/account-cryptographic-state.service";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
@@ -44,6 +46,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     protected organizationApiService: OrganizationApiServiceAbstraction,
     protected organizationUserApiService: OrganizationUserApiService,
     protected userDecryptionOptionsService: InternalUserDecryptionOptionsServiceAbstraction,
+    protected accountCryptographicStateService: AccountCryptographicStateService,
   ) {}
 
   async setInitialPassword(
@@ -60,6 +63,8 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
       orgSsoIdentifier,
       orgId,
       resetPasswordAutoEnroll,
+      newPassword,
+      salt,
     } = credentials;
 
     for (const [key, value] of Object.entries(credentials)) {
@@ -153,6 +158,20 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
       userId,
     );
 
+    // Set master password unlock data for unlock path pointed to with
+    // MasterPasswordUnlockData feature development
+    // (requires: password, salt, kdf, userKey).
+    // As migration to this strategy continues, both unlock paths need supported.
+    // Several invocations in this file become redundant and can be removed once
+    // the feature is enshrined/unwound. These are marked with [PM-23246] below.
+    await this.setMasterPasswordUnlockData(
+      newPassword,
+      salt,
+      kdfConfig,
+      masterKeyEncryptedUserKey[0],
+      userId,
+    );
+
     /**
      * Set the private key only for new JIT provisioned users in MP encryption orgs.
      * (Existing TDE users will have their private key set on sync or on login.)
@@ -162,8 +181,17 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
         throw new Error("encrypted private key not found. Could not set private key in state.");
       }
       await this.keyService.setPrivateKey(keyPair[1].encryptedString, userId);
+      await this.accountCryptographicStateService.setAccountCryptographicState(
+        {
+          V1: {
+            private_key: keyPair[1].encryptedString,
+          },
+        },
+        userId,
+      );
     }
 
+    // [PM-23246] "Legacy" master key setting path - to be removed once unlock path migration is complete
     await this.masterPasswordService.setMasterKeyHash(newLocalMasterKeyHash, userId);
 
     if (resetPasswordAutoEnroll) {
@@ -182,7 +210,10 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     if (userKey == null) {
       masterKeyEncryptedUserKey = await this.keyService.makeUserKey(masterKey);
     } else {
-      masterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(masterKey);
+      masterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
+        masterKey,
+        userKey,
+      );
     }
 
     return masterKeyEncryptedUserKey;
@@ -195,15 +226,48 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     userId: UserId,
   ) {
     const userDecryptionOpts = await firstValueFrom(
-      this.userDecryptionOptionsService.userDecryptionOptions$,
+      this.userDecryptionOptionsService.userDecryptionOptionsById$(userId),
     );
     userDecryptionOpts.hasMasterPassword = true;
-    await this.userDecryptionOptionsService.setUserDecryptionOptions(userDecryptionOpts);
+    await this.userDecryptionOptionsService.setUserDecryptionOptionsById(
+      userId,
+      userDecryptionOpts,
+    );
     await this.kdfConfigService.setKdfConfig(userId, kdfConfig);
+    // [PM-23246] "Legacy" master key setting path - to be removed once unlock path migration is complete
     await this.masterPasswordService.setMasterKey(masterKey, userId);
+    // [PM-23246] "Legacy" master key setting path - to be removed once unlock path migration is complete
+    await this.masterPasswordService.setMasterKeyEncryptedUserKey(
+      masterKeyEncryptedUserKey[1],
+      userId,
+    );
     await this.keyService.setUserKey(masterKeyEncryptedUserKey[0], userId);
   }
 
+  /**
+   * As part of [PM-28494], adding this setting path to accommodate the changes that are
+   * emerging with pm-23246-unlock-with-master-password-unlock-data.
+   * Without this, immediately locking/unlocking the vault with the new password _may_ still fail
+   * if sync has not completed. Sync will eventually set this data, but we want to ensure it's
+   * set right away here to prevent a race condition UX issue that prevents immediate unlock.
+   */
+  private async setMasterPasswordUnlockData(
+    password: string,
+    salt: MasterPasswordSalt,
+    kdfConfig: KdfConfig,
+    userKey: UserKey,
+    userId: UserId,
+  ): Promise<void> {
+    const masterPasswordUnlockData = await this.masterPasswordService.makeMasterPasswordUnlockData(
+      password,
+      kdfConfig,
+      salt,
+      userKey,
+    );
+
+    await this.masterPasswordService.setMasterPasswordUnlockData(masterPasswordUnlockData, userId);
+  }
+
   private async handleResetPasswordAutoEnroll(
     masterKeyHash: string,
     orgId: string,

libs/angular/src/auth/password-management/set-initial-password/default-set-initial-password.service.spec.ts

@@ -20,6 +20,7 @@ import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/ma
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { SetPasswordRequest } from "@bitwarden/common/auth/models/request/set-password.request";
 import { UpdateTdeOffboardingPasswordRequest } from "@bitwarden/common/auth/models/request/update-tde-offboarding-password.request";
+import { AccountCryptographicStateService } from "@bitwarden/common/key-management/account-cryptography/account-cryptographic-state.service";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import {
   EncryptedString,
@@ -56,6 +57,7 @@ describe("DefaultSetInitialPasswordService", () => {
   let organizationApiService: MockProxy<OrganizationApiServiceAbstraction>;
   let organizationUserApiService: MockProxy<OrganizationUserApiService>;
   let userDecryptionOptionsService: MockProxy<InternalUserDecryptionOptionsServiceAbstraction>;
+  let accountCryptographicStateService: MockProxy<AccountCryptographicStateService>;
 
   let userId: UserId;
   let userKey: UserKey;
@@ -73,6 +75,7 @@ describe("DefaultSetInitialPasswordService", () => {
     organizationApiService = mock<OrganizationApiServiceAbstraction>();
     organizationUserApiService = mock<OrganizationUserApiService>();
     userDecryptionOptionsService = mock<InternalUserDecryptionOptionsServiceAbstraction>();
+    accountCryptographicStateService = mock<AccountCryptographicStateService>();
 
     userId = "userId" as UserId;
     userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
@@ -90,6 +93,7 @@ describe("DefaultSetInitialPasswordService", () => {
       organizationApiService,
       organizationUserApiService,
       userDecryptionOptionsService,
+      accountCryptographicStateService,
     );
   });
 
@@ -130,6 +134,8 @@ describe("DefaultSetInitialPasswordService", () => {
         orgSsoIdentifier: "orgSsoIdentifier",
         orgId: "orgId",
         resetPasswordAutoEnroll: false,
+        newPassword: "Test@Password123!",
+        salt: "user@example.com" as any,
       };
       userType = SetInitialPasswordUserType.JIT_PROVISIONED_MP_ORG_USER;
 
@@ -149,7 +155,9 @@ describe("DefaultSetInitialPasswordService", () => {
 
       userDecryptionOptions = new UserDecryptionOptions({ hasMasterPassword: true });
       userDecryptionOptionsSubject = new BehaviorSubject(userDecryptionOptions);
-      userDecryptionOptionsService.userDecryptionOptions$ = userDecryptionOptionsSubject;
+      userDecryptionOptionsService.userDecryptionOptionsById$.mockReturnValue(
+        userDecryptionOptionsSubject,
+      );
 
       setPasswordRequest = new SetPasswordRequest(
         credentials.newServerMasterKeyHash,
@@ -220,6 +228,8 @@ describe("DefaultSetInitialPasswordService", () => {
         "orgSsoIdentifier",
         "orgId",
         "resetPasswordAutoEnroll",
+        "newPassword",
+        "salt",
       ].forEach((key) => {
         it(`should throw if ${key} is not provided on the SetInitialPasswordCredentials object`, async () => {
           // Arrange
@@ -351,6 +361,10 @@ describe("DefaultSetInitialPasswordService", () => {
             ForceSetPasswordReason.None,
             userId,
           );
+          expect(masterPasswordService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(
+            masterKeyEncryptedUserKey[1],
+            userId,
+          );
         });
 
         it("should update account decryption properties", async () => {
@@ -362,7 +376,8 @@ describe("DefaultSetInitialPasswordService", () => {
 
           // Assert
           expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
-          expect(userDecryptionOptionsService.setUserDecryptionOptions).toHaveBeenCalledWith(
+          expect(userDecryptionOptionsService.setUserDecryptionOptionsById).toHaveBeenCalledWith(
+            userId,
             userDecryptionOptions,
           );
           expect(kdfConfigService.setKdfConfig).toHaveBeenCalledWith(userId, credentials.kdfConfig);
@@ -383,6 +398,16 @@ describe("DefaultSetInitialPasswordService", () => {
           // Assert
           expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
           expect(keyService.setPrivateKey).toHaveBeenCalledWith(keyPair[1].encryptedString, userId);
+          expect(
+            accountCryptographicStateService.setAccountCryptographicState,
+          ).toHaveBeenCalledWith(
+            {
+              V1: {
+                private_key: keyPair[1].encryptedString as EncryptedString,
+              },
+            },
+            userId,
+          );
         });
 
         it("should set the local master key hash to state", async () => {
@@ -400,6 +425,36 @@ describe("DefaultSetInitialPasswordService", () => {
           );
         });
 
+        it("should create and set master password unlock data to prevent race condition with sync", async () => {
+          // Arrange
+          setupMocks();
+
+          const mockUnlockData = {
+            salt: credentials.salt,
+            kdf: credentials.kdfConfig,
+            masterKeyWrappedUserKey: "wrapped_key_string",
+          };
+
+          masterPasswordService.makeMasterPasswordUnlockData.mockResolvedValue(
+            mockUnlockData as any,
+          );
+
+          // Act
+          await sut.setInitialPassword(credentials, userType, userId);
+
+          // Assert
+          expect(masterPasswordService.makeMasterPasswordUnlockData).toHaveBeenCalledWith(
+            credentials.newPassword,
+            credentials.kdfConfig,
+            credentials.salt,
+            masterKeyEncryptedUserKey[0],
+          );
+          expect(masterPasswordService.setMasterPasswordUnlockData).toHaveBeenCalledWith(
+            mockUnlockData,
+            userId,
+          );
+        });
+
         describe("given resetPasswordAutoEnroll is true", () => {
           it(`should handle reset password (account recovery) auto enroll`, async () => {
             // Arrange
@@ -560,7 +615,8 @@ describe("DefaultSetInitialPasswordService", () => {
 
           // Assert
           expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
-          expect(userDecryptionOptionsService.setUserDecryptionOptions).toHaveBeenCalledWith(
+          expect(userDecryptionOptionsService.setUserDecryptionOptionsById).toHaveBeenCalledWith(
+            userId,
             userDecryptionOptions,
           );
           expect(kdfConfigService.setKdfConfig).toHaveBeenCalledWith(userId, credentials.kdfConfig);
@@ -568,6 +624,10 @@ describe("DefaultSetInitialPasswordService", () => {
             credentials.newMasterKey,
             userId,
           );
+          expect(masterPasswordService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(
+            masterKeyEncryptedUserKey[1],
+            userId,
+          );
           expect(keyService.setUserKey).toHaveBeenCalledWith(masterKeyEncryptedUserKey[0], userId);
         });
 
@@ -598,6 +658,36 @@ describe("DefaultSetInitialPasswordService", () => {
           );
         });
 
+        it("should create and set master password unlock data to prevent race condition with sync", async () => {
+          // Arrange
+          setupMocks({ ...defaultMockConfig, userType });
+
+          const mockUnlockData = {
+            salt: credentials.salt,
+            kdf: credentials.kdfConfig,
+            masterKeyWrappedUserKey: "wrapped_key_string",
+          };
+
+          masterPasswordService.makeMasterPasswordUnlockData.mockResolvedValue(
+            mockUnlockData as any,
+          );
+
+          // Act
+          await sut.setInitialPassword(credentials, userType, userId);
+
+          // Assert
+          expect(masterPasswordService.makeMasterPasswordUnlockData).toHaveBeenCalledWith(
+            credentials.newPassword,
+            credentials.kdfConfig,
+            credentials.salt,
+            masterKeyEncryptedUserKey[0],
+          );
+          expect(masterPasswordService.setMasterPasswordUnlockData).toHaveBeenCalledWith(
+            mockUnlockData,
+            userId,
+          );
+        });
+
         describe("given resetPasswordAutoEnroll is true", () => {
           it(`should handle reset password (account recovery) auto enroll`, async () => {
             // Arrange

libs/angular/src/auth/password-management/set-initial-password/set-initial-password.component.ts

@@ -214,6 +214,8 @@ export class SetInitialPasswordComponent implements OnInit {
     assertTruthy(passwordInputResult.newServerMasterKeyHash, "newServerMasterKeyHash", ctx);
     assertTruthy(passwordInputResult.newLocalMasterKeyHash, "newLocalMasterKeyHash", ctx);
     assertTruthy(passwordInputResult.kdfConfig, "kdfConfig", ctx);
+    assertTruthy(passwordInputResult.newPassword, "newPassword", ctx);
+    assertTruthy(passwordInputResult.salt, "salt", ctx);
     assertTruthy(this.orgSsoIdentifier, "orgSsoIdentifier", ctx);
     assertTruthy(this.orgId, "orgId", ctx);
     assertTruthy(this.userType, "userType", ctx);
@@ -231,6 +233,8 @@ export class SetInitialPasswordComponent implements OnInit {
         orgSsoIdentifier: this.orgSsoIdentifier,
         orgId: this.orgId,
         resetPasswordAutoEnroll: this.resetPasswordAutoEnroll,
+        newPassword: passwordInputResult.newPassword,
+        salt: passwordInputResult.salt,
       };
 
       await this.setInitialPasswordService.setInitialPassword(

libs/angular/src/auth/password-management/set-initial-password/set-initial-password.service.abstraction.ts

