[PM-27662] Introduce vault item transfer service (#17876)

* [PM-27662] Add revision date to policy response * [PM-27662] Introduce vault item transfer service * [PM-27662] Add feature flag check * [PM-27662] Add tests * [PM-27662] Add basic implementation to Web vault * [PM-27662] Remove redundant for loop * [PM-27662] Remove unnecessary distinctUntilChanged * [PM-27662] Avoid subscribing to userMigrationInfo$ if feature flag disabled * [PM-27662] Make UserMigrationInfo type more strict * [PM-27662] Typo * [PM-27662] Fix missing i18n * [PM-27662] Fix tests * [PM-27662] Fix tests/types related to policy changes * [PM-27662] Use getById operator
2025-12-19 09:43:23 +00:00 · 2025-12-09 15:14:40 -08:00
parent 6dba3ac377
commit f161a8c454
19 changed files with 1090 additions and 2 deletions
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -1475,6 +1475,9 @@
  "selectFile": {
    "message": "Select a file"
  },
  "itemsTransferred": {
    "message": "Items transferred"
  },
  "maxFileSize": {
    "message": "Maximum file size is 500 MB."
  },
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -708,6 +708,9 @@
  "addAttachment": {
    "message": "Add attachment"
  },
  "itemsTransferred": {
    "message": "Items transferred"
  },
  "fixEncryption": {
    "message": "Fix encryption"
  },
--- a/apps/web/src/app/vault/individual-vault/vault.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault.component.ts
@@ -84,7 +84,7 @@ import {
  CipherViewLikeUtils,
 } from "@bitwarden/common/vault/utils/cipher-view-like-utils";
 import { filterOutNullish } from "@bitwarden/common/vault/utils/observable-utilities";
-import { DialogRef, DialogService, ToastService, BannerComponent } from "@bitwarden/components";
+import { DialogRef, DialogService, ToastService } from "@bitwarden/components";
 import { CipherListView } from "@bitwarden/sdk-internal";
 import {
  AddEditFolderDialogComponent,
@@ -97,6 +97,8 @@ import {
  DecryptionFailureDialogComponent,
  DefaultCipherFormConfigService,
  PasswordRepromptService,
  VaultItemsTransferService,
  DefaultVaultItemsTransferService,
 } from "@bitwarden/vault";
 import { UnifiedUpgradePromptService } from "@bitwarden/web-vault/app/billing/individual/upgrade/services";
 import { OrganizationWarningsModule } from "@bitwarden/web-vault/app/billing/organizations/warnings/organization-warnings.module";
@@ -177,12 +179,12 @@ type EmptyStateMap = Record<EmptyStateType, EmptyStateItem>;
    VaultItemsModule,
    SharedModule,
    OrganizationWarningsModule,
    BannerComponent,
  ],
  providers: [
    RoutedVaultFilterService,
    RoutedVaultFilterBridgeService,
    DefaultCipherFormConfigService,
    { provide: VaultItemsTransferService, useClass: DefaultVaultItemsTransferService },
  ],
 })
 export class VaultComponent<C extends CipherViewLike> implements OnInit, OnDestroy {
@@ -349,6 +351,7 @@ export class VaultComponent<C extends CipherViewLike> implements OnInit, OnDestr
    private premiumUpgradePromptService: PremiumUpgradePromptService,
    private autoConfirmService: AutomaticUserConfirmationService,
    private configService: ConfigService,
    private vaultItemTransferService: VaultItemsTransferService,
  ) {}
  async ngOnInit() {
@@ -644,6 +647,8 @@ export class VaultComponent<C extends CipherViewLike> implements OnInit, OnDestr
    void this.unifiedUpgradePromptService.displayUpgradePromptConditionally();
    this.setupAutoConfirm();
    void this.vaultItemTransferService.enforceOrganizationDataOwnership(activeUserId);
  }
  ngOnDestroy() {
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -5185,6 +5185,9 @@
  "oldAttachmentsNeedFixDesc": {
    "message": "There are old file attachments in your vault that need to be fixed before you can rotate your account's encryption key."
