Merge branch 'main' of github.com:bitwarden/server into arch/seeder-api

# Conflicts:
#	util/Seeder/Recipes/OrganizationWithUsersRecipe.cs

test/Api.IntegrationTest/AdminConsole/Controllers/GroupsControllerPerformanceTests.cs

@@ -0,0 +1,63 @@
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Request;
+using Bit.Seeder.Recipes;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class GroupsControllerPerformanceTests(ITestOutputHelper testOutputHelper)
+{
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/groups/{id}
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5)]
+    //[InlineData(100, 10)]
+    //[InlineData(1000, 20)]
+    public async Task UpdateGroup_WithUsersAndCollections(int userCount, int collectionCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        var groupIds = groupsSeeder.AddToOrganization(orgId, 1, orgUserIds, 0);
+
+        var groupId = groupIds.First();
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var updateRequest = new GroupRequestModel
+        {
+            Name = "Updated Group Name",
+            Collections = collectionIds.Select(c => new SelectionReadOnlyRequestModel { Id = c, ReadOnly = false, HidePasswords = false, Manage = false }),
+            Users = orgUserIds
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(updateRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/groups/{groupId}", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /organizations/{{orgId}}/groups/{{id}} - Users: {orgUserIds.Count}; Collections: {collectionIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}

test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUserControllerBulkRevokeTests.cs

@@ -0,0 +1,347 @@
+using System.Net;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.AdminConsole.Models.Response.Organizations;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Providers.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class OrganizationUserControllerBulkRevokeTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+
+    private Organization _organization = null!;
+    private string _ownerEmail = null!;
+
+    public OrganizationUserControllerBulkRevokeTests(ApiApplicationFactory apiFactory)
+    {
+        _factory = apiFactory;
+        _factory.SubstituteService<IFeatureService>(featureService =>
+        {
+            featureService
+                .IsEnabled(FeatureFlagKeys.BulkRevokeUsersV2)
+                .Returns(true);
+        });
+        _client = _factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        _ownerEmail = $"org-user-bulk-revoke-test-{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+
+        (_organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseMonthly,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 10, paymentMethod: PaymentMethodType.Card);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Fact]
+    public async Task BulkRevoke_Success()
+    {
+        var (ownerEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Owner);
+
+        await _loginHelper.LoginAsync(ownerEmail);
+
+        var (_, orgUser1) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+        var (_, orgUser2) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+
+        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [orgUser1.Id, orgUser2.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Equal(2, content.Data.Count());
+        Assert.All(content.Data, r => Assert.Empty(r.Error));
+
+        var actualUsers = await organizationUserRepository.GetManyAsync([orgUser1.Id, orgUser2.Id]);
+        Assert.All(actualUsers, u => Assert.Equal(OrganizationUserStatusType.Revoked, u.Status));
+    }
+
+    [Fact]
+    public async Task BulkRevoke_AsAdmin_Success()
+    {
+        var (adminEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Admin);
+
+        await _loginHelper.LoginAsync(adminEmail);
+
+        var (_, orgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [orgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Single(content.Data);
+        Assert.All(content.Data, r => Assert.Empty(r.Error));
+
+        var actualUser = await _factory.GetService<IOrganizationUserRepository>().GetByIdAsync(orgUser.Id);
+        Assert.NotNull(actualUser);
+        Assert.Equal(OrganizationUserStatusType.Revoked, actualUser.Status);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_CannotRevokeSelf_ReturnsError()
+    {
+        var (userEmail, orgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Admin);
+
+        await _loginHelper.LoginAsync(userEmail);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [orgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Single(content.Data);
+        Assert.Contains(content.Data, r => r.Id == orgUser.Id && r.Error == "You cannot revoke yourself.");
+
+        var actualUser = await _factory.GetService<IOrganizationUserRepository>().GetByIdAsync(orgUser.Id);
+        Assert.NotNull(actualUser);
+        Assert.Equal(OrganizationUserStatusType.Confirmed, actualUser.Status);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_AlreadyRevoked_ReturnsError()
+    {
+        var (ownerEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Owner);
+
+        await _loginHelper.LoginAsync(ownerEmail);
+
+        var (_, orgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+
+        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+
+        await organizationUserRepository.RevokeAsync(orgUser.Id);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [orgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Single(content.Data);
+        Assert.Contains(content.Data, r => r.Id == orgUser.Id && r.Error == "Already revoked.");
+
+        var actualUser = await organizationUserRepository.GetByIdAsync(orgUser.Id);
+        Assert.NotNull(actualUser);
+        Assert.Equal(OrganizationUserStatusType.Revoked, actualUser.Status);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_AdminCannotRevokeOwner_ReturnsError()
+    {
+        var (adminEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Admin);
+
+        await _loginHelper.LoginAsync(adminEmail);
+
+        var (_, ownerOrgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.Owner);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [ownerOrgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Single(content.Data);
+        Assert.Contains(content.Data, r => r.Id == ownerOrgUser.Id && r.Error == "Only owners can revoke other owners.");
+
+        var actualUser = await _factory.GetService<IOrganizationUserRepository>().GetByIdAsync(ownerOrgUser.Id);
+        Assert.NotNull(actualUser);
+        Assert.Equal(OrganizationUserStatusType.Confirmed, actualUser.Status);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_MixedResults()
+    {
+        var (ownerEmail, requestingOwner) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Owner);
+
+        await _loginHelper.LoginAsync(ownerEmail);
+
+        var (_, validOrgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+        var (_, alreadyRevokedOrgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+
+        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+
+        await organizationUserRepository.RevokeAsync(alreadyRevokedOrgUser.Id);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [validOrgUser.Id, alreadyRevokedOrgUser.Id, requestingOwner.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+        var content = await httpResponse.Content.ReadFromJsonAsync<ListResponseModel<OrganizationUserBulkResponseModel>>();
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+        Assert.NotNull(content);
+        Assert.Equal(3, content.Data.Count());
+
+        Assert.Contains(content.Data, r => r.Id == validOrgUser.Id && r.Error == string.Empty);
+        Assert.Contains(content.Data, r => r.Id == alreadyRevokedOrgUser.Id && r.Error == "Already revoked.");
+        Assert.Contains(content.Data, r => r.Id == requestingOwner.Id && r.Error == "You cannot revoke yourself.");
+
+        var actualUsers = await organizationUserRepository.GetManyAsync([validOrgUser.Id, alreadyRevokedOrgUser.Id, requestingOwner.Id]);
+        Assert.Equal(OrganizationUserStatusType.Revoked, actualUsers.First(u => u.Id == validOrgUser.Id).Status);
+        Assert.Equal(OrganizationUserStatusType.Revoked, actualUsers.First(u => u.Id == alreadyRevokedOrgUser.Id).Status);
+        Assert.Equal(OrganizationUserStatusType.Confirmed, actualUsers.First(u => u.Id == requestingOwner.Id).Status);
+    }
+
+    [Theory]
+    [InlineData(OrganizationUserType.User)]
+    [InlineData(OrganizationUserType.Custom)]
+    public async Task BulkRevoke_WithoutManageUsersPermission_ReturnsForbidden(OrganizationUserType organizationUserType)
+    {
+        var (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, organizationUserType, new Permissions { ManageUsers = false });
+
+        await _loginHelper.LoginAsync(userEmail);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [Guid.NewGuid()]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+
+        Assert.Equal(HttpStatusCode.Forbidden, httpResponse.StatusCode);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_WithEmptyIds_ReturnsBadRequest()
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = []
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+
+        Assert.Equal(HttpStatusCode.BadRequest, httpResponse.StatusCode);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_WithInvalidOrganizationId_ReturnsForbidden()
+    {
+        var (ownerEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Owner);
+
+        await _loginHelper.LoginAsync(ownerEmail);
+
+        var (_, orgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id, OrganizationUserType.User);
+
+        var invalidOrgId = Guid.NewGuid();
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [orgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{invalidOrgId}/users/revoke", request);
+
+        Assert.Equal(HttpStatusCode.Forbidden, httpResponse.StatusCode);
+    }
+
+    [Fact]
+    public async Task BulkRevoke_ProviderRevokesOwner_ReturnsOk()
+    {
+        var providerEmail = $"provider-user{Guid.NewGuid()}@example.com";
+
+        // create user for provider
+        await _factory.LoginWithNewAccount(providerEmail);
+
+        // create provider and provider user
+        await _factory.GetService<ICreateProviderCommand>()
+            .CreateBusinessUnitAsync(
+                new Provider
+                {
+                    Name = "provider",
+                    Type = ProviderType.BusinessUnit
+                },
+                providerEmail,
+                PlanType.EnterpriseAnnually2023,
+                10);
+
+        await _loginHelper.LoginAsync(providerEmail);
+
+        var providerUserUser = await _factory.GetService<IUserRepository>().GetByEmailAsync(providerEmail);
+
+        var providerUserCollection = await _factory.GetService<IProviderUserRepository>()
+            .GetManyByUserAsync(providerUserUser!.Id);
+
+        var providerUser = providerUserCollection.First();
+
+        await _factory.GetService<IProviderOrganizationRepository>().CreateAsync(new ProviderOrganization
+        {
+            ProviderId = providerUser.ProviderId,
+            OrganizationId = _organization.Id,
+            Key = null,
+            Settings = null
+        });
+
+        var (_, ownerOrgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory,
+            _organization.Id, OrganizationUserType.Owner);
+
+        var request = new OrganizationUserBulkRequestModel
+        {
+            Ids = [ownerOrgUser.Id]
+        };
+
+        var httpResponse = await _client.PutAsJsonAsync($"organizations/{_organization.Id}/users/revoke", request);
+
+        Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
+    }
+}

test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPerformanceTests.cs

@@ -1,39 +1,593 @@
 using System.Net;
-using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Request;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Seeder.Recipes;
 using Xunit;
 using Xunit.Abstractions;
 
 namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
 
-public class OrganizationUsersControllerPerformanceTest(ITestOutputHelper testOutputHelper)
+public class OrganizationUsersControllerPerformanceTests(ITestOutputHelper testOutputHelper)
 {
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users?includeCollections=true
+    /// </summary>
     [Theory(Skip = "Performance test")]
-    [InlineData(100)]
-    [InlineData(60000)]
-    public async Task GetAsync(int seats)
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task GetAllUsers_WithCollections(int seats)
     {
         await using var factory = new SqlServerApiApplicationFactory();
         var client = factory.CreateClient();
 
         var db = factory.GetDatabaseContext();
-        var seeder = new OrganizationWithUsersRecipe(db);
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
 
-        var orgId = seeder.Seed("Org", seats, "large.test");
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
 
-        var tokens = await factory.LoginAsync("admin@large.test", "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=");
-        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: seats);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, 10, orgUserIds);
+        groupsSeeder.AddToOrganization(orgId, 5, orgUserIds);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
 
         var stopwatch = System.Diagnostics.Stopwatch.StartNew();
 
         var response = await client.GetAsync($"/organizations/{orgId}/users?includeCollections=true");
         Assert.Equal(HttpStatusCode.OK, response.StatusCode);
 
-        var result = await response.Content.ReadAsStringAsync();
-        Assert.NotEmpty(result);
+        stopwatch.Stop();
+        testOutputHelper.WriteLine($"GET /users - Seats: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/mini-details
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task GetAllUsers_MiniDetails(int seats)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: seats);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, 10, orgUserIds);
+        groupsSeeder.AddToOrganization(orgId, 5, orgUserIds);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/mini-details");
 
         stopwatch.Stop();
-        testOutputHelper.WriteLine($"Seed: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        testOutputHelper.WriteLine($"GET /users/mini-details - Seats: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/{id}?includeGroups=true
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task GetSingleUser_WithGroups()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserId = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).FirstOrDefault();
+        groupsSeeder.AddToOrganization(orgId, 2, [orgUserId]);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/{orgUserId}?includeGroups=true");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"GET /users/{{id}} - Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/{id}/reset-password-details
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task GetResetPasswordDetails_ForSingleUser()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserId = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).FirstOrDefault();
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/{orgUserId}/reset-password-details");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"GET /users/{{id}}/reset-password-details - Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/confirm
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkConfirmUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Accepted);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var acceptedUserIds = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Status == OrganizationUserStatusType.Accepted)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var confirmRequest = new OrganizationUserBulkConfirmRequestModel
+        {
+            Keys = acceptedUserIds.Select(id => new OrganizationUserBulkConfirmRequestModelEntry { Id = id, Key = "test-key-" + id }),
+            DefaultUserCollectionName = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk="
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(confirmRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/confirm", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/confirm - Users: {acceptedUserIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/remove
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRemoveUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRemove = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var removeRequest = new OrganizationUserBulkRequestModel { Ids = usersToRemove };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(removeRequest), Encoding.UTF8, "application/json");
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/remove", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/remove - Users: {usersToRemove.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/revoke
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRevokeUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRevoke = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var revokeRequest = new OrganizationUserBulkRequestModel { Ids = usersToRevoke };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(revokeRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/revoke", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/revoke - Users: {usersToRevoke.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/restore
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRestoreUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Revoked);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRestore = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var restoreRequest = new OrganizationUserBulkRequestModel { Ids = usersToRestore };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(restoreRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/restore", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/restore - Users: {usersToRestore.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/delete-account
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkDeleteAccounts(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var domainSeeder = new OrganizationDomainRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        domainSeeder.AddVerifiedDomainToOrganization(orgId, domain);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToDelete = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var deleteRequest = new OrganizationUserBulkRequestModel { Ids = usersToDelete };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/delete-account", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/delete-account - Users: {usersToDelete.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/{id}
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task UpdateSingleUser_WithCollectionsAndGroups()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, 3, orgUserIds, 0);
+        var groupIds = groupsSeeder.AddToOrganization(orgId, 2, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var userToUpdate = db.OrganizationUsers
+            .FirstOrDefault(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User);
+
+        var updateRequest = new OrganizationUserUpdateRequestModel
+        {
+            Type = OrganizationUserType.Custom,
+            Collections = collectionIds.Select(c => new SelectionReadOnlyRequestModel { Id = c, ReadOnly = false, HidePasswords = false, Manage = false }),
+            Groups = groupIds,
+            AccessSecretsManager = false,
+            Permissions = new Permissions { AccessEventLogs = true }
+        };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/{userToUpdate.Id}",
+            new StringContent(JsonSerializer.Serialize(updateRequest), Encoding.UTF8, "application/json"));
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/{{id}} - Collections: {collectionIds.Count}; Groups: {groupIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/enable-secrets-manager
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkEnableSecretsManager(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToEnable = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var enableRequest = new OrganizationUserBulkRequestModel { Ids = usersToEnable };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(enableRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/enable-secrets-manager", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/enable-secrets-manager - Users: {usersToEnable.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests DELETE /organizations/{orgId}/users/{id}/delete-account
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task DeleteSingleUserAccount_FromVerifiedDomain()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var domainSeeder = new OrganizationDomainRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: 2,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        domainSeeder.AddVerifiedDomainToOrganization(orgId, domain);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var userToDelete = db.OrganizationUsers
+            .FirstOrDefault(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User);
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.DeleteAsync($"/organizations/{orgId}/users/{userToDelete.Id}/delete-account");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"DELETE /users/{{id}}/delete-account - Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/invite
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(1)]
+    //[InlineData(5)]
+    //[InlineData(20)]
+    public async Task InviteUsers(int emailCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, 2, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var emails = Enumerable.Range(0, emailCount).Select(i => $"{i:D4}@{domain}").ToArray();
+        var inviteRequest = new OrganizationUserInviteRequestModel
+        {
+            Emails = emails,
+            Type = OrganizationUserType.User,
+            AccessSecretsManager = false,
+            Collections = Array.Empty<SelectionReadOnlyRequestModel>(),
+            Groups = Array.Empty<Guid>(),
+            Permissions = null
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(inviteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/invite", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/invite - Emails: {emails.Length}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/reinvite
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkReinviteUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Invited);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToReinvite = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Status == OrganizationUserStatusType.Invited)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var reinviteRequest = new OrganizationUserBulkRequestModel { Ids = usersToReinvite };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(reinviteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/reinvite", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/reinvite - Users: {usersToReinvite.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
     }
 }

test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPutResetPasswordTests.cs

@@ -3,7 +3,6 @@ using Bit.Api.AdminConsole.Authorization;
 using Bit.Api.IntegrationTest.Factories;
 using Bit.Api.IntegrationTest.Helpers;
 using Bit.Api.Models.Request.Organizations;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums;
@@ -14,8 +13,6 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
-using NSubstitute;
 using Xunit;
 
 namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
@@ -32,12 +29,6 @@ public class OrganizationUsersControllerPutResetPasswordTests : IClassFixture<Ap
     public OrganizationUsersControllerPutResetPasswordTests(ApiApplicationFactory apiFactory)
     {
         _factory = apiFactory;
-        _factory.SubstituteService<IFeatureService>(featureService =>
-        {
-            featureService
-                .IsEnabled(FeatureFlagKeys.AccountRecoveryCommand)
-                .Returns(true);
-        });
         _client = _factory.CreateClient();
         _loginHelper = new LoginHelper(_factory, _client);
     }

test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationsControllerPerformanceTests.cs

@@ -0,0 +1,163 @@
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Tokens;
+using Bit.Seeder.Recipes;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class OrganizationsControllerPerformanceTests(ITestOutputHelper testOutputHelper)
+{
+    /// <summary>
+    /// Tests DELETE /organizations/{id} with password verification
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5, 3)]
+    //[InlineData(100, 20, 10)]
+    //[InlineData(1000, 50, 25)]
+    public async Task DeleteOrganization_WithPasswordVerification(int userCount, int collectionCount, int groupCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        groupsSeeder.AddToOrganization(orgId, groupCount, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var deleteRequest = new SecretVerificationRequestModel
+        {
+            MasterPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs="
+        };
+
+        var request = new HttpRequestMessage(HttpMethod.Delete, $"/organizations/{orgId}")
+        {
+            Content = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json")
+        };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+
+        var response = await client.SendAsync(request);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"DELETE /organizations/{{id}} - Users: {userCount}; Collections: {collectionCount}; Groups: {groupCount}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{id}/delete-recover-token with token verification
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5, 3)]
+    //[InlineData(100, 20, 10)]
+    //[InlineData(1000, 50, 25)]
+    public async Task DeleteOrganization_WithTokenVerification(int userCount, int collectionCount, int groupCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        groupsSeeder.AddToOrganization(orgId, groupCount, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var organization = db.Organizations.FirstOrDefault(o => o.Id == orgId);
+        Assert.NotNull(organization);
+
+        var tokenFactory = factory.GetService<IDataProtectorTokenFactory<OrgDeleteTokenable>>();
+        var tokenable = new OrgDeleteTokenable(organization, 24);
+        var token = tokenFactory.Protect(tokenable);
+
+        var deleteRequest = new OrganizationVerifyDeleteRecoverRequestModel
+        {
+            Token = token
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/delete-recover-token", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /organizations/{{id}}/delete-recover-token - Users: {userCount}; Collections: {collectionCount}; Groups: {groupCount}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/create-without-payment
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task CreateOrganization_WithoutPayment()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var email = $"user@{OrganizationTestHelpers.GenerateRandomDomain()}";
+        var masterPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=";
+
+        await factory.LoginWithNewAccount(email, masterPasswordHash);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, email, masterPasswordHash);
+
+        var createRequest = new OrganizationNoPaymentCreateRequest
+        {
+            Name = "Test Organization",
+            BusinessName = "Test Business Name",
+            BillingEmail = email,
+            PlanType = PlanType.EnterpriseAnnually,
+            Key = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=",
+            AdditionalSeats = 1,
+            AdditionalStorageGb = 1,
+            UseSecretsManager = true,
+            AdditionalSmSeats = 1,
+            AdditionalServiceAccounts = 2,
+            MaxAutoscaleSeats = 100,
+            PremiumAccessAddon = false,
+            CollectionName = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk="
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(createRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync("/organizations/create-without-payment", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /organizations/create-without-payment - AdditionalSeats: {createRequest.AdditionalSeats}; AdditionalStorageGb: {createRequest.AdditionalStorageGb}; AdditionalSmSeats: {createRequest.AdditionalSmSeats}; AdditionalServiceAccounts: {createRequest.AdditionalServiceAccounts}; MaxAutoscaleSeats: {createRequest.MaxAutoscaleSeats}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}

test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs

@@ -192,6 +192,15 @@ public static class OrganizationTestHelpers
         await policyRepository.CreateAsync(policy);
     }
 