@@ -1,3 +1,4 @@
+import { MasterPasswordSalt } from "@bitwarden/common/key-management/master-password/types/master-password.types";
 import { UserId } from "@bitwarden/common/types/guid";
 import { MasterKey } from "@bitwarden/common/types/key";
 import { KdfConfig } from "@bitwarden/key-management";
@@ -50,6 +51,8 @@ export interface SetInitialPasswordCredentials {
   orgSsoIdentifier: string;
   orgId: string;
   resetPasswordAutoEnroll: boolean;
+  newPassword: string;
+  salt: MasterPasswordSalt;
 }
 
 export interface SetInitialPasswordTdeOffboardingCredentials {

libs/angular/src/billing/components/premium-badge/premium-badge.component.ts

@@ -14,10 +14,11 @@ import { BadgeModule } from "@bitwarden/components";
       type="button"
       *appNotPremium
       bitBadge
-      variant="success"
+      [variant]="'primary'"
+      class="!tw-text-primary-600 !tw-border-primary-600"
       (click)="promptForPremium($event)"
     >
-      {{ "premium" | i18n }}
+      <i class="bwi bwi-premium tw-pe-1"></i>{{ "upgrade" | i18n }}
     </button>
   `,
   imports: [BadgeModule, JslibModule],

libs/angular/src/billing/components/premium-badge/premium-badge.stories.ts

@@ -29,7 +29,7 @@ export default {
           provide: I18nService,
           useFactory: () => {
             return new I18nMockService({
-              premium: "Premium",
+              upgrade: "Upgrade",
             });
           },
         },

libs/angular/src/billing/components/premium-upgrade-dialog/premium-upgrade-dialog.component.html

@@ -20,34 +20,37 @@
       <div
         class="tw-box-border tw-bg-background tw-text-main tw-size-full tw-flex tw-flex-col tw-px-8 tw-pb-2 tw-w-full tw-max-w-md"
       >
-        <div class="tw-flex tw-items-center tw-justify-between tw-mb-2">
+        <div class="tw-flex tw-items-center tw-justify-between">
           <h3 slot="title" class="tw-m-0" bitTypography="h3">
             {{ "upgradeToPremium" | i18n }}
           </h3>
         </div>
 
         <!-- Tagline with consistent height (exactly 2 lines) -->
-        <div class="tw-mb-6 tw-h-6">
+        <div class="tw-h-6">
           <p bitTypography="helper" class="tw-text-muted tw-m-0 tw-leading-relaxed tw-line-clamp-2">
             {{ cardDetails.tagline }}
           </p>
         </div>
 
         <!-- Price Section -->
-        <div class="tw-mb-6">
-          <div class="tw-flex tw-items-baseline tw-gap-1 tw-flex-wrap">
-            <span class="tw-text-3xl tw-font-medium tw-leading-none tw-m-0">{{
-              cardDetails.price.amount | currency: "$"
-            }}</span>
-            <span bitTypography="helper" class="tw-text-muted">
-              / {{ cardDetails.price.cadence }}
-            </span>
+        @if (cardDetails.price) {
+          <div class="tw-mt-5">
+            <div class="tw-flex tw-items-baseline tw-gap-1 tw-flex-wrap">
+              <span class="tw-text-3xl tw-font-medium tw-leading-none tw-m-0">{{
+                cardDetails.price.amount | currency: "$"
+              }}</span>
+              <span bitTypography="helper" class="tw-text-muted">
+                / {{ cardDetails.price.cadence | i18n }}
+              </span>
+            </div>
           </div>
-        </div>
+        }
 
         <!-- Button space (always reserved) -->
-        <div class="tw-mb-6 tw-h-12">
+        <div class="tw-my-5 tw-h-12">
           <button
+            cdkFocusInitial
             bitButton
             [buttonType]="cardDetails.button.type"
             [block]="true"

libs/angular/src/billing/components/premium-upgrade-dialog/premium-upgrade-dialog.component.spec.ts

@@ -40,6 +40,7 @@ describe("PremiumUpgradeDialogComponent", () => {
       type: "standalone",
       annualPrice: 10,
       annualPricePerAdditionalStorageGB: 4,
+      providedStorageGB: 1,
       features: [
         { key: "feature1", value: "Feature 1" },
         { key: "feature2", value: "Feature 2" },
@@ -58,6 +59,7 @@ describe("PremiumUpgradeDialogComponent", () => {
       users: 6,
       annualPrice: 40,
       annualPricePerAdditionalStorageGB: 4,
+      providedStorageGB: 1,
       features: [{ key: "featureA", value: "Feature A" }],
     },
   };
@@ -204,4 +206,39 @@ describe("PremiumUpgradeDialogComponent", () => {
       });
     });
   });
+
+  describe("self-hosted environment", () => {
+    it("should handle null price data for self-hosted environment", async () => {
+      const selfHostedPremiumTier: PersonalSubscriptionPricingTier = {
+        id: PersonalSubscriptionPricingTierIds.Premium,
+        name: "Premium",
+        description: "Advanced features for power users",
+        availableCadences: [SubscriptionCadenceIds.Annually],
+        passwordManager: {
+          type: "standalone",
+          annualPrice: undefined as any, // self-host will have these prices empty
+          annualPricePerAdditionalStorageGB: undefined as any,
+          providedStorageGB: undefined as any,
+          features: [
+            { key: "feature1", value: "Feature 1" },
+            { key: "feature2", value: "Feature 2" },
+          ],
+        },
+      };
+
+      mockSubscriptionPricingService.getPersonalSubscriptionPricingTiers$.mockReturnValue(
+        of([selfHostedPremiumTier]),
+      );
+
+      const selfHostedFixture = TestBed.createComponent(PremiumUpgradeDialogComponent);
+      const selfHostedComponent = selfHostedFixture.componentInstance;
+      selfHostedFixture.detectChanges();
+
+      const cardDetails = await firstValueFrom(selfHostedComponent["cardDetails$"]);
+
+      expect(cardDetails?.title).toBe("Premium");
+      expect(cardDetails?.price).toBeUndefined();
+      expect(cardDetails?.features).toEqual(["Feature 1", "Feature 2"]);
+    });
+  });
 });

libs/angular/src/billing/components/premium-upgrade-dialog/premium-upgrade-dialog.component.stories.ts

@@ -31,6 +31,24 @@ const mockPremiumTier: PersonalSubscriptionPricingTier = {
     type: "standalone",
     annualPrice: 10,
     annualPricePerAdditionalStorageGB: 4,
+    providedStorageGB: 1,
+    features: [
+      { key: "builtInAuthenticator", value: "Built-in authenticator" },
+      { key: "secureFileStorage", value: "Secure file storage" },
+      { key: "emergencyAccess", value: "Emergency access" },
+      { key: "breachMonitoring", value: "Breach monitoring" },
+      { key: "andMoreFeatures", value: "And more!" },
+    ],
+  },
+};
+
+const mockPremiumTierNoPricingData: PersonalSubscriptionPricingTier = {
+  id: PersonalSubscriptionPricingTierIds.Premium,
+  name: "Premium",
+  description: "Complete online security",
+  availableCadences: [SubscriptionCadenceIds.Annually],
+  passwordManager: {
+    type: "standalone",
     features: [
       { key: "builtInAuthenticator", value: "Built-in authenticator" },
       { key: "secureFileStorage", value: "Secure file storage" },
@@ -85,11 +103,11 @@ export default {
             t: (key: string) => {
               switch (key) {
                 case "upgradeNow":
-                  return "Upgrade Now";
+                  return "Upgrade now";
                 case "month":
                   return "month";
                 case "upgradeToPremium":
-                  return "Upgrade To Premium";
+                  return "Upgrade to Premium";
                 default:
                   return key;
               }
@@ -115,3 +133,18 @@ export default {
 
 type Story = StoryObj<PremiumUpgradeDialogComponent>;
 export const Default: Story = {};
+
+export const NoPricingData: Story = {
+  decorators: [
+    moduleMetadata({
+      providers: [
+        {
+          provide: SubscriptionPricingServiceAbstraction,
+          useValue: {
+            getPersonalSubscriptionPricingTiers$: () => of([mockPremiumTierNoPricingData]),
+          },
+        },
+      ],
+    }),
+  ],
+};

libs/angular/src/billing/components/premium-upgrade-dialog/premium-upgrade-dialog.component.ts

@@ -3,12 +3,12 @@ import { CommonModule } from "@angular/common";
 import { ChangeDetectionStrategy, Component } from "@angular/core";
 import { catchError, EMPTY, firstValueFrom, map, Observable } from "rxjs";
 
+import { SubscriptionPricingCardDetails } from "@bitwarden/angular/billing/types/subscription-pricing-card-details";
 import { JslibModule } from "@bitwarden/angular/jslib.module";
 import { SubscriptionPricingServiceAbstraction } from "@bitwarden/common/billing/abstractions/subscription-pricing.service.abstraction";
 import {
   PersonalSubscriptionPricingTier,
   PersonalSubscriptionPricingTierIds,
-  SubscriptionCadence,
   SubscriptionCadenceIds,
 } from "@bitwarden/common/billing/types/subscription-pricing-tier";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
@@ -16,7 +16,7 @@ import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.servic
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import {
   ButtonModule,
-  ButtonType,
+  CenterPositionStrategy,
   DialogModule,
   DialogRef,
   DialogService,
@@ -26,14 +26,6 @@ import {
 } from "@bitwarden/components";
 import { LogService } from "@bitwarden/logging";
 
-type CardDetails = {
-  title: string;
-  tagline: string;
-  price: { amount: number; cadence: SubscriptionCadence };
-  button: { text: string; type: ButtonType; icon?: { type: string; position: "before" | "after" } };
-  features: string[];
-};
-
 @Component({
   selector: "billing-premium-upgrade-dialog",
   standalone: true,
@@ -50,9 +42,8 @@ type CardDetails = {
   templateUrl: "./premium-upgrade-dialog.component.html",
 })
 export class PremiumUpgradeDialogComponent {
-  protected cardDetails$: Observable<CardDetails | null> = this.subscriptionPricingService
-    .getPersonalSubscriptionPricingTiers$()
-    .pipe(
+  protected cardDetails$: Observable<SubscriptionPricingCardDetails | null> =
+    this.subscriptionPricingService.getPersonalSubscriptionPricingTiers$().pipe(
       map((tiers) => tiers.find((tier) => tier.id === PersonalSubscriptionPricingTierIds.Premium)),
       map((tier) => this.mapPremiumTierToCardDetails(tier!)),
       catchError((error: unknown) => {
@@ -90,14 +81,18 @@ export class PremiumUpgradeDialogComponent {
     this.dialogRef.close();
   }
 
-  private mapPremiumTierToCardDetails(tier: PersonalSubscriptionPricingTier): CardDetails {
+  private mapPremiumTierToCardDetails(
+    tier: PersonalSubscriptionPricingTier,
+  ): SubscriptionPricingCardDetails {
     return {
       title: tier.name,
       tagline: tier.description,
-      price: {
-        amount: tier.passwordManager.annualPrice / 12,
-        cadence: SubscriptionCadenceIds.Monthly,
-      },
+      price: tier.passwordManager.annualPrice
+        ? {
+            amount: tier.passwordManager.annualPrice / 12,
+            cadence: SubscriptionCadenceIds.Monthly,
+          }
+        : undefined,
       button: {
         text: this.i18nService.t("upgradeNow"),
         type: "primary",
@@ -114,6 +109,8 @@ export class PremiumUpgradeDialogComponent {
    * @returns A dialog reference object
    */
   static open(dialogService: DialogService): DialogRef<PremiumUpgradeDialogComponent> {
-    return dialogService.open(PremiumUpgradeDialogComponent);
+    return dialogService.open(PremiumUpgradeDialogComponent, {
+      positionStrategy: new CenterPositionStrategy(),
+    });
   }
 }

libs/angular/src/billing/components/premium.component.ts

@@ -5,6 +5,7 @@ import { firstValueFrom, Observable, switchMap } from "rxjs";
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { BillingApiServiceAbstraction } from "@bitwarden/common/billing/abstractions";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -16,6 +17,7 @@ import { DialogService, SimpleDialogOptions, ToastService } from "@bitwarden/com
 export class PremiumComponent implements OnInit {
   isPremium$: Observable<boolean>;
   price = 10;
+  storageProvidedGb = 0;
   refreshPromise: Promise<any>;
   cloudWebVaultUrl: string;
 