  },
  "itemsTransferred": {
    "message": "Items transferred"
  },
  "yourAccountsFingerprint": {
    "message": "Your account's fingerprint phrase",
    "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
--- a/libs/common/src/admin-console/models/data/policy.data.ts
+++ b/libs/common/src/admin-console/models/data/policy.data.ts
@@ -11,6 +11,7 @@ export class PolicyData {
  type: PolicyType;
  data: Record<string, string | number | boolean>;
  enabled: boolean;
  revisionDate: string;
  constructor(response?: PolicyResponse) {
    if (response == null) {
@@ -22,6 +23,7 @@ export class PolicyData {
    this.type = response.type;
    this.data = response.data;
    this.enabled = response.enabled;
    this.revisionDate = response.revisionDate;
  }
  static fromPolicy(policy: Policy): PolicyData {
--- a/libs/common/src/admin-console/models/domain/policy.ts
+++ b/libs/common/src/admin-console/models/domain/policy.ts
@@ -19,6 +19,8 @@ export class Policy extends Domain {
   */
  enabled: boolean;
  revisionDate: Date;
  constructor(obj?: PolicyData) {
    super();
    if (obj == null) {
@@ -30,6 +32,7 @@ export class Policy extends Domain {
    this.type = obj.type;
    this.data = obj.data;
    this.enabled = obj.enabled;
    this.revisionDate = new Date(obj.revisionDate);
  }
  static fromResponse(response: PolicyResponse): Policy {
--- a/libs/common/src/admin-console/models/response/policy.response.ts
+++ b/libs/common/src/admin-console/models/response/policy.response.ts
@@ -9,6 +9,7 @@ export class PolicyResponse extends BaseResponse {
  data: any;
  enabled: boolean;
  canToggleState: boolean;
  revisionDate: string;
  constructor(response: any) {
    super(response);
@@ -18,5 +19,6 @@ export class PolicyResponse extends BaseResponse {
    this.data = this.getResponseProperty("Data");
    this.enabled = this.getResponseProperty("Enabled");
    this.canToggleState = this.getResponseProperty("CanToggleState") ?? true;
    this.revisionDate = this.getResponseProperty("RevisionDate");
  }
 }
--- a/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts
+++ b/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts
@@ -83,12 +83,15 @@ describe("PolicyService", () => {
        type: PolicyType.MaximumVaultTimeout,
        enabled: true,
        data: { minutes: 14 },
        revisionDate: expect.any(Date),
      },
      {
        id: "99",
        organizationId: "test-organization",
        type: PolicyType.DisableSend,
        enabled: true,
        data: undefined,
        revisionDate: expect.any(Date),
      },
    ]);
  });
@@ -113,6 +116,8 @@ describe("PolicyService", () => {
        organizationId: "test-organization",
        type: PolicyType.DisableSend,
        enabled: true,
        data: undefined,
        revisionDate: expect.any(Date),
      },
    ]);
  });
@@ -242,6 +247,8 @@ describe("PolicyService", () => {
        organizationId: "org1",
        type: PolicyType.DisablePersonalVaultExport,
        enabled: true,
        data: undefined,
        revisionDate: expect.any(Date),
      });
    });
@@ -331,24 +338,32 @@ describe("PolicyService", () => {
          organizationId: "org4",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy2",
          organizationId: "org1",
          type: PolicyType.ActivateAutofill,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy3",
          organizationId: "org5",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy4",
          organizationId: "org1",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
      ]);
    });
@@ -371,24 +386,32 @@ describe("PolicyService", () => {
          organizationId: "org4",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy2",
          organizationId: "org1",
          type: PolicyType.ActivateAutofill,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy3",
          organizationId: "org5",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: false,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy4",
          organizationId: "org1",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
      ]);
    });
@@ -411,24 +434,32 @@ describe("PolicyService", () => {
          organizationId: "org4",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy2",
          organizationId: "org1",
          type: PolicyType.ActivateAutofill,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy3",
          organizationId: "org5",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy4",
          organizationId: "org2",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
      ]);
    });
@@ -451,24 +482,32 @@ describe("PolicyService", () => {
          organizationId: "org4",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy2",
          organizationId: "org1",
          type: PolicyType.ActivateAutofill,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy3",
          organizationId: "org3",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
        {
          id: "policy4",
          organizationId: "org1",
          type: PolicyType.DisablePersonalVaultExport,
          enabled: true,
          data: undefined,
          revisionDate: expect.any(Date),
        },
      ]);
    });
@@ -788,6 +827,7 @@ describe("PolicyService", () => {
    policyData.type = type;
    policyData.enabled = enabled;
    policyData.data = data;
    policyData.revisionDate = new Date().toISOString();
    return policyData;
  }
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -64,6 +64,7 @@ export enum FeatureFlag {
  RiskInsightsForPremium = "pm-23904-risk-insights-for-premium",
  VaultLoadingSkeletons = "pm-25081-vault-skeleton-loaders",
  BrowserPremiumSpotlight = "pm-23384-browser-premium-spotlight",
  MigrateMyVaultToMyItems = "pm-20558-migrate-myvault-to-myitems",
  /* Platform */
  IpcChannelFramework = "ipc-channel-framework",
@@ -123,6 +124,7 @@ export const DefaultFeatureFlagValue = {
  [FeatureFlag.RiskInsightsForPremium]: FALSE,