+    /// <summary>
+    /// Generates a unique random domain name for testing purposes.
+    /// </summary>
+    /// <returns>A domain string like "a1b2c3d4.com"</returns>
+    public static string GenerateRandomDomain()
+    {
+        return $"{Guid.NewGuid().ToString("N").Substring(0, 8)}.com";
+    }
+
     /// <summary>
     /// Creates a user account without a Master Password and adds them as a member to the specified organization.
     /// </summary>

test/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs

@@ -0,0 +1,32 @@
+using System.Net.Http.Headers;
+using Bit.Api.IntegrationTest.Factories;
+
+namespace Bit.Api.IntegrationTest.Helpers;
+
+/// <summary>
+/// Helper methods for performance tests to reduce code duplication.
+/// </summary>
+public static class PerformanceTestHelpers
+{
+    /// <summary>
+    /// Standard password hash used across performance tests.
+    /// </summary>
+    public const string StandardPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=";
+
+    /// <summary>
+    /// Authenticates an HttpClient with a bearer token for the specified user.
+    /// </summary>
+    /// <param name="factory">The application factory to use for login.</param>
+    /// <param name="client">The HttpClient to authenticate.</param>
+    /// <param name="email">The user's email address.</param>
+    /// <param name="masterPasswordHash">The user's master password hash. Defaults to StandardPasswordHash.</param>
+    public static async Task AuthenticateClientAsync(
+        SqlServerApiApplicationFactory factory,
+        HttpClient client,
+        string email,
+        string? masterPasswordHash = null)
+    {
+        var tokens = await factory.LoginAsync(email, masterPasswordHash ?? StandardPasswordHash);
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+    }
+}

test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs

@@ -3,9 +3,11 @@ using System.Net;
 using Bit.Api.IntegrationTest.Factories;
 using Bit.Api.IntegrationTest.Helpers;
 using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Api.KeyManagement.Models.Responses;
 using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models;
 using Bit.Api.Vault.Models.Request;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
@@ -286,20 +288,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     public async Task PostSetKeyConnectorKeyAsync_Success(string organizationSsoIdentifier,
         SetKeyConnectorKeyRequestModel request)
     {
-        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory,
-            PlanType.EnterpriseAnnually, _ownerEmail, passwordManagerSeats: 10,
-            paymentMethod: PaymentMethodType.Card);
-        organization.UseKeyConnector = true;
-        organization.UseSso = true;
-        organization.Identifier = organizationSsoIdentifier;
-        await _organizationRepository.ReplaceAsync(organization);
-
-        var ssoUserEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
-        await _factory.LoginWithNewAccount(ssoUserEmail);
-        await _loginHelper.LoginAsync(ssoUserEmail);
-
-        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, ssoUserEmail,
-            OrganizationUserType.User, userStatusType: OrganizationUserStatusType.Invited);
+        var (ssoUserEmail, organization) = await SetupKeyConnectorTestAsync(OrganizationUserStatusType.Invited, organizationSsoIdentifier);
 
         var ssoUser = await _userRepository.GetByEmailAsync(ssoUserEmail);
         Assert.NotNull(ssoUser);
@@ -340,19 +329,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     [Fact]
     public async Task PostConvertToKeyConnectorAsync_Success()
     {
-        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory,
-            PlanType.EnterpriseAnnually, _ownerEmail, passwordManagerSeats: 10,
-            paymentMethod: PaymentMethodType.Card);
-        organization.UseKeyConnector = true;
-        organization.UseSso = true;
-        await _organizationRepository.ReplaceAsync(organization);
-
-        var ssoUserEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
-        await _factory.LoginWithNewAccount(ssoUserEmail);
-        await _loginHelper.LoginAsync(ssoUserEmail);
-
-        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, ssoUserEmail,
-            OrganizationUserType.User, userStatusType: OrganizationUserStatusType.Accepted);
+        var (ssoUserEmail, organization) = await SetupKeyConnectorTestAsync(OrganizationUserStatusType.Accepted);
 
         var response = await _client.PostAsJsonAsync("/accounts/convert-to-key-connector", new { });
         response.EnsureSuccessStatusCode();
@@ -556,4 +533,41 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
         Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfMemory, userNewState.KdfMemory);
         Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfParallelism, userNewState.KdfParallelism);
     }
+
+    [Fact]
+    public async Task GetKeyConnectorConfirmationDetailsAsync_Success()
+    {
+        var (ssoUserEmail, organization) = await SetupKeyConnectorTestAsync(OrganizationUserStatusType.Invited);
+
+        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, ssoUserEmail,
+            OrganizationUserType.User, userStatusType: OrganizationUserStatusType.Accepted);
+
+        var response = await _client.GetAsync($"/accounts/key-connector/confirmation-details/{organization.Identifier}");
+        response.EnsureSuccessStatusCode();
+        var result = await response.Content.ReadFromJsonAsync<KeyConnectorConfirmationDetailsResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(organization.Name, result.OrganizationName);
+    }
+
+    private async Task<(string, Organization)> SetupKeyConnectorTestAsync(OrganizationUserStatusType userStatusType,
+        string organizationSsoIdentifier = "test-sso-identifier")
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory,
+            PlanType.EnterpriseAnnually, _ownerEmail, passwordManagerSeats: 10,
+            paymentMethod: PaymentMethodType.Card);
+        organization.UseKeyConnector = true;
+        organization.UseSso = true;
+        organization.Identifier = organizationSsoIdentifier;
+        await _organizationRepository.ReplaceAsync(organization);
+
+        var ssoUserEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(ssoUserEmail);
+        await _loginHelper.LoginAsync(ssoUserEmail);
+
+        await OrganizationTestHelpers.CreateUserAsync(_factory, organization.Id, ssoUserEmail,
+            OrganizationUserType.User, userStatusType: userStatusType);
+
+        return (ssoUserEmail, organization);
+    }
 }

test/Api.IntegrationTest/SecretsManager/Controllers/SecretVersionsControllerTests.cs

@@ -0,0 +1,289 @@
+using System.Net;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.SecretsManager.Enums;
+using Bit.Api.IntegrationTest.SecretsManager.Helpers;
+using Bit.Api.Models.Response;
+using Bit.Api.SecretsManager.Models.Request;
+using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.Enums;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Repositories;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.SecretsManager.Controllers;
+
+public class SecretVersionsControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly string _mockEncryptedString =
+        "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly ISecretRepository _secretRepository;
+    private readonly ISecretVersionRepository _secretVersionRepository;
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly LoginHelper _loginHelper;
+
+    private string _email = null!;
+    private SecretsManagerOrganizationHelper _organizationHelper = null!;
+
+    public SecretVersionsControllerTests(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = _factory.CreateClient();
+        _secretRepository = _factory.GetService<ISecretRepository>();
+        _secretVersionRepository = _factory.GetService<ISecretVersionRepository>();
+        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        _email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_email);
+        _organizationHelper = new SecretsManagerOrganizationHelper(_factory, _email);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task GetVersionsBySecretId_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task GetVersionsBySecretId_Success(PermissionType permissionType)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        // Create some versions
+        var version1 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var version2 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        if (permissionType == PermissionType.RunAsUserWithPermission)
+        {
+            var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+            await _loginHelper.LoginAsync(email);
+
+            var accessPolicies = new List<BaseAccessPolicy>
+            {
+                new UserSecretAccessPolicy
+                {
+                    GrantedSecretId = secret.Id,
+                    OrganizationUserId = orgUser.Id,
+                    Read = true,
+                    Write = true
+                }
+            };
+            await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+        }
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<SecretVersionResponseModel>>();
+
+        Assert.NotNull(result);
+        Assert.Equal(2, result.Data.Count());
+    }
+
+    [Fact]
+    public async Task GetVersionById_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var version = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow
+        });
+
+        var response = await _client.GetAsync($"/secret-versions/{version.Id}");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<SecretVersionResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(version.Id, result.Id);
+        Assert.Equal(secret.Id, result.SecretId);
+    }
+
+    [Fact]
+    public async Task RestoreVersion_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = "OriginalValue",
+            Note = _mockEncryptedString
+        });
+
+        var version = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "OldValue",
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        var request = new RestoreSecretVersionRequestModel
+        {
+            VersionId = version.Id
+        };
+
+        var response = await _client.PutAsJsonAsync($"/secrets/{secret.Id}/versions/restore", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<SecretResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal("OldValue", result.Value);
+    }
+
+    [Fact]
+    public async Task BulkDelete_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var version1 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var version2 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        var ids = new List<Guid> { version1.Id, version2.Id };
+
+        var response = await _client.PostAsJsonAsync("/secret-versions/delete", ids);
+        response.EnsureSuccessStatusCode();
+
+        var versions = await _secretVersionRepository.GetManyBySecretIdAsync(secret.Id);
+        Assert.Empty(versions);
+    }
+
+    [Fact]
+    public async Task GetVersionsBySecretId_ReturnsOrderedByVersionDate()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        // Create versions in random order
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version2",
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version3",
+            VersionDate = DateTime.UtcNow
+        });
+
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version1",
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<SecretVersionResponseModel>>();
+
+        Assert.NotNull(result);
+        Assert.Equal(3, result.Data.Count());
+
+        var versions = result.Data.ToList();
+        // Should be ordered by VersionDate descending (newest first)
+        Assert.Equal("Version3", versions[0].Value);
+        Assert.Equal("Version2", versions[1].Value);
+        Assert.Equal("Version1", versions[2].Value);
+    }
+}

test/Api.Test/AdminConsole/Controllers/OrganizationIntegrationControllerTests.cs

@@ -2,15 +2,14 @@
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations.Interfaces;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Mvc;
 using NSubstitute;
-using NSubstitute.ReturnsExtensions;
 using Xunit;
 
 namespace Bit.Api.Test.AdminConsole.Controllers;
@@ -19,7 +18,7 @@ namespace Bit.Api.Test.AdminConsole.Controllers;
 [SutProviderCustomize]
 public class OrganizationIntegrationControllerTests
 {
-    private OrganizationIntegrationRequestModel _webhookRequestModel = new OrganizationIntegrationRequestModel()
+    private readonly OrganizationIntegrationRequestModel _webhookRequestModel = new()
     {
         Configuration = null,
         Type = IntegrationType.Webhook
@@ -48,13 +47,13 @@ public class OrganizationIntegrationControllerTests
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+        sutProvider.GetDependency<IGetOrganizationIntegrationsQuery>()
             .GetManyByOrganizationAsync(organizationId)
             .Returns(integrations);
 
         var result = await sutProvider.Sut.GetAsync(organizationId);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+        await sutProvider.GetDependency<IGetOrganizationIntegrationsQuery>().Received(1)
             .GetManyByOrganizationAsync(organizationId);
 
         Assert.Equal(integrations.Count, result.Count);
@@ -70,7 +69,7 @@ public class OrganizationIntegrationControllerTests
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+        sutProvider.GetDependency<IGetOrganizationIntegrationsQuery>()
             .GetManyByOrganizationAsync(organizationId)
             .Returns([]);
 
@@ -80,199 +79,133 @@ public class OrganizationIntegrationControllerTests
     }
 
     [Theory, BitAutoData]
-    public async Task CreateAsync_Webhook_AllParamsProvided_Succeeds(
+    public async Task CreateAsync_AllParamsProvided_Succeeds(
+        SutProvider<OrganizationIntegrationController> sutProvider,
+        Guid organizationId,
+        OrganizationIntegration integration)
+    {
+        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(organizationId)
+            .Returns(true);
+        sutProvider.GetDependency<ICreateOrganizationIntegrationCommand>()
+            .CreateAsync(Arg.Any<OrganizationIntegration>())
+            .Returns(integration);
+
+        var response = await sutProvider.Sut.CreateAsync(organizationId, _webhookRequestModel);
+
+        await sutProvider.GetDependency<ICreateOrganizationIntegrationCommand>().Received(1)
+            .CreateAsync(Arg.Is<OrganizationIntegration>(i =>
+                i.OrganizationId == organizationId &&
+                i.Type == IntegrationType.Webhook));
+        Assert.IsType<OrganizationIntegrationResponseModel>(response);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationController> sutProvider,
         Guid organizationId)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegration>())
-            .Returns(callInfo => callInfo.Arg<OrganizationIntegration>());
-        var response = await sutProvider.Sut.CreateAsync(organizationId, _webhookRequestModel);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .CreateAsync(Arg.Any<OrganizationIntegration>());
-        Assert.IsType<OrganizationIntegrationResponseModel>(response);
-        Assert.Equal(IntegrationType.Webhook, response.Type);
-    }
-
-    [Theory, BitAutoData]
-    public async Task CreateAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(SutProvider<OrganizationIntegrationController> sutProvider, Guid organizationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.CreateAsync(organizationId, _webhookRequestModel));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.CreateAsync(organizationId, _webhookRequestModel));
     }
 
     [Theory, BitAutoData]
     public async Task DeleteAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration)
+        Guid integrationId)
     {
-        organizationIntegration.OrganizationId = organizationId;
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
 
-        await sutProvider.Sut.DeleteAsync(organizationId, organizationIntegration.Id);
+        await sutProvider.Sut.DeleteAsync(organizationId, integrationId);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .DeleteAsync(organizationIntegration);
+        await sutProvider.GetDependency<IDeleteOrganizationIntegrationCommand>().Received(1)
+            .DeleteAsync(organizationId, integrationId);
     }
 
     [Theory, BitAutoData]
+    [Obsolete("Obsolete")]
     public async Task PostDeleteAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-
-        await sutProvider.Sut.PostDeleteAsync(organizationId, organizationIntegration.Id);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .DeleteAsync(organizationIntegration);
-    }
-
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        organizationIntegration.OrganizationId = Guid.NewGuid();
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty));
-    }
-
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId)
+        Guid integrationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty));
+        await sutProvider.Sut.PostDeleteAsync(organizationId, integrationId);
+
+        await sutProvider.GetDependency<IDeleteOrganizationIntegrationCommand>().Received(1)
+            .DeleteAsync(organizationId, integrationId);
     }
 
     [Theory, BitAutoData]
     public async Task DeleteAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId)
+        Guid organizationId,
+        Guid integrationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.DeleteAsync(organizationId, integrationId));
     }
 
     [Theory, BitAutoData]
     public async Task UpdateAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration)
+        Guid integrationId,
+        OrganizationIntegration integration)
     {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
+        integration.OrganizationId = organizationId;
+        integration.Id = integrationId;
+        integration.Type = IntegrationType.Webhook;
+
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
+        sutProvider.GetDependency<IUpdateOrganizationIntegrationCommand>()
+            .UpdateAsync(organizationId, integrationId, Arg.Any<OrganizationIntegration>())
+            .Returns(integration);
 
-        var response = await sutProvider.Sut.UpdateAsync(organizationId, organizationIntegration.Id, _webhookRequestModel);
+        var response = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, _webhookRequestModel);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .ReplaceAsync(organizationIntegration);
+        await sutProvider.GetDependency<IUpdateOrganizationIntegrationCommand>().Received(1)
+            .UpdateAsync(organizationId, integrationId, Arg.Is<OrganizationIntegration>(i =>
+                i.OrganizationId == organizationId &&
+                i.Type == IntegrationType.Webhook));
         Assert.IsType<OrganizationIntegrationResponseModel>(response);
         Assert.Equal(IntegrationType.Webhook, response.Type);
     }
 
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        organizationIntegration.OrganizationId = Guid.NewGuid();
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(organizationId, Guid.Empty, _webhookRequestModel));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(organizationId, Guid.Empty, _webhookRequestModel));
-    }
-
     [Theory, BitAutoData]
     public async Task UpdateAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationController> sutProvider,
-        Guid organizationId)
+        Guid organizationId,
+        Guid integrationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(organizationId, Guid.Empty, _webhookRequestModel));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.UpdateAsync(organizationId, integrationId, _webhookRequestModel));
     }
 }

test/Api.Test/AdminConsole/Controllers/OrganizationIntegrationsConfigurationControllerTests.cs

@@ -1,18 +1,14 @@
-using System.Text.Json;
-using Bit.Api.AdminConsole.Controllers;
+using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations.Interfaces;
 using Bit.Core.Context;
-using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Mvc;
 using NSubstitute;
-using NSubstitute.ReturnsExtensions;
 using Xunit;
 
 namespace Bit.Api.Test.AdminConsole.Controllers;
@@ -25,823 +21,191 @@ public class OrganizationIntegrationsConfigurationControllerTests
     public async Task DeleteAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration)
+        Guid integrationId,
+        Guid configurationId)
     {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
 
-        await sutProvider.Sut.DeleteAsync(organizationId, organizationIntegration.Id, organizationIntegrationConfiguration.Id);
+        await sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegrationConfiguration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .DeleteAsync(organizationIntegrationConfiguration);
+        await sutProvider.GetDependency<IDeleteOrganizationIntegrationConfigurationCommand>().Received(1)
+            .DeleteAsync(organizationId, integrationId, configurationId);
     }
 
     [Theory, BitAutoData]
+    [Obsolete("Obsolete")]
     public async Task PostDeleteAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await sutProvider.Sut.PostDeleteAsync(organizationId, organizationIntegration.Id, organizationIntegrationConfiguration.Id);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegrationConfiguration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .DeleteAsync(organizationIntegrationConfiguration);
-    }
-
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationConfigurationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty, Guid.Empty));
-    }
-
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
+        Guid integrationId,
+        Guid configurationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty, Guid.Empty));
-    }
+        await sutProvider.Sut.PostDeleteAsync(organizationId, integrationId, configurationId);
 
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, organizationIntegration.Id, Guid.Empty));
-    }
-
-    [Theory, BitAutoData]
-    public async Task DeleteAsync_IntegrationConfigDoesNotBelongToIntegration_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = Guid.Empty;
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, organizationIntegration.Id, Guid.Empty));
+        await sutProvider.GetDependency<IDeleteOrganizationIntegrationConfigurationCommand>().Received(1)
+            .DeleteAsync(organizationId, integrationId, configurationId);
     }
 
     [Theory, BitAutoData]
     public async Task DeleteAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.DeleteAsync(organizationId, Guid.Empty, Guid.Empty));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId));
     }
 
     [Theory, BitAutoData]
     public async Task GetAsync_ConfigurationsExist_Succeeds(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        List<OrganizationIntegrationConfiguration> organizationIntegrationConfigurations)
+        Guid integrationId,
+        List<OrganizationIntegrationConfiguration> configurations)
     {
-        organizationIntegration.OrganizationId = organizationId;
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetManyByIntegrationAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfigurations);
+        sutProvider.GetDependency<IGetOrganizationIntegrationConfigurationsQuery>()
+            .GetManyByIntegrationAsync(organizationId, integrationId)
+            .Returns(configurations);
+
+        var result = await sutProvider.Sut.GetAsync(organizationId, integrationId);
 
-        var result = await sutProvider.Sut.GetAsync(organizationId, organizationIntegration.Id);
         Assert.NotNull(result);
-        Assert.Equal(organizationIntegrationConfigurations.Count, result.Count);
+        Assert.Equal(configurations.Count, result.Count);
         Assert.All(result, r => Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(r));
-
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .GetManyByIntegrationAsync(organizationIntegration.Id);
+        await sutProvider.GetDependency<IGetOrganizationIntegrationConfigurationsQuery>().Received(1)
+            .GetManyByIntegrationAsync(organizationId, integrationId);
     }
 
     [Theory, BitAutoData]
     public async Task GetAsync_NoConfigurationsExist_ReturnsEmptyList(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration)
+        Guid integrationId)
     {
-        organizationIntegration.OrganizationId = organizationId;
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetManyByIntegrationAsync(Arg.Any<Guid>())
+        sutProvider.GetDependency<IGetOrganizationIntegrationConfigurationsQuery>()
+            .GetManyByIntegrationAsync(organizationId, integrationId)
             .Returns([]);
 
-        var result = await sutProvider.Sut.GetAsync(organizationId, organizationIntegration.Id);
+        var result = await sutProvider.Sut.GetAsync(organizationId, integrationId);
+
         Assert.NotNull(result);
         Assert.Empty(result);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
-            .GetByIdAsync(organizationIntegration.Id);
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .GetManyByIntegrationAsync(organizationIntegration.Id);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetAsync(organizationId, Guid.NewGuid()));
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetAsync(organizationId, organizationIntegration.Id));
+        await sutProvider.GetDependency<IGetOrganizationIntegrationConfigurationsQuery>().Received(1)
+            .GetManyByIntegrationAsync(organizationId, integrationId);
     }
 
     [Theory, BitAutoData]
     public async Task GetAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
+        Guid organizationId,
+        Guid integrationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetAsync(organizationId, Guid.NewGuid()));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.GetAsync(organizationId, integrationId));
     }
 
     [Theory, BitAutoData]
-    public async Task PostAsync_AllParamsProvided_Slack_Succeeds(
+    public async Task PostAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
+        Guid integrationId,
+        OrganizationIntegrationConfiguration configuration,
         OrganizationIntegrationConfigurationRequestModel model)
     {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Slack;
-        var slackConfig = new SlackIntegrationConfiguration(ChannelId: "C123456");
-        model.Configuration = JsonSerializer.Serialize(slackConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(organizationIntegrationConfiguration);
-
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-        var createResponse = await sutProvider.Sut.CreateAsync(organizationId, organizationIntegration.Id, model);
+        sutProvider.GetDependency<ICreateOrganizationIntegrationConfigurationCommand>()
+            .CreateAsync(organizationId, integrationId, Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(configuration);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        var createResponse = await sutProvider.Sut.CreateAsync(organizationId, integrationId, model);
+
+        await sutProvider.GetDependency<ICreateOrganizationIntegrationConfigurationCommand>().Received(1)
+            .CreateAsync(organizationId, integrationId, Arg.Any<OrganizationIntegrationConfiguration>());
         Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(createResponse);
-        Assert.Equal(expected.Id, createResponse.Id);
-        Assert.Equal(expected.Configuration, createResponse.Configuration);
-        Assert.Equal(expected.EventType, createResponse.EventType);
-        Assert.Equal(expected.Filters, createResponse.Filters);
-        Assert.Equal(expected.Template, createResponse.Template);
     }
 