@@ -29,6 +31,7 @@ export class PremiumComponent implements OnInit {
     billingAccountProfileStateService: BillingAccountProfileStateService,
     private toastService: ToastService,
     accountService: AccountService,
+    private billingApiService: BillingApiServiceAbstraction,
   ) {
     this.isPremium$ = accountService.activeAccount$.pipe(
       switchMap((account) =>
@@ -39,6 +42,9 @@ export class PremiumComponent implements OnInit {
 
   async ngOnInit() {
     this.cloudWebVaultUrl = await firstValueFrom(this.environmentService.cloudWebVaultUrl$);
+    const premiumResponse = await this.billingApiService.getPremiumPlan();
+    this.storageProvidedGb = premiumResponse.storage.provided;
+    this.price = premiumResponse.seat.price;
   }
 
   async refresh() {

libs/angular/src/billing/types/subscription-pricing-card-details.ts

@@ -0,0 +1,10 @@
+import { SubscriptionCadence } from "@bitwarden/common/billing/types/subscription-pricing-tier";
+import { ButtonType } from "@bitwarden/components";
+
+export type SubscriptionPricingCardDetails = {
+  title: string;
+  tagline: string;
+  price?: { amount: number; cadence: SubscriptionCadence };
+  button: { text: string; type: ButtonType; icon?: { type: string; position: "before" | "after" } };
+  features: string[];
+};

libs/angular/src/components/callout.component.html

@@ -1,26 +0,0 @@
-<bit-callout [icon]="icon" [title]="title" [type]="$any(type)" [useAlertRole]="useAlertRole">
-  <div class="tw-pl-7 tw-m-0" *ngIf="enforcedPolicyOptions">
-    {{ enforcedPolicyMessage }}
-    <ul>
-      <li *ngIf="enforcedPolicyOptions?.minComplexity > 0">
-        {{ "policyInEffectMinComplexity" | i18n: getPasswordScoreAlertDisplay() }}
-      </li>
-      <li *ngIf="enforcedPolicyOptions?.minLength > 0">
-        {{ "policyInEffectMinLength" | i18n: enforcedPolicyOptions?.minLength.toString() }}
-      </li>
-      <li *ngIf="enforcedPolicyOptions?.requireUpper">
-        {{ "policyInEffectUppercase" | i18n }}
-      </li>
-      <li *ngIf="enforcedPolicyOptions?.requireLower">
-        {{ "policyInEffectLowercase" | i18n }}
-      </li>
-      <li *ngIf="enforcedPolicyOptions?.requireNumbers">
-        {{ "policyInEffectNumbers" | i18n }}
-      </li>
-      <li *ngIf="enforcedPolicyOptions?.requireSpecial">
-        {{ "policyInEffectSpecial" | i18n: "!@#$%^&*" }}
-      </li>
-    </ul>
-  </div>
-  <ng-content></ng-content>
-</bit-callout>

libs/angular/src/components/callout.component.ts

@@ -1,70 +0,0 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
-import { Component, Input, OnInit } from "@angular/core";
-
-import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/models/domain/master-password-policy-options";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { CalloutTypes } from "@bitwarden/components";
-
-/**
- * @deprecated use the CL's `CalloutComponent` instead
- */
-// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
-// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
-@Component({
-  selector: "app-callout",
-  templateUrl: "callout.component.html",
-  standalone: false,
-})
-export class DeprecatedCalloutComponent implements OnInit {
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() type: CalloutTypes = "info";
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() icon: string;
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() title: string;
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() enforcedPolicyOptions: MasterPasswordPolicyOptions;
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() enforcedPolicyMessage: string;
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() useAlertRole = false;
-
-  calloutStyle: string;
-
-  constructor(private i18nService: I18nService) {}
-
-  ngOnInit() {
-    this.calloutStyle = this.type;
-
-    if (this.enforcedPolicyMessage === undefined) {
-      this.enforcedPolicyMessage = this.i18nService.t("masterPasswordPolicyInEffect");
-    }
-  }
-
-  getPasswordScoreAlertDisplay() {
-    if (this.enforcedPolicyOptions == null) {
-      return "";
-    }
-
-    let str: string;
-    switch (this.enforcedPolicyOptions.minComplexity) {
-      case 4:
-        str = this.i18nService.t("strong");
-        break;
-      case 3:
-        str = this.i18nService.t("good");
-        break;
-      default:
-        str = this.i18nService.t("weak");
-        break;
-    }
-    return str + " (" + this.enforcedPolicyOptions.minComplexity + ")";
-  }
-}

libs/angular/src/components/modal/modal-injector.ts

@@ -1,4 +1,4 @@
-import { InjectFlags, InjectOptions, Injector, ProviderToken } from "@angular/core";
+import { InjectOptions, Injector, ProviderToken } from "@angular/core";
 
 export class ModalInjector implements Injector {
   constructor(
@@ -12,8 +12,8 @@ export class ModalInjector implements Injector {
     options: InjectOptions & { optional?: false },
   ): T;
   get<T>(token: ProviderToken<T>, notFoundValue: null, options: InjectOptions): T;
-  get<T>(token: ProviderToken<T>, notFoundValue?: T, options?: InjectOptions | InjectFlags): T;
-  get<T>(token: ProviderToken<T>, notFoundValue?: T, flags?: InjectFlags): T;
+  get<T>(token: ProviderToken<T>, notFoundValue?: T, options?: InjectOptions | null): T;
+  get<T>(token: ProviderToken<T>, notFoundValue?: T, flags?: null): T;
   get(token: any, notFoundValue?: any): any;
   get(token: any, notFoundValue?: any, flags?: any): any {
     return this._additionalTokens.get(token) ?? this._parentInjector.get<any>(token, notFoundValue);

libs/angular/src/directives/cipherListVirtualScroll.directive.ts

@@ -45,6 +45,8 @@ export function _cipherListVirtualScrollStrategyFactory(cipherListDir: CipherLis
     },
   ],
 })
+// FIXME(https://bitwarden.atlassian.net/browse/PM-28232): Use Directive suffix
+// eslint-disable-next-line @angular-eslint/directive-class-suffix
 export class CipherListVirtualScroll extends CdkFixedSizeVirtualScroll {
   _scrollStrategy: CipherListVirtualScrollStrategy;
 

libs/angular/src/jslib.module.ts

@@ -26,7 +26,6 @@ import {
 
 import { TwoFactorIconComponent } from "./auth/components/two-factor-icon.component";
 import { NotPremiumDirective } from "./billing/directives/not-premium.directive";
-import { DeprecatedCalloutComponent } from "./components/callout.component";
 import { A11yInvalidDirective } from "./directives/a11y-invalid.directive";
 import { ApiActionDirective } from "./directives/api-action.directive";
 import { BoxRowDirective } from "./directives/box-row.directive";
@@ -86,7 +85,6 @@ import { IconComponent } from "./vault/components/icon.component";
     A11yInvalidDirective,
     ApiActionDirective,
     BoxRowDirective,
-    DeprecatedCalloutComponent,
     CopyTextDirective,
     CreditCardNumberPipe,
     EllipsisPipe,
@@ -115,7 +113,6 @@ import { IconComponent } from "./vault/components/icon.component";
     AutofocusDirective,
     ToastModule,
     BoxRowDirective,
-    DeprecatedCalloutComponent,
     CopyTextDirective,
     CreditCardNumberPipe,
     EllipsisPipe,

libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.abstraction.ts

@@ -0,0 +1,9 @@
+import { UserId } from "@bitwarden/common/types/guid";
+
+export abstract class EncryptedMigrationsSchedulerService {
+  /**
+   * Runs migrations for a user if needed, handling both interactive and non-interactive cases
+   * @param userId The user ID to run migrations for
+   */
+  abstract runMigrationsIfNeeded(userId: UserId): Promise<void>;
+}

libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.spec.ts

@@ -0,0 +1,267 @@
+import { Router } from "@angular/router";
+import { mock } from "jest-mock-extended";
+import { of } from "rxjs";
+
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { SingleUserState, StateProvider } from "@bitwarden/common/platform/state";
+import { SyncService } from "@bitwarden/common/platform/sync";
+import { mockAccountInfoWith, FakeAccountService } from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+
+import {
+  DefaultEncryptedMigrationsSchedulerService,
+  ENCRYPTED_MIGRATION_DISMISSED,
+} from "./encrypted-migrations-scheduler.service";
+import { PromptMigrationPasswordComponent } from "./prompt-migration-password.component";
+
+const SomeUser = "SomeUser" as UserId;
+const AnotherUser = "SomeOtherUser" as UserId;
+const accounts = {
+  [SomeUser]: mockAccountInfoWith({
+    name: "some user",
+    email: "some.user@example.com",
+  }),
+  [AnotherUser]: mockAccountInfoWith({
+    name: "some other user",
+    email: "some.other.user@example.com",
+  }),
+};
+
+describe("DefaultEncryptedMigrationsSchedulerService", () => {
+  let service: DefaultEncryptedMigrationsSchedulerService;
+  const mockAccountService = new FakeAccountService(accounts);
+  const mockAuthService = mock<AuthService>();
+  const mockEncryptedMigrator = mock<EncryptedMigrator>();
+  const mockStateProvider = mock<StateProvider>();
+  const mockSyncService = mock<SyncService>();
+  const mockDialogService = mock<DialogService>();
+  const mockToastService = mock<ToastService>();
+  const mockI18nService = mock<I18nService>();
+  const mockLogService = mock<LogService>();
+  const mockRouter = mock<Router>();
+
+  const mockUserId = "test-user-id" as UserId;
+  const mockMasterPassword = "test-master-password";
+
+  const createMockUserState = <T>(value: T): jest.Mocked<SingleUserState<T>> =>
+    ({
+      state$: of(value),
+      userId: mockUserId,
+      update: jest.fn(),
+      combinedState$: of([mockUserId, value]),
+    }) as any;
+
+  beforeEach(() => {
+    const mockDialogRef = {
+      closed: of(mockMasterPassword),
+    };
+
+    jest.spyOn(PromptMigrationPasswordComponent, "open").mockReturnValue(mockDialogRef as any);
+    mockI18nService.t.mockReturnValue("translated_migrationsFailed");
+    (mockRouter as any)["events"] = of({ url: "/vault" }) as any;
+
+    service = new DefaultEncryptedMigrationsSchedulerService(
+      mockSyncService,
+      mockAccountService,
+      mockStateProvider,
+      mockEncryptedMigrator,
+      mockAuthService,
+      mockLogService,
+      mockDialogService,
+      mockToastService,
+      mockI18nService,
+      mockRouter,
+    );
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe("runMigrationsIfNeeded", () => {
+    it("should return early if user is not unlocked", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Locked));
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).not.toHaveBeenCalled();
+      expect(mockLogService.info).not.toHaveBeenCalled();
+    });
+
+    it("should log and return when no migration is needed", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("noMigrationNeeded");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] No migrations needed for user ${mockUserId}`,
+      );
+      expect(mockEncryptedMigrator.runMigrations).not.toHaveBeenCalled();
+    });
+
+    it("should run migrations without interaction when master password is not required", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] User ${mockUserId} needs migrations with master password`,
+      );
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+    });
+
+    it("should run migrations with interaction when migration is needed", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigrationWithMasterPassword");
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] User ${mockUserId} needs migrations with master password`,
+      );
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+  });
+
+  describe("runMigrationsWithoutInteraction", () => {
+    it("should run migrations without master password", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+      expect(mockLogService.error).not.toHaveBeenCalled();
+    });
+
+    it("should handle errors during migration without interaction", async () => {
+      const mockError = new Error("Migration failed");
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+      mockEncryptedMigrator.runMigrations.mockRejectedValue(mockError);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+      expect(mockLogService.error).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Error during migration without interaction",
+        mockError,
+      );
+    });
+  });
+
+  describe("runMigrationsWithInteraction", () => {
+    beforeEach(() => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigrationWithMasterPassword");
+    });
+
+    it("should skip if migration was dismissed recently", async () => {
+      const recentDismissDate = new Date(Date.now() - 12 * 60 * 60 * 1000); // 12 hours ago
+      const mockUserState = createMockUserState(recentDismissDate);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockStateProvider.getUser).toHaveBeenCalledWith(
+        mockUserId,
+        ENCRYPTED_MIGRATION_DISMISSED,
+      );
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Migration prompt dismissed recently, skipping for now.",
+      );
+      expect(PromptMigrationPasswordComponent.open).not.toHaveBeenCalled();
+    });
+
+    it("should prompt for migration if dismissed date is older than 24 hours", async () => {
+      const oldDismissDate = new Date(Date.now() - 25 * 60 * 60 * 1000); // 25 hours ago
+      const mockUserState = createMockUserState(oldDismissDate);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockStateProvider.getUser).toHaveBeenCalledWith(
+        mockUserId,
+        ENCRYPTED_MIGRATION_DISMISSED,
+      );
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+
+    it("should prompt for migration if no dismiss date exists", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+
+    it("should set dismiss date when empty password is provided", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      const mockDialogRef = {
+        closed: of(""), // Empty password
+      };
+      jest.spyOn(PromptMigrationPasswordComponent, "open").mockReturnValue(mockDialogRef as any);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).not.toHaveBeenCalled();
+      expect(mockStateProvider.setUserState).toHaveBeenCalledWith(
+        ENCRYPTED_MIGRATION_DISMISSED,
+        expect.any(Date),
+        mockUserId,
+      );
+    });
+
+    it("should handle errors during migration prompt and show toast", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      const mockError = new Error("Migration failed");
+      mockEncryptedMigrator.runMigrations.mockRejectedValue(mockError);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+      expect(mockLogService.error).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Error during migration prompt",
+        mockError,
+      );
+      expect(mockToastService.showToast).toHaveBeenCalledWith({
+        variant: "error",
+        message: "translated_migrationsFailed",
+      });
+    });
+  });
+});

libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts

@@ -0,0 +1,186 @@
+import { NavigationEnd, Router } from "@angular/router";
+import {
+  combineLatest,
+  switchMap,
+  of,
+  firstValueFrom,
+  filter,
+  concatMap,
+  Observable,
+  map,
+} from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { Utils } from "@bitwarden/common/platform/misc/utils";
+import {
+  UserKeyDefinition,
+  ENCRYPTED_MIGRATION_DISK,
+  StateProvider,
+} from "@bitwarden/common/platform/state";
+import { SyncService } from "@bitwarden/common/platform/sync";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+
+import { EncryptedMigrationsSchedulerService } from "./encrypted-migrations-scheduler.service.abstraction";
+import { PromptMigrationPasswordComponent } from "./prompt-migration-password.component";
+
+export const ENCRYPTED_MIGRATION_DISMISSED = new UserKeyDefinition<Date>(
+  ENCRYPTED_MIGRATION_DISK,
+  "encryptedMigrationDismissed",
+  {
+    deserializer: (obj: string) => (obj != null ? new Date(obj) : null),
+    clearOn: [],
+  },
+);
+const DISMISS_TIME_HOURS = 24;
+const VAULT_ROUTES = ["/vault", "/tabs/vault", "/tabs/current"];
+
+/**
+ * This services schedules encrypted migrations for users on clients that are interactive (non-cli), and handles manual interaction,
+ * if it is required by showing a UI prompt. It is only one means of triggering migrations, in case the user stays unlocked for a while,
+ * or regularly logs in without a master-password, when the migrations do require a master-password to run.
+ */
+export class DefaultEncryptedMigrationsSchedulerService implements EncryptedMigrationsSchedulerService {
+  isMigrating = false;
+  url$: Observable<string>;
+
+  constructor(
+    private syncService: SyncService,
+    private accountService: AccountService,
+    private stateProvider: StateProvider,
+    private encryptedMigrator: EncryptedMigrator,
+    private authService: AuthService,
+    private logService: LogService,
+    private dialogService: DialogService,
+    private toastService: ToastService,
+    private i18nService: I18nService,
+    private router: Router,
+  ) {
+    this.url$ = this.router.events.pipe(
+      filter((event: any) => event instanceof NavigationEnd),
+      map((event: NavigationEnd) => event.url),
+    );
+
+    // For all accounts, if the auth status changes to unlocked or a sync happens, prompt for migration
+    this.accountService.accounts$
+      .pipe(
+        switchMap((accounts) => {
+          const userIds = Object.keys(accounts) as UserId[];
+
+          if (userIds.length === 0) {
+            return of([]);
+          }
+
+          return combineLatest(
+            userIds.map((userId) =>
+              combineLatest([
+                this.authService.authStatusFor$(userId),
+                this.syncService.lastSync$(userId).pipe(filter((lastSync) => lastSync != null)),
+                this.url$,
+              ]).pipe(
+                filter(
+                  ([authStatus, _date, url]) =>
+                    authStatus === AuthenticationStatus.Unlocked && VAULT_ROUTES.includes(url),
+                ),
+                concatMap(() => this.runMigrationsIfNeeded(userId)),
+              ),
+            ),
+          );
+        }),
+      )
+      .subscribe();
+  }
+
+  async runMigrationsIfNeeded(userId: UserId): Promise<void> {
+    const authStatus = await firstValueFrom(this.authService.authStatusFor$(userId));
+    if (authStatus !== AuthenticationStatus.Unlocked) {
+      return;
+    }
+
+    if (this.isMigrating || this.encryptedMigrator.isRunningMigrations()) {
+      this.logService.info(
+        `[EncryptedMigrationsScheduler] Skipping migration check for user ${userId} because migrations are already in progress`,
+      );
+      return;
+    }
+
+    this.isMigrating = true;
+    switch (await this.encryptedMigrator.needsMigrations(userId)) {
+      case "noMigrationNeeded":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] No migrations needed for user ${userId}`,
+        );
+        break;
+      case "needsMigrationWithMasterPassword":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] User ${userId} needs migrations with master password`,
+        );
+        // If the user is unlocked, we can run migrations with the master password
+        await this.runMigrationsWithInteraction(userId);
+        break;
+      case "needsMigration":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] User ${userId} needs migrations with master password`,
+        );
+        // If the user is unlocked, we can prompt for the master password
+        await this.runMigrationsWithoutInteraction(userId);
+        break;
+    }
+    this.isMigrating = false;
+  }
+
+  private async runMigrationsWithoutInteraction(userId: UserId): Promise<void> {
+    try {
+      await this.encryptedMigrator.runMigrations(userId, null);
+    } catch (error) {
+      this.logService.error(
+        "[EncryptedMigrationsScheduler] Error during migration without interaction",
+        error,
+      );
+    }
+  }
+
+  private async runMigrationsWithInteraction(userId: UserId): Promise<void> {
+    // A dialog can be dismissed for a certain amount of time
+    const dismissedDate = await firstValueFrom(
+      this.stateProvider.getUser(userId, ENCRYPTED_MIGRATION_DISMISSED).state$,
+    );
+    if (dismissedDate != null) {
+      const now = new Date();
+      const timeDiff = now.getTime() - (dismissedDate as Date).getTime();
+      const hoursDiff = timeDiff / (1000 * 60 * 60);
+
+      if (hoursDiff < DISMISS_TIME_HOURS) {
+        this.logService.info(
+          "[EncryptedMigrationsScheduler] Migration prompt dismissed recently, skipping for now.",
+        );
+        return;
+      }
+    }
+
+    try {
+      const dialog = PromptMigrationPasswordComponent.open(this.dialogService);
+      const masterPassword = await firstValueFrom(dialog.closed);
+      if (Utils.isNullOrWhitespace(masterPassword)) {
+        await this.stateProvider.setUserState(ENCRYPTED_MIGRATION_DISMISSED, new Date(), userId);
+      } else {
+        await this.encryptedMigrator.runMigrations(
+          userId,
+          masterPassword === undefined ? null : masterPassword,
+        );
+      }
+    } catch (error) {
+      this.logService.error("[EncryptedMigrationsScheduler] Error during migration prompt", error);
+      // If migrations failed when the user actively was prompted, show a toast
+      this.toastService.showToast({
+        variant: "error",
+        message: this.i18nService.t("migrationsFailed"),
+      });
+    }
+  }
+}

libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.html

@@ -0,0 +1,55 @@
+<form [bitSubmit]="submit" [formGroup]="migrationPasswordForm">
+  <bit-dialog>
+    <div class="tw-font-semibold" bitDialogTitle>
+      {{ "updateEncryptionSettingsTitle" | i18n }}
+    </div>
+    <div bitDialogContent>
+      <p>
+        {{ "updateEncryptionSettingsDesc" | i18n }}
+        <a
+          bitLink
+          href="https://bitwarden.com/help/kdf-algorithms/"
+          target="_blank"
+          rel="noreferrer"
+          aria-label="external link"
+        >
+          {{ "learnMore" | i18n }}
+          <i class="bwi bwi-external-link" aria-hidden="true"></i>
+        </a>
+      </p>
+      <bit-form-field>
+        <bit-label>{{ "masterPass" | i18n }}</bit-label>
+        <bit-hint>{{ "confirmIdentityToContinue" | i18n }}</bit-hint>
+        <input
+          class="tw-font-mono"
+          bitInput
+          type="password"
+          formControlName="masterPassword"
+          [attr.title]="'masterPass' | i18n"
+        />
+        <button
+          type="button"
+          bitIconButton
+          bitSuffix
+          bitPasswordInputToggle
+          [attr.title]="'toggleVisibility' | i18n"
+          [attr.aria-label]="'toggleVisibility' | i18n"
+        ></button>
+      </bit-form-field>
+    </div>
+    <ng-container bitDialogFooter>
+      <button
+        type="submit"
+        bitButton
+        bitFormButton
+        buttonType="primary"
+        [disabled]="migrationPasswordForm.invalid"
+      >
+        <span>{{ "updateSettings" | i18n }}</span>
+      </button>
+      <button type="button" bitButton bitFormButton buttonType="secondary" bitDialogClose>
+        {{ "later" | i18n }}
+      </button>
+    </ng-container>
+  </bit-dialog>
+</form>

libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.ts

@@ -0,0 +1,90 @@
+import { CommonModule } from "@angular/common";
+import { Component, inject, ChangeDetectionStrategy } from "@angular/core";
+import { FormBuilder, ReactiveFormsModule, Validators } from "@angular/forms";
+import { filter, firstValueFrom, map } from "rxjs";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { MasterPasswordUnlockService } from "@bitwarden/common/key-management/master-password/abstractions/master-password-unlock.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import {
+  LinkModule,
+  AsyncActionsModule,
+  ButtonModule,
+  DialogModule,
+  DialogRef,
+  DialogService,
+  FormFieldModule,
+  IconButtonModule,
+  ToastService,
+} from "@bitwarden/components";
+
+/**
+ * This is a generic prompt to run encryption migrations that require the master password.
+ */
+@Component({
+  changeDetection: ChangeDetectionStrategy.OnPush,
+  templateUrl: "prompt-migration-password.component.html",
+  imports: [
+    DialogModule,
+    LinkModule,
+    CommonModule,
+    JslibModule,
+    ButtonModule,
+    IconButtonModule,
+    ReactiveFormsModule,
+    AsyncActionsModule,
+    FormFieldModule,
+  ],
+})
+export class PromptMigrationPasswordComponent {
+  private dialogRef = inject(DialogRef<string>);
+  private formBuilder = inject(FormBuilder);
+  private masterPasswordUnlockService = inject(MasterPasswordUnlockService);
+  private accountService = inject(AccountService);
+  private toastService = inject(ToastService);
+  private i18nService = inject(I18nService);
+
+  migrationPasswordForm = this.formBuilder.group({
+    masterPassword: ["", [Validators.required]],
+  });
+
+  static open(dialogService: DialogService) {
+    return dialogService.open<string>(PromptMigrationPasswordComponent);
+  }
+
+  submit = async () => {
+    const masterPasswordControl = this.migrationPasswordForm.controls.masterPassword;
+
+    if (!masterPasswordControl.value || masterPasswordControl.invalid) {
+      return;
+    }
+
+    const { userId } = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(
+        filter((account) => account != null),
+        map((account) => {
+          return {
+            userId: account!.id,
+          };
+        }),
+      ),
+    );
+
+    if (
+      !(await this.masterPasswordUnlockService.proofOfDecryption(
+        masterPasswordControl.value,
+        userId,
+      ))
+    ) {
+      this.toastService.showToast({
+        variant: "error",
+        message: this.i18nService.t("incorrectPassword"),
+      });
+      return;
+    }
+
+    // Return the master password to the caller
+    this.dialogRef.close(masterPasswordControl.value);
+  };
+}

libs/angular/src/services/jslib-services.module.ts

@@ -1,6 +1,7 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
-import { ErrorHandler, LOCALE_ID, NgModule } from "@angular/core";
+import { APP_INITIALIZER, ErrorHandler, LOCALE_ID, NgModule } from "@angular/core";
+import { Router } from "@angular/router";
 import { Subject } from "rxjs";
 