  [FeatureFlag.VaultLoadingSkeletons]: FALSE,
  [FeatureFlag.BrowserPremiumSpotlight]: FALSE,
  [FeatureFlag.MigrateMyVaultToMyItems]: FALSE,
  /* Auth */
  [FeatureFlag.PM23801_PrefetchPasswordPrelogin]: FALSE,
--- a/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts
+++ b/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts
@@ -24,6 +24,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        overridePasswordType: override,
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([policy]);
@@ -44,6 +45,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        overridePasswordType: override,
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([policy, policy]);
@@ -64,6 +66,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        overridePasswordType: "password",
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const passphrase = new Policy({
      id: "" as PolicyId,
@@ -73,6 +76,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        overridePasswordType: "passphrase",
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([password, passphrase]);
@@ -93,6 +97,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        some: "policy",
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([policy]);
@@ -111,6 +116,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        some: "policy",
      },
      enabled: false,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([policy]);
@@ -129,6 +135,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
        some: "policy",
      },
      enabled: true,
      revisionDate: new Date().toISOString(),
    });
    const result = availableAlgorithms([policy]);
--- a/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts
+++ b/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
    data,
    enabled,
    type,
    revisionDate: new Date().toISOString(),
  });
 }
--- a/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts
+++ b/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
    data,
    enabled,
    type,
    revisionDate: new Date().toISOString(),
  });
 }
--- a/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts
+++ b/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts
@@ -57,6 +57,7 @@ const somePolicy = new Policy({
  id: "" as PolicyId,
  organizationId: "" as OrganizationId,
  enabled: true,
  revisionDate: new Date().toISOString(),
 });
 const stateProvider = new FakeStateProvider(accountService);
--- a/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts
+++ b/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts
@@ -70,6 +70,7 @@ describe("DefaultGeneratorNavigationService", () => {
              enabled: true,
              type: PolicyType.PasswordGenerator,
              data: { overridePasswordType: "password" },
              revisionDate: new Date().toISOString(),
            }),
          ]);
        },
--- a/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts
+++ b/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
    data,
    enabled,
    type,
    revisionDate: new Date().toISOString(),
  });
 }
--- a/libs/vault/src/abstractions/vault-items-transfer.service.ts
+++ b/libs/vault/src/abstractions/vault-items-transfer.service.ts
@@ -0,0 +1,59 @@
 import { Observable } from "rxjs";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
 import { UserId } from "@bitwarden/user-core";
 export type UserMigrationInfo =
  | {
      /**
       * Whether the user requires migration of their vault items from My Vault to a My Items collection due to an
       * organizational policy change. (Enforce organization data ownership policy enabled)
       */
      requiresMigration: false;
    }
  | {
      /**
       * Whether the user requires migration of their vault items from My Vault to a My Items collection due to an
       * organizational policy change. (Enforce organization data ownership policy enabled)
       */
      requiresMigration: true;
      /**
       * The organization that is enforcing data ownership policies for the given user.
       */
      enforcingOrganization: Organization;
      /**
       * The default collection ID for the user in the enforcing organization, if available.
       */
      defaultCollectionId?: CollectionId;
    };
 export abstract class VaultItemsTransferService {
  /**
   * Gets information about whether the given user requires migration of their vault items
   * from My Vault to a My Items collection, and whether they are capable of performing that migration.
   * @param userId
   */
  abstract userMigrationInfo$(userId: UserId): Observable<UserMigrationInfo>;
  /**
   * Enforces organization data ownership for the given user by transferring vault items.
   * Checks if any organization policies require the transfer, and if so, prompts the user to confirm before proceeding.
   *
   * Rejecting the transfer will result in the user being revoked from the organization.
   *
   * @param userId
   */
  abstract enforceOrganizationDataOwnership(userId: UserId): Promise<void>;
  /**
   * Begins transfer of vault items from My Vault to the specified default collection for the given user.
   */
  abstract transferPersonalItems(
    userId: UserId,
    organizationId: OrganizationId,
    defaultCollectionId: CollectionId,
  ): Promise<void>;
 }
--- a/libs/vault/src/index.ts
+++ b/libs/vault/src/index.ts
@@ -35,5 +35,7 @@ export { DefaultSshImportPromptService } from "./services/default-ssh-import-pro
 export { SshImportPromptService } from "./services/ssh-import-prompt.service";
 export * from "./abstractions/change-login-password.service";
 export * from "./abstractions/vault-items-transfer.service";
 export * from "./services/default-vault-items-transfer.service";
 export * from "./services/default-change-login-password.service";
 export * from "./services/archive-cipher-utilities.service";
--- a/libs/vault/src/services/default-vault-items-transfer.service.spec.ts
+++ b/libs/vault/src/services/default-vault-items-transfer.service.spec.ts