     [Theory, BitAutoData]
-    public async Task PostAsync_AllParamsProvided_Webhook_Succeeds(
+    public async Task PostAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"), Scheme: "Bearer", Token: "AUTH-TOKEN");
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(organizationIntegrationConfiguration);
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-        var createResponse = await sutProvider.Sut.CreateAsync(organizationId, organizationIntegration.Id, model);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
-        Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(createResponse);
-        Assert.Equal(expected.Id, createResponse.Id);
-        Assert.Equal(expected.Configuration, createResponse.Configuration);
-        Assert.Equal(expected.EventType, createResponse.EventType);
-        Assert.Equal(expected.Filters, createResponse.Filters);
-        Assert.Equal(expected.Template, createResponse.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_OnlyUrlProvided_Webhook_Succeeds(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"));
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(organizationIntegrationConfiguration);
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-        var createResponse = await sutProvider.Sut.CreateAsync(organizationId, organizationIntegration.Id, model);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
-        Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(createResponse);
-        Assert.Equal(expected.Id, createResponse.Id);
-        Assert.Equal(expected.Configuration, createResponse.Configuration);
-        Assert.Equal(expected.EventType, createResponse.EventType);
-        Assert.Equal(expected.Filters, createResponse.Filters);
-        Assert.Equal(expected.Template, createResponse.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_IntegrationTypeCloudBillingSync_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.CloudBillingSync;
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_IntegrationTypeScim_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Scim;
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            Guid.Empty,
-            new OrganizationIntegrationConfigurationRequestModel()));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            new OrganizationIntegrationConfigurationRequestModel()));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_InvalidConfiguration_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        model.Configuration = null;
-        model.Template = "Template String";
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_InvalidTemplate_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"), Scheme: "Bearer", Token: "AUTH-TOKEN");
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = null;
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.CreateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task PostAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(SutProvider<OrganizationIntegrationConfigurationController> sutProvider, Guid organizationId)
+        Guid integrationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.CreateAsync(organizationId, Guid.Empty, new OrganizationIntegrationConfigurationRequestModel()));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.CreateAsync(organizationId, integrationId, new OrganizationIntegrationConfigurationRequestModel()));
     }
 
     [Theory, BitAutoData]
-    public async Task UpdateAsync_AllParamsProvided_Slack_Succeeds(
+    public async Task UpdateAsync_AllParamsProvided_Succeeds(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegrationConfiguration configuration,
         OrganizationIntegrationConfigurationRequestModel model)
     {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        organizationIntegration.Type = IntegrationType.Slack;
-        var slackConfig = new SlackIntegrationConfiguration(ChannelId: "C123456");
-        model.Configuration = JsonSerializer.Serialize(slackConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(model.ToOrganizationIntegrationConfiguration(organizationIntegrationConfiguration));
-
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-        var updateResponse = await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            organizationIntegrationConfiguration.Id,
-            model);
+        sutProvider.GetDependency<IUpdateOrganizationIntegrationConfigurationCommand>()
+            .UpdateAsync(organizationId, integrationId, configurationId, Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(configuration);
 
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        var updateResponse = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, model);
+
+        await sutProvider.GetDependency<IUpdateOrganizationIntegrationConfigurationCommand>().Received(1)
+            .UpdateAsync(organizationId, integrationId, configurationId, Arg.Any<OrganizationIntegrationConfiguration>());
         Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(updateResponse);
-        Assert.Equal(expected.Id, updateResponse.Id);
-        Assert.Equal(expected.Configuration, updateResponse.Configuration);
-        Assert.Equal(expected.EventType, updateResponse.EventType);
-        Assert.Equal(expected.Filters, updateResponse.Filters);
-        Assert.Equal(expected.Template, updateResponse.Template);
     }
 
-
     [Theory, BitAutoData]
-    public async Task UpdateAsync_AllParamsProvided_Webhook_Succeeds(
+    public async Task UpdateAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(
         SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
         Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"), Scheme: "Bearer", Token: "AUTH-TOKEN");
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(model.ToOrganizationIntegrationConfiguration(organizationIntegrationConfiguration));
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-        var updateResponse = await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            organizationIntegrationConfiguration.Id,
-            model);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
-        Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(updateResponse);
-        Assert.Equal(expected.Id, updateResponse.Id);
-        Assert.Equal(expected.Configuration, updateResponse.Configuration);
-        Assert.Equal(expected.EventType, updateResponse.EventType);
-        Assert.Equal(expected.Filters, updateResponse.Filters);
-        Assert.Equal(expected.Template, updateResponse.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_OnlyUrlProvided_Webhook_Succeeds(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"));
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        var expected = new OrganizationIntegrationConfigurationResponseModel(model.ToOrganizationIntegrationConfiguration(organizationIntegrationConfiguration));
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-        var updateResponse = await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            organizationIntegrationConfiguration.Id,
-            model);
-
-        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
-            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
-        Assert.IsType<OrganizationIntegrationConfigurationResponseModel>(updateResponse);
-        Assert.Equal(expected.Id, updateResponse.Id);
-        Assert.Equal(expected.Configuration, updateResponse.Configuration);
-        Assert.Equal(expected.EventType, updateResponse.EventType);
-        Assert.Equal(expected.Filters, updateResponse.Filters);
-        Assert.Equal(expected.Template, updateResponse.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_IntegrationConfigurationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegration.Type = IntegrationType.Webhook;
-        var webhookConfig = new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"), Scheme: "Bearer", Token: "AUTH-TOKEN");
-        model.Configuration = JsonSerializer.Serialize(webhookConfig);
-        model.Template = "Template String";
-        model.Filters = null;
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            Guid.Empty,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_IntegrationDoesNotExist_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .ReturnsNull();
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            Guid.Empty,
-            Guid.Empty,
-            new OrganizationIntegrationConfigurationRequestModel()));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration)
-    {
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            Guid.Empty,
-            new OrganizationIntegrationConfigurationRequestModel()));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_InvalidConfiguration_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        organizationIntegration.Type = IntegrationType.Slack;
-        model.Configuration = null;
-        model.Template = "Template String";
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            organizationIntegrationConfiguration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_InvalidTemplate_ThrowsBadRequestException(
-        SutProvider<OrganizationIntegrationConfigurationController> sutProvider,
-        Guid organizationId,
-        OrganizationIntegration organizationIntegration,
-        OrganizationIntegrationConfiguration organizationIntegrationConfiguration,
-        OrganizationIntegrationConfigurationRequestModel model)
-    {
-        organizationIntegration.OrganizationId = organizationId;
-        organizationIntegrationConfiguration.OrganizationIntegrationId = organizationIntegration.Id;
-        organizationIntegration.Type = IntegrationType.Slack;
-        var slackConfig = new SlackIntegrationConfiguration(ChannelId: "C123456");
-        model.Configuration = JsonSerializer.Serialize(slackConfig);
-        model.Template = null;
-
-        sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(organizationId)
-            .Returns(true);
-        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegration);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
-            .GetByIdAsync(Arg.Any<Guid>())
-            .Returns(organizationIntegrationConfiguration);
-
-        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            organizationIntegration.Id,
-            organizationIntegrationConfiguration.Id,
-            model));
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateAsync_UserIsNotOrganizationAdmin_ThrowsNotFound(SutProvider<OrganizationIntegrationConfigurationController> sutProvider, Guid organizationId)
+        Guid integrationId,
+        Guid configurationId)
     {
         sutProvider.Sut.Url = Substitute.For<IUrlHelper>();
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationOwner(organizationId)
             .Returns(false);
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateAsync(
-            organizationId,
-            Guid.Empty,
-            Guid.Empty,
-            new OrganizationIntegrationConfigurationRequestModel()));
+        await Assert.ThrowsAsync<NotFoundException>(async () =>
+            await sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, new OrganizationIntegrationConfigurationRequestModel()));
     }
 }

test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs

@@ -11,6 +11,7 @@ using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
@@ -452,60 +453,10 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagDisabled_CallsLegacyPath(
+    public async Task PutResetPassword_WhenOrganizationUserNotFound_ReturnsNotFound(
         Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model,
         SutProvider<OrganizationUsersController> sutProvider)
     {
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(false);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(orgId).Returns(true);
-        sutProvider.GetDependency<IUserService>().AdminResetPasswordAsync(Arg.Any<OrganizationUserType>(), orgId, orgUserId, model.NewMasterPasswordHash, model.Key)
-            .Returns(Microsoft.AspNetCore.Identity.IdentityResult.Success);
-
-        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);
-
-        Assert.IsType<Ok>(result);
-        await sutProvider.GetDependency<IUserService>().Received(1)
-            .AdminResetPasswordAsync(OrganizationUserType.Owner, orgId, orgUserId, model.NewMasterPasswordHash, model.Key);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagDisabled_WhenOrgUserTypeIsNull_ReturnsNotFound(
-        Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
-    {
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(false);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(orgId).Returns(false);
-        sutProvider.GetDependency<ICurrentContext>().Organizations.Returns(new List<CurrentContextOrganization>());
-
-        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);
-
-        Assert.IsType<Microsoft.AspNetCore.Http.HttpResults.NotFound>(result);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagDisabled_WhenAdminResetPasswordFails_ReturnsBadRequest(
-        Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
-    {
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(false);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(orgId).Returns(true);
-        sutProvider.GetDependency<IUserService>().AdminResetPasswordAsync(Arg.Any<OrganizationUserType>(), orgId, orgUserId, model.NewMasterPasswordHash, model.Key)
-            .Returns(Microsoft.AspNetCore.Identity.IdentityResult.Failed(new Microsoft.AspNetCore.Identity.IdentityError { Description = "Error 1" }));
-
-        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);
-
-        Assert.IsType<BadRequest<ModelStateDictionary>>(result);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagEnabled_WhenOrganizationUserNotFound_ReturnsNotFound(
-        Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
-    {
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns((OrganizationUser)null);
 
         var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);
@@ -515,12 +466,11 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagEnabled_WhenOrganizationIdMismatch_ReturnsNotFound(
+    public async Task PutResetPassword_WhenOrganizationIdMismatch_ReturnsNotFound(
         Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model, OrganizationUser organizationUser,
         SutProvider<OrganizationUsersController> sutProvider)
     {
         organizationUser.OrganizationId = Guid.NewGuid();
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);
 
         var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);
@@ -530,12 +480,11 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagEnabled_WhenAuthorizationFails_ReturnsBadRequest(
+    public async Task PutResetPassword_WhenAuthorizationFails_ReturnsBadRequest(
         Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model, OrganizationUser organizationUser,
         SutProvider<OrganizationUsersController> sutProvider)
     {
         organizationUser.OrganizationId = orgId;
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);
         sutProvider.GetDependency<IAuthorizationService>()
             .AuthorizeAsync(
@@ -551,12 +500,11 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagEnabled_WhenRecoverAccountSucceeds_ReturnsOk(
+    public async Task PutResetPassword_WhenRecoverAccountSucceeds_ReturnsOk(
         Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model, OrganizationUser organizationUser,
         SutProvider<OrganizationUsersController> sutProvider)
     {
         organizationUser.OrganizationId = orgId;
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);
         sutProvider.GetDependency<IAuthorizationService>()
             .AuthorizeAsync(
@@ -577,12 +525,11 @@ public class OrganizationUsersControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutResetPassword_WithFeatureFlagEnabled_WhenRecoverAccountFails_ReturnsBadRequest(
+    public async Task PutResetPassword_WhenRecoverAccountFails_ReturnsBadRequest(
         Guid orgId, Guid orgUserId, OrganizationUserResetPasswordRequestModel model, OrganizationUser organizationUser,
         SutProvider<OrganizationUsersController> sutProvider)
     {
         organizationUser.OrganizationId = orgId;
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountRecoveryCommand).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(orgUserId).Returns(organizationUser);
         sutProvider.GetDependency<IAuthorizationService>()
             .AuthorizeAsync(
@@ -784,4 +731,68 @@ public class OrganizationUsersControllerTests
         var problemResult = Assert.IsType<JsonHttpResult<ErrorResponseModel>>(result);
         Assert.Equal(StatusCodes.Status500InternalServerError, problemResult.StatusCode);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkReinvite_WhenFeatureFlagEnabled_UsesBulkResendOrganizationInvitesCommand(
+        Guid organizationId,
+        OrganizationUserBulkRequestModel bulkRequestModel,
+        List<OrganizationUser> organizationUsers,
+        Guid userId,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud)
+            .Returns(true);
+
+        var expectedResults = organizationUsers.Select(u => Tuple.Create(u, "")).ToList();
+        sutProvider.GetDependency<IBulkResendOrganizationInvitesCommand>()
+            .BulkResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids)
+            .Returns(expectedResults);
+
+        // Act
+        var response = await sutProvider.Sut.BulkReinvite(organizationId, bulkRequestModel);
+
+        // Assert
+        Assert.Equal(organizationUsers.Count, response.Data.Count());
+
+        await sutProvider.GetDependency<IBulkResendOrganizationInvitesCommand>()
+            .Received(1)
+            .BulkResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkReinvite_WhenFeatureFlagDisabled_UsesLegacyOrganizationService(
+        Guid organizationId,
+        OrganizationUserBulkRequestModel bulkRequestModel,
+        List<OrganizationUser> organizationUsers,
+        Guid userId,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud)
+            .Returns(false);
+
+        var expectedResults = organizationUsers.Select(u => Tuple.Create(u, "")).ToList();
+        sutProvider.GetDependency<IOrganizationService>()
+            .ResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids)
+            .Returns(expectedResults);
+
+        // Act
+        var response = await sutProvider.Sut.BulkReinvite(organizationId, bulkRequestModel);
+
+        // Assert
+        Assert.Equal(organizationUsers.Count, response.Data.Count());
+
+        await sutProvider.GetDependency<IOrganizationService>()
+            .Received(1)
+            .ResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids);
+    }
 }

test/Api.Test/AdminConsole/Models/Request/Organizations/OrganizationIntegrationConfigurationRequestModelTests.cs

@@ -1,248 +0,0 @@
-using System.Text.Json;
-using Bit.Api.AdminConsole.Models.Request.Organizations;
-using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
-using Bit.Core.Enums;
-using Xunit;
-
-namespace Bit.Api.Test.AdminConsole.Models.Request.Organizations;
-
-public class OrganizationIntegrationConfigurationRequestModelTests
-{
-    [Fact]
-    public void IsValidForType_CloudBillingSyncIntegration_ReturnsFalse()
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = "{}",
-            Template = "template"
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.CloudBillingSync));
-    }
-
-    [Theory]
-    [InlineData(data: null)]
-    [InlineData(data: "")]
-    [InlineData(data: "    ")]
-    public void IsValidForType_EmptyConfiguration_ReturnsFalse(string? config)
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = "template"
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.Slack));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Webhook));
-    }
-
-    [Theory]
-    [InlineData(data: "")]
-    [InlineData(data: "    ")]
-    public void IsValidForType_EmptyNonNullConfiguration_ReturnsFalse(string? config)
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = "template"
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.Hec));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Datadog));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Teams));
-    }
-
-    [Fact]
-    public void IsValidForType_NullConfiguration_ReturnsTrue()
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = null,
-            Template = "template"
-        };
-
-        Assert.True(condition: model.IsValidForType(IntegrationType.Hec));
-        Assert.True(condition: model.IsValidForType(IntegrationType.Datadog));
-        Assert.True(condition: model.IsValidForType(IntegrationType.Teams));
-    }
-
-    [Theory]
-    [InlineData(data: null)]
-    [InlineData(data: "")]
-    [InlineData(data: "    ")]
-    public void IsValidForType_EmptyTemplate_ReturnsFalse(string? template)
-    {
-        var config = JsonSerializer.Serialize(value: new WebhookIntegrationConfiguration(
-            Uri: new Uri("https://localhost"),
-            Scheme: "Bearer",
-            Token: "AUTH-TOKEN"));
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = template
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.Slack));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Webhook));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Hec));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Datadog));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Teams));
-    }
-
-    [Fact]
-    public void IsValidForType_InvalidJsonConfiguration_ReturnsFalse()
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = "{not valid json}",
-            Template = "template"
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.Slack));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Webhook));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Hec));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Datadog));
-        Assert.False(condition: model.IsValidForType(IntegrationType.Teams));
-    }
-
-
-    [Fact]
-    public void IsValidForType_InvalidJsonFilters_ReturnsFalse()
-    {
-        var config = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(Uri: new Uri("https://example.com")));
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Filters = "{Not valid json",
-            Template = "template"
-        };
-
-        Assert.False(model.IsValidForType(IntegrationType.Webhook));
-    }
-
-    [Fact]
-    public void IsValidForType_ScimIntegration_ReturnsFalse()
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = "{}",
-            Template = "template"
-        };
-
-        Assert.False(condition: model.IsValidForType(IntegrationType.Scim));
-    }
-
-    [Fact]
-    public void IsValidForType_ValidSlackConfiguration_ReturnsTrue()
-    {
-        var config = JsonSerializer.Serialize(value: new SlackIntegrationConfiguration(ChannelId: "C12345"));
-
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = "template"
-        };
-
-        Assert.True(condition: model.IsValidForType(IntegrationType.Slack));
-    }
-
-    [Fact]
-    public void IsValidForType_ValidSlackConfigurationWithFilters_ReturnsTrue()
-    {
-        var config = JsonSerializer.Serialize(new SlackIntegrationConfiguration("C12345"));
-        var filters = JsonSerializer.Serialize(new IntegrationFilterGroup()
-        {
-            AndOperator = true,
-            Rules = [
-                new IntegrationFilterRule()
-                {
-                    Operation = IntegrationFilterOperation.Equals,
-                    Property = "CollectionId",
-                    Value = Guid.NewGuid()
-                }
-            ],
-            Groups = []
-        });
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Filters = filters,
-            Template = "template"
-        };
-
-        Assert.True(model.IsValidForType(IntegrationType.Slack));
-    }
-
-    [Fact]
-    public void IsValidForType_ValidNoAuthWebhookConfiguration_ReturnsTrue()
-    {
-        var config = JsonSerializer.Serialize(value: new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost")));
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = "template"
-        };
-
-        Assert.True(condition: model.IsValidForType(IntegrationType.Webhook));
-    }
-
-    [Fact]
-    public void IsValidForType_ValidWebhookConfiguration_ReturnsTrue()
-    {
-        var config = JsonSerializer.Serialize(value: new WebhookIntegrationConfiguration(
-            Uri: new Uri("https://localhost"),
-            Scheme: "Bearer",
-            Token: "AUTH-TOKEN"));
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Template = "template"
-        };
-
-        Assert.True(condition: model.IsValidForType(IntegrationType.Webhook));
-    }
-
-    [Fact]
-    public void IsValidForType_ValidWebhookConfigurationWithFilters_ReturnsTrue()
-    {
-        var config = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(
-            Uri: new Uri("https://example.com"),
-            Scheme: "Bearer",
-            Token: "AUTH-TOKEN"));
-        var filters = JsonSerializer.Serialize(new IntegrationFilterGroup()
-        {
-            AndOperator = true,
-            Rules = [
-                new IntegrationFilterRule()
-                {
-                    Operation = IntegrationFilterOperation.Equals,
-                    Property = "CollectionId",
-                    Value = Guid.NewGuid()
-                }
-            ],
-            Groups = []
-        });
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = config,
-            Filters = filters,
-            Template = "template"
-        };
-
-        Assert.True(model.IsValidForType(IntegrationType.Webhook));
-    }
-
-    [Fact]
-    public void IsValidForType_UnknownIntegrationType_ReturnsFalse()
-    {
-        var model = new OrganizationIntegrationConfigurationRequestModel
-        {
-            Configuration = "{}",
-            Template = "template"
-        };
-
-        var unknownType = (IntegrationType)999;
-
-        Assert.False(condition: model.IsValidForType(unknownType));
-    }
-}

test/Api.Test/AdminConsole/Models/Response/ProfileOrganizationResponseModelTests.cs

@@ -48,6 +48,7 @@ public class ProfileOrganizationResponseModelTests
             UsersGetPremium = organization.UsersGetPremium,
             UseCustomPermissions = organization.UseCustomPermissions,
             UseRiskInsights = organization.UseRiskInsights,
+            UsePhishingBlocker = organization.UsePhishingBlocker,
             UseOrganizationDomains = organization.UseOrganizationDomains,
             UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies,
             UseAutomaticUserConfirmation = organization.UseAutomaticUserConfirmation,

test/Api.Test/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModelTests.cs

@@ -45,6 +45,7 @@ public class ProfileProviderOrganizationResponseModelTests
             UsersGetPremium = organization.UsersGetPremium,
             UseCustomPermissions = organization.UseCustomPermissions,
             UseRiskInsights = organization.UseRiskInsights,
+            UsePhishingBlocker = organization.UsePhishingBlocker,
             UseOrganizationDomains = organization.UseOrganizationDomains,
             UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies,
             UseAutomaticUserConfirmation = organization.UseAutomaticUserConfirmation,

test/Api.Test/AdminConsole/Public/Controllers/PoliciesControllerTests.cs

@@ -1,14 +1,11 @@
 using Bit.Api.AdminConsole.Public.Controllers;
 using Bit.Api.AdminConsole.Public.Models.Request;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -22,7 +19,7 @@ public class PoliciesControllerTests
 {
     [Theory]
     [BitAutoData]
-    public async Task Put_WhenPolicyValidatorsRefactorEnabled_UsesVNextSavePolicyCommand(
+    public async Task Put_UsesVNextSavePolicyCommand(
         Guid organizationId,
         PolicyType policyType,
         PolicyUpdateRequestModel model,
@@ -33,9 +30,6 @@ public class PoliciesControllerTests
         policy.Data = null;
         sutProvider.GetDependency<ICurrentContext>()
             .OrganizationId.Returns(organizationId);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(true);
         sutProvider.GetDependency<IVNextSavePolicyCommand>()
             .SaveAsync(Arg.Any<SavePolicyModel>())
             .Returns(policy);
@@ -52,36 +46,4 @@ public class PoliciesControllerTests
                 m.PolicyUpdate.Enabled == model.Enabled.GetValueOrDefault() &&
                 m.PerformedBy is SystemUser));
     }
-
-    [Theory]
-    [BitAutoData]
-    public async Task Put_WhenPolicyValidatorsRefactorDisabled_UsesLegacySavePolicyCommand(
-        Guid organizationId,
-        PolicyType policyType,
-        PolicyUpdateRequestModel model,
-        Policy policy,
-        SutProvider<PoliciesController> sutProvider)
-    {
-        // Arrange
-        policy.Data = null;
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationId.Returns(organizationId);
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(false);
-        sutProvider.GetDependency<ISavePolicyCommand>()
-            .SaveAsync(Arg.Any<PolicyUpdate>())
-            .Returns(policy);
-
-        // Act
-        await sutProvider.Sut.Put(policyType, model);
-
-        // Assert
-        await sutProvider.GetDependency<ISavePolicyCommand>()
-            .Received(1)
-            .SaveAsync(Arg.Is<PolicyUpdate>(p =>
-                p.OrganizationId == organizationId &&
-                p.Type == policyType &&
-                p.Enabled == model.Enabled));
-    }
 }

test/Api.Test/Auth/Controllers/AccountsControllerTests.cs

@@ -11,6 +11,7 @@ using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Kdf;
+using Bit.Core.KeyManagement.Models.Api.Request;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Queries.Interfaces;
 using Bit.Core.Repositories;
@@ -38,6 +39,7 @@ public class AccountsControllerTests : IDisposable
     private readonly IUserAccountKeysQuery _userAccountKeysQuery;
     private readonly ITwoFactorEmailService _twoFactorEmailService;
     private readonly IChangeKdfCommand _changeKdfCommand;
+    private readonly IUserRepository _userRepository;
 
     public AccountsControllerTests()
     {
@@ -53,6 +55,7 @@ public class AccountsControllerTests : IDisposable
         _userAccountKeysQuery = Substitute.For<IUserAccountKeysQuery>();
         _twoFactorEmailService = Substitute.For<ITwoFactorEmailService>();
         _changeKdfCommand = Substitute.For<IChangeKdfCommand>();
+        _userRepository = Substitute.For<IUserRepository>();
 