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
@@ -93,7 +94,7 @@ import {
   InternalAccountService,
 } from "@bitwarden/common/auth/abstractions/account.service";
 import { AnonymousHubService as AnonymousHubServiceAbstraction } from "@bitwarden/common/auth/abstractions/anonymous-hub.service";
-import { AuthRequestAnsweringServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-answering/auth-request-answering.service.abstraction";
+import { AuthRequestAnsweringService } from "@bitwarden/common/auth/abstractions/auth-request-answering/auth-request-answering.service.abstraction";
 import { AuthService as AuthServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AvatarService as AvatarServiceAbstraction } from "@bitwarden/common/auth/abstractions/avatar.service";
 import { DevicesServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices/devices.service.abstraction";
@@ -102,7 +103,6 @@ import { MasterPasswordApiService as MasterPasswordApiServiceAbstraction } from
 import { PasswordResetEnrollmentServiceAbstraction } from "@bitwarden/common/auth/abstractions/password-reset-enrollment.service.abstraction";
 import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
 import { TokenService as TokenServiceAbstraction } from "@bitwarden/common/auth/abstractions/token.service";
-import { TwoFactorService as TwoFactorServiceAbstraction } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { UserVerificationApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification-api.service.abstraction";
 import { UserVerificationService as UserVerificationServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { WebAuthnLoginApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login-api.service.abstraction";
@@ -112,7 +112,7 @@ import { SendTokenService, DefaultSendTokenService } from "@bitwarden/common/aut
 import { AccountApiServiceImplementation } from "@bitwarden/common/auth/services/account-api.service";
 import { AccountServiceImplementation } from "@bitwarden/common/auth/services/account.service";
 import { AnonymousHubService } from "@bitwarden/common/auth/services/anonymous-hub.service";
-import { NoopAuthRequestAnsweringService } from "@bitwarden/common/auth/services/auth-request-answering/noop-auth-request-answering.service";
+import { DefaultAuthRequestAnsweringService } from "@bitwarden/common/auth/services/auth-request-answering/default-auth-request-answering.service";
 import { PendingAuthRequestsStateService } from "@bitwarden/common/auth/services/auth-request-answering/pending-auth-requests.state";
 import { AuthService } from "@bitwarden/common/auth/services/auth.service";
 import { AvatarService } from "@bitwarden/common/auth/services/avatar.service";
@@ -125,13 +125,17 @@ import { OrganizationInviteService } from "@bitwarden/common/auth/services/organ
 import { PasswordResetEnrollmentServiceImplementation } from "@bitwarden/common/auth/services/password-reset-enrollment.service.implementation";
 import { SsoLoginService } from "@bitwarden/common/auth/services/sso-login.service";
 import { TokenService } from "@bitwarden/common/auth/services/token.service";
-import { TwoFactorService } from "@bitwarden/common/auth/services/two-factor.service";
 import { UserVerificationApiService } from "@bitwarden/common/auth/services/user-verification/user-verification-api.service";
 import { UserVerificationService } from "@bitwarden/common/auth/services/user-verification/user-verification.service";
 import { WebAuthnLoginApiService } from "@bitwarden/common/auth/services/webauthn-login/webauthn-login-api.service";
 import { WebAuthnLoginPrfKeyService } from "@bitwarden/common/auth/services/webauthn-login/webauthn-login-prf-key.service";
 import { WebAuthnLoginService } from "@bitwarden/common/auth/services/webauthn-login/webauthn-login.service";
-import { TwoFactorApiService, DefaultTwoFactorApiService } from "@bitwarden/common/auth/two-factor";
+import {
+  TwoFactorApiService,
+  DefaultTwoFactorApiService,
+  TwoFactorService,
+  DefaultTwoFactorService,
+} from "@bitwarden/common/auth/two-factor";
 import {
   AutofillSettingsService,
   AutofillSettingsServiceAbstraction,
@@ -164,6 +168,8 @@ import { OrganizationBillingService } from "@bitwarden/common/billing/services/o
 import { DefaultSubscriptionPricingService } from "@bitwarden/common/billing/services/subscription-pricing.service";
 import { HibpApiService } from "@bitwarden/common/dirt/services/hibp-api.service";
 import { ProcessReloadServiceAbstraction } from "@bitwarden/common/key-management/abstractions/process-reload.service";
+import { AccountCryptographicStateService } from "@bitwarden/common/key-management/account-cryptography/account-cryptographic-state.service";
+import { DefaultAccountCryptographicStateService } from "@bitwarden/common/key-management/account-cryptography/default-account-cryptographic-state.service";
 import {
   DefaultKeyGenerationService,
   KeyGenerationService,
@@ -174,14 +180,20 @@ import { EncryptServiceImplementation } from "@bitwarden/common/key-management/c
 import { WebCryptoFunctionService } from "@bitwarden/common/key-management/crypto/services/web-crypto-function.service";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { DeviceTrustService } from "@bitwarden/common/key-management/device-trust/services/device-trust.service.implementation";
+import { DefaultEncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/default-encrypted-migrator";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
 import { DefaultChangeKdfApiService } from "@bitwarden/common/key-management/kdf/change-kdf-api.service";
 import { ChangeKdfApiService } from "@bitwarden/common/key-management/kdf/change-kdf-api.service.abstraction";
-import { DefaultChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service";
-import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service.abstraction";
+import { DefaultChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf.service";
+import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf.service.abstraction";
+import { KeyConnectorApiService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector-api.service";
 import { KeyConnectorService as KeyConnectorServiceAbstraction } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
+import { DefaultKeyConnectorApiService } from "@bitwarden/common/key-management/key-connector/services/default-key-connector-api.service";
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/services/key-connector.service";
 import { KeyApiService } from "@bitwarden/common/key-management/keys/services/abstractions/key-api-service.abstraction";
+import { RotateableKeySetService } from "@bitwarden/common/key-management/keys/services/abstractions/rotateable-key-set.service";
 import { DefaultKeyApiService } from "@bitwarden/common/key-management/keys/services/default-key-api-service.service";
+import { DefaultRotateableKeySetService } from "@bitwarden/common/key-management/keys/services/default-rotateable-key-set.service";
 import { MasterPasswordUnlockService } from "@bitwarden/common/key-management/master-password/abstractions/master-password-unlock.service";
 import {
   InternalMasterPasswordServiceAbstraction,
@@ -199,6 +211,7 @@ import {
   SendPasswordService,
   DefaultSendPasswordService,
 } from "@bitwarden/common/key-management/sends";
+import { SessionTimeoutTypeService } from "@bitwarden/common/key-management/session-timeout";
 import {
   DefaultVaultTimeoutService,
   DefaultVaultTimeoutSettingsService,
@@ -218,6 +231,7 @@ import { I18nService as I18nServiceAbstraction } from "@bitwarden/common/platfor
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService as MessagingServiceAbstraction } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService as PlatformUtilsServiceAbstraction } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { RegisterSdkService } from "@bitwarden/common/platform/abstractions/sdk/register-sdk.service";
 import { SdkClientFactory } from "@bitwarden/common/platform/abstractions/sdk/sdk-client-factory";
 import { SdkService } from "@bitwarden/common/platform/abstractions/sdk/sdk.service";
 import { StateService as StateServiceAbstraction } from "@bitwarden/common/platform/abstractions/state.service";
@@ -226,6 +240,7 @@ import { SystemService } from "@bitwarden/common/platform/abstractions/system.se
 import { ValidationService as ValidationServiceAbstraction } from "@bitwarden/common/platform/abstractions/validation.service";
 import { ActionsService } from "@bitwarden/common/platform/actions";
 import { UnsupportedActionsService } from "@bitwarden/common/platform/actions/unsupported-actions.service";
+import { IpcSessionRepository } from "@bitwarden/common/platform/ipc";
 import { Message, MessageListener, MessageSender } from "@bitwarden/common/platform/messaging";
 // eslint-disable-next-line no-restricted-imports -- Used for dependency injection
 import { SubjectMessageSender } from "@bitwarden/common/platform/messaging/internal";
@@ -255,6 +270,7 @@ import { FileUploadService } from "@bitwarden/common/platform/services/file-uplo
 import { MigrationBuilderService } from "@bitwarden/common/platform/services/migration-builder.service";
 import { MigrationRunner } from "@bitwarden/common/platform/services/migration-runner";
 import { DefaultSdkService } from "@bitwarden/common/platform/services/sdk/default-sdk.service";
+import { DefaultRegisterSdkService } from "@bitwarden/common/platform/services/sdk/register-sdk.service";
 import { StorageServiceProvider } from "@bitwarden/common/platform/services/storage-service.provider";
 import { UserAutoUnlockKeyService } from "@bitwarden/common/platform/services/user-auto-unlock-key.service";
 import { ValidationService } from "@bitwarden/common/platform/services/validation.service";
@@ -320,6 +336,7 @@ import { DefaultTaskService, TaskService } from "@bitwarden/common/vault/tasks";
 import {
   AnonLayoutWrapperDataService,
   DefaultAnonLayoutWrapperDataService,
+  DialogService,
   ToastService,
 } from "@bitwarden/components";
 import {
@@ -380,14 +397,14 @@ import {
   VaultExportServiceAbstraction,
 } from "@bitwarden/vault-export-core";
 
-import { DefaultLoginApprovalDialogComponentService } from "../auth/login-approval/default-login-approval-dialog-component.service";
-import { LoginApprovalDialogComponentServiceAbstraction } from "../auth/login-approval/login-approval-dialog-component.service.abstraction";
 import { DefaultSetInitialPasswordService } from "../auth/password-management/set-initial-password/default-set-initial-password.service.implementation";
 import { SetInitialPasswordService } from "../auth/password-management/set-initial-password/set-initial-password.service.abstraction";
 import { DeviceTrustToastService as DeviceTrustToastServiceAbstraction } from "../auth/services/device-trust-toast.service.abstraction";
 import { DeviceTrustToastService } from "../auth/services/device-trust-toast.service.implementation";
 import { NoopPremiumInterestStateService } from "../billing/services/premium-interest/noop-premium-interest-state.service";
 import { PremiumInterestStateService } from "../billing/services/premium-interest/premium-interest-state.service.abstraction";
+import { DefaultEncryptedMigrationsSchedulerService } from "../key-management/encrypted-migration/encrypted-migrations-scheduler.service";
+import { EncryptedMigrationsSchedulerService } from "../key-management/encrypted-migration/encrypted-migrations-scheduler.service.abstraction";
 import { FormValidationErrorsService as FormValidationErrorsServiceAbstraction } from "../platform/abstractions/form-validation-errors.service";
 import { DocumentLangSetter } from "../platform/i18n";
 import { FormValidationErrorsService } from "../platform/services/form-validation-errors.service";
@@ -508,6 +525,23 @@ const safeProviders: SafeProvider[] = [
       TokenServiceAbstraction,
     ],
   }),
+  safeProvider({
+    provide: ChangeKdfService,
+    useClass: DefaultChangeKdfService,
+    deps: [ChangeKdfApiService, SdkService, KeyService, InternalMasterPasswordServiceAbstraction],
+  }),
+  safeProvider({
+    provide: EncryptedMigrator,
+    useClass: DefaultEncryptedMigrator,
+    deps: [
+      KdfConfigService,
+      ChangeKdfService,
+      LogService,
+      ConfigService,
+      MasterPasswordServiceAbstraction,
+      SyncService,
+    ],
+  }),
   safeProvider({
     provide: LoginStrategyServiceAbstraction,
     useClass: LoginStrategyService,
@@ -524,7 +558,7 @@ const safeProviders: SafeProvider[] = [
       KeyConnectorServiceAbstraction,
       EnvironmentService,
       StateServiceAbstraction,
-      TwoFactorServiceAbstraction,
+      TwoFactorService,
       I18nServiceAbstraction,
       EncryptService,
       PasswordStrengthServiceAbstraction,
@@ -538,6 +572,7 @@ const safeProviders: SafeProvider[] = [
       KdfConfigService,
       TaskSchedulerService,
       ConfigService,
+      AccountCryptographicStateService,
     ],
   }),
   safeProvider({
@@ -678,7 +713,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: InternalUserDecryptionOptionsServiceAbstraction,
     useClass: UserDecryptionOptionsService,
-    deps: [StateProvider],
+    deps: [SingleUserStateProvider],
   }),
   safeProvider({
     provide: UserDecryptionOptionsServiceAbstraction,
@@ -860,8 +895,14 @@ const safeProviders: SafeProvider[] = [
       StateProvider,
       SecurityStateService,
       KdfConfigService,
+      AccountCryptographicStateService,
     ],
   }),
+  safeProvider({
+    provide: AccountCryptographicStateService,
+    useClass: DefaultAccountCryptographicStateService,
+    deps: [StateProvider],
+  }),
   safeProvider({
     provide: BroadcasterService,
     useClass: DefaultBroadcasterService,
@@ -881,6 +922,7 @@ const safeProviders: SafeProvider[] = [
       StateProvider,
       LogService,
       DEFAULT_VAULT_TIMEOUT,
+      SessionTimeoutTypeService,
     ],
   }),
   safeProvider({
@@ -917,7 +959,7 @@ const safeProviders: SafeProvider[] = [
     deps: [
       FolderServiceAbstraction,
       CipherServiceAbstraction,
-      PinServiceAbstraction,
+      KeyGenerationService,
       KeyService,
       EncryptService,
       CryptoFunctionServiceAbstraction,
@@ -937,7 +979,7 @@ const safeProviders: SafeProvider[] = [
     deps: [
       CipherServiceAbstraction,
       VaultExportApiService,
-      PinServiceAbstraction,
+      KeyGenerationService,
       KeyService,
       EncryptService,
       CryptoFunctionServiceAbstraction,
@@ -996,9 +1038,15 @@ const safeProviders: SafeProvider[] = [
     deps: [StateProvider],
   }),
   safeProvider({
-    provide: AuthRequestAnsweringServiceAbstraction,
-    useClass: NoopAuthRequestAnsweringService,
-    deps: [],
+    provide: AuthRequestAnsweringService,
+    useClass: DefaultAuthRequestAnsweringService,
+    deps: [
+      AccountServiceAbstraction,
+      AuthServiceAbstraction,
+      MasterPasswordServiceAbstraction,
+      MessagingServiceAbstraction,
+      PendingAuthRequestsStateService,
+    ],
   }),
   safeProvider({
     provide: ServerNotificationsService,
@@ -1016,8 +1064,9 @@ const safeProviders: SafeProvider[] = [
       SignalRConnectionService,
       AuthServiceAbstraction,
       WebPushConnectionService,
-      AuthRequestAnsweringServiceAbstraction,
+      AuthRequestAnsweringService,
       ConfigService,
+      InternalPolicyService,
     ],
   }),
   safeProvider({
@@ -1056,7 +1105,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: InternalPolicyService,
     useClass: DefaultPolicyService,
-    deps: [StateProvider, OrganizationServiceAbstraction],
+    deps: [StateProvider, OrganizationServiceAbstraction, AccountServiceAbstraction],
   }),
   safeProvider({
     provide: PolicyServiceAbstraction,
@@ -1085,7 +1134,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: MasterPasswordUnlockService,
     useClass: DefaultMasterPasswordUnlockService,
-    deps: [InternalMasterPasswordServiceAbstraction, KeyService],
+    deps: [InternalMasterPasswordServiceAbstraction, KeyService, LogService],
   }),
   safeProvider({
     provide: KeyConnectorServiceAbstraction,
@@ -1101,6 +1150,10 @@ const safeProviders: SafeProvider[] = [
       KeyGenerationService,
       LOGOUT_CALLBACK,
       StateProvider,
+      ConfigService,
+      RegisterSdkService,
+      SecurityStateService,
+      AccountCryptographicStateService,
     ],
   }),
   safeProvider({
@@ -1162,9 +1215,14 @@ const safeProviders: SafeProvider[] = [
     deps: [StateProvider],
   }),
   safeProvider({
-    provide: TwoFactorServiceAbstraction,
-    useClass: TwoFactorService,
-    deps: [I18nServiceAbstraction, PlatformUtilsServiceAbstraction, GlobalStateProvider],
+    provide: TwoFactorService,
+    useClass: DefaultTwoFactorService,
+    deps: [
+      I18nServiceAbstraction,
+      PlatformUtilsServiceAbstraction,
+      GlobalStateProvider,
+      TwoFactorApiService,
+    ],
   }),
   safeProvider({
     provide: FormValidationErrorsServiceAbstraction,
@@ -1281,6 +1339,7 @@ const safeProviders: SafeProvider[] = [
       UserDecryptionOptionsServiceAbstraction,
       LogService,
       ConfigService,
+      AccountServiceAbstraction,
     ],
   }),
   safeProvider({
@@ -1291,7 +1350,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: ChangeKdfService,
     useClass: DefaultChangeKdfService,
-    deps: [ChangeKdfApiService, SdkService],
+    deps: [ChangeKdfApiService, SdkService, KeyService, InternalMasterPasswordServiceAbstraction],
   }),
   safeProvider({
     provide: AuthRequestServiceAbstraction,
@@ -1315,16 +1374,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: PinServiceAbstraction,
     useClass: PinService,
-    deps: [
-      AccountServiceAbstraction,
-      EncryptService,
-      KdfConfigService,
-      KeyGenerationService,
-      LogService,
-      KeyService,
-      SdkService,
-      PinStateServiceAbstraction,
-    ],
+    deps: [EncryptService, LogService, KeyService, SdkService, PinStateServiceAbstraction],
   }),
   safeProvider({
     provide: WebAuthnLoginPrfKeyServiceAbstraction,
@@ -1448,7 +1498,7 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: OrganizationMetadataServiceAbstraction,
     useClass: DefaultOrganizationMetadataService,
-    deps: [BillingApiServiceAbstraction, ConfigService],
+    deps: [BillingApiServiceAbstraction, ConfigService, PlatformUtilsServiceAbstraction],
   }),
   safeProvider({
     provide: BillingAccountProfileStateService,
@@ -1458,7 +1508,13 @@ const safeProviders: SafeProvider[] = [
   safeProvider({
     provide: SubscriptionPricingServiceAbstraction,
     useClass: DefaultSubscriptionPricingService,
-    deps: [BillingApiServiceAbstraction, ConfigService, I18nServiceAbstraction, LogService],
+    deps: [
+      BillingApiServiceAbstraction,
+      ConfigService,
+      I18nServiceAbstraction,
+      LogService,
+      EnvironmentService,
+    ],
   }),
   safeProvider({
     provide: OrganizationManagementPreferencesService,
@@ -1526,6 +1582,7 @@ const safeProviders: SafeProvider[] = [
       OrganizationApiServiceAbstraction,
       OrganizationUserApiService,
       InternalUserDecryptionOptionsServiceAbstraction,
+      AccountCryptographicStateService,
     ],
   }),
   safeProvider({
@@ -1574,6 +1631,19 @@ const safeProviders: SafeProvider[] = [
       SsoLoginServiceAbstraction,
     ],
   }),
+  safeProvider({
+    provide: RegisterSdkService,
+    useClass: DefaultRegisterSdkService,
+    deps: [
+      SdkClientFactory,
+      EnvironmentService,
+      PlatformUtilsServiceAbstraction,
+      AccountServiceAbstraction,
+      ApiServiceAbstraction,
+      StateProvider,
+      ConfigService,
+    ],
+  }),
   safeProvider({
     provide: SdkService,
     useClass: DefaultSdkService,
@@ -1600,11 +1670,6 @@ const safeProviders: SafeProvider[] = [
     useClass: DefaultSendPasswordService,
     deps: [CryptoFunctionServiceAbstraction],
   }),
-  safeProvider({
-    provide: LoginApprovalDialogComponentServiceAbstraction,
-    useClass: DefaultLoginApprovalDialogComponentService,
-    deps: [],
-  }),
   safeProvider({
     provide: LoginDecryptionOptionsService,
     useClass: DefaultLoginDecryptionOptionsService,
@@ -1637,6 +1702,7 @@ const safeProviders: SafeProvider[] = [
       SsoLoginServiceAbstraction,
       SyncService,
       UserAsymmetricKeysRegenerationService,
+      EncryptedMigrator,
       LogService,
     ],
   }),
@@ -1707,6 +1773,28 @@ const safeProviders: SafeProvider[] = [
       InternalMasterPasswordServiceAbstraction,
     ],
   }),
+  safeProvider({
+    provide: EncryptedMigrationsSchedulerService,
+    useClass: DefaultEncryptedMigrationsSchedulerService,
+    deps: [
+      SyncService,
+      AccountService,
+      StateProvider,
+      EncryptedMigrator,
+      AuthServiceAbstraction,
+      LogService,
+      DialogService,
+      ToastService,
+      I18nServiceAbstraction,
+      Router,
+    ],
+  }),
+  safeProvider({
+    provide: APP_INITIALIZER as SafeInjectionToken<() => Promise<void>>,
+    useFactory: (encryptedMigrationsScheduler: EncryptedMigrationsSchedulerService) => () => {},
+    deps: [EncryptedMigrationsSchedulerService],
+    multi: true,
+  }),
   safeProvider({
     provide: LockService,
     useClass: DefaultLockService,
@@ -1738,11 +1826,26 @@ const safeProviders: SafeProvider[] = [
       ConfigService,
     ],
   }),
+  safeProvider({
+    provide: RotateableKeySetService,
+    useClass: DefaultRotateableKeySetService,
+    deps: [KeyService, EncryptService],
+  }),
   safeProvider({
     provide: NewDeviceVerificationComponentService,
     useClass: DefaultNewDeviceVerificationComponentService,
     deps: [],
   }),
+  safeProvider({
+    provide: IpcSessionRepository,
+    useClass: IpcSessionRepository,
+    deps: [StateProvider],
+  }),
+  safeProvider({
+    provide: KeyConnectorApiService,
+    useClass: DefaultKeyConnectorApiService,
+    deps: [ApiServiceAbstraction],
+  }),
   safeProvider({
     provide: PremiumInterestStateService,
     useClass: NoopPremiumInterestStateService,