@@ -0,0 +1,721 @@
 import { mock, MockProxy } from "jest-mock-extended";
 import { firstValueFrom, of } from "rxjs";
 // eslint-disable-next-line no-restricted-imports
 import { CollectionService, CollectionView } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { DialogService, ToastService } from "@bitwarden/components";
 import { LogService } from "@bitwarden/logging";
 import { UserId } from "@bitwarden/user-core";
 import { DefaultVaultItemsTransferService } from "./default-vault-items-transfer.service";
 describe("DefaultVaultItemsTransferService", () => {
  let service: DefaultVaultItemsTransferService;
  let mockCipherService: MockProxy<CipherService>;
  let mockPolicyService: MockProxy<PolicyService>;
  let mockOrganizationService: MockProxy<OrganizationService>;
  let mockCollectionService: MockProxy<CollectionService>;
  let mockLogService: MockProxy<LogService>;
  let mockI18nService: MockProxy<I18nService>;
  let mockDialogService: MockProxy<DialogService>;
  let mockToastService: MockProxy<ToastService>;
  let mockConfigService: MockProxy<ConfigService>;
  const userId = "user-id" as UserId;
  const organizationId = "org-id" as OrganizationId;
  const collectionId = "collection-id" as CollectionId;
  beforeEach(() => {
    mockCipherService = mock<CipherService>();
    mockPolicyService = mock<PolicyService>();
    mockOrganizationService = mock<OrganizationService>();
    mockCollectionService = mock<CollectionService>();
    mockLogService = mock<LogService>();
    mockI18nService = mock<I18nService>();
    mockDialogService = mock<DialogService>();
    mockToastService = mock<ToastService>();
    mockConfigService = mock<ConfigService>();
    mockI18nService.t.mockImplementation((key) => key);
    service = new DefaultVaultItemsTransferService(
      mockCipherService,
      mockPolicyService,
      mockOrganizationService,
      mockCollectionService,
      mockLogService,
      mockI18nService,
      mockDialogService,
      mockToastService,
      mockConfigService,
    );
  });
  describe("userMigrationInfo$", () => {
    // Helper to setup common mock scenario
    function setupMocksForMigrationScenario(options: {
      policies?: Policy[];
      organizations?: Organization[];
      ciphers?: CipherView[];
      collections?: CollectionView[];
    }): void {
      mockPolicyService.policiesByType$.mockReturnValue(of(options.policies ?? []));
      mockOrganizationService.organizations$.mockReturnValue(of(options.organizations ?? []));
      mockCipherService.cipherViews$.mockReturnValue(of(options.ciphers ?? []));
      mockCollectionService.decryptedCollections$.mockReturnValue(of(options.collections ?? []));
    }
    it("calls policiesByType$ with correct PolicyType", async () => {
      setupMocksForMigrationScenario({ policies: [] });
      await firstValueFrom(service.userMigrationInfo$(userId));
      expect(mockPolicyService.policiesByType$).toHaveBeenCalledWith(
        PolicyType.OrganizationDataOwnership,
        userId,
      );
    });
    describe("when no policy exists", () => {
      beforeEach(() => {
        setupMocksForMigrationScenario({ policies: [] });
      });
      it("returns requiresMigration: false", async () => {
        const result = await firstValueFrom(service.userMigrationInfo$(userId));
        expect(result).toEqual({
          requiresMigration: false,
        });
      });
    });
    describe("when policy exists", () => {
      const policy = {
        organizationId: organizationId,
        revisionDate: new Date("2024-01-01"),
      } as Policy;
      const organization = {
        id: organizationId,
        name: "Test Org",
      } as Organization;
      beforeEach(() => {
        setupMocksForMigrationScenario({
          policies: [policy],
          organizations: [organization],
        });
      });
      describe("and user has no personal ciphers", () => {
        beforeEach(() => {
          mockCipherService.cipherViews$.mockReturnValue(of([]));
        });
        it("returns requiresMigration: false", async () => {
          const result = await firstValueFrom(service.userMigrationInfo$(userId));
          expect(result).toEqual({
            requiresMigration: false,
            enforcingOrganization: organization,
            defaultCollectionId: undefined,
          });
        });
      });
      describe("and user has personal ciphers", () => {
        beforeEach(() => {
          mockCipherService.cipherViews$.mockReturnValue(of([{ id: "cipher-1" } as CipherView]));
        });
        it("returns requiresMigration: true", async () => {
          const result = await firstValueFrom(service.userMigrationInfo$(userId));
          expect(result).toEqual({
            requiresMigration: true,
            enforcingOrganization: organization,
            defaultCollectionId: undefined,
          });
        });
        it("includes defaultCollectionId when a default collection exists", async () => {
          mockCollectionService.decryptedCollections$.mockReturnValue(
            of([
              {
                id: collectionId,
                organizationId: organizationId,
                isDefaultCollection: true,
              } as CollectionView,
            ]),
          );
          const result = await firstValueFrom(service.userMigrationInfo$(userId));
          expect(result).toEqual({
            requiresMigration: true,
            enforcingOrganization: organization,
            defaultCollectionId: collectionId,
          });
        });
        it("returns default collection only for the enforcing organization", async () => {
          mockCollectionService.decryptedCollections$.mockReturnValue(
            of([
              {
                id: "wrong-collection-id" as CollectionId,
                organizationId: "wrong-org-id" as OrganizationId,
                isDefaultCollection: true,
              } as CollectionView,