         _sut = new AccountsController(
             _organizationService,
@@ -66,7 +69,8 @@ public class AccountsControllerTests : IDisposable
             _featureService,
             _userAccountKeysQuery,
             _twoFactorEmailService,
-            _changeKdfCommand
+            _changeKdfCommand,
+            _userRepository
         );
     }
 
@@ -688,6 +692,37 @@ public class AccountsControllerTests : IDisposable
         await _sut.PostKdf(model);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PostKeys_NoUser_Errors(KeysRequestModel model)
+    {
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult<User>(null));
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => _sut.PostKeys(model));
+    }
+
+    [Theory]
+    [BitAutoData("existing", "existing")]
+    [BitAutoData((string)null, "existing")]
+    [BitAutoData("", "existing")]
+    [BitAutoData(" ", "existing")]
+    [BitAutoData("existing", null)]
+    [BitAutoData("existing", "")]
+    [BitAutoData("existing", " ")]
+    public async Task PostKeys_UserAlreadyHasKeys_Errors(string? existingPrivateKey, string? existingPublicKey,
+        KeysRequestModel model)
+    {
+        var user = GenerateExampleUser();
+        user.PrivateKey = existingPrivateKey;
+        user.PublicKey = existingPublicKey;
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostKeys(model));
+
+        Assert.NotNull(exception.Message);
+        Assert.Contains("User has existing keypair", exception.Message);
+    }
+
     // Below are helper functions that currently belong to this
     // test class, but ultimately may need to be split out into
     // something greater in order to share common test steps with
@@ -738,5 +773,77 @@ public class AccountsControllerTests : IDisposable
         _userService.GetUserByIdAsync(Arg.Any<Guid>())
                     .Returns(Task.FromResult((User)null));
     }
+
+    [Theory, BitAutoData]
+    public async Task PostKeys_WithAccountKeys_CallsSetV2AccountCryptographicState(
+        User user,
+        KeysRequestModel model)
+    {
+        // Arrange
+        user.PublicKey = null;
+        user.PrivateKey = null;
+        model.AccountKeys = new AccountKeysRequestModel
+        {
+            UserKeyEncryptedAccountPrivateKey = "wrapped-private-key",
+            AccountPublicKey = "public-key",
+            PublicKeyEncryptionKeyPair = new PublicKeyEncryptionKeyPairRequestModel
+            {
+                PublicKey = "public-key",
+                WrappedPrivateKey = "wrapped-private-key",
+                SignedPublicKey = "signed-public-key"
+            },
+            SignatureKeyPair = new SignatureKeyPairRequestModel
+            {
+                VerifyingKey = "verifying-key",
+                SignatureAlgorithm = "ed25519",
+                WrappedSigningKey = "wrapped-signing-key"
+            },
+            SecurityState = new SecurityStateModel
+            {
+                SecurityState = "security-state",
+                SecurityVersion = 2
+            }
+        };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+
+        // Act
+        var result = await _sut.PostKeys(model);
+
+        // Assert
+        await _userRepository.Received(1).SetV2AccountCryptographicStateAsync(
+            user.Id,
+            Arg.Any<UserAccountKeysData>());
+        await _userService.DidNotReceiveWithAnyArgs().SaveUserAsync(Arg.Any<User>());
+        Assert.NotNull(result);
+        Assert.Equal("keys", result.Object);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PostKeys_WithoutAccountKeys_CallsSaveUser(
+        User user,
+        KeysRequestModel model)
+    {
+        // Arrange
+        user.PublicKey = null;
+        user.PrivateKey = null;
+        model.AccountKeys = null;
+        model.PublicKey = "public-key";
+        model.EncryptedPrivateKey = "encrypted-private-key";
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+
+        // Act
+        var result = await _sut.PostKeys(model);
+
+        // Assert
+        await _userService.Received(1).SaveUserAsync(Arg.Is<User>(u =>
+            u.PublicKey == model.PublicKey &&
+            u.PrivateKey == model.EncryptedPrivateKey));
+        await _userRepository.DidNotReceiveWithAnyArgs()
+            .SetV2AccountCryptographicStateAsync(Arg.Any<Guid>(), Arg.Any<UserAccountKeysData>());
+        Assert.NotNull(result);
+        Assert.Equal("keys", result.Object);
+    }
 }
 

test/Api.Test/Billing/Controllers/AccountsControllerTests.cs

@@ -4,6 +4,7 @@ using Bit.Core;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models.Business;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Queries.Interfaces;
@@ -27,9 +28,10 @@ public class AccountsControllerTests : IDisposable
 
     private readonly IUserService _userService;
     private readonly IFeatureService _featureService;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IUserAccountKeysQuery _userAccountKeysQuery;
+    private readonly ILicensingService _licensingService;
     private readonly GlobalSettings _globalSettings;
     private readonly AccountsController _sut;
 
@@ -37,16 +39,18 @@ public class AccountsControllerTests : IDisposable
     {
         _userService = Substitute.For<IUserService>();
         _featureService = Substitute.For<IFeatureService>();
-        _paymentService = Substitute.For<IPaymentService>();
+        _paymentService = Substitute.For<IStripePaymentService>();
         _twoFactorIsEnabledQuery = Substitute.For<ITwoFactorIsEnabledQuery>();
         _userAccountKeysQuery = Substitute.For<IUserAccountKeysQuery>();
+        _licensingService = Substitute.For<ILicensingService>();
         _globalSettings = new GlobalSettings { SelfHosted = false };
 
         _sut = new AccountsController(
             _userService,
             _twoFactorIsEnabledQuery,
             _userAccountKeysQuery,
-            _featureService
+            _featureService,
+            _licensingService
         );
     }
 

test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs

@@ -3,9 +3,9 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Organizations.Models;
 using Bit.Core.Billing.Organizations.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -103,7 +103,7 @@ public class OrganizationBillingControllerTests
         // Manually create a BillingHistoryInfo object to avoid requiring AutoFixture to create HttpResponseHeaders
         var billingInfo = new BillingHistoryInfo();
 
-        sutProvider.GetDependency<IPaymentService>().GetBillingHistoryAsync(organization).Returns(billingInfo);
+        sutProvider.GetDependency<IStripePaymentService>().GetBillingHistoryAsync(organization).Returns(billingInfo);
 
         // Act
         var result = await sutProvider.Sut.GetHistoryAsync(organizationId);

test/Api.Test/Billing/Controllers/OrganizationsControllerTests.cs

@@ -37,7 +37,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IOrganizationService _organizationService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
     private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly IUserService _userService;
     private readonly IGetCloudOrganizationLicenseQuery _getCloudOrganizationLicenseQuery;
@@ -59,7 +59,7 @@ public class OrganizationsControllerTests : IDisposable
         _organizationRepository = Substitute.For<IOrganizationRepository>();
         _organizationService = Substitute.For<IOrganizationService>();
         _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
-        _paymentService = Substitute.For<IPaymentService>();
+        _paymentService = Substitute.For<IStripePaymentService>();
         Substitute.For<IPolicyRepository>();
         _ssoConfigRepository = Substitute.For<ISsoConfigRepository>();
         Substitute.For<ISsoConfigService>();

test/Api.Test/Billing/Controllers/ProviderBillingControllerTests.cs

@@ -1,5 +1,4 @@
 using Bit.Api.Billing.Controllers;
-using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
@@ -12,11 +11,9 @@ using Bit.Core.Billing.Providers.Entities;
 using Bit.Core.Billing.Providers.Repositories;
 using Bit.Core.Billing.Providers.Services;
 using Bit.Core.Billing.Services;
-using Bit.Core.Billing.Tax.Models;
 using Bit.Core.Context;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.BitStripe;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -124,7 +121,7 @@ public class ProviderBillingControllerTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().InvoiceListAsync(Arg.Is<StripeInvoiceListOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().ListInvoicesAsync(Arg.Is<StripeInvoiceListOptions>(
             options =>
                 options.Customer == provider.GatewayCustomerId)).Returns(invoices);
 
@@ -304,7 +301,7 @@ public class ProviderBillingControllerTests
             Status = "unpaid"
         };
 
-        stripeAdapter.SubscriptionGetAsync(provider.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
+        stripeAdapter.GetSubscriptionAsync(provider.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
             options =>
                 options.Expand.Contains("customer.tax_ids") &&
                 options.Expand.Contains("discounts") &&
@@ -321,7 +318,7 @@ public class ProviderBillingControllerTests
             Attempted = true
         };
 
-        stripeAdapter.InvoiceSearchAsync(Arg.Is<InvoiceSearchOptions>(
+        stripeAdapter.SearchInvoiceAsync(Arg.Is<InvoiceSearchOptions>(
                 options => options.Query == $"subscription:'{subscription.Id}' status:'open'"))
             .Returns([overdueInvoice]);
 
@@ -354,7 +351,7 @@ public class ProviderBillingControllerTests
             var plan = MockPlans.Get(providerPlan.PlanType);
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(providerPlan.PlanType).Returns(plan);
             var priceId = ProviderPriceAdapter.GetPriceId(provider, subscription, providerPlan.PlanType);
-            sutProvider.GetDependency<IStripeAdapter>().PriceGetAsync(priceId)
+            sutProvider.GetDependency<IStripeAdapter>().GetPriceAsync(priceId)
                 .Returns(new Price
                 {
                     UnitAmountDecimal = plan.PasswordManager.ProviderPortalSeatPrice * 100
@@ -462,13 +459,13 @@ public class ProviderBillingControllerTests
             Status = "active"
         };
 
-        stripeAdapter.SubscriptionGetAsync(provider.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
+        stripeAdapter.GetSubscriptionAsync(provider.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
             options =>
                 options.Expand.Contains("customer.tax_ids") &&
                 options.Expand.Contains("discounts") &&
                 options.Expand.Contains("test_clock"))).Returns(subscription);
 
-        stripeAdapter.InvoiceSearchAsync(Arg.Is<InvoiceSearchOptions>(
+        stripeAdapter.SearchInvoiceAsync(Arg.Is<InvoiceSearchOptions>(
                 options => options.Query == $"subscription:'{subscription.Id}' status:'open'"))
             .Returns([]);
 
@@ -501,7 +498,7 @@ public class ProviderBillingControllerTests
             var plan = MockPlans.Get(providerPlan.PlanType);
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(providerPlan.PlanType).Returns(plan);
             var priceId = ProviderPriceAdapter.GetPriceId(provider, subscription, providerPlan.PlanType);
-            sutProvider.GetDependency<IStripeAdapter>().PriceGetAsync(priceId)
+            sutProvider.GetDependency<IStripeAdapter>().GetPriceAsync(priceId)
                 .Returns(new Price
                 {
                     UnitAmountDecimal = plan.PasswordManager.ProviderPortalSeatPrice * 100
@@ -521,49 +518,4 @@ public class ProviderBillingControllerTests
     }
 
     #endregion
-
-    #region UpdateTaxInformationAsync
-
-    [Theory, BitAutoData]
-    public async Task UpdateTaxInformation_NoCountry_BadRequest(
-        Provider provider,
-        TaxInformationRequestBody requestBody,
-        SutProvider<ProviderBillingController> sutProvider)
-    {
-        ConfigureStableProviderAdminInputs(provider, sutProvider);
-
-        requestBody.Country = null;
-
-        var result = await sutProvider.Sut.UpdateTaxInformationAsync(provider.Id, requestBody);
-
-        Assert.IsType<BadRequest<ErrorResponseModel>>(result);
-
-        var response = (BadRequest<ErrorResponseModel>)result;
-
-        Assert.Equal("Country and postal code are required to update your tax information.", response.Value.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task UpdateTaxInformation_Ok(
-        Provider provider,
-        TaxInformationRequestBody requestBody,
-        SutProvider<ProviderBillingController> sutProvider)
-    {
-        ConfigureStableProviderAdminInputs(provider, sutProvider);
-
-        await sutProvider.Sut.UpdateTaxInformationAsync(provider.Id, requestBody);
-
-        await sutProvider.GetDependency<ISubscriberService>().Received(1).UpdateTaxInformation(
-            provider, Arg.Is<TaxInformation>(
-                options =>
-                    options.Country == requestBody.Country &&
-                    options.PostalCode == requestBody.PostalCode &&
-                    options.TaxId == requestBody.TaxId &&
-                    options.Line1 == requestBody.Line1 &&
-                    options.Line2 == requestBody.Line2 &&
-                    options.City == requestBody.City &&
-                    options.State == requestBody.State));
-    }
-
-    #endregion
 }

test/Api.Test/Controllers/PoliciesControllerTests.cs

@@ -3,7 +3,6 @@ using System.Text.Json;
 using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
@@ -291,7 +290,7 @@ public class PoliciesControllerTests
         string token,
         string email,
         Organization organization
-        )
+    )
     {
         // Arrange
         organization.UsePolicies = true;
@@ -302,14 +301,15 @@ public class PoliciesControllerTests
         var decryptedToken = Substitute.For<OrgUserInviteTokenable>();
         decryptedToken.Valid.Returns(false);
 
-        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+        var orgUserInviteTokenDataFactory =
+            sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
 
         orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
             .Returns(x =>
-        {
-            x[1] = decryptedToken;
-            return true;
-        });
+            {
+                x[1] = decryptedToken;
+                return true;
+            });
 
         // Act & Assert
         await Assert.ThrowsAsync<NotFoundException>(() =>
@@ -325,7 +325,7 @@ public class PoliciesControllerTests
         string token,
         string email,
         Organization organization
-        )
+    )
     {
         // Arrange
         organization.UsePolicies = true;
@@ -338,14 +338,15 @@ public class PoliciesControllerTests
         decryptedToken.OrgUserId = organizationUserId;
         decryptedToken.OrgUserEmail = email;
 
-        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+        var orgUserInviteTokenDataFactory =
+            sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
 
         orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
             .Returns(x =>
-        {
-            x[1] = decryptedToken;
-            return true;
-        });
+            {
+                x[1] = decryptedToken;
+                return true;
+            });
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetByIdAsync(organizationUserId)
@@ -366,7 +367,7 @@ public class PoliciesControllerTests
         string email,
         OrganizationUser orgUser,
         Organization organization
-        )
+    )
     {
         // Arrange
         organization.UsePolicies = true;
@@ -379,14 +380,15 @@ public class PoliciesControllerTests
         decryptedToken.OrgUserId = organizationUserId;
         decryptedToken.OrgUserEmail = email;
 
-        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+        var orgUserInviteTokenDataFactory =
+            sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
 
         orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
             .Returns(x =>
-        {
-            x[1] = decryptedToken;
-            return true;
-        });
+            {
+                x[1] = decryptedToken;
+                return true;
+            });
 
         orgUser.OrganizationId = Guid.Empty;
 
@@ -409,7 +411,7 @@ public class PoliciesControllerTests
         string email,
         OrganizationUser orgUser,
         Organization organization
-        )
+    )
     {
         // Arrange
         organization.UsePolicies = true;
@@ -422,14 +424,15 @@ public class PoliciesControllerTests
         decryptedToken.OrgUserId = organizationUserId;
         decryptedToken.OrgUserEmail = email;
 
-        var orgUserInviteTokenDataFactory = sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
+        var orgUserInviteTokenDataFactory =
+            sutProvider.GetDependency<IDataProtectorTokenFactory<OrgUserInviteTokenable>>();
 
         orgUserInviteTokenDataFactory.TryUnprotect(token, out Arg.Any<OrgUserInviteTokenable>())
             .Returns(x =>
-        {
-            x[1] = decryptedToken;
-            return true;
-        });
+            {
+                x[1] = decryptedToken;
+                return true;
+            });
 
         orgUser.OrganizationId = orgId;
         sutProvider.GetDependency<IOrganizationUserRepository>()
@@ -463,7 +466,7 @@ public class PoliciesControllerTests
 
     [Theory]
     [BitAutoData]
-    public async Task PutVNext_WhenPolicyValidatorsRefactorEnabled_UsesVNextSavePolicyCommand(
+    public async Task PutVNext_UsesVNextSavePolicyCommand(
         SutProvider<PoliciesController> sutProvider, Guid orgId,
         SavePolicyRequest model, Policy policy, Guid userId)
     {
@@ -478,10 +481,6 @@ public class PoliciesControllerTests
             .OrganizationOwner(orgId)
             .Returns(true);
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(true);
-
         sutProvider.GetDependency<IVNextSavePolicyCommand>()
             .SaveAsync(Arg.Any<SavePolicyModel>())
             .Returns(policy);
@@ -492,12 +491,11 @@ public class PoliciesControllerTests
         // Assert
         await sutProvider.GetDependency<IVNextSavePolicyCommand>()
             .Received(1)
-            .SaveAsync(Arg.Is<SavePolicyModel>(
-                m => m.PolicyUpdate.OrganizationId == orgId &&
-                     m.PolicyUpdate.Type == policy.Type &&
-                     m.PolicyUpdate.Enabled == model.Policy.Enabled &&
-                     m.PerformedBy.UserId == userId &&
-                     m.PerformedBy.IsOrganizationOwnerOrProvider == true));
+            .SaveAsync(Arg.Is<SavePolicyModel>(m => m.PolicyUpdate.OrganizationId == orgId &&
+                                                    m.PolicyUpdate.Type == policy.Type &&
+                                                    m.PolicyUpdate.Enabled == model.Policy.Enabled &&
+                                                    m.PerformedBy.UserId == userId &&
+                                                    m.PerformedBy.IsOrganizationOwnerOrProvider == true));
 
         await sutProvider.GetDependency<ISavePolicyCommand>()
             .DidNotReceiveWithAnyArgs()
@@ -507,51 +505,4 @@ public class PoliciesControllerTests
         Assert.Equal(policy.Id, result.Id);
         Assert.Equal(policy.Type, result.Type);
     }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PutVNext_WhenPolicyValidatorsRefactorDisabled_UsesSavePolicyCommand(
-        SutProvider<PoliciesController> sutProvider, Guid orgId,
-        SavePolicyRequest model, Policy policy, Guid userId)
-    {
-        // Arrange
-        policy.Data = null;
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .UserId
-            .Returns(userId);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationOwner(orgId)
-            .Returns(true);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(false);
-
-        sutProvider.GetDependency<ISavePolicyCommand>()
-            .VNextSaveAsync(Arg.Any<SavePolicyModel>())
-            .Returns(policy);
-
-        // Act
-        var result = await sutProvider.Sut.PutVNext(orgId, policy.Type, model);
-
-        // Assert
-        await sutProvider.GetDependency<ISavePolicyCommand>()
-            .Received(1)
-            .VNextSaveAsync(Arg.Is<SavePolicyModel>(
-                m => m.PolicyUpdate.OrganizationId == orgId &&
-                     m.PolicyUpdate.Type == policy.Type &&
-                     m.PolicyUpdate.Enabled == model.Policy.Enabled &&
-                     m.PerformedBy.UserId == userId &&
-                     m.PerformedBy.IsOrganizationOwnerOrProvider == true));
-
-        await sutProvider.GetDependency<IVNextSavePolicyCommand>()
-            .DidNotReceiveWithAnyArgs()
-            .SaveAsync(default);
-
-        Assert.NotNull(result);
-        Assert.Equal(policy.Id, result.Id);
-        Assert.Equal(policy.Type, result.Type);
-    }
 }