libs/angular/src/tools/send/add-edit.component.ts

@@ -27,13 +27,13 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncArrayBuffer } from "@bitwarden/common/platform/models/domain/enc-array-buffer";
-import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
 import { Send } from "@bitwarden/common/tools/send/models/domain/send";
 import { SendFileView } from "@bitwarden/common/tools/send/models/view/send-file.view";
 import { SendTextView } from "@bitwarden/common/tools/send/models/view/send-text.view";
 import { SendView } from "@bitwarden/common/tools/send/models/view/send.view";
 import { SendApiService } from "@bitwarden/common/tools/send/services/send-api.service.abstraction";
 import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
+import { SendType } from "@bitwarden/common/tools/send/types/send-type";
 import { PremiumUpgradePromptService } from "@bitwarden/common/vault/abstractions/premium-upgrade-prompt.service";
 import { DialogService, ToastService } from "@bitwarden/components";
 

libs/angular/src/tools/send/send.component.ts

@@ -20,10 +20,10 @@ import { EnvironmentService } from "@bitwarden/common/platform/abstractions/envi
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
-import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
 import { SendView } from "@bitwarden/common/tools/send/models/view/send.view";
 import { SendApiService } from "@bitwarden/common/tools/send/services/send-api.service.abstraction";
 import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
+import { SendType } from "@bitwarden/common/tools/send/types/send-type";
 import { SearchService } from "@bitwarden/common/vault/abstractions/search.service";
 import { DialogService, ToastService } from "@bitwarden/components";
 
@@ -78,7 +78,7 @@ export class SendComponent implements OnInit, OnDestroy {
     protected ngZone: NgZone,
     protected searchService: SearchService,
     protected policyService: PolicyService,
-    private logService: LogService,
+    protected logService: LogService,
     protected sendApiService: SendApiService,
     protected dialogService: DialogService,
     protected toastService: ToastService,

libs/angular/src/vault/abstractions/deprecated-vault-filter.service.ts

@@ -1,8 +1,6 @@
 import { Observable } from "rxjs";
 
-// This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
-// eslint-disable-next-line no-restricted-imports
-import { CollectionView } from "@bitwarden/admin-console/common";
+import { CollectionView } from "@bitwarden/common/admin-console/models/collections";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { UserId } from "@bitwarden/common/types/guid";
 import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";

libs/angular/src/vault/components/icon.component.html

@@ -1,9 +1,5 @@
 <!-- Applying width and height styles directly to synchronize icon sizing between web/browser/desktop -->
-<div
-  class="tw-flex tw-justify-center tw-items-center"
-  [ngStyle]="coloredIcon() ? { width: '36px', height: '36px' } : {}"
-  aria-hidden="true"
->
+<div class="tw-flex tw-justify-center tw-items-center" [ngStyle]="iconStyle()" aria-hidden="true">
   <ng-container *ngIf="data$ | async as data">
     @if (data.imageEnabled && data.image) {
       <img
@@ -16,7 +12,7 @@
           'tw-invisible tw-absolute': !imageLoaded(),
           'tw-size-6': !coloredIcon(),
         }"
-        [ngStyle]="coloredIcon() ? { width: '36px', height: '36px' } : {}"
+        [ngStyle]="iconStyle()"
         (load)="imageLoaded.set(true)"
         (error)="imageLoaded.set(false)"
       />
@@ -28,7 +24,7 @@
           'tw-bg-illustration-bg-primary tw-rounded-full':
             data.icon?.startsWith('bwi-') && coloredIcon(),
         }"
-        [ngStyle]="coloredIcon() ? { width: '36px', height: '36px' } : {}"
+        [ngStyle]="iconStyle()"
       >
         <i
           class="tw-text-muted bwi bwi-lg {{ data.icon }}"
@@ -36,6 +32,7 @@
             color: coloredIcon() ? 'rgb(var(--color-illustration-outline))' : null,
             width: data.icon?.startsWith('credit-card') && coloredIcon() ? '36px' : null,
             height: data.icon?.startsWith('credit-card') && coloredIcon() ? '30px' : null,
+            fontSize: size() ? size() + 'px' : null,
           }"
         ></i>
       </div>

libs/angular/src/vault/components/icon.component.ts

@@ -1,4 +1,4 @@
-import { ChangeDetectionStrategy, Component, input, signal } from "@angular/core";
+import { ChangeDetectionStrategy, Component, computed, input, signal } from "@angular/core";
 import { toObservable } from "@angular/core/rxjs-interop";
 import {
   combineLatest,
@@ -32,8 +32,32 @@ export class IconComponent {
    */
   readonly coloredIcon = input<boolean>(false);
 
+  /**
+   * Optional custom size for the icon in pixels.
+   * When provided, forces explicit dimensions on the icon wrapper to prevent layout collapse at different zoom levels.
+   * If not provided, the wrapper has no explicit dimensions and relies on CSS classes (tw-size-6/24px for images).
+   * This can cause the wrapper to collapse when images are loading/hidden, especially at high browser zoom levels.
+   * Reference: default image size is tw-size-6 (24px), coloredIcon uses 36px.
+   */
+  readonly size = input<number>();
+
   readonly imageLoaded = signal(false);
 
+  /**
+   * Computed style object for icon dimensions.
+   * Centralizes the sizing logic to avoid repetition in the template.
+   */
+  protected readonly iconStyle = computed(() => {
+    if (this.coloredIcon()) {
+      return { width: "36px", height: "36px" };
+    }
+    const size = this.size();
+    if (size) {
+      return { width: size + "px", height: size + "px" };
+    }
+    return {};
+  });
+
   protected data$: Observable<CipherIconDetails>;
 
   constructor(

libs/angular/src/vault/components/spotlight/spotlight.component.html

@@ -3,20 +3,20 @@
 >
   <div class="tw-flex tw-justify-between tw-items-start tw-flex-grow">
     <div>
-      <h2 bitTypography="h4" class="tw-font-medium !tw-mb-1">{{ title }}</h2>
+      <h2 *ngIf="title()" bitTypography="h4" class="tw-font-medium !tw-mb-1">{{ title() }}</h2>
       <p
-        *ngIf="subtitle"
+        *ngIf="subtitle()"
         class="tw-text-main tw-mb-0"
         bitTypography="body2"
-        [innerHTML]="subtitle"
+        [innerHTML]="subtitle()"
       ></p>
-      <ng-content *ngIf="!subtitle"></ng-content>
+      <ng-content *ngIf="!subtitle()"></ng-content>
     </div>
     <button
       type="button"
       bitIconButton="bwi-close"
       size="small"
-      *ngIf="!persistent"
+      *ngIf="!persistent()"
       (click)="handleDismiss()"
       class="-tw-me-2"
       [label]="'close' | i18n"
@@ -28,10 +28,10 @@
     bitButton
     type="button"
     buttonType="primary"
-    *ngIf="buttonText"
+    *ngIf="buttonText()"
     (click)="handleButtonClick($event)"
   >
-    {{ buttonText }}
-    <i *ngIf="buttonIcon" [ngClass]="buttonIcon" class="bwi tw-ml-1" aria-hidden="true"></i>
+    {{ buttonText() }}
+    <i *ngIf="buttonIcon()" [ngClass]="buttonIcon()" class="bwi tw-ml-1" aria-hidden="true"></i>
   </button>
 </div>