              {
                id: collectionId,
                organizationId: organizationId,
                isDefaultCollection: true,
              } as CollectionView,
            ]),
          );
          const result = await firstValueFrom(service.userMigrationInfo$(userId));
          expect(result).toEqual({
            requiresMigration: true,
            enforcingOrganization: organization,
            defaultCollectionId: collectionId,
          });
        });
      });
      it("filters out organization ciphers when checking for personal ciphers", async () => {
        mockCipherService.cipherViews$.mockReturnValue(
          of([
            {
              id: "cipher-1",
              organizationId: organizationId as string,
            } as CipherView,
          ]),
        );
        const result = await firstValueFrom(service.userMigrationInfo$(userId));
        expect(result).toEqual({
          requiresMigration: false,
          enforcingOrganization: organization,
          defaultCollectionId: undefined,
        });
      });
    });
    describe("when multiple policies exist", () => {
      const olderPolicy = {
        organizationId: "older-org-id" as OrganizationId,
        revisionDate: new Date("2024-01-01"),
      } as Policy;
      const newerPolicy = {
        organizationId: organizationId,
        revisionDate: new Date("2024-06-01"),
      } as Policy;
      const olderOrganization = {
        id: "older-org-id" as OrganizationId,
        name: "Older Org",
      } as Organization;
      const newerOrganization = {
        id: organizationId,
        name: "Newer Org",
      } as Organization;
      beforeEach(() => {
        setupMocksForMigrationScenario({
          policies: [newerPolicy, olderPolicy],
          organizations: [olderOrganization, newerOrganization],
          ciphers: [{ id: "cipher-1" } as CipherView],
        });
      });
      it("uses the oldest policy when selecting enforcing organization", async () => {
        const result = await firstValueFrom(service.userMigrationInfo$(userId));
        expect(result).toEqual({
          requiresMigration: true,
          enforcingOrganization: olderOrganization,
          defaultCollectionId: undefined,
        });
      });
    });
  });
  describe("transferPersonalItems", () => {
    it("does nothing when user has no personal ciphers", async () => {
      mockCipherService.cipherViews$.mockReturnValue(of([]));
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
      expect(mockLogService.info).not.toHaveBeenCalled();
    });
    it("calls shareManyWithServer with correct parameters", async () => {
      const personalCiphers = [{ id: "cipher-1" }, { id: "cipher-2" }] as CipherView[];
      mockCipherService.cipherViews$.mockReturnValue(of(personalCiphers));
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
        personalCiphers,
        organizationId,
        [collectionId],
        userId,
      );
    });
    it("transfers only personal ciphers, not organization ciphers", async () => {
      const allCiphers = [
        { id: "cipher-1" },
        { id: "cipher-2", organizationId: "other-org-id" },
        { id: "cipher-3" },
      ] as CipherView[];
      const expectedPersonalCiphers = [allCiphers[0], allCiphers[2]];
      mockCipherService.cipherViews$.mockReturnValue(of(allCiphers));
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
        expectedPersonalCiphers,
        organizationId,
        [collectionId],
        userId,
      );
    });
    it("propagates errors from shareManyWithServer", async () => {
      const personalCiphers = [{ id: "cipher-1" }] as CipherView[];
      const error = new Error("Transfer failed");
      mockCipherService.cipherViews$.mockReturnValue(of(personalCiphers));
      mockCipherService.shareManyWithServer.mockRejectedValue(error);
      await expect(
        service.transferPersonalItems(userId, organizationId, collectionId),
      ).rejects.toThrow("Transfer failed");
    });
  });
  describe("upgradeOldAttachments", () => {
    it("upgrades old attachments before transferring", async () => {
      const cipherWithOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      const upgradedCipher = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: false,
        attachments: [{ key: "new-key" }],
      } as unknown as CipherView;
      mockCipherService.cipherViews$
        .mockReturnValueOnce(of([cipherWithOldAttachment]))
        .mockReturnValueOnce(of([upgradedCipher]));
      mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(
        cipherWithOldAttachment,
        userId,
      );
      expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
        [upgradedCipher],
        organizationId,
        [collectionId],
        userId,
      );
    });
    it("upgrades multiple ciphers with old attachments", async () => {
      const cipher1 = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      const cipher2 = {
        id: "cipher-2",
        name: "Cipher 2",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      const upgradedCipher1 = { ...cipher1, hasOldAttachments: false } as CipherView;
      const upgradedCipher2 = { ...cipher2, hasOldAttachments: false } as CipherView;
      mockCipherService.cipherViews$
        .mockReturnValueOnce(of([cipher1, cipher2]))
        .mockReturnValueOnce(of([upgradedCipher1, upgradedCipher2]));
      mockCipherService.upgradeOldCipherAttachments
        .mockResolvedValueOnce(upgradedCipher1)
        .mockResolvedValueOnce(upgradedCipher2);
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledTimes(2);
      expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(cipher1, userId);
      expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(cipher2, userId);
    });
    it("skips attachments that already have keys", async () => {
      const cipherWithMixedAttachments = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: "existing-key" }, { key: null }],