test/Api.Test/Dirt/HibpControllerTests.cs

@@ -0,0 +1,292 @@
+using System.Net;
+using System.Reflection;
+using Bit.Api.Dirt.Controllers;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Mvc;
+using NSubstitute;
+using Xunit;
+using GlobalSettings = Bit.Core.Settings.GlobalSettings;
+
+namespace Bit.Api.Test.Dirt;
+
+[ControllerCustomize(typeof(HibpController))]
+[SutProviderCustomize]
+public class HibpControllerTests : IDisposable
+{
+    private readonly HttpClient _originalHttpClient;
+    private readonly FieldInfo _httpClientField;
+
+    public HibpControllerTests()
+    {
+        // Store original HttpClient for restoration
+        _httpClientField = typeof(HibpController).GetField("_httpClient", BindingFlags.Static | BindingFlags.NonPublic);
+        _originalHttpClient = (HttpClient)_httpClientField?.GetValue(null);
+    }
+
+    public void Dispose()
+    {
+        // Restore original HttpClient after tests
+        _httpClientField?.SetValue(null, _originalHttpClient);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithMissingApiKey_ThrowsBadRequestException(
+        SutProvider<HibpController> sutProvider,
+        string username)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = null;
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            async () => await sutProvider.Sut.Get(username));
+        Assert.Equal("HaveIBeenPwned API key not set.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithValidApiKeyAndNoBreaches_Returns200WithEmptyArray(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        var user = new User { Id = userId };
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        // Mock HttpClient to return 404 (no breaches found)
+        var mockHttpClient = CreateMockHttpClient(HttpStatusCode.NotFound, "");
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act
+        var result = await sutProvider.Sut.Get(username);
+
+        // Assert
+        var contentResult = Assert.IsType<ContentResult>(result);
+        Assert.Equal("[]", contentResult.Content);
+        Assert.Equal("application/json", contentResult.ContentType);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithValidApiKeyAndBreachesFound_Returns200WithBreachData(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        var breachData = "[{\"Name\":\"Adobe\",\"Title\":\"Adobe\",\"Domain\":\"adobe.com\"}]";
+        var mockHttpClient = CreateMockHttpClient(HttpStatusCode.OK, breachData);
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act
+        var result = await sutProvider.Sut.Get(username);
+
+        // Assert
+        var contentResult = Assert.IsType<ContentResult>(result);
+        Assert.Equal(breachData, contentResult.Content);
+        Assert.Equal("application/json", contentResult.ContentType);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithRateLimiting_RetriesWithDelay(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        // First response is rate limited, second is success
+        var requestCount = 0;
+        var mockHandler = new MockHttpMessageHandler((request, cancellationToken) =>
+        {
+            requestCount++;
+            if (requestCount == 1)
+            {
+                var response = new HttpResponseMessage(HttpStatusCode.TooManyRequests);
+                response.Headers.Add("retry-after", "1");
+                return Task.FromResult(response);
+            }
+            else
+            {
+                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound)
+                {
+                    Content = new StringContent("")
+                });
+            }
+        });
+
+        var mockHttpClient = new HttpClient(mockHandler);
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act
+        var result = await sutProvider.Sut.Get(username);
+
+        // Assert
+        Assert.Equal(2, requestCount); // Verify retry happened
+        var contentResult = Assert.IsType<ContentResult>(result);
+        Assert.Equal("[]", contentResult.Content);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithServerError_ThrowsBadRequestException(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        var mockHttpClient = CreateMockHttpClient(HttpStatusCode.InternalServerError, "");
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            async () => await sutProvider.Sut.Get(username));
+        Assert.Contains("Request failed. Status code:", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_WithBadRequest_ThrowsBadRequestException(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        var mockHttpClient = CreateMockHttpClient(HttpStatusCode.BadRequest, "");
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            async () => await sutProvider.Sut.Get(username));
+        Assert.Contains("Request failed. Status code:", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Get_EncodesUsernameCorrectly(
+        SutProvider<HibpController> sutProvider,
+        Guid userId)
+    {
+        // Arrange
+        var usernameWithSpecialChars = "test+user@example.com";
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        string capturedUrl = null;
+        var mockHandler = new MockHttpMessageHandler((request, cancellationToken) =>
+        {
+            capturedUrl = request.RequestUri.ToString();
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound)
+            {
+                Content = new StringContent("")
+            });
+        });
+
+        var mockHttpClient = new HttpClient(mockHandler);
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act
+        await sutProvider.Sut.Get(usernameWithSpecialChars);
+
+        // Assert
+        Assert.NotNull(capturedUrl);
+        // Username should be URL encoded (+ becomes %2B, @ becomes %40)
+        Assert.Contains("test%2Buser%40example.com", capturedUrl);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SendAsync_IncludesRequiredHeaders(
+        SutProvider<HibpController> sutProvider,
+        string username,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>().HibpApiKey = "test-api-key";
+        sutProvider.GetDependency<GlobalSettings>().SelfHosted = false;
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<System.Security.Claims.ClaimsPrincipal>())
+            .Returns(userId);
+
+        HttpRequestMessage capturedRequest = null;
+        var mockHandler = new MockHttpMessageHandler((request, cancellationToken) =>
+        {
+            capturedRequest = request;
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound)
+            {
+                Content = new StringContent("")
+            });
+        });
+
+        var mockHttpClient = new HttpClient(mockHandler);
+        _httpClientField.SetValue(null, mockHttpClient);
+
+        // Act
+        await sutProvider.Sut.Get(username);
+
+        // Assert
+        Assert.NotNull(capturedRequest);
+        Assert.True(capturedRequest.Headers.Contains("hibp-api-key"));
+        Assert.True(capturedRequest.Headers.Contains("hibp-client-id"));
+        Assert.True(capturedRequest.Headers.Contains("User-Agent"));
+        Assert.Equal("Bitwarden", capturedRequest.Headers.GetValues("User-Agent").First());
+    }
+
+    /// <summary>
+    /// Helper to create a mock HttpClient that returns a specific status code and content
+    /// </summary>
+    private HttpClient CreateMockHttpClient(HttpStatusCode statusCode, string content)
+    {
+        var mockHandler = new MockHttpMessageHandler((request, cancellationToken) =>
+        {
+            return Task.FromResult(new HttpResponseMessage(statusCode)
+            {
+                Content = new StringContent(content)
+            });
+        });
+
+        return new HttpClient(mockHandler);
+    }
+}
+
+/// <summary>
+/// Mock HttpMessageHandler for testing HttpClient behavior
+/// </summary>
+public class MockHttpMessageHandler : HttpMessageHandler
+{
+    private readonly Func<HttpRequestMessage, CancellationToken, Task<HttpResponseMessage>> _sendAsync;
+
+    public MockHttpMessageHandler(Func<HttpRequestMessage, CancellationToken, Task<HttpResponseMessage>> sendAsync)
+    {
+        _sendAsync = sendAsync;
+    }
+
+    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        return _sendAsync(request, cancellationToken);
+    }
+}
+

test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs

@@ -14,7 +14,9 @@ using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Api.Request;
 using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Queries.Interfaces;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -362,4 +364,39 @@ public class AccountsKeyManagementControllerTests
         await sutProvider.GetDependency<IUserService>().Received(1)
             .ConvertToKeyConnectorAsync(Arg.Is(expectedUser));
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetKeyConnectorConfirmationDetailsAsync_NoUser_Throws(
+        SutProvider<AccountsKeyManagementController> sutProvider, string orgSsoIdentifier)
+    {
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .ReturnsNull();
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() =>
+            sutProvider.Sut.GetKeyConnectorConfirmationDetailsAsync(orgSsoIdentifier));
+
+        await sutProvider.GetDependency<IKeyConnectorConfirmationDetailsQuery>().ReceivedWithAnyArgs(0)
+            .Run(Arg.Any<string>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetKeyConnectorConfirmationDetailsAsync_Success(
+        SutProvider<AccountsKeyManagementController> sutProvider, User expectedUser, string orgSsoIdentifier)
+    {
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(expectedUser);
+        sutProvider.GetDependency<IKeyConnectorConfirmationDetailsQuery>().Run(orgSsoIdentifier, expectedUser.Id)
+            .Returns(
+                new KeyConnectorConfirmationDetails { OrganizationName = "test" }
+            );
+
+        var result = await sutProvider.Sut.GetKeyConnectorConfirmationDetailsAsync(orgSsoIdentifier);
+
+        Assert.NotNull(result);
+        Assert.Equal("test", result.OrganizationName);
+        await sutProvider.GetDependency<IKeyConnectorConfirmationDetailsQuery>().Received(1)
+            .Run(orgSsoIdentifier, expectedUser.Id);
+    }
 }

test/Api.Test/KeyManagement/Models/Request/SignatureKeyPairRequestModel.cs

@@ -1,6 +1,6 @@
 #nullable enable
 
-using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core.KeyManagement.Models.Api.Request;
 using Xunit;
 
 namespace Bit.Api.Test.KeyManagement.Models.Request;

test/Api.Test/SecretsManager/Controllers/SecretVersionsControllerTests.cs

@@ -0,0 +1,307 @@
+using Bit.Api.SecretsManager.Controllers;
+using Bit.Api.SecretsManager.Models.Request;
+using Bit.Core.Auth.Identity;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.SecretsManager.AutoFixture.SecretsFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.SecretsManager.Controllers;
+
+[ControllerCustomize(typeof(SecretVersionsController))]
+[SutProviderCustomize]
+[SecretCustomize]
+public class SecretVersionsControllerTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_SecretNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Guid secretId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secretId).Returns((Secret?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secretId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_NoAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(false);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_NoReadAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((false, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        List<SecretVersion> versions,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+        }
+        sutProvider.GetDependency<ISecretVersionRepository>().GetManyBySecretIdAsync(secret.Id).Returns(versions);
+
+        var result = await sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id);
+
+        Assert.Equal(versions.Count, result.Data.Count());
+        await sutProvider.GetDependency<ISecretVersionRepository>().Received(1)
+            .GetManyBySecretIdAsync(Arg.Is(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetById_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Guid versionId)
+    {
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(versionId).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByIdAsync(versionId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetById_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        SecretVersion version,
+        Secret secret,
+        Guid userId)
+    {
+        version.SecretId = secret.Id;
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(version.Id).Returns(version);
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        var result = await sutProvider.Sut.GetByIdAsync(version.Id);
+
+        Assert.Equal(version.Id, result.Id);
+        Assert.Equal(version.SecretId, result.SecretId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_NoWriteAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        version.SecretId = secret.Id;
+        request.VersionId = version.Id;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_VersionBelongsToDifferentSecret_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        version.SecretId = Guid.NewGuid(); // Different secret
+        request.VersionId = version.Id;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns(version);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId,
+        OrganizationUser organizationUser)
+    {
+        version.SecretId = secret.Id;
+        request.VersionId = version.Id;
+        var versionValue = version.Value;
+        organizationUser.OrganizationId = secret.OrganizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns(version);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(secret.OrganizationId, userId).Returns(organizationUser);
+        sutProvider.GetDependency<ISecretRepository>().UpdateAsync(Arg.Any<Secret>()).Returns(x => x.Arg<Secret>());
+
+        var result = await sutProvider.Sut.RestoreVersionAsync(secret.Id, request);
+
+        await sutProvider.GetDependency<ISecretRepository>().Received(1)
+            .UpdateAsync(Arg.Is<Secret>(s => s.Value == versionValue));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_EmptyIds_Throws(
+        SutProvider<SecretVersionsController> sutProvider)
+    {
+        await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(new List<Guid>()));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<Guid> ids)
+    {
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(ids[0]).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(ids));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_NoWriteAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<SecretVersion> versions,
+        Secret secret,
+        Guid userId)
+    {
+        var ids = versions.Select(v => v.Id).ToList();
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+            sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(version.Id).Returns(version);
+        }
+
+        sutProvider.GetDependency<ISecretRepository>().GetManyByIds(Arg.Any<IEnumerable<Guid>>())
+            .Returns(new List<Secret> { secret });
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(ids));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<SecretVersion> versions,
+        Secret secret,
+        Guid userId)
+    {
+        var ids = versions.Select(v => v.Id).ToList();
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+        }
+
+        sutProvider.GetDependency<ISecretVersionRepository>().GetManyByIdsAsync(ids).Returns(versions);
+        sutProvider.GetDependency<ISecretRepository>().GetManyByIds(Arg.Any<IEnumerable<Guid>>())
+            .Returns(new List<Secret> { secret });
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+
+        await sutProvider.Sut.BulkDeleteAsync(ids);
+
+        await sutProvider.GetDependency<ISecretVersionRepository>().Received(1)
+            .DeleteManyByIdAsync(Arg.Is<IEnumerable<Guid>>(x => x.SequenceEqual(ids)));
+    }
+}

test/Api.Test/SecretsManager/Controllers/SecretsControllerTests.cs

@@ -2,6 +2,7 @@
 using Bit.Api.SecretsManager.Controllers;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.Test.SecretsManager.Enums;
+using Bit.Core.Auth.Identity;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -244,6 +245,7 @@ public class SecretsControllerTests
     {
         data = SetupSecretUpdateRequest(data);
         SetControllerUser(sutProvider, new Guid());
+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
         sutProvider.GetDependency<IAuthorizationService>()
             .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Secret>(),
                 Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
@@ -602,6 +604,7 @@ public class SecretsControllerTests
     {
         data = SetupSecretUpdateRequest(data, true);
 
+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
         sutProvider.GetDependency<IAuthorizationService>()
             .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Secret>(),
                 Arg.Any<IEnumerable<IAuthorizationRequirement>>()).Returns(AuthorizationResult.Success());

test/Api.Test/Vault/Controllers/CiphersControllerTests.cs

@@ -79,7 +79,7 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, userId).ReturnsForAnyArgs(cipherDetails);
 
         sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByUserIdCipherIdAsync(userId, id).Returns((ICollection<CollectionCipher>)new List<CollectionCipher>());
-        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility() } });
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility { Id = cipherDetails.OrganizationId.Value } } });
         var cipherService = sutProvider.GetDependency<ICipherService>();
 
         await sutProvider.Sut.PutCollections_vNext(id, model);
@@ -95,7 +95,7 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(id, userId).ReturnsForAnyArgs(cipherDetails);
 
         sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByUserIdCipherIdAsync(userId, id).Returns((ICollection<CollectionCipher>)new List<CollectionCipher>());
-        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility() } });
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(new Dictionary<Guid, OrganizationAbility> { { cipherDetails.OrganizationId.Value, new OrganizationAbility { Id = cipherDetails.OrganizationId.Value } } });
 
         var result = await sutProvider.Sut.PutCollections_vNext(id, model);
 
@@ -1790,118 +1790,6 @@ public class CiphersControllerTests
         );
     }
 
-    [Theory, BitAutoData]
-    public async Task PutShareMany_ArchivedCipher_ThrowsBadRequestException(
-        Guid organizationId,
-        Guid userId,
-        CipherWithIdRequestModel request,
-        SutProvider<CiphersController> sutProvider)
-    {
-        request.EncryptedFor = userId;
-        request.OrganizationId = organizationId.ToString();
-        request.ArchivedDate = DateTime.UtcNow;
-        var model = new CipherBulkShareRequestModel
-        {
-            Ciphers = [request],
-            CollectionIds = [Guid.NewGuid().ToString()]
-        };
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationUser(organizationId)
-            .Returns(Task.FromResult(true));
-        sutProvider.GetDependency<IUserService>()
-            .GetProperUserId(default)
-            .ReturnsForAnyArgs(userId);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.PutShareMany(model)
-        );
-
-        Assert.Equal("Cannot move archived items to an organization.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PutShareMany_ExistingCipherArchived_ThrowsBadRequestException(
-        Guid organizationId,
-        Guid userId,
-        CipherWithIdRequestModel request,
-        SutProvider<CiphersController> sutProvider)
-    {
-        // Request model does not have ArchivedDate (only the existing cipher does)
-        request.EncryptedFor = userId;
-        request.OrganizationId = organizationId.ToString();
-        request.ArchivedDate = null;
-
-        var model = new CipherBulkShareRequestModel
-        {
-            Ciphers = [request],
-            CollectionIds = [Guid.NewGuid().ToString()]
-        };
-
-        // The existing cipher from the repository IS archived
-        var existingCipher = new CipherDetails
-        {
-            Id = request.Id!.Value,
-            UserId = userId,
-            Type = CipherType.Login,
-            Data = JsonSerializer.Serialize(new CipherLoginData()),
-            ArchivedDate = DateTime.UtcNow
-        };
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationUser(organizationId)
-            .Returns(Task.FromResult(true));
-        sutProvider.GetDependency<IUserService>()
-            .GetProperUserId(default)
-            .ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>()
-            .GetManyByUserIdAsync(userId, withOrganizations: false)
-            .Returns(Task.FromResult((ICollection<CipherDetails>)[existingCipher]));
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.PutShareMany(model)
-        );
-
-        Assert.Equal("Cannot move archived items to an organization.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task PutShare_ArchivedCipher_ThrowsBadRequestException(
-        Guid cipherId,
-        Guid organizationId,
-        User user,
-        CipherShareRequestModel model,
-        SutProvider<CiphersController> sutProvider)
-    {
-        model.Cipher.OrganizationId = organizationId.ToString();
-        model.Cipher.EncryptedFor = user.Id;
-
-        var cipher = new Cipher
-        {
-            Id = cipherId,
-            UserId = user.Id,
-            ArchivedDate = DateTime.UtcNow.AddDays(-1),
-            Type = CipherType.Login,
-            Data = JsonSerializer.Serialize(new CipherLoginData())
-        };
-
-        sutProvider.GetDependency<IUserService>()
-            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
-            .Returns(user);
-        sutProvider.GetDependency<ICipherRepository>()
-            .GetByIdAsync(cipherId)
-            .Returns(cipher);
-        sutProvider.GetDependency<ICurrentContext>()
-            .OrganizationUser(organizationId)
-            .Returns(Task.FromResult(true));
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.PutShare(cipherId, model)
-        );
-
-        Assert.Equal("Cannot move an archived item to an organization.", exception.Message);
-    }
-
     [Theory, BitAutoData]
     public async Task PostPurge_WhenUserNotFound_ThrowsUnauthorizedAccessException(
         SecretVerificationRequestModel model,
@@ -2021,4 +1909,237 @@ public class CiphersControllerTests
 
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostPurge(model, organizationId));
     }
+
+    [Theory, BitAutoData]
+    public async Task PutShare_WithNullFolderAndFalseFavorite_UpdatesFieldsCorrectly(
+        Guid cipherId,
+        Guid userId,
+        Guid organizationId,
+        Guid folderId,
+        SutProvider<CiphersController> sutProvider)
+    {
+        var user = new User { Id = userId };
+        var userIdKey = userId.ToString().ToUpperInvariant();
+
+        var existingCipher = new Cipher
+        {
+            Id = cipherId,
+            UserId = userId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            Folders = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, folderId.ToString().ToUpperInvariant() } }),
+            Favorites = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, true } })
+        };
+
+        // Clears folder and favorite when sharing
+        var model = new CipherShareRequestModel
+        {
+            Cipher = new CipherRequestModel
+            {
+                Type = CipherType.Login,
+                OrganizationId = organizationId.ToString(),
+                Name = "SharedCipher",
+                Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+                FolderId = null,
+                Favorite = false,
+                EncryptedFor = userId
+            },
+            CollectionIds = [Guid.NewGuid().ToString()]
+        };
+
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(user);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId)
+            .Returns(existingCipher);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(true);
+
+        var sharedCipher = new CipherDetails
+        {
+            Id = cipherId,
+            OrganizationId = organizationId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            FolderId = null,
+            Favorite = false
+        };
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId, userId)
+            .Returns(sharedCipher);
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                { organizationId, new OrganizationAbility { Id = organizationId } }
+            });
+
+        var result = await sutProvider.Sut.PutShare(cipherId, model);
+
+        Assert.Null(result.FolderId);
+        Assert.False(result.Favorite);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PutShare_WithFolderAndFavoriteSet_AddsUserSpecificFields(
+        Guid cipherId,
+        Guid userId,
+        Guid organizationId,
+        Guid folderId,
+        SutProvider<CiphersController> sutProvider)
+    {
+        var user = new User { Id = userId };
+        var userIdKey = userId.ToString().ToUpperInvariant();
+
+        var existingCipher = new Cipher
+        {
+            Id = cipherId,
+            UserId = userId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            Folders = null,
+            Favorites = null
+        };
+
+        // Sets folder and favorite when sharing
+        var model = new CipherShareRequestModel
+        {
+            Cipher = new CipherRequestModel
+            {
+                Type = CipherType.Login,
+                OrganizationId = organizationId.ToString(),
+                Name = "SharedCipher",
+                Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+                FolderId = folderId.ToString(),
+                Favorite = true,
+                EncryptedFor = userId
+            },
+            CollectionIds = [Guid.NewGuid().ToString()]
+        };
+
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(user);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId)
+            .Returns(existingCipher);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(true);
+
+        var sharedCipher = new CipherDetails
+        {
+            Id = cipherId,
+            OrganizationId = organizationId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            Folders = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, folderId.ToString().ToUpperInvariant() } }),
+            Favorites = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, true } }),
+            FolderId = folderId,
+            Favorite = true
+        };
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId, userId)
+            .Returns(sharedCipher);
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                { organizationId, new OrganizationAbility { Id = organizationId } }
+            });
+
+        var result = await sutProvider.Sut.PutShare(cipherId, model);
+
+        Assert.Equal(folderId, result.FolderId);
+        Assert.True(result.Favorite);
+    }
+
+    [Theory, BitAutoData]
+    public async Task PutShare_UpdateExistingFolderAndFavorite_UpdatesUserSpecificFields(
+        Guid cipherId,
+        Guid userId,
+        Guid organizationId,
+        Guid oldFolderId,
+        Guid newFolderId,
+        SutProvider<CiphersController> sutProvider)
+    {
+        var user = new User { Id = userId };
+        var userIdKey = userId.ToString().ToUpperInvariant();
+
+        // Existing cipher with old folder and not favorited
+        var existingCipher = new Cipher
+        {
+            Id = cipherId,
+            UserId = userId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            Folders = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, oldFolderId.ToString().ToUpperInvariant() } }),
+            Favorites = null
+        };
+
+        var model = new CipherShareRequestModel
+        {
+            Cipher = new CipherRequestModel
+            {
+                Type = CipherType.Login,
+                OrganizationId = organizationId.ToString(),
+                Name = "SharedCipher",
+                Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+                FolderId = newFolderId.ToString(),  // Update to new folder
+                Favorite = true,  // Add favorite
+                EncryptedFor = userId
+            },
+            CollectionIds = [Guid.NewGuid().ToString()]
+        };
+
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(user);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId)
+            .Returns(existingCipher);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationUser(organizationId)
+            .Returns(true);
+
+        var sharedCipher = new CipherDetails
+        {
+            Id = cipherId,
+            OrganizationId = organizationId,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new { Username = "test", Password = "test" }),
+            Folders = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, newFolderId.ToString().ToUpperInvariant() } }),
+            Favorites = JsonSerializer.Serialize(new Dictionary<string, object> { { userIdKey, true } }),
+            FolderId = newFolderId,
+            Favorite = true
+        };
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetByIdAsync(cipherId, userId)
+            .Returns(sharedCipher);
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                { organizationId, new OrganizationAbility { Id = organizationId } }
+            });
+
+        var result = await sutProvider.Sut.PutShare(cipherId, model);
+
+        Assert.Equal(newFolderId, result.FolderId);
+        Assert.True(result.Favorite);
+    }
 }

test/Billing.Test/Billing.Test.csproj

@@ -5,8 +5,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Divergic.Logging.Xunit" Version="4.3.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+    <PackageReference Include="Neovolve.Logging.Xunit" Version="6.3.0" />
     <PackageReference Include="RichardSzalay.MockHttp" Version="7.0.0" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">

test/Billing.Test/Controllers/BitPayControllerTests.cs

@@ -31,7 +31,7 @@ public class BitPayControllerTests
     private readonly IUserRepository _userRepository = Substitute.For<IUserRepository>();
     private readonly IProviderRepository _providerRepository = Substitute.For<IProviderRepository>();
     private readonly IMailService _mailService = Substitute.For<IMailService>();
-    private readonly IPaymentService _paymentService = Substitute.For<IPaymentService>();
+    private readonly IStripePaymentService _paymentService = Substitute.For<IStripePaymentService>();
 
     private readonly IPremiumUserBillingService _premiumUserBillingService =
         Substitute.For<IPremiumUserBillingService>();

test/Billing.Test/Controllers/PayPalControllerTests.cs

@@ -8,13 +8,13 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Divergic.Logging.Xunit;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Infrastructure;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
+using Neovolve.Logging.Xunit;
 using NSubstitute;
 using NSubstitute.ReturnsExtensions;
 using Xunit;
@@ -23,14 +23,12 @@ using Transaction = Bit.Core.Entities.Transaction;
 
 namespace Bit.Billing.Test.Controllers;
 