libs/angular/src/vault/components/spotlight/spotlight.component.spec.ts

@@ -0,0 +1,208 @@
+import { CommonModule } from "@angular/common";
+import { ChangeDetectionStrategy, Component } from "@angular/core";
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { By } from "@angular/platform-browser";
+
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+
+import { SpotlightComponent } from "./spotlight.component";
+
+describe("SpotlightComponent", () => {
+  let fixture: ComponentFixture<SpotlightComponent>;
+  let component: SpotlightComponent;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      imports: [SpotlightComponent],
+      providers: [{ provide: I18nService, useValue: { t: (key: string) => key } }],
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(SpotlightComponent);
+    component = fixture.componentInstance;
+  });
+
+  function detect(): void {
+    fixture.detectChanges();
+  }
+
+  it("should create", () => {
+    expect(component).toBeTruthy();
+  });
+
+  describe("rendering when inputs are null", () => {
+    it("should render without crashing when inputs are null/undefined", () => {
+      // Explicitly drive the inputs to null to exercise template null branches
+      fixture.componentRef.setInput("title", null);
+      fixture.componentRef.setInput("subtitle", null);
+      fixture.componentRef.setInput("buttonText", null);
+      fixture.componentRef.setInput("buttonIcon", null);
+      // persistent has a default, but drive it as well for coverage sanity
+      fixture.componentRef.setInput("persistent", false);
+
+      expect(() => detect()).not.toThrow();
+
+      const root = fixture.debugElement.nativeElement as HTMLElement;
+      expect(root).toBeTruthy();
+    });
+  });
+
+  describe("close button visibility based on persistent", () => {
+    it("should show the close button when persistent is false", () => {
+      fixture.componentRef.setInput("persistent", false);
+      detect();
+
+      // Assumes dismiss uses bitIconButton
+      const dismissButton = fixture.debugElement.query(By.css("button[bitIconButton]"));
+
+      expect(dismissButton).toBeTruthy();
+    });
+
+    it("should hide the close button when persistent is true", () => {
+      fixture.componentRef.setInput("persistent", true);
+      detect();
+
+      const dismissButton = fixture.debugElement.query(By.css("button[bitIconButton]"));
+      expect(dismissButton).toBeNull();
+    });
+  });
+
+  describe("event emission", () => {
+    it("should emit onButtonClick when CTA button is clicked", () => {
+      const clickSpy = jest.fn();
+      component.onButtonClick.subscribe(clickSpy);
+
+      fixture.componentRef.setInput("buttonText", "Click me");
+      detect();
+
+      const buttonDe = fixture.debugElement.query(By.css("button[bitButton]"));
+      expect(buttonDe).toBeTruthy();
+
+      const event = new MouseEvent("click");
+      buttonDe.triggerEventHandler("click", event);
+
+      expect(clickSpy).toHaveBeenCalledTimes(1);
+      expect(clickSpy.mock.calls[0][0]).toBeInstanceOf(MouseEvent);
+    });
+
+    it("should emit onDismiss when close button is clicked", () => {
+      const dismissSpy = jest.fn();
+      component.onDismiss.subscribe(dismissSpy);
+
+      fixture.componentRef.setInput("persistent", false);
+      detect();
+
+      const dismissButton = fixture.debugElement.query(By.css("button[bitIconButton]"));
+      expect(dismissButton).toBeTruthy();
+
+      dismissButton.triggerEventHandler("click", new MouseEvent("click"));
+
+      expect(dismissSpy).toHaveBeenCalledTimes(1);
+    });
+
+    it("handleButtonClick should emit via onButtonClick()", () => {
+      const clickSpy = jest.fn();
+      component.onButtonClick.subscribe(clickSpy);
+
+      const event = new MouseEvent("click");
+      component.handleButtonClick(event);
+
+      expect(clickSpy).toHaveBeenCalledTimes(1);
+      expect(clickSpy.mock.calls[0][0]).toBe(event);
+    });
+
+    it("handleDismiss should emit via onDismiss()", () => {
+      const dismissSpy = jest.fn();
+      component.onDismiss.subscribe(dismissSpy);
+
+      component.handleDismiss();
+
+      expect(dismissSpy).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe("content projection behavior", () => {
+    @Component({
+      standalone: true,
+      imports: [SpotlightComponent],
+      changeDetection: ChangeDetectionStrategy.OnPush,
+      template: `
+        <bit-spotlight>
+          <span class="tw-text-sm">Projected content</span>
+        </bit-spotlight>
+      `,
+    })
+    class HostWithProjectionComponent {}
+
+    let hostFixture: ComponentFixture<HostWithProjectionComponent>;
+
+    beforeEach(async () => {
+      hostFixture = TestBed.createComponent(HostWithProjectionComponent);
+    });
+
+    it("should render projected content inside the spotlight", () => {
+      hostFixture.detectChanges();
+
+      const projected = hostFixture.debugElement.query(By.css(".tw-text-sm"));
+      expect(projected).toBeTruthy();
+      expect(projected.nativeElement.textContent.trim()).toBe("Projected content");
+    });
+  });
+
+  describe("boolean attribute transform for persistent", () => {
+    @Component({
+      standalone: true,
+      imports: [CommonModule, SpotlightComponent],
+      changeDetection: ChangeDetectionStrategy.OnPush,
+      template: `
+        <!-- bare persistent attribute -->
+        <bit-spotlight *ngIf="mode === 'bare'" persistent></bit-spotlight>
+
+        <!-- no persistent attribute -->
+        <bit-spotlight *ngIf="mode === 'none'"></bit-spotlight>
+
+        <!-- explicit persistent="false" -->
+        <bit-spotlight *ngIf="mode === 'falseStr'" persistent="false"></bit-spotlight>
+      `,
+    })
+    class BooleanHostComponent {
+      mode: "bare" | "none" | "falseStr" = "bare";
+    }
+
+    let boolFixture: ComponentFixture<BooleanHostComponent>;
+    let boolHost: BooleanHostComponent;
+
+    beforeEach(async () => {
+      boolFixture = TestBed.createComponent(BooleanHostComponent);
+      boolHost = boolFixture.componentInstance;
+    });
+
+    function getSpotlight(): SpotlightComponent {
+      const de = boolFixture.debugElement.query(By.directive(SpotlightComponent));
+      return de.componentInstance as SpotlightComponent;
+    }
+
+    it("treats bare 'persistent' attribute as true via booleanAttribute", () => {
+      boolHost.mode = "bare";
+      boolFixture.detectChanges();
+
+      const spotlight = getSpotlight();
+      expect(spotlight.persistent()).toBe(true);
+    });
+
+    it("uses default false when 'persistent' is omitted", () => {
+      boolHost.mode = "none";
+      boolFixture.detectChanges();
+
+      const spotlight = getSpotlight();
+      expect(spotlight.persistent()).toBe(false);
+    });
+
+    it('treats persistent="false" as false', () => {
+      boolHost.mode = "falseStr";
+      boolFixture.detectChanges();
+
+      const spotlight = getSpotlight();
+      expect(spotlight.persistent()).toBe(false);
+    });
+  });
+});

libs/angular/src/vault/components/spotlight/spotlight.component.ts

@@ -1,43 +1,28 @@
 import { CommonModule } from "@angular/common";
-import { Component, EventEmitter, Input, Output } from "@angular/core";
+import { booleanAttribute, ChangeDetectionStrategy, Component, input, output } from "@angular/core";
 
 import { ButtonModule, IconButtonModule, TypographyModule } from "@bitwarden/components";
 import { I18nPipe } from "@bitwarden/ui-common";
 
-// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
-// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
   selector: "bit-spotlight",
   templateUrl: "spotlight.component.html",
   imports: [ButtonModule, CommonModule, IconButtonModule, I18nPipe, TypographyModule],
+  changeDetection: ChangeDetectionStrategy.OnPush,
 })
 export class SpotlightComponent {
   // The title of the component
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input({ required: true }) title: string | null = null;
+  readonly title = input<string>();
   // The subtitle of the component
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() subtitle?: string | null = null;
+  readonly subtitle = input<string>();
   // The text to display on the button
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() buttonText?: string;
-  // Wheter the component can be dismissed, if true, the component will not show a close button
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() persistent = false;
+  readonly buttonText = input<string>();
+  // Whether the component can be dismissed, if true, the component will not show a close button
+  readonly persistent = input(false, { transform: booleanAttribute });
   // Optional icon to display on the button
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-signals
-  @Input() buttonIcon: string | null = null;
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
-  @Output() onDismiss = new EventEmitter<void>();
-  // FIXME(https://bitwarden.atlassian.net/browse/CL-903): Migrate to Signals
-  // eslint-disable-next-line @angular-eslint/prefer-output-emitter-ref
-  @Output() onButtonClick = new EventEmitter();
+  readonly buttonIcon = input<string>();
+  readonly onDismiss = output<void>();
+  readonly onButtonClick = output<MouseEvent>();
 
   handleButtonClick(event: MouseEvent): void {
     this.onButtonClick.emit(event);

libs/angular/src/vault/components/vault-items.component.ts

@@ -194,7 +194,12 @@ export class VaultItemsComponent<C extends CipherViewLike> implements OnDestroy
           return this.searchService.searchCiphers(
             userId,
             searchText,
-            [filter, this.deletedFilter, this.archivedFilter, restrictedTypeFilter],
+            [
+              filter,
+              this.deletedFilter,
+              ...(this.deleted ? [] : [this.archivedFilter]),
+              restrictedTypeFilter,
+            ],
             allCiphers,
           );
         }),

libs/angular/src/vault/index.ts

@@ -1,3 +1,4 @@
 // Note: Nudge related code is exported from `libs/angular` because it is consumed by multiple
 // `libs/*` packages. Exporting from the `libs/vault` package creates circular dependencies.
 export { NudgesService, NudgeStatus, NudgeType } from "./services/nudges.service";
+export { AUTOFILL_NUDGE_SERVICE } from "./services/nudge-injection-tokens";

libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.spec.ts

@@ -0,0 +1,226 @@
+import { TestBed } from "@angular/core/testing";
+import { mock, MockProxy } from "jest-mock-extended";
+import { BehaviorSubject, firstValueFrom } from "rxjs";
+
+import { AutomaticUserConfirmationService } from "@bitwarden/auto-confirm";
+import { StateProvider } from "@bitwarden/common/platform/state";
+import { UserId } from "@bitwarden/user-core";
+
+import { FakeStateProvider, mockAccountServiceWith } from "../../../../../../libs/common/spec";
+import { NUDGE_DISMISSED_DISK_KEY, NudgeType } from "../nudges.service";
+
+import { AutoConfirmNudgeService } from "./auto-confirm-nudge.service";
+
+describe("AutoConfirmNudgeService", () => {
+  let service: AutoConfirmNudgeService;
+  let autoConfirmService: MockProxy<AutomaticUserConfirmationService>;
+  let fakeStateProvider: FakeStateProvider;
+  const userId = "user-id" as UserId;
+
+  const mockAutoConfirmState = {
+    enabled: true,
+    showSetupDialog: false,
+    showBrowserNotification: true,
+  };
+
+  beforeEach(() => {
+    fakeStateProvider = new FakeStateProvider(mockAccountServiceWith(userId));
+    autoConfirmService = mock<AutomaticUserConfirmationService>();
+
+    TestBed.configureTestingModule({
+      providers: [
+        AutoConfirmNudgeService,
+        {
+          provide: StateProvider,
+          useValue: fakeStateProvider,
+        },
+        {
+          provide: AutomaticUserConfirmationService,
+          useValue: autoConfirmService,
+        },
+      ],
+    });
+
+    service = TestBed.inject(AutoConfirmNudgeService);
+  });
+
+  describe("nudgeStatus$", () => {
+    it("should return all dismissed when user cannot manage auto-confirm", async () => {
+      autoConfirmService.configuration$.mockReturnValue(new BehaviorSubject(mockAutoConfirmState));
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(false));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: true,
+      });
+    });
+
+    it("should return all dismissed when showBrowserNotification is false", async () => {
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: false,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: true,
+      });
+    });
+
+    it("should return not dismissed when showBrowserNotification is true and user can manage", async () => {
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: true,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: false,
+        hasSpotlightDismissed: false,
+      });
+    });
+
+    it("should return not dismissed when showBrowserNotification is undefined and user can manage", async () => {
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: undefined,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: false,
+        hasSpotlightDismissed: false,
+      });
+    });
+
+    it("should return stored nudge status when badge is already dismissed", async () => {
+      await fakeStateProvider.getUser(userId, NUDGE_DISMISSED_DISK_KEY).update(() => ({
+        [NudgeType.AutoConfirmNudge]: {
+          hasBadgeDismissed: true,
+          hasSpotlightDismissed: false,
+        },
+      }));
+
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: true,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: false,
+      });
+    });
+
+    it("should return stored nudge status when spotlight is already dismissed", async () => {
+      await fakeStateProvider.getUser(userId, NUDGE_DISMISSED_DISK_KEY).update(() => ({
+        [NudgeType.AutoConfirmNudge]: {
+          hasBadgeDismissed: false,
+          hasSpotlightDismissed: true,
+        },
+      }));
+
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: true,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: false,
+        hasSpotlightDismissed: true,
+      });
+    });
+
+    it("should return stored nudge status when both badge and spotlight are already dismissed", async () => {
+      await fakeStateProvider.getUser(userId, NUDGE_DISMISSED_DISK_KEY).update(() => ({
+        [NudgeType.AutoConfirmNudge]: {
+          hasBadgeDismissed: true,
+          hasSpotlightDismissed: true,
+        },
+      }));
+
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: true,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(true));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: true,
+      });
+    });
+
+    it("should prioritize user permissions over showBrowserNotification setting", async () => {
+      await fakeStateProvider.getUser(userId, NUDGE_DISMISSED_DISK_KEY).update(() => ({
+        [NudgeType.AutoConfirmNudge]: {
+          hasBadgeDismissed: false,
+          hasSpotlightDismissed: false,
+        },
+      }));
+
+      autoConfirmService.configuration$.mockReturnValue(
+        new BehaviorSubject({
+          ...mockAutoConfirmState,
+          showBrowserNotification: true,
+        }),
+      );
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(false));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: true,
+      });
+    });
+
+    it("should respect stored dismissal even when user cannot manage auto-confirm", async () => {
+      await fakeStateProvider.getUser(userId, NUDGE_DISMISSED_DISK_KEY).update(() => ({
+        [NudgeType.AutoConfirmNudge]: {
+          hasBadgeDismissed: true,
+          hasSpotlightDismissed: false,
+        },
+      }));
+
+      autoConfirmService.configuration$.mockReturnValue(new BehaviorSubject(mockAutoConfirmState));
+      autoConfirmService.canManageAutoConfirm$.mockReturnValue(new BehaviorSubject(false));
+
+      const result = await firstValueFrom(service.nudgeStatus$(NudgeType.AutoConfirmNudge, userId));
+
+      expect(result).toEqual({
+        hasBadgeDismissed: true,
+        hasSpotlightDismissed: true,
+      });
+    });
+  });
+});

libs/angular/src/vault/services/custom-nudges-services/auto-confirm-nudge.service.ts