      } as unknown as CipherView;
      const upgradedCipher = {
        ...cipherWithMixedAttachments,
        hasOldAttachments: false,
      } as unknown as CipherView;
      mockCipherService.cipherViews$
        .mockReturnValueOnce(of([cipherWithMixedAttachments]))
        .mockReturnValueOnce(of([upgradedCipher]));
      mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      // Should only be called once for the attachment without a key
      expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledTimes(1);
    });
    it("throws error when upgradeOldCipherAttachments fails", async () => {
      const cipherWithOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      mockCipherService.cipherViews$.mockReturnValue(of([cipherWithOldAttachment]));
      mockCipherService.upgradeOldCipherAttachments.mockRejectedValue(new Error("Upgrade failed"));
      await expect(
        service.transferPersonalItems(userId, organizationId, collectionId),
      ).rejects.toThrow("Failed to upgrade old attachments for cipher cipher-1");
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("throws error when upgrade returns cipher still having old attachments", async () => {
      const cipherWithOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      // Upgrade returns but cipher still has old attachments
      const stillOldCipher = {
        ...cipherWithOldAttachment,
        hasOldAttachments: true,
      } as unknown as CipherView;
      mockCipherService.cipherViews$.mockReturnValue(of([cipherWithOldAttachment]));
      mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(stillOldCipher);
      await expect(
        service.transferPersonalItems(userId, organizationId, collectionId),
      ).rejects.toThrow("Failed to upgrade old attachments for cipher cipher-1");
      expect(mockLogService.error).toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("throws error when sanity check finds remaining old attachments after upgrade", async () => {
      const cipherWithOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      const upgradedCipher = {
        ...cipherWithOldAttachment,
        hasOldAttachments: false,
      } as unknown as CipherView;
      // First call returns cipher with old attachment, second call (after upgrade) still returns old attachment
      mockCipherService.cipherViews$
        .mockReturnValueOnce(of([cipherWithOldAttachment]))
        .mockReturnValueOnce(of([cipherWithOldAttachment])); // Still has old attachments after re-fetch
      mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
      await expect(
        service.transferPersonalItems(userId, organizationId, collectionId),
      ).rejects.toThrow(
        "Failed to upgrade all old attachments. 1 ciphers still have old attachments.",
      );
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("logs info when upgrading old attachments", async () => {
      const cipherWithOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: true,
        attachments: [{ key: null }],
      } as unknown as CipherView;
      const upgradedCipher = {
        ...cipherWithOldAttachment,
        hasOldAttachments: false,
      } as unknown as CipherView;
      mockCipherService.cipherViews$
        .mockReturnValueOnce(of([cipherWithOldAttachment]))
        .mockReturnValueOnce(of([upgradedCipher]));
      mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockLogService.info).toHaveBeenCalledWith(
        expect.stringContaining("Found 1 ciphers with old attachments needing upgrade"),
      );
      expect(mockLogService.info).toHaveBeenCalledWith(
        expect.stringContaining("Successfully upgraded 1 ciphers with old attachments"),
      );
    });
    it("does not upgrade when ciphers have no old attachments", async () => {
      const cipherWithoutOldAttachment = {
        id: "cipher-1",
        name: "Cipher 1",
        hasOldAttachments: false,
      } as unknown as CipherView;
      mockCipherService.cipherViews$.mockReturnValue(of([cipherWithoutOldAttachment]));
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.transferPersonalItems(userId, organizationId, collectionId);
      expect(mockCipherService.upgradeOldCipherAttachments).not.toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).toHaveBeenCalled();
    });
  });
  describe("enforceOrganizationDataOwnership", () => {
    const policy = {
      organizationId: organizationId,
      revisionDate: new Date("2024-01-01"),
    } as Policy;
    const organization = {
      id: organizationId,
      name: "Test Org",
    } as Organization;
    function setupMocksForEnforcementScenario(options: {
      featureEnabled?: boolean;
      policies?: Policy[];
      organizations?: Organization[];
      ciphers?: CipherView[];
      collections?: CollectionView[];
    }): void {
      mockConfigService.getFeatureFlag.mockResolvedValue(options.featureEnabled ?? true);
      mockPolicyService.policiesByType$.mockReturnValue(of(options.policies ?? []));
      mockOrganizationService.organizations$.mockReturnValue(of(options.organizations ?? []));
      mockCipherService.cipherViews$.mockReturnValue(of(options.ciphers ?? []));
      mockCollectionService.decryptedCollections$.mockReturnValue(of(options.collections ?? []));
    }
    it("does nothing when feature flag is disabled", async () => {
      setupMocksForEnforcementScenario({
        featureEnabled: false,
        policies: [policy],
        organizations: [organization],
        ciphers: [{ id: "cipher-1" } as CipherView],
        collections: [
          {
            id: collectionId,
            organizationId: organizationId,
            isDefaultCollection: true,
          } as CollectionView,
        ],
      });
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockConfigService.getFeatureFlag).toHaveBeenCalledWith(
        FeatureFlag.MigrateMyVaultToMyItems,