-public class PayPalControllerTests
+public class PayPalControllerTests(ITestOutputHelper testOutputHelper)
 {
-    private readonly ITestOutputHelper _testOutputHelper;
-
     private readonly IOptions<BillingSettings> _billingSettings = Substitute.For<IOptions<BillingSettings>>();
     private readonly IMailService _mailService = Substitute.For<IMailService>();
     private readonly IOrganizationRepository _organizationRepository = Substitute.For<IOrganizationRepository>();
-    private readonly IPaymentService _paymentService = Substitute.For<IPaymentService>();
+    private readonly IStripePaymentService _paymentService = Substitute.For<IStripePaymentService>();
     private readonly ITransactionRepository _transactionRepository = Substitute.For<ITransactionRepository>();
     private readonly IUserRepository _userRepository = Substitute.For<IUserRepository>();
     private readonly IProviderRepository _providerRepository = Substitute.For<IProviderRepository>();
@@ -38,15 +36,10 @@ public class PayPalControllerTests
 
     private const string _defaultWebhookKey = "webhook-key";
 
-    public PayPalControllerTests(ITestOutputHelper testOutputHelper)
-    {
-        _testOutputHelper = testOutputHelper;
-    }
-
     [Fact]
     public async Task PostIpn_NullKey_BadRequest()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         var controller = ConfigureControllerContextWith(logger, null, null);
 
@@ -60,7 +53,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_IncorrectKey_BadRequest()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -79,7 +72,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_EmptyIPNBody_BadRequest()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -98,7 +91,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_IPNHasNoEntityId_BadRequest()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -119,15 +112,13 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_OtherTransactionType_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
             PayPal = { WebhookKey = _defaultWebhookKey }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.UnsupportedTransactionType);
 
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
@@ -142,7 +133,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_MismatchedReceiverID_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -153,8 +144,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.SuccessfulPayment);
 
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
@@ -169,7 +158,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_RefundMissingParent_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -180,8 +169,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.RefundMissingParentTransaction);
 
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
@@ -196,7 +183,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_eCheckPayment_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -207,8 +194,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.ECheckPayment);
 
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
@@ -223,7 +208,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_NonUSD_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -234,8 +219,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.NonUSDPayment);
 
         var controller = ConfigureControllerContextWith(logger, _defaultWebhookKey, ipnBody);
@@ -250,7 +233,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Completed_ExistingTransaction_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -261,8 +244,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.SuccessfulPayment);
 
         _transactionRepository.GetByGatewayIdAsync(
@@ -281,7 +262,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Completed_CreatesTransaction_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -292,8 +273,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.SuccessfulPayment);
 
         _transactionRepository.GetByGatewayIdAsync(
@@ -314,7 +293,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Completed_CreatesTransaction_CreditsOrganizationAccount_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -362,7 +341,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Completed_CreatesTransaction_CreditsUserAccount_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -406,7 +385,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Refunded_ExistingTransaction_Unprocessed_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -417,8 +396,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.SuccessfulRefund);
 
         _transactionRepository.GetByGatewayIdAsync(
@@ -441,7 +418,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Refunded_MissingParentTransaction_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -452,8 +429,6 @@ public class PayPalControllerTests
             }
         });
 
-        var organizationId = new Guid("ca8c6f2b-2d7b-4639-809f-b0e5013a304e");
-
         var ipnBody = await PayPalTestIPN.GetAsync(IPNBody.SuccessfulRefund);
 
         _transactionRepository.GetByGatewayIdAsync(
@@ -480,7 +455,7 @@ public class PayPalControllerTests
     [Fact]
     public async Task PostIpn_Refunded_ReplacesParent_CreatesTransaction_Ok()
     {
-        var logger = _testOutputHelper.BuildLoggerFor<PayPalController>();
+        var logger = testOutputHelper.BuildLoggerFor<PayPalController>();
 
         _billingSettings.Value.Returns(new BillingSettings
         {
@@ -531,8 +506,8 @@ public class PayPalControllerTests
 
     private PayPalController ConfigureControllerContextWith(
         ILogger<PayPalController> logger,
-        string webhookKey,
-        string ipnBody)
+        string? webhookKey,
+        string? ipnBody)
     {
         var controller = new PayPalController(
             _billingSettings,
@@ -578,16 +553,16 @@ public class PayPalControllerTests
         Assert.Equal(statusCode, statusCodeActionResult.StatusCode);
     }
 
-    private static void Logged(ICacheLogger logger, LogLevel logLevel, string message)
+    private static void Logged(ICacheLogger<PayPalController> logger, LogLevel logLevel, string message)
     {
         Assert.NotNull(logger.Last);
         Assert.Equal(logLevel, logger.Last!.LogLevel);
         Assert.Equal(message, logger.Last!.Message);
     }
 
-    private static void LoggedError(ICacheLogger logger, string message)
+    private static void LoggedError(ICacheLogger<PayPalController> logger, string message)
         => Logged(logger, LogLevel.Error, message);
 
-    private static void LoggedWarning(ICacheLogger logger, string message)
+    private static void LoggedWarning(ICacheLogger<PayPalController> logger, string message)
         => Logged(logger, LogLevel.Warning, message);
 }

test/Billing.Test/Jobs/SubscriptionCancellationJobTests.cs

@@ -0,0 +1,388 @@
+using Bit.Billing.Constants;
+using Bit.Billing.Jobs;
+using Bit.Billing.Services;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Repositories;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using Quartz;
+using Stripe;
+using Xunit;
+
+namespace Bit.Billing.Test.Jobs;
+
+public class SubscriptionCancellationJobTests
+{
+    private readonly IStripeFacade _stripeFacade;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly SubscriptionCancellationJob _sut;
+
+    public SubscriptionCancellationJobTests()
+    {
+        _stripeFacade = Substitute.For<IStripeFacade>();
+        _organizationRepository = Substitute.For<IOrganizationRepository>();
+        _sut = new SubscriptionCancellationJob(_stripeFacade, _organizationRepository, Substitute.For<ILogger<SubscriptionCancellationJob>>());
+    }
+
+    [Fact]
+    public async Task Execute_OrganizationIsNull_SkipsCancellation()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        _organizationRepository.GetByIdAsync(organizationId).Returns((Organization)null);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.DidNotReceiveWithAnyArgs().GetSubscription(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
+        await _stripeFacade.DidNotReceiveWithAnyArgs().CancelSubscription(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_OrganizationIsEnabled_SkipsCancellation()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = true
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.DidNotReceiveWithAnyArgs().GetSubscription(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
+        await _stripeFacade.DidNotReceiveWithAnyArgs().CancelSubscription(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_SubscriptionStatusIsNotUnpaid_SkipsCancellation()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Active,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_cycle"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.DidNotReceive().CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_BillingReasonIsInvalid_SkipsCancellation()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "manual"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.DidNotReceive().CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_ValidConditions_CancelsSubscriptionAndVoidsInvoices()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_cycle"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        var invoices = new StripeList<Invoice>
+        {
+            Data =
+            [
+                new Invoice { Id = "inv_1" },
+                new Invoice { Id = "inv_2" }
+            ],
+            HasMore = false
+        };
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>()).Returns(invoices);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.Received(1).CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.Received(1).VoidInvoice("inv_1");
+        await _stripeFacade.Received(1).VoidInvoice("inv_2");
+    }
+
+    [Fact]
+    public async Task Execute_WithSubscriptionCreateBillingReason_CancelsSubscription()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_create"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        var invoices = new StripeList<Invoice>
+        {
+            Data = [],
+            HasMore = false
+        };
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>()).Returns(invoices);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.Received(1).CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_NoOpenInvoices_CancelsSubscriptionOnly()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_cycle"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        var invoices = new StripeList<Invoice>
+        {
+            Data = [],
+            HasMore = false
+        };
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>()).Returns(invoices);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.Received(1).CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.DidNotReceiveWithAnyArgs().VoidInvoice(Arg.Any<string>());
+    }
+
+    [Fact]
+    public async Task Execute_WithPagination_VoidsAllInvoices()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_cycle"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        // First page of invoices
+        var firstPage = new StripeList<Invoice>
+        {
+            Data =
+            [
+                new Invoice { Id = "inv_1" },
+                new Invoice { Id = "inv_2" }
+            ],
+            HasMore = true
+        };
+
+        // Second page of invoices
+        var secondPage = new StripeList<Invoice>
+        {
+            Data =
+            [
+                new Invoice { Id = "inv_3" },
+                new Invoice { Id = "inv_4" }
+            ],
+            HasMore = false
+        };
+
+        _stripeFacade.ListInvoices(Arg.Is<InvoiceListOptions>(o => o.StartingAfter == null))
+            .Returns(firstPage);
+        _stripeFacade.ListInvoices(Arg.Is<InvoiceListOptions>(o => o.StartingAfter == "inv_2"))
+            .Returns(secondPage);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.Received(1).CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.Received(1).VoidInvoice("inv_1");
+        await _stripeFacade.Received(1).VoidInvoice("inv_2");
+        await _stripeFacade.Received(1).VoidInvoice("inv_3");
+        await _stripeFacade.Received(1).VoidInvoice("inv_4");
+        await _stripeFacade.Received(2).ListInvoices(Arg.Any<InvoiceListOptions>());
+    }
+
+    [Fact]
+    public async Task Execute_ListInvoicesCalledWithCorrectOptions()
+    {
+        // Arrange
+        const string subscriptionId = "sub_123";
+        var organizationId = Guid.NewGuid();
+        var context = CreateJobExecutionContext(subscriptionId, organizationId);
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Enabled = false
+        };
+        _organizationRepository.GetByIdAsync(organizationId).Returns(organization);
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            LatestInvoice = new Invoice
+            {
+                BillingReason = "subscription_cycle"
+            }
+        };
+        _stripeFacade.GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")))
+            .Returns(subscription);
+
+        var invoices = new StripeList<Invoice>
+        {
+            Data = [],
+            HasMore = false
+        };
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>()).Returns(invoices);
+
+        // Act
+        await _sut.Execute(context);
+
+        // Assert
+        await _stripeFacade.Received(1).GetSubscription(subscriptionId, Arg.Is<SubscriptionGetOptions>(o => o.Expand.Contains("latest_invoice")));
+        await _stripeFacade.Received(1).ListInvoices(Arg.Is<InvoiceListOptions>(o =>
+            o.Status == "open" &&
+            o.Subscription == subscriptionId &&
+            o.Limit == 100));
+    }
+
+    private static IJobExecutionContext CreateJobExecutionContext(string subscriptionId, Guid organizationId)
+    {
+        var context = Substitute.For<IJobExecutionContext>();
+        var jobDataMap = new JobDataMap
+        {
+            { "subscriptionId", subscriptionId },
+            { "organizationId", organizationId.ToString() }
+        };
+        context.MergedJobDataMap.Returns(jobDataMap);
+        return context;
+    }
+}

test/Billing.Test/Services/SetupIntentSucceededHandlerTests.cs

@@ -4,8 +4,8 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Caches;
+using Bit.Core.Billing.Services;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using NSubstitute;
 using Stripe;
 using Xunit;
@@ -61,7 +61,7 @@ public class SetupIntentSucceededHandlerTests
 
         // Assert
         await _setupIntentCache.DidNotReceiveWithAnyArgs().GetSubscriberIdForSetupIntent(Arg.Any<string>());
-        await _stripeAdapter.DidNotReceiveWithAnyArgs().PaymentMethodAttachAsync(
+        await _stripeAdapter.DidNotReceiveWithAnyArgs().AttachPaymentMethodAsync(
             Arg.Any<string>(), Arg.Any<PaymentMethodAttachOptions>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Organization>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Provider>());
@@ -86,7 +86,7 @@ public class SetupIntentSucceededHandlerTests
         await _handler.HandleAsync(_mockEvent);
 
         // Assert
-        await _stripeAdapter.DidNotReceiveWithAnyArgs().PaymentMethodAttachAsync(
+        await _stripeAdapter.DidNotReceiveWithAnyArgs().AttachPaymentMethodAsync(
             Arg.Any<string>(), Arg.Any<PaymentMethodAttachOptions>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Organization>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Provider>());
@@ -116,7 +116,7 @@ public class SetupIntentSucceededHandlerTests
         await _handler.HandleAsync(_mockEvent);
 
         // Assert
-        await _stripeAdapter.Received(1).PaymentMethodAttachAsync(
+        await _stripeAdapter.Received(1).AttachPaymentMethodAsync(
             "pm_test",
             Arg.Is<PaymentMethodAttachOptions>(o => o.Customer == organization.GatewayCustomerId));
 
@@ -151,7 +151,7 @@ public class SetupIntentSucceededHandlerTests
         await _handler.HandleAsync(_mockEvent);
 
         // Assert
-        await _stripeAdapter.Received(1).PaymentMethodAttachAsync(
+        await _stripeAdapter.Received(1).AttachPaymentMethodAsync(
             "pm_test",
             Arg.Is<PaymentMethodAttachOptions>(o => o.Customer == provider.GatewayCustomerId));
 
@@ -183,7 +183,7 @@ public class SetupIntentSucceededHandlerTests
         await _handler.HandleAsync(_mockEvent);
 
         // Assert
-        await _stripeAdapter.DidNotReceiveWithAnyArgs().PaymentMethodAttachAsync(
+        await _stripeAdapter.DidNotReceiveWithAnyArgs().AttachPaymentMethodAsync(
             Arg.Any<string>(), Arg.Any<PaymentMethodAttachOptions>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Organization>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Provider>());
@@ -216,7 +216,7 @@ public class SetupIntentSucceededHandlerTests
         await _handler.HandleAsync(_mockEvent);
 
         // Assert
-        await _stripeAdapter.DidNotReceiveWithAnyArgs().PaymentMethodAttachAsync(
+        await _stripeAdapter.DidNotReceiveWithAnyArgs().AttachPaymentMethodAsync(
             Arg.Any<string>(), Arg.Any<PaymentMethodAttachOptions>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Organization>());
         await _pushNotificationAdapter.DidNotReceiveWithAnyArgs().NotifyBankAccountVerifiedAsync(Arg.Any<Provider>());

test/Billing.Test/Services/SubscriptionUpdatedHandlerTests.cs

@@ -1,7 +1,6 @@
 using Bit.Billing.Constants;
 using Bit.Billing.Services;
 using Bit.Billing.Services.Implementations;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
@@ -21,6 +20,8 @@ using Quartz;
 using Stripe;
 using Xunit;
 using Event = Stripe.Event;
+using PremiumPlan = Bit.Core.Billing.Pricing.Premium.Plan;
+using PremiumPurchasable = Bit.Core.Billing.Pricing.Premium.Purchasable;
 
 namespace Bit.Billing.Test.Services;
 
@@ -126,79 +127,6 @@ public class SubscriptionUpdatedHandlerTests
             Arg.Is<ITrigger>(t => t.Key.Name == $"cancel-trigger-{subscriptionId}"));
     }
 
-    [Fact]
-    public async Task
-        HandleAsync_UnpaidProviderSubscription_WithManualSuspensionViaMetadata_DisablesProviderAndSchedulesCancellation()
-    {
-        // Arrange
-        var providerId = Guid.NewGuid();
-        var subscriptionId = "sub_test123";
-
-        var previousSubscription = new Subscription
-        {
-            Id = subscriptionId,
-            Status = StripeSubscriptionStatus.Active,
-            Metadata = new Dictionary<string, string>
-            {
-                ["suspend_provider"] = null // This is the key part - metadata exists, but value is null
-            }
-        };
-
-        var currentSubscription = new Subscription
-        {
-            Id = subscriptionId,
-            Status = StripeSubscriptionStatus.Unpaid,
-            Items = new StripeList<SubscriptionItem>
-            {
-                Data =
-                [
-                    new SubscriptionItem { CurrentPeriodEnd = DateTime.UtcNow.AddDays(30) }
-                ]
-            },
-            Metadata = new Dictionary<string, string>
-            {
-                ["providerId"] = providerId.ToString(),
-                ["suspend_provider"] = "true" // Now has a value, indicating manual suspension
-            },
-            TestClock = null
-        };
-
-        var parsedEvent = new Event
-        {
-            Id = "evt_test123",
-            Type = HandledStripeWebhook.SubscriptionUpdated,
-            Data = new EventData
-            {
-                Object = currentSubscription,
-                PreviousAttributes = JObject.FromObject(previousSubscription)
-            }
-        };
-
-        var provider = new Provider { Id = providerId, Enabled = true };
-
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover).Returns(true);
-        _stripeEventService.GetSubscription(parsedEvent, true, Arg.Any<List<string>>()).Returns(currentSubscription);
-        _stripeEventUtilityService.GetIdsFromMetadata(currentSubscription.Metadata)
-            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
-        _providerRepository.GetByIdAsync(providerId).Returns(provider);
-
-        // Act
-        await _sut.HandleAsync(parsedEvent);
-
-        // Assert
-        Assert.False(provider.Enabled);
-        await _providerService.Received(1).UpdateAsync(provider);
-
-        // Verify that UpdateSubscription was called with both CancelAt and the new metadata
-        await _stripeFacade.Received(1).UpdateSubscription(
-            subscriptionId,
-            Arg.Is<SubscriptionUpdateOptions>(options =>
-                options.CancelAt.HasValue &&
-                options.CancelAt.Value <= DateTime.UtcNow.AddDays(7).AddMinutes(1) &&
-                options.Metadata != null &&
-                options.Metadata.ContainsKey("suspended_provider_via_webhook_at")));
-    }
-
     [Fact]
     public async Task
         HandleAsync_UnpaidProviderSubscription_WithValidTransition_DisablesProviderAndSchedulesCancellation()
@@ -243,7 +171,6 @@ public class SubscriptionUpdatedHandlerTests
 
         var provider = new Provider { Id = providerId, Enabled = true };
 
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover).Returns(true);
         _stripeEventService.GetSubscription(parsedEvent, true, Arg.Any<List<string>>()).Returns(currentSubscription);
         _stripeEventUtilityService.GetIdsFromMetadata(currentSubscription.Metadata)
             .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
@@ -256,13 +183,12 @@ public class SubscriptionUpdatedHandlerTests
         Assert.False(provider.Enabled);
         await _providerService.Received(1).UpdateAsync(provider);
 
-        // Verify that UpdateSubscription was called with CancelAt but WITHOUT suspension metadata
+        // Verify that UpdateSubscription was called with CancelAt
         await _stripeFacade.Received(1).UpdateSubscription(
             subscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options =>
                 options.CancelAt.HasValue &&
-                options.CancelAt.Value <= DateTime.UtcNow.AddDays(7).AddMinutes(1) &&
-                (options.Metadata == null || !options.Metadata.ContainsKey("suspended_provider_via_webhook_at"))));
+                options.CancelAt.Value <= DateTime.UtcNow.AddDays(7).AddMinutes(1)));
     }
 
     [Fact]
@@ -306,9 +232,6 @@ public class SubscriptionUpdatedHandlerTests
         _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
             .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
 
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
-
         _providerRepository.GetByIdAsync(providerId)
             .Returns(provider);
 
@@ -353,9 +276,6 @@ public class SubscriptionUpdatedHandlerTests
         _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
             .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
 
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
-
         _providerRepository.GetByIdAsync(providerId)
             .Returns(provider);
 
@@ -401,9 +321,6 @@ public class SubscriptionUpdatedHandlerTests
         _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
             .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
 
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
-
         _providerRepository.GetByIdAsync(providerId)
             .Returns(provider);
 