@@ -0,0 +1,41 @@
+import { inject, Injectable } from "@angular/core";
+import { combineLatest, map, Observable } from "rxjs";
+
+import { AutomaticUserConfirmationService } from "@bitwarden/auto-confirm";
+import { UserId } from "@bitwarden/user-core";
+
+import { DefaultSingleNudgeService } from "../default-single-nudge.service";
+import { NudgeType, NudgeStatus } from "../nudges.service";
+
+@Injectable({ providedIn: "root" })
+export class AutoConfirmNudgeService extends DefaultSingleNudgeService {
+  autoConfirmService = inject(AutomaticUserConfirmationService);
+
+  nudgeStatus$(nudgeType: NudgeType, userId: UserId): Observable<NudgeStatus> {
+    return combineLatest([
+      this.getNudgeStatus$(nudgeType, userId),
+      this.autoConfirmService.configuration$(userId),
+      this.autoConfirmService.canManageAutoConfirm$(userId),
+    ]).pipe(
+      map(([nudgeStatus, autoConfirmState, canManageAutoConfirm]) => {
+        if (!canManageAutoConfirm) {
+          return {
+            hasBadgeDismissed: true,
+            hasSpotlightDismissed: true,
+          };
+        }
+
+        if (nudgeStatus.hasBadgeDismissed || nudgeStatus.hasSpotlightDismissed) {
+          return nudgeStatus;
+        }
+
+        const dismissed = autoConfirmState.showBrowserNotification === false;
+
+        return {
+          hasBadgeDismissed: dismissed,
+          hasSpotlightDismissed: dismissed,
+        };
+      }),
+    );
+  }
+}

libs/angular/src/vault/services/custom-nudges-services/index.ts

@@ -1,6 +1,8 @@
 export * from "./account-security-nudge.service";
+export * from "./auto-confirm-nudge.service";
 export * from "./has-items-nudge.service";
 export * from "./empty-vault-nudge.service";
 export * from "./vault-settings-import-nudge.service";
 export * from "./new-item-nudge.service";
 export * from "./new-account-nudge.service";
+export * from "./noop-nudge.service";

libs/angular/src/vault/services/custom-nudges-services/noop-nudge.service.ts

@@ -0,0 +1,27 @@
+import { Injectable } from "@angular/core";
+import { Observable, of } from "rxjs";
+
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { SingleNudgeService } from "../default-single-nudge.service";
+import { NudgeStatus, NudgeType } from "../nudges.service";
+
+/**
+ * A no-op nudge service that always returns dismissed status.
+ * Use this for nudges that should be completely ignored/hidden in certain clients.
+ * For example, browser-specific nudges can use this as the default in non-browser clients.
+ */
+@Injectable({ providedIn: "root" })
+export class NoOpNudgeService implements SingleNudgeService {
+  nudgeStatus$(_nudgeType: NudgeType, _userId: UserId): Observable<NudgeStatus> {
+    return of({ hasBadgeDismissed: true, hasSpotlightDismissed: true });
+  }
+
+  async setNudgeStatus(
+    _nudgeType: NudgeType,
+    _newStatus: NudgeStatus,
+    _userId: UserId,
+  ): Promise<void> {
+    // No-op: state changes are ignored
+  }
+}

libs/angular/src/vault/services/nudge-injection-tokens.ts

@@ -0,0 +1,7 @@
+import { InjectionToken } from "@angular/core";
+
+import { SingleNudgeService } from "./default-single-nudge.service";
+
+export const AUTOFILL_NUDGE_SERVICE = new InjectionToken<SingleNudgeService>(
+  "AutofillNudgeService",
+);

libs/angular/src/vault/services/nudges.service.spec.ts

@@ -23,6 +23,7 @@ import {
   AccountSecurityNudgeService,
   VaultSettingsImportNudgeService,
 } from "./custom-nudges-services";
+import { AutoConfirmNudgeService } from "./custom-nudges-services/auto-confirm-nudge.service";
 import { DefaultSingleNudgeService } from "./default-single-nudge.service";
 import { NudgesService, NudgeType } from "./nudges.service";
 
@@ -35,6 +36,7 @@ describe("Vault Nudges Service", () => {
     EmptyVaultNudgeService,
     NewAccountNudgeService,
     AccountSecurityNudgeService,
+    AutoConfirmNudgeService,
   ];
 
   beforeEach(async () => {
@@ -73,6 +75,10 @@ describe("Vault Nudges Service", () => {
           provide: VaultSettingsImportNudgeService,
           useValue: mock<VaultSettingsImportNudgeService>(),
         },
+        {
+          provide: AutoConfirmNudgeService,
+          useValue: mock<AutoConfirmNudgeService>(),
+        },
         {
           provide: ApiService,
           useValue: mock<ApiService>(),

libs/angular/src/vault/services/nudges.service.ts

@@ -12,8 +12,11 @@ import {
   NewItemNudgeService,
   AccountSecurityNudgeService,
   VaultSettingsImportNudgeService,
+  AutoConfirmNudgeService,
+  NoOpNudgeService,
 } from "./custom-nudges-services";
 import { DefaultSingleNudgeService, SingleNudgeService } from "./default-single-nudge.service";
+import { AUTOFILL_NUDGE_SERVICE } from "./nudge-injection-tokens";
 
 export type NudgeStatus = {
   hasBadgeDismissed: boolean;
@@ -37,6 +40,8 @@ export const NudgeType = {
   NewNoteItemStatus: "new-note-item-status",
   NewSshItemStatus: "new-ssh-item-status",
   GeneratorNudgeStatus: "generator-nudge-status",
+  AutoConfirmNudge: "auto-confirm-nudge",
+  PremiumUpgrade: "premium-upgrade",
 } as const;
 
 export type NudgeType = UnionOfValues<typeof NudgeType>;
@@ -55,6 +60,12 @@ export class NudgesService {
   private newItemNudgeService = inject(NewItemNudgeService);
   private newAcctNudgeService = inject(NewAccountNudgeService);
 
+  // NoOp service that always returns dismissed
+  private noOpNudgeService = inject(NoOpNudgeService);
+
+  // Optional Browser-specific service provided via injection token (not all clients have autofill)
+  private autofillNudgeService = inject(AUTOFILL_NUDGE_SERVICE, { optional: true });
+
   /**
    * Custom nudge services to use for specific nudge types
    * Each nudge type can have its own service to determine when to show the nudge
@@ -65,7 +76,7 @@ export class NudgesService {
     [NudgeType.EmptyVaultNudge]: inject(EmptyVaultNudgeService),
     [NudgeType.VaultSettingsImportNudge]: inject(VaultSettingsImportNudgeService),
     [NudgeType.AccountSecurity]: inject(AccountSecurityNudgeService),
-    [NudgeType.AutofillNudge]: this.newAcctNudgeService,
+    [NudgeType.AutofillNudge]: this.autofillNudgeService ?? this.noOpNudgeService,
     [NudgeType.DownloadBitwarden]: this.newAcctNudgeService,
     [NudgeType.GeneratorNudgeStatus]: this.newAcctNudgeService,
     [NudgeType.NewLoginItemStatus]: this.newItemNudgeService,
@@ -73,6 +84,7 @@ export class NudgesService {
     [NudgeType.NewIdentityItemStatus]: this.newItemNudgeService,
     [NudgeType.NewNoteItemStatus]: this.newItemNudgeService,
     [NudgeType.NewSshItemStatus]: this.newItemNudgeService,
+    [NudgeType.AutoConfirmNudge]: inject(AutoConfirmNudgeService),
   };
 
   /**
@@ -139,6 +151,7 @@ export class NudgesService {
       NudgeType.EmptyVaultNudge,
       NudgeType.DownloadBitwarden,
       NudgeType.AutofillNudge,
+      NudgeType.AutoConfirmNudge,
     ];
 
     const nudgeTypesWithBadge$ = nudgeTypes.map((nudge) => {

libs/angular/src/vault/vault-filter/components/collection-filter.component.ts

@@ -2,9 +2,10 @@
 // @ts-strict-ignore
 import { Directive, EventEmitter, Input, Output } from "@angular/core";
 
-// This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
-// eslint-disable-next-line no-restricted-imports
-import { CollectionTypes, CollectionView } from "@bitwarden/admin-console/common";
+import {
+  CollectionView,
+  CollectionTypes,
+} from "@bitwarden/common/admin-console/models/collections";
 import { ITreeNodeObject } from "@bitwarden/common/vault/models/domain/tree-node";
 
 import { DynamicTreeNode } from "../models/dynamic-tree-node.model";

libs/angular/src/vault/vault-filter/components/vault-filter.component.ts

@@ -3,9 +3,7 @@
 import { Directive, EventEmitter, Input, OnInit, Output } from "@angular/core";
 import { firstValueFrom, Observable } from "rxjs";
 
-// This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
-// eslint-disable-next-line no-restricted-imports
-import { CollectionView } from "@bitwarden/admin-console/common";
+import { CollectionView } from "@bitwarden/common/admin-console/models/collections";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
@@ -88,14 +86,10 @@ export class VaultFilterComponent implements OnInit {
     this.folders$ = await this.vaultFilterService.buildNestedFolders();
     this.collections = await this.initCollections();
 
-    const userCanArchive = await firstValueFrom(
-      this.cipherArchiveService.userCanArchive$(this.activeUserId),
-    );
-    const showArchiveVault = await firstValueFrom(
-      this.cipherArchiveService.showArchiveVault$(this.activeUserId),
+    this.showArchiveVaultFilter = await firstValueFrom(
+      this.cipherArchiveService.hasArchiveFlagEnabled$,
     );
 
-    this.showArchiveVaultFilter = userCanArchive || showArchiveVault;
     this.isLoaded = true;
   }
 

libs/angular/src/vault/vault-filter/models/vault-filter.model.ts

@@ -51,7 +51,8 @@ export class VaultFilter {
         cipherPassesFilter = CipherViewLikeUtils.isDeleted(cipher);
       }
       if (this.status === "archive" && cipherPassesFilter) {
-        cipherPassesFilter = CipherViewLikeUtils.isArchived(cipher);
+        cipherPassesFilter =
+          CipherViewLikeUtils.isArchived(cipher) && !CipherViewLikeUtils.isDeleted(cipher);
       }
       if (this.cipherType != null && cipherPassesFilter) {
         cipherPassesFilter = CipherViewLikeUtils.getType(cipher) === this.cipherType;

libs/angular/src/vault/vault-filter/services/vault-filter.service.ts

@@ -3,19 +3,17 @@ import { firstValueFrom, from, map, mergeMap, Observable, switchMap, take } from
 
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
-import {
-  CollectionService,
-  CollectionTypes,
-  CollectionView,
-} from "@bitwarden/admin-console/common";
+import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import {
+  CollectionView,
+  CollectionTypes,
+} from "@bitwarden/common/admin-console/models/collections";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
-import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
-import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { SingleUserState, StateProvider } from "@bitwarden/common/platform/state";
 import { UserId } from "@bitwarden/common/types/guid";
@@ -45,7 +43,6 @@ export class VaultFilterService implements DeprecatedVaultFilterServiceAbstracti
     protected policyService: PolicyService,
     protected stateProvider: StateProvider,
     protected accountService: AccountService,
-    protected configService: ConfigService,
     protected i18nService: I18nService,
   ) {}
 
@@ -116,18 +113,13 @@ export class VaultFilterService implements DeprecatedVaultFilterServiceAbstracti
       ),
     );
     const orgs = await this.buildOrganizations();
-    const defaulCollectionsFlagEnabled = await this.configService.getFeatureFlag(
-      FeatureFlag.CreateDefaultLocation,
-    );
 
     let collections =
       organizationId == null
         ? storedCollections
         : storedCollections.filter((c) => c.organizationId === organizationId);
 
-    if (defaulCollectionsFlagEnabled) {
-      collections = sortDefaultCollections(collections, orgs, this.i18nService.collator);
-    }
+    collections = sortDefaultCollections(collections, orgs, this.i18nService.collator);
 
     const nestedCollections = await this.collectionService.getAllNested(collections);
     return new DynamicTreeNode<CollectionView>({