      );
      expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("does nothing when no migration is required", async () => {
      setupMocksForEnforcementScenario({ policies: [] });
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("does nothing when user has no personal ciphers", async () => {
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: [],
      });
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("logs warning and returns when default collection is missing", async () => {
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: [{ id: "cipher-1" } as CipherView],
        collections: [],
      });
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockLogService.warning).toHaveBeenCalledWith(
        "Default collection is missing for user during organization data ownership enforcement",
      );
      expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("shows confirmation dialog when migration is required", async () => {
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: [{ id: "cipher-1" } as CipherView],
        collections: [
          {
            id: collectionId,
            organizationId: organizationId,
            isDefaultCollection: true,
          } as CollectionView,
        ],
      });
      mockDialogService.openSimpleDialog.mockResolvedValue(false);
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockDialogService.openSimpleDialog).toHaveBeenCalledWith({
        title: "Requires migration",
        content: "Your vault requires migration of personal items to your organization.",
        type: "warning",
      });
    });
    it("does not transfer items when user declines confirmation", async () => {
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: [{ id: "cipher-1" } as CipherView],
        collections: [
          {
            id: collectionId,
            organizationId: organizationId,
            isDefaultCollection: true,
          } as CollectionView,
        ],
      });
      mockDialogService.openSimpleDialog.mockResolvedValue(false);
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
    });
    it("transfers items and shows success toast when user confirms", async () => {
      const personalCiphers = [{ id: "cipher-1" } as CipherView];
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: personalCiphers,
        collections: [
          {
            id: collectionId,
            organizationId: organizationId,
            isDefaultCollection: true,
          } as CollectionView,
        ],
      });
      mockDialogService.openSimpleDialog.mockResolvedValue(true);
      mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
        personalCiphers,
        organizationId,
        [collectionId],
        userId,
      );
      expect(mockToastService.showToast).toHaveBeenCalledWith({
        variant: "success",
        message: "itemsTransferred",
      });
    });
    it("shows error toast when transfer fails", async () => {
      const personalCiphers = [{ id: "cipher-1" } as CipherView];
      setupMocksForEnforcementScenario({
        policies: [policy],
        organizations: [organization],
        ciphers: personalCiphers,
        collections: [
          {
            id: collectionId,
            organizationId: organizationId,
            isDefaultCollection: true,
          } as CollectionView,
        ],
      });
      mockDialogService.openSimpleDialog.mockResolvedValue(true);
      mockCipherService.shareManyWithServer.mockRejectedValue(new Error("Transfer failed"));
      await service.enforceOrganizationDataOwnership(userId);
      expect(mockLogService.error).toHaveBeenCalledWith(
        "Error transferring personal items to organization",
        expect.any(Error),
      );
      expect(mockToastService.showToast).toHaveBeenCalledWith({
        variant: "error",
        message: "errorOccurred",
      });
    });
  });
 });
--- a/libs/vault/src/services/default-vault-items-transfer.service.ts
+++ b/libs/vault/src/services/default-vault-items-transfer.service.ts
@@ -0,0 +1,231 @@
 import { Injectable } from "@angular/core";
 import { firstValueFrom, switchMap, map, of, Observable, combineLatest } from "rxjs";
 // eslint-disable-next-line no-restricted-imports
 import { CollectionService } from "@bitwarden/admin-console/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { getById } from "@bitwarden/common/platform/misc";
 import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { filterOutNullish } from "@bitwarden/common/vault/utils/observable-utilities";
 import { DialogService, ToastService } from "@bitwarden/components";
 import { LogService } from "@bitwarden/logging";
 import { UserId } from "@bitwarden/user-core";
 import {
  VaultItemsTransferService,
  UserMigrationInfo,
 } from "../abstractions/vault-items-transfer.service";
@Injectable()
 export class DefaultVaultItemsTransferService implements VaultItemsTransferService {
  constructor(
    private cipherService: CipherService,
    private policyService: PolicyService,
    private organizationService: OrganizationService,
    private collectionService: CollectionService,
    private logService: LogService,
    private i18nService: I18nService,
    private dialogService: DialogService,
    private toastService: ToastService,
    private configService: ConfigService,
  ) {}
  private enforcingOrganization$(userId: UserId): Observable<Organization | undefined> {
    return this.policyService.policiesByType$(PolicyType.OrganizationDataOwnership, userId).pipe(
      map(
        (policies) =>
          policies.sort((a, b) => a.revisionDate.getTime() - b.revisionDate.getTime())?.[0],
      ),
      switchMap((policy) => {
        if (policy == null) {
          return of(undefined);
        }
        return this.organizationService.organizations$(userId).pipe(getById(policy.organizationId));
      }),
    );
  }
  private personalCiphers$(userId: UserId): Observable<CipherView[]> {