@@ -416,48 +333,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade.DidNotReceive().UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
     }
 
-    [Fact]
-    public async Task HandleAsync_UnpaidProviderSubscription_WhenFeatureFlagDisabled_DoesNothing()
-    {
-        // Arrange
-        var providerId = Guid.NewGuid();
-        var subscriptionId = "sub_123";
-        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
-
-        var subscription = new Subscription
-        {
-            Id = subscriptionId,
-            Status = StripeSubscriptionStatus.Unpaid,
-            Items = new StripeList<SubscriptionItem>
-            {
-                Data =
-                [
-                    new SubscriptionItem { CurrentPeriodEnd = currentPeriodEnd }
-                ]
-            },
-            Metadata = new Dictionary<string, string> { { "providerId", providerId.ToString() } },
-            LatestInvoice = new Invoice { BillingReason = "subscription_cycle" }
-        };
-
-        var parsedEvent = new Event { Data = new EventData() };
-
-        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
-            .Returns(subscription);
-
-        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
-            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
-
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(false);
-
-        // Act
-        await _sut.HandleAsync(parsedEvent);
-
-        // Assert
-        await _providerRepository.DidNotReceive().GetByIdAsync(Arg.Any<Guid>());
-        await _providerService.DidNotReceive().UpdateAsync(Arg.Any<Provider>());
-    }
-
     [Fact]
     public async Task HandleAsync_UnpaidProviderSubscription_WhenProviderNotFound_DoesNothing()
     {
@@ -489,9 +364,6 @@ public class SubscriptionUpdatedHandlerTests
         _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
             .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, providerId));
 
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
-
         _providerRepository.GetByIdAsync(providerId)
             .Returns((Provider)null);
 
@@ -530,6 +402,75 @@ public class SubscriptionUpdatedHandlerTests
 
         var parsedEvent = new Event { Data = new EventData() };
 
+        var premiumPlan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new PremiumPurchasable { Price = 10M, StripePriceId = IStripeEventUtilityService.PremiumPlanId },
+            Storage = new PremiumPurchasable { Price = 4M, StripePriceId = "storage-plan-personal" }
+        };
+        _pricingClient.ListPremiumPlans().Returns(new List<PremiumPlan> { premiumPlan });
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>())
+            .Returns(new StripeList<Invoice> { Data = new List<Invoice>() });
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _userService.Received(1)
+            .DisablePremiumAsync(userId, currentPeriodEnd);
+        await _stripeFacade.Received(1)
+            .CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.Received(1)
+            .ListInvoices(Arg.Is<InvoiceListOptions>(o =>
+                o.Status == StripeInvoiceStatus.Open && o.Subscription == subscriptionId));
+    }
+
+    [Fact]
+    public async Task HandleAsync_IncompleteExpiredUserSubscription_DisablesPremiumAndCancelsSubscription()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var subscriptionId = "sub_123";
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.IncompleteExpired,
+            Metadata = new Dictionary<string, string> { { "userId", userId.ToString() } },
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem
+                    {
+                        CurrentPeriodEnd = currentPeriodEnd,
+                        Price = new Price { Id = IStripeEventUtilityService.PremiumPlanId }
+                    }
+                ]
+            }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        var premiumPlan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new PremiumPurchasable { Price = 10M, StripePriceId = IStripeEventUtilityService.PremiumPlanId },
+            Storage = new PremiumPurchasable { Price = 4M, StripePriceId = "storage-plan-personal" }
+        };
+        _pricingClient.ListPremiumPlans().Returns(new List<PremiumPlan> { premiumPlan });
+
         _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
             .Returns(subscription);
 
@@ -695,7 +636,7 @@ public class SubscriptionUpdatedHandlerTests
                     new SubscriptionItem
                     {
                         CurrentPeriodEnd = DateTime.UtcNow.AddDays(10),
-                        Plan = new Plan { Id = "2023-enterprise-org-seat-annually" }
+                        Plan = new Stripe.Plan { Id = "2023-enterprise-org-seat-annually" }
                     }
                 ]
             },
@@ -729,7 +670,7 @@ public class SubscriptionUpdatedHandlerTests
                     {
                         Data =
                         [
-                            new SubscriptionItem { Plan = new Plan { Id = "secrets-manager-enterprise-seat-annually" } }
+                            new SubscriptionItem { Plan = new Stripe.Plan { Id = "secrets-manager-enterprise-seat-annually" } }
                         ]
                     }
                 })
@@ -777,8 +718,6 @@ public class SubscriptionUpdatedHandlerTests
         _stripeFacade
             .UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
             .Returns(newSubscription);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -800,9 +739,6 @@ public class SubscriptionUpdatedHandlerTests
             .Received(1)
             .UpdateSubscription(newSubscription.Id,
                 Arg.Is<SubscriptionUpdateOptions>(options => options.CancelAtPeriodEnd == false));
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -823,8 +759,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .Returns(provider);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -843,9 +777,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceiveWithAnyArgs()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -866,8 +797,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .Returns(provider);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -886,9 +815,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceiveWithAnyArgs()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -909,8 +835,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .Returns(provider);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -929,9 +853,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceiveWithAnyArgs()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -953,8 +874,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .Returns(provider);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -975,9 +894,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceiveWithAnyArgs()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -997,8 +913,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .ReturnsNull();
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -1019,9 +933,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceive()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     [Fact]
@@ -1040,8 +951,6 @@ public class SubscriptionUpdatedHandlerTests
         _providerRepository
             .GetByIdAsync(Arg.Any<Guid>())
             .Returns(provider);
-        _featureService.IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover)
-            .Returns(true);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -1062,9 +971,6 @@ public class SubscriptionUpdatedHandlerTests
         await _stripeFacade
             .DidNotReceive()
             .UpdateSubscription(Arg.Any<string>());
-        _featureService
-            .Received(1)
-            .IsEnabled(FeatureFlagKeys.PM21821_ProviderPortalTakeover);
     }
 
     private static (Guid providerId, Subscription newSubscription, Provider provider, Event parsedEvent)
@@ -1098,6 +1004,134 @@ public class SubscriptionUpdatedHandlerTests
         return (providerId, newSubscription, provider, parsedEvent);
     }
 
+    [Fact]
+    public async Task HandleAsync_IncompleteUserSubscriptionWithOpenInvoice_CancelsSubscriptionAndDisablesPremium()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var subscriptionId = "sub_123";
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var openInvoice = new Invoice
+        {
+            Id = "inv_123",
+            Status = StripeInvoiceStatus.Open
+        };
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Incomplete,
+            Metadata = new Dictionary<string, string> { { "userId", userId.ToString() } },
+            LatestInvoice = openInvoice,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem
+                    {
+                        CurrentPeriodEnd = currentPeriodEnd,
+                        Price = new Price { Id = IStripeEventUtilityService.PremiumPlanId }
+                    }
+                ]
+            }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        var premiumPlan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new PremiumPurchasable { Price = 10M, StripePriceId = IStripeEventUtilityService.PremiumPlanId },
+            Storage = new PremiumPurchasable { Price = 4M, StripePriceId = "storage-plan-personal" }
+        };
+        _pricingClient.ListPremiumPlans().Returns(new List<PremiumPlan> { premiumPlan });
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>())
+            .Returns(new StripeList<Invoice> { Data = new List<Invoice> { openInvoice } });
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _userService.Received(1)
+            .DisablePremiumAsync(userId, currentPeriodEnd);
+        await _stripeFacade.Received(1)
+            .CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.Received(1)
+            .ListInvoices(Arg.Is<InvoiceListOptions>(o =>
+                o.Status == StripeInvoiceStatus.Open && o.Subscription == subscriptionId));
+        await _stripeFacade.Received(1)
+            .VoidInvoice(openInvoice.Id);
+    }
+
+    [Fact]
+    public async Task HandleAsync_IncompleteUserSubscriptionWithoutOpenInvoice_DoesNotCancelSubscription()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var subscriptionId = "sub_123";
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var paidInvoice = new Invoice
+        {
+            Id = "inv_123",
+            Status = StripeInvoiceStatus.Paid
+        };
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Incomplete,
+            Metadata = new Dictionary<string, string> { { "userId", userId.ToString() } },
+            LatestInvoice = paidInvoice,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem
+                    {
+                        CurrentPeriodEnd = currentPeriodEnd,
+                        Price = new Price { Id = IStripeEventUtilityService.PremiumPlanId }
+                    }
+                ]
+            }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        var premiumPlan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new PremiumPurchasable { Price = 10M, StripePriceId = IStripeEventUtilityService.PremiumPlanId },
+            Storage = new PremiumPurchasable { Price = 4M, StripePriceId = "storage-plan-personal" }
+        };
+        _pricingClient.ListPremiumPlans().Returns(new List<PremiumPlan> { premiumPlan });
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _userService.DidNotReceive()
+            .DisablePremiumAsync(Arg.Any<Guid>(), Arg.Any<DateTime?>());
+        await _stripeFacade.DidNotReceive()
+            .CancelSubscription(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.DidNotReceive()
+            .ListInvoices(Arg.Any<InvoiceListOptions>());
+    }
+
     public static IEnumerable<object[]> GetNonActiveSubscriptions()
     {
         return new List<object[]>

test/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs

@@ -11,7 +11,9 @@ using Bit.Core.Billing.Payment.Queries;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Pricing.Premium;
 using Bit.Core.Entities;
+using Bit.Core.Models.Mail.Billing.Renewal.Families2019Renewal;
 using Bit.Core.Models.Mail.Billing.Renewal.Families2020Renewal;
+using Bit.Core.Models.Mail.Billing.Renewal.Premium;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Platform.Mail.Mailer;
 using Bit.Core.Repositories;
@@ -252,6 +254,9 @@ public class UpcomingInvoiceHandlerTests
             .IsEnabled(FeatureFlagKeys.PM23341_Milestone_2)
             .Returns(true);
 
+        var coupon = new Coupon { PercentOff = 20, Id = CouponIDs.Milestone2SubscriptionDiscount };
+
+        _stripeFacade.GetCoupon(CouponIDs.Milestone2SubscriptionDiscount).Returns(coupon);
 
         // Act
         await _sut.HandleAsync(parsedEvent);
@@ -259,6 +264,7 @@ public class UpcomingInvoiceHandlerTests
         // Assert
         await _userRepository.Received(1).GetByIdAsync(_userId);
         await _pricingClient.Received(1).GetAvailablePremiumPlan();
+        await _stripeFacade.Received(1).GetCoupon(CouponIDs.Milestone2SubscriptionDiscount);
         await _stripeFacade.Received(1).UpdateSubscription(
             Arg.Is("sub_123"),
             Arg.Is<SubscriptionUpdateOptions>(o =>
@@ -268,11 +274,15 @@ public class UpcomingInvoiceHandlerTests
                 o.ProrationBehavior == "none"));
 
         // Verify the updated invoice email was sent with correct price
+        var discountedPrice = plan.Seat.Price * (100 - coupon.PercentOff.Value) / 100;
         await _mailer.Received(1).SendEmail(
-            Arg.Is<Families2020RenewalMail>(email =>
+            Arg.Is<PremiumRenewalMail>(email =>
                 email.ToEmails.Contains("user@example.com") &&
-                email.Subject == "Your Bitwarden Families renewal is updating" &&
-                email.View.MonthlyRenewalPrice == (plan.Seat.Price / 12).ToString("C", new CultureInfo("en-US"))));
+                email.Subject == "Your Bitwarden Premium renewal is updating" &&
+                email.View.BaseMonthlyRenewalPrice == (plan.Seat.Price / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountedMonthlyRenewalPrice == (discountedPrice / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == $"{coupon.PercentOff}%"
+            ));
     }
 
     [Fact]
@@ -1006,8 +1016,11 @@ public class UpcomingInvoiceHandlerTests
             PlanType = PlanType.FamiliesAnnually2019
         };
 
+        var coupon = new Coupon { PercentOff = 25, Id = CouponIDs.Milestone3SubscriptionDiscount };
+
         _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
         _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns(coupon);
         _stripeEventUtilityService
             .GetIdsFromMetadata(subscription.Metadata)
             .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
@@ -1033,6 +1046,8 @@ public class UpcomingInvoiceHandlerTests
                 o.Discounts[0].Coupon == CouponIDs.Milestone3SubscriptionDiscount &&
                 o.ProrationBehavior == ProrationBehavior.None));
 
+        await _stripeFacade.Received(1).GetCoupon(CouponIDs.Milestone3SubscriptionDiscount);
+
         await _organizationRepository.Received(1).ReplaceAsync(
             Arg.Is<Organization>(org =>
                 org.Id == _organizationId &&
@@ -1042,10 +1057,13 @@ public class UpcomingInvoiceHandlerTests
                 org.Seats == familiesPlan.PasswordManager.BaseSeats));
 
         await _mailer.Received(1).SendEmail(
-            Arg.Is<Families2020RenewalMail>(email =>
+            Arg.Is<Families2019RenewalMail>(email =>
                 email.ToEmails.Contains("org@example.com") &&
                 email.Subject == "Your Bitwarden Families renewal is updating" &&
-                email.View.MonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US"))));
+                email.View.BaseMonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.BaseAnnualRenewalPrice == familiesPlan.PasswordManager.BasePrice.ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == $"{coupon.PercentOff}%"
+                ));
     }
 
     [Fact]
@@ -1465,6 +1483,200 @@ public class UpcomingInvoiceHandlerTests
         await _mailer.DidNotReceive().SendEmail(Arg.Any<Families2020RenewalMail>());
     }
 
+    [Fact]
+    public async Task HandleAsync_WhenMilestone3Enabled_AndCouponNotFound_LogsErrorAndSendsTraditionalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123", Type = "invoice.upcoming" };
+        var customerId = "cus_123";
+        var subscriptionId = "sub_123";
+        var passwordManagerItemId = "si_pm_123";
+
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 40000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+
+        var families2019Plan = new Families2019Plan();
+        var familiesPlan = new FamiliesPlan();
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new()
+                    {
+                        Id = passwordManagerItemId,
+                        Price = new Price { Id = families2019Plan.PasswordManager.StripePlanId }
+                    }
+                ]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = true },
+            Metadata = new Dictionary<string, string>()
+        };
+
+        var customer = new Customer
+        {
+            Id = customerId,
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] },
+            Address = new Address { Country = "US" }
+        };
+
+        var organization = new Organization
+        {
+            Id = _organizationId,
+            BillingEmail = "org@example.com",
+            PlanType = PlanType.FamiliesAnnually2019
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService
+            .GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
+        _organizationRepository.GetByIdAsync(_organizationId).Returns(organization);
+        _pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually2019).Returns(families2019Plan);
+        _pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually).Returns(familiesPlan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM26462_Milestone_3).Returns(true);
+        _stripeEventUtilityService.IsSponsoredSubscription(subscription).Returns(false);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns((Coupon)null);
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert - Exception is caught, error is logged, and traditional email is sent
+        _logger.Received(1).Log(
+            LogLevel.Error,
+            Arg.Any<EventId>(),
+            Arg.Is<object>(o =>
+                o.ToString().Contains($"Failed to align subscription concerns for Organization ({_organizationId})") &&
+                o.ToString().Contains(parsedEvent.Type) &&
+                o.ToString().Contains(parsedEvent.Id)),
+            Arg.Is<Exception>(e => e is InvalidOperationException && e.Message.Contains("Coupon for sending families 2019 email")),
+            Arg.Any<Func<object, Exception, string>>());
+
+        await _mailer.DidNotReceive().SendEmail(Arg.Any<Families2019RenewalMail>());
+
+        await _mailService.Received(1).SendInvoiceUpcoming(
+            Arg.Is<IEnumerable<string>>(emails => emails.Contains("org@example.com")),
+            Arg.Is<decimal>(amount => amount == invoice.AmountDue / 100M),
+            Arg.Is<DateTime>(dueDate => dueDate == invoice.NextPaymentAttempt.Value),
+            Arg.Is<List<string>>(items => items.Count == invoice.Lines.Data.Count),
+            Arg.Is<bool>(b => b == true));
+    }
+
+    [Fact]
+    public async Task HandleAsync_WhenMilestone3Enabled_AndCouponPercentOffIsNull_LogsErrorAndSendsTraditionalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123", Type = "invoice.upcoming" };
+        var customerId = "cus_123";
+        var subscriptionId = "sub_123";
+        var passwordManagerItemId = "si_pm_123";
+
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 40000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+
+        var families2019Plan = new Families2019Plan();
+        var familiesPlan = new FamiliesPlan();
+
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new()
+                    {
+                        Id = passwordManagerItemId,
+                        Price = new Price { Id = families2019Plan.PasswordManager.StripePlanId }
+                    }
+                ]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = true },
+            Metadata = new Dictionary<string, string>()
+        };
+
+        var customer = new Customer
+        {
+            Id = customerId,
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] },
+            Address = new Address { Country = "US" }
+        };
+
+        var organization = new Organization
+        {
+            Id = _organizationId,
+            BillingEmail = "org@example.com",
+            PlanType = PlanType.FamiliesAnnually2019
+        };
+
+        var coupon = new Coupon
+        {
+            Id = CouponIDs.Milestone3SubscriptionDiscount,
+            PercentOff = null
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService
+            .GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
+        _organizationRepository.GetByIdAsync(_organizationId).Returns(organization);
+        _pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually2019).Returns(families2019Plan);
+        _pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually).Returns(familiesPlan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM26462_Milestone_3).Returns(true);
+        _stripeEventUtilityService.IsSponsoredSubscription(subscription).Returns(false);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns(coupon);
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert - Exception is caught, error is logged, and traditional email is sent
+        _logger.Received(1).Log(
+            LogLevel.Error,
+            Arg.Any<EventId>(),
+            Arg.Is<object>(o =>
+                o.ToString().Contains($"Failed to align subscription concerns for Organization ({_organizationId})") &&
+                o.ToString().Contains(parsedEvent.Type) &&
+                o.ToString().Contains(parsedEvent.Id)),
+            Arg.Is<Exception>(e => e is InvalidOperationException && e.Message.Contains("coupon.PercentOff")),
+            Arg.Any<Func<object, Exception, string>>());
+
+        await _mailer.DidNotReceive().SendEmail(Arg.Any<Families2019RenewalMail>());
+
+        await _mailService.Received(1).SendInvoiceUpcoming(
+            Arg.Is<IEnumerable<string>>(emails => emails.Contains("org@example.com")),
+            Arg.Is<decimal>(amount => amount == invoice.AmountDue / 100M),
+            Arg.Is<DateTime>(dueDate => dueDate == invoice.NextPaymentAttempt.Value),
+            Arg.Is<List<string>>(items => items.Count == invoice.Lines.Data.Count),
+            Arg.Is<bool>(b => b == true));
+    }
+
     [Fact]
     public async Task HandleAsync_WhenMilestone3Enabled_AndSeatAddOnExists_DeletesItem()
     {
@@ -1529,8 +1741,11 @@ public class UpcomingInvoiceHandlerTests
             PlanType = PlanType.FamiliesAnnually2019
         };
 
+        var coupon = new Coupon { PercentOff = 25, Id = CouponIDs.Milestone3SubscriptionDiscount };
+
         _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
         _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns(coupon);
         _stripeEventUtilityService
             .GetIdsFromMetadata(subscription.Metadata)
             .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
@@ -1556,6 +1771,8 @@ public class UpcomingInvoiceHandlerTests
                 o.Discounts[0].Coupon == CouponIDs.Milestone3SubscriptionDiscount &&
                 o.ProrationBehavior == ProrationBehavior.None));
 
+        await _stripeFacade.Received(1).GetCoupon(CouponIDs.Milestone3SubscriptionDiscount);
+
         await _organizationRepository.Received(1).ReplaceAsync(
             Arg.Is<Organization>(org =>
                 org.Id == _organizationId &&
@@ -1565,10 +1782,13 @@ public class UpcomingInvoiceHandlerTests
                 org.Seats == familiesPlan.PasswordManager.BaseSeats));
 
         await _mailer.Received(1).SendEmail(
-            Arg.Is<Families2020RenewalMail>(email =>
+            Arg.Is<Families2019RenewalMail>(email =>
                 email.ToEmails.Contains("org@example.com") &&
                 email.Subject == "Your Bitwarden Families renewal is updating" &&
-                email.View.MonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US"))));
+                email.View.BaseMonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.BaseAnnualRenewalPrice == familiesPlan.PasswordManager.BasePrice.ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == $"{coupon.PercentOff}%"
+            ));
     }
 
     [Fact]
@@ -1635,8 +1855,11 @@ public class UpcomingInvoiceHandlerTests
             PlanType = PlanType.FamiliesAnnually2019
         };
 
+        var coupon = new Coupon { PercentOff = 25, Id = CouponIDs.Milestone3SubscriptionDiscount };
+
         _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
         _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns(coupon);
         _stripeEventUtilityService
             .GetIdsFromMetadata(subscription.Metadata)
             .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
@@ -1662,6 +1885,8 @@ public class UpcomingInvoiceHandlerTests
                 o.Discounts[0].Coupon == CouponIDs.Milestone3SubscriptionDiscount &&
                 o.ProrationBehavior == ProrationBehavior.None));
 
+        await _stripeFacade.Received(1).GetCoupon(CouponIDs.Milestone3SubscriptionDiscount);
+
         await _organizationRepository.Received(1).ReplaceAsync(
             Arg.Is<Organization>(org =>
                 org.Id == _organizationId &&
@@ -1671,10 +1896,13 @@ public class UpcomingInvoiceHandlerTests
                 org.Seats == familiesPlan.PasswordManager.BaseSeats));
 
         await _mailer.Received(1).SendEmail(
-            Arg.Is<Families2020RenewalMail>(email =>
+            Arg.Is<Families2019RenewalMail>(email =>
                 email.ToEmails.Contains("org@example.com") &&
                 email.Subject == "Your Bitwarden Families renewal is updating" &&
-                email.View.MonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US"))));
+                email.View.BaseMonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.BaseAnnualRenewalPrice == familiesPlan.PasswordManager.BasePrice.ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == $"{coupon.PercentOff}%"
+            ));
     }
 
     [Fact]
@@ -1748,8 +1976,11 @@ public class UpcomingInvoiceHandlerTests
             PlanType = PlanType.FamiliesAnnually2019
         };
 
+        var coupon = new Coupon { PercentOff = 25, Id = CouponIDs.Milestone3SubscriptionDiscount };
+
         _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
         _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone3SubscriptionDiscount).Returns(coupon);
         _stripeEventUtilityService
             .GetIdsFromMetadata(subscription.Metadata)
             .Returns(new Tuple<Guid?, Guid?, Guid?>(_organizationId, null, null));
@@ -1777,6 +2008,8 @@ public class UpcomingInvoiceHandlerTests
                 o.Discounts[0].Coupon == CouponIDs.Milestone3SubscriptionDiscount &&
                 o.ProrationBehavior == ProrationBehavior.None));
 
+        await _stripeFacade.Received(1).GetCoupon(CouponIDs.Milestone3SubscriptionDiscount);
+
         await _organizationRepository.Received(1).ReplaceAsync(
             Arg.Is<Organization>(org =>
                 org.Id == _organizationId &&
@@ -1786,10 +2019,13 @@ public class UpcomingInvoiceHandlerTests
                 org.Seats == familiesPlan.PasswordManager.BaseSeats));
 
         await _mailer.Received(1).SendEmail(
-            Arg.Is<Families2020RenewalMail>(email =>
+            Arg.Is<Families2019RenewalMail>(email =>
                 email.ToEmails.Contains("org@example.com") &&
                 email.Subject == "Your Bitwarden Families renewal is updating" &&
-                email.View.MonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US"))));
+                email.View.BaseMonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.BaseAnnualRenewalPrice == familiesPlan.PasswordManager.BasePrice.ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == $"{coupon.PercentOff}%"
+            ));
     }
 
     [Fact]
@@ -1879,6 +2115,12 @@ public class UpcomingInvoiceHandlerTests
                 org.Plan == familiesPlan.Name &&
                 org.UsersGetPremium == familiesPlan.UsersGetPremium &&
                 org.Seats == familiesPlan.PasswordManager.BaseSeats));
+
+        await _mailer.Received(1).SendEmail(
+            Arg.Is<Families2020RenewalMail>(email =>
+                email.ToEmails.Contains("org@example.com") &&
+                email.Subject == "Your Bitwarden Families renewal is updating" &&
+                email.View.MonthlyRenewalPrice == (familiesPlan.PasswordManager.BasePrice / 12).ToString("C", new CultureInfo("en-US"))));
     }
 
     [Fact]
@@ -1957,4 +2199,332 @@ public class UpcomingInvoiceHandlerTests
         await _organizationRepository.DidNotReceive().ReplaceAsync(
             Arg.Is<Organization>(org => org.PlanType == PlanType.FamiliesAnnually));
     }
+
+    #region Premium Renewal Email Tests
+
+    [Fact]
+    public async Task HandleAsync_WhenMilestone2Enabled_AndCouponNotFound_LogsErrorAndSendsTraditionalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123" };
+        var customerId = "cus_123";
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 10000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+        var subscription = new Subscription
+        {
+            Id = "sub_123",
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = [new() { Id = "si_123", Price = new Price { Id = Prices.PremiumAnnually } }]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = false },
+            Customer = new Customer { Id = customerId },
+            Metadata = new Dictionary<string, string>()
+        };
+        var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
+        var plan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new Purchasable { Price = 10M, StripePriceId = Prices.PremiumAnnually },
+            Storage = new Purchasable { Price = 4M, StripePriceId = Prices.StoragePlanPersonal }
+        };
+        var customer = new Customer
+        {
+            Id = customerId,
+            Tax = new CustomerTax { AutomaticTax = AutomaticTaxStatus.Supported },
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] }
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(null, _userId, null));
+        _userRepository.GetByIdAsync(_userId).Returns(user);
+        _pricingClient.GetAvailablePremiumPlan().Returns(plan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM23341_Milestone_2).Returns(true);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone2SubscriptionDiscount).Returns((Coupon)null);
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert - Exception is caught, error is logged, and traditional email is sent
+        _logger.Received(1).Log(
+            LogLevel.Error,
+            Arg.Any<EventId>(),
+            Arg.Is<object>(o =>
+                o.ToString().Contains($"Failed to update user's ({user.Id}) subscription price id") &&
+                o.ToString().Contains(parsedEvent.Id)),
+            Arg.Is<Exception>(e => e is InvalidOperationException
+                                   && e.Message == $"Coupon for sending premium renewal email id:{CouponIDs.Milestone2SubscriptionDiscount} not found"),
+            Arg.Any<Func<object, Exception, string>>());
+
+        await _mailer.DidNotReceive().SendEmail(Arg.Any<PremiumRenewalMail>());
+
+        await _mailService.Received(1).SendInvoiceUpcoming(
+            Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
+            Arg.Is<decimal>(amount => amount == invoice.AmountDue / 100M),
+            Arg.Is<DateTime>(dueDate => dueDate == invoice.NextPaymentAttempt.Value),
+            Arg.Is<List<string>>(items => items.Count == invoice.Lines.Data.Count),
+            Arg.Is<bool>(b => b == true));
+    }
+
+    [Fact]
+    public async Task HandleAsync_WhenMilestone2Enabled_AndCouponPercentOffIsNull_LogsErrorAndSendsTraditionalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123" };
+        var customerId = "cus_123";
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 10000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+        var subscription = new Subscription
+        {
+            Id = "sub_123",
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = [new() { Id = "si_123", Price = new Price { Id = Prices.PremiumAnnually } }]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = false },
+            Customer = new Customer { Id = customerId },
+            Metadata = new Dictionary<string, string>()
+        };
+        var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
+        var plan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new Purchasable { Price = 10M, StripePriceId = Prices.PremiumAnnually },
+            Storage = new Purchasable { Price = 4M, StripePriceId = Prices.StoragePlanPersonal }
+        };
+        var customer = new Customer
+        {
+            Id = customerId,
+            Tax = new CustomerTax { AutomaticTax = AutomaticTaxStatus.Supported },
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] }
+        };
+        var coupon = new Coupon
+        {
+            Id = CouponIDs.Milestone2SubscriptionDiscount,
+            PercentOff = null
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(null, _userId, null));
+        _userRepository.GetByIdAsync(_userId).Returns(user);
+        _pricingClient.GetAvailablePremiumPlan().Returns(plan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM23341_Milestone_2).Returns(true);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone2SubscriptionDiscount).Returns(coupon);
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert - Exception is caught, error is logged, and traditional email is sent
+        _logger.Received(1).Log(
+            LogLevel.Error,
+            Arg.Any<EventId>(),
+            Arg.Is<object>(o =>
+                o.ToString().Contains($"Failed to update user's ({user.Id}) subscription price id") &&
+                o.ToString().Contains(parsedEvent.Id)),
+            Arg.Is<Exception>(e => e is InvalidOperationException
+                                   && e.Message == $"coupon.PercentOff for sending premium renewal email id:{CouponIDs.Milestone2SubscriptionDiscount} is null"),
+            Arg.Any<Func<object, Exception, string>>());
+
+        await _mailer.DidNotReceive().SendEmail(Arg.Any<PremiumRenewalMail>());
+
+        await _mailService.Received(1).SendInvoiceUpcoming(
+            Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
+            Arg.Is<decimal>(amount => amount == invoice.AmountDue / 100M),
+            Arg.Is<DateTime>(dueDate => dueDate == invoice.NextPaymentAttempt.Value),
+            Arg.Is<List<string>>(items => items.Count == invoice.Lines.Data.Count),
+            Arg.Is<bool>(b => b == true));
+    }
+
+    [Fact]
+    public async Task HandleAsync_WhenMilestone2Enabled_AndValidCoupon_SendsPremiumRenewalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123" };
+        var customerId = "cus_123";
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 10000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+        var subscription = new Subscription
+        {
+            Id = "sub_123",
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = [new() { Id = "si_123", Price = new Price { Id = Prices.PremiumAnnually } }]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = false },
+            Customer = new Customer { Id = customerId },
+            Metadata = new Dictionary<string, string>()
+        };
+        var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
+        var plan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new Purchasable { Price = 10M, StripePriceId = Prices.PremiumAnnually },
+            Storage = new Purchasable { Price = 4M, StripePriceId = Prices.StoragePlanPersonal }
+        };
+        var customer = new Customer
+        {
+            Id = customerId,
+            Tax = new CustomerTax { AutomaticTax = AutomaticTaxStatus.Supported },
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] }
+        };
+        var coupon = new Coupon
+        {
+            Id = CouponIDs.Milestone2SubscriptionDiscount,
+            PercentOff = 30
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(null, _userId, null));
+        _userRepository.GetByIdAsync(_userId).Returns(user);
+        _pricingClient.GetAvailablePremiumPlan().Returns(plan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM23341_Milestone_2).Returns(true);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone2SubscriptionDiscount).Returns(coupon);
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        var expectedDiscountedPrice = plan.Seat.Price * (100 - coupon.PercentOff.Value) / 100;
+        await _mailer.Received(1).SendEmail(
+            Arg.Is<PremiumRenewalMail>(email =>
+                email.ToEmails.Contains("user@example.com") &&
+                email.Subject == "Your Bitwarden Premium renewal is updating" &&
+                email.View.BaseMonthlyRenewalPrice == (plan.Seat.Price / 12).ToString("C", new CultureInfo("en-US")) &&
+                email.View.DiscountAmount == "30%" &&
+                email.View.DiscountedMonthlyRenewalPrice == (expectedDiscountedPrice / 12).ToString("C", new CultureInfo("en-US"))
+            ));
+
+        await _mailService.DidNotReceive().SendInvoiceUpcoming(
+            Arg.Any<IEnumerable<string>>(),
+            Arg.Any<decimal>(),
+            Arg.Any<DateTime>(),
+            Arg.Any<List<string>>(),
+            Arg.Any<bool>());
+    }
+
+    [Fact]
+    public async Task HandleAsync_WhenMilestone2Enabled_AndGetCouponThrowsException_LogsErrorAndSendsTraditionalEmail()
+    {
+        // Arrange
+        var parsedEvent = new Event { Id = "evt_123" };
+        var customerId = "cus_123";
+        var invoice = new Invoice
+        {
+            CustomerId = customerId,
+            AmountDue = 10000,
+            NextPaymentAttempt = DateTime.UtcNow.AddDays(7),
+            Lines = new StripeList<InvoiceLineItem>
+            {
+                Data = [new() { Description = "Test Item" }]
+            }
+        };
+        var subscription = new Subscription
+        {
+            Id = "sub_123",
+            CustomerId = customerId,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = [new() { Id = "si_123", Price = new Price { Id = Prices.PremiumAnnually } }]
+            },
+            AutomaticTax = new SubscriptionAutomaticTax { Enabled = false },
+            Customer = new Customer { Id = customerId },
+            Metadata = new Dictionary<string, string>()
+        };
+        var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
+        var plan = new PremiumPlan
+        {
+            Name = "Premium",
+            Available = true,
+            LegacyYear = null,
+            Seat = new Purchasable { Price = 10M, StripePriceId = Prices.PremiumAnnually },
+            Storage = new Purchasable { Price = 4M, StripePriceId = Prices.StoragePlanPersonal }
+        };
+        var customer = new Customer
+        {
+            Id = customerId,
+            Tax = new CustomerTax { AutomaticTax = AutomaticTaxStatus.Supported },
+            Subscriptions = new StripeList<Subscription> { Data = [subscription] }
+        };
+
+        _stripeEventService.GetInvoice(parsedEvent).Returns(invoice);
+        _stripeFacade.GetCustomer(customerId, Arg.Any<CustomerGetOptions>()).Returns(customer);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(new Tuple<Guid?, Guid?, Guid?>(null, _userId, null));
+        _userRepository.GetByIdAsync(_userId).Returns(user);
+        _pricingClient.GetAvailablePremiumPlan().Returns(plan);
+        _featureService.IsEnabled(FeatureFlagKeys.PM23341_Milestone_2).Returns(true);
+        _stripeFacade.GetCoupon(CouponIDs.Milestone2SubscriptionDiscount)
+            .ThrowsAsync(new StripeException("Stripe API error"));
+        _stripeFacade.UpdateSubscription(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>())
+            .Returns(subscription);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert - Exception is caught, error is logged, and traditional email is sent
+        _logger.Received(1).Log(
+            LogLevel.Error,
+            Arg.Any<EventId>(),
+            Arg.Is<object>(o =>
+                o.ToString().Contains($"Failed to update user's ({user.Id}) subscription price id") &&
+                o.ToString().Contains(parsedEvent.Id)),
+            Arg.Is<Exception>(e => e is StripeException),
+            Arg.Any<Func<object, Exception, string>>());
+
+        await _mailer.DidNotReceive().SendEmail(Arg.Any<PremiumRenewalMail>());
+
+        await _mailService.Received(1).SendInvoiceUpcoming(
+            Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
+            Arg.Is<decimal>(amount => amount == invoice.AmountDue / 100M),
+            Arg.Is<DateTime>(dueDate => dueDate == invoice.NextPaymentAttempt.Value),
+            Arg.Is<List<string>>(items => items.Count == invoice.Lines.Data.Count),
+            Arg.Is<bool>(b => b == true));
+    }
+
+    #endregion
 }

test/Core.IntegrationTest/Core.IntegrationTest.csproj

@@ -11,11 +11,11 @@
 
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
-    <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.5.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.7.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="Rnwood.SmtpServer" Version="3.1.0-ci0868" />
     <PackageReference Include="xunit" Version="2.9.3" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5" />
   </ItemGroup>
 
   <ItemGroup>

test/Core.Test/AdminConsole/AutoFixture/OrganizationUserPolicyDetailsFixtures.cs

@@ -2,6 +2,7 @@
 using AutoFixture;
 using AutoFixture.Xunit2;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 namespace Bit.Core.Test.AdminConsole.AutoFixture;
@@ -9,10 +10,16 @@ namespace Bit.Core.Test.AdminConsole.AutoFixture;
 internal class OrganizationUserPolicyDetailsCustomization : ICustomization
 {
     public PolicyType Type { get; set; }
+    public OrganizationUserStatusType Status { get; set; }
+    public OrganizationUserType UserType { get; set; }
+    public bool IsProvider { get; set; }
 
-    public OrganizationUserPolicyDetailsCustomization(PolicyType type)
+    public OrganizationUserPolicyDetailsCustomization(PolicyType type, OrganizationUserStatusType status, OrganizationUserType userType, bool isProvider)
     {
         Type = type;
+        Status = status;
+        UserType = userType;
+        IsProvider = isProvider;
     }
 
     public void Customize(IFixture fixture)
@@ -20,6 +27,9 @@ internal class OrganizationUserPolicyDetailsCustomization : ICustomization
         fixture.Customize<OrganizationUserPolicyDetails>(composer => composer
             .With(o => o.OrganizationId, Guid.NewGuid())
             .With(o => o.PolicyType, Type)
+            .With(o => o.OrganizationUserStatus, Status)
+            .With(o => o.OrganizationUserType, UserType)
+            .With(o => o.IsProvider, IsProvider)
             .With(o => o.PolicyEnabled, true));
     }
 }
@@ -27,14 +37,25 @@ internal class OrganizationUserPolicyDetailsCustomization : ICustomization
 public class OrganizationUserPolicyDetailsAttribute : CustomizeAttribute
 {
     private readonly PolicyType _type;
+    private readonly OrganizationUserStatusType _status;
+    private readonly OrganizationUserType _userType;
+    private readonly bool _isProvider;
 
-    public OrganizationUserPolicyDetailsAttribute(PolicyType type)
+    public OrganizationUserPolicyDetailsAttribute(PolicyType type) : this(type, OrganizationUserStatusType.Accepted, OrganizationUserType.User, false)
     {
         _type = type;
     }
 
+    public OrganizationUserPolicyDetailsAttribute(PolicyType type, OrganizationUserStatusType status, OrganizationUserType userType, bool isProvider)
+    {
+        _type = type;
+        _status = status;
+        _userType = userType;
+        _isProvider = isProvider;
+    }
+
     public override ICustomization GetCustomization(ParameterInfo parameter)
     {
-        return new OrganizationUserPolicyDetailsCustomization(_type);
+        return new OrganizationUserPolicyDetailsCustomization(_type, _status, _userType, _isProvider);
     }
 }

test/Core.Test/AdminConsole/EventIntegrations/EventIntegrationServiceCollectionExtensionsTests.cs

@@ -0,0 +1,866 @@
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations.Interfaces;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations.Interfaces;
+using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.AdminConsole.Services.NoopImplementations;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Microsoft.Bot.Builder;
+using Microsoft.Bot.Builder.Integration.AspNet.Core;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Hosting;
+using NSubstitute;
+using StackExchange.Redis;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations;
+
+public class EventIntegrationServiceCollectionExtensionsTests
+{
+    private readonly IServiceCollection _services;
+    private readonly GlobalSettings _globalSettings;
+
+    public EventIntegrationServiceCollectionExtensionsTests()
+    {
+        _services = new ServiceCollection();
+        _globalSettings = CreateGlobalSettings([]);
+
+        // Add required infrastructure services
+        _services.TryAddSingleton(_globalSettings);
+        _services.TryAddSingleton<IGlobalSettings>(_globalSettings);
+        _services.AddLogging();
+
+        // Mock Redis connection for cache
+        _services.AddSingleton(Substitute.For<IConnectionMultiplexer>());
+
+        // Mock required repository dependencies for commands
+        _services.TryAddScoped(_ => Substitute.For<IOrganizationIntegrationRepository>());
+        _services.TryAddScoped(_ => Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        _services.TryAddScoped(_ => Substitute.For<IOrganizationRepository>());
+    }
+
+    [Fact]
+    public void AddEventIntegrationsCommandsQueries_RegistersAllServices()
+    {
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+
+        using var provider = _services.BuildServiceProvider();
+
+        var cache = provider.GetRequiredKeyedService<IFusionCache>(EventIntegrationsCacheConstants.CacheName);
+        Assert.NotNull(cache);
+
+        var validator = provider.GetRequiredService<IOrganizationIntegrationConfigurationValidator>();
+        Assert.NotNull(validator);
+
+        using var scope = provider.CreateScope();
+        var sp = scope.ServiceProvider;
+
+        Assert.NotNull(sp.GetService<ICreateOrganizationIntegrationCommand>());
+        Assert.NotNull(sp.GetService<IUpdateOrganizationIntegrationCommand>());
+        Assert.NotNull(sp.GetService<IDeleteOrganizationIntegrationCommand>());
+        Assert.NotNull(sp.GetService<IGetOrganizationIntegrationsQuery>());
+
+        Assert.NotNull(sp.GetService<ICreateOrganizationIntegrationConfigurationCommand>());
+        Assert.NotNull(sp.GetService<IUpdateOrganizationIntegrationConfigurationCommand>());
+        Assert.NotNull(sp.GetService<IDeleteOrganizationIntegrationConfigurationCommand>());
+        Assert.NotNull(sp.GetService<IGetOrganizationIntegrationConfigurationsQuery>());
+    }
+
+    [Fact]
+    public void AddEventIntegrationsCommandsQueries_CommandsQueries_AreRegisteredAsScoped()
+    {
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+
+        var createIntegrationDescriptor = _services.First(s =>
+            s.ServiceType == typeof(ICreateOrganizationIntegrationCommand));
+        var createConfigDescriptor = _services.First(s =>
+            s.ServiceType == typeof(ICreateOrganizationIntegrationConfigurationCommand));
+
+        Assert.Equal(ServiceLifetime.Scoped, createIntegrationDescriptor.Lifetime);
+        Assert.Equal(ServiceLifetime.Scoped, createConfigDescriptor.Lifetime);
+    }
+
+    [Fact]
+    public void AddEventIntegrationsCommandsQueries_CommandsQueries_DifferentInstancesPerScope()
+    {
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+
+        var provider = _services.BuildServiceProvider();
+
+        ICreateOrganizationIntegrationCommand? instance1, instance2, instance3;
+        using (var scope1 = provider.CreateScope())
+        {
+            instance1 = scope1.ServiceProvider.GetService<ICreateOrganizationIntegrationCommand>();
+        }
+        using (var scope2 = provider.CreateScope())
+        {
+            instance2 = scope2.ServiceProvider.GetService<ICreateOrganizationIntegrationCommand>();
+        }
+        using (var scope3 = provider.CreateScope())
+        {
+            instance3 = scope3.ServiceProvider.GetService<ICreateOrganizationIntegrationCommand>();
+        }
+
+        Assert.NotNull(instance1);
+        Assert.NotNull(instance2);
+        Assert.NotNull(instance3);
+        Assert.NotSame(instance1, instance2);
+        Assert.NotSame(instance2, instance3);
+        Assert.NotSame(instance1, instance3);
+    }
+
+    [Fact]
+    public void AddEventIntegrationsCommandsQueries_CommandsQueries__SameInstanceWithinScope()
+    {
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+        var provider = _services.BuildServiceProvider();
+
+        using var scope = provider.CreateScope();
+        var instance1 = scope.ServiceProvider.GetService<ICreateOrganizationIntegrationCommand>();
+        var instance2 = scope.ServiceProvider.GetService<ICreateOrganizationIntegrationCommand>();
+
+        Assert.NotNull(instance1);
+        Assert.NotNull(instance2);
+        Assert.Same(instance1, instance2