    return this.cipherService.cipherViews$(userId).pipe(
      filterOutNullish(),
      map((ciphers) => ciphers.filter((c) => c.organizationId == null)),
    );
  }
  private defaultUserCollection$(
    userId: UserId,
    organizationId: OrganizationId,
  ): Observable<CollectionId | undefined> {
    return this.collectionService.decryptedCollections$(userId).pipe(
      map((collections) => {
        return collections.find((c) => c.isDefaultCollection && c.organizationId === organizationId)
          ?.id;
      }),
    );
  }
  userMigrationInfo$(userId: UserId): Observable<UserMigrationInfo> {
    return this.enforcingOrganization$(userId).pipe(
      switchMap((enforcingOrganization) => {
        if (enforcingOrganization == null) {
          return of<UserMigrationInfo>({
            requiresMigration: false,
          });
        }
        return combineLatest([
          this.personalCiphers$(userId),
          this.defaultUserCollection$(userId, enforcingOrganization.id),
        ]).pipe(
          map(([personalCiphers, defaultCollectionId]): UserMigrationInfo => {
            return {
              requiresMigration: personalCiphers.length > 0,
              enforcingOrganization,
              defaultCollectionId,
            };
          }),
        );
      }),
    );
  }
  async enforceOrganizationDataOwnership(userId: UserId): Promise<void> {
    const featureEnabled = await this.configService.getFeatureFlag(
      FeatureFlag.MigrateMyVaultToMyItems,
    );
    if (!featureEnabled) {
      return;
    }
    const migrationInfo = await firstValueFrom(this.userMigrationInfo$(userId));
    if (!migrationInfo.requiresMigration) {
      return;
    }
    if (migrationInfo.defaultCollectionId == null) {
      // TODO: Handle creating the default collection if missing (to be handled by AC in future work)
      this.logService.warning(
        "Default collection is missing for user during organization data ownership enforcement",
      );
      return;
    }
    // Temporary confirmation dialog. Full implementation in PM-27663
    const confirmMigration = await this.dialogService.openSimpleDialog({
      title: "Requires migration",
      content: "Your vault requires migration of personal items to your organization.",
      type: "warning",
    });
    if (!confirmMigration) {
      // TODO: Show secondary confirmation dialog in PM-27663, for now we just exit
      // TODO: Revoke user from organization if they decline migration PM-29465
      return;
    }
    try {
      await this.transferPersonalItems(
        userId,
        migrationInfo.enforcingOrganization.id,
        migrationInfo.defaultCollectionId,
      );
      this.toastService.showToast({
        variant: "success",
        message: this.i18nService.t("itemsTransferred"),
      });
    } catch (error) {
      this.logService.error("Error transferring personal items to organization", error);
      this.toastService.showToast({
        variant: "error",
        message: this.i18nService.t("errorOccurred"),
      });
    }
  }
  async transferPersonalItems(
    userId: UserId,
    organizationId: OrganizationId,
    defaultCollectionId: CollectionId,
  ): Promise<void> {
    let personalCiphers = await firstValueFrom(this.personalCiphers$(userId));
    if (personalCiphers.length === 0) {
      return;
    }
    const oldAttachmentCiphers = personalCiphers.filter((c) => c.hasOldAttachments);
    if (oldAttachmentCiphers.length > 0) {
      await this.upgradeOldAttachments(oldAttachmentCiphers, userId, organizationId);
      personalCiphers = await firstValueFrom(this.personalCiphers$(userId));
      // Sanity check to ensure all old attachments were upgraded, though upgradeOldAttachments should throw if any fail
      const remainingOldAttachments = personalCiphers.filter((c) => c.hasOldAttachments);
      if (remainingOldAttachments.length > 0) {
        throw new Error(
          `Failed to upgrade all old attachments. ${remainingOldAttachments.length} ciphers still have old attachments.`,
        );
      }
    }
    this.logService.info(
      `Starting transfer of ${personalCiphers.length} personal ciphers to organization ${organizationId} for user ${userId}`,
    );
    await this.cipherService.shareManyWithServer(
      personalCiphers,
      organizationId,
      [defaultCollectionId],
      userId,
    );
  }
  /**
   * Upgrades old attachments that don't have attachment keys.
   * Throws an error if any attachment fails to upgrade as it is not possible to share with an organization without a key.
   */
  private async upgradeOldAttachments(
    ciphers: CipherView[],
    userId: UserId,
    organizationId: OrganizationId,
  ): Promise<void> {
    this.logService.info(
      `Found ${ciphers.length} ciphers with old attachments needing upgrade during transfer to organization ${organizationId} for user ${userId}`,
    );
    for (const cipher of ciphers) {
      try {
        if (!cipher.hasOldAttachments) {
          continue;
        }
        const upgraded = await this.cipherService.upgradeOldCipherAttachments(cipher, userId);
        if (upgraded.hasOldAttachments) {
          this.logService.error(
            `Attachment upgrade did not complete successfully for cipher ${cipher.id} during transfer to organization ${organizationId} for user ${userId}`,
          );
          throw new Error(`Failed to upgrade old attachments for cipher ${cipher.id}`);
        }
      } catch (e) {
        this.logService.error(
          `Failed to upgrade old attachments for cipher ${cipher.id} during transfer to organization ${organizationId} for user ${userId}: ${e}`,
        );
        throw new Error(`Failed to upgrade old attachments for cipher ${cipher.id}`);
      }
    }
    this.logService.info(
      `Successfully upgraded ${ciphers.length} ciphers with old attachments during transfer to organization ${organizationId} for user ${userId}`,
    );
  }
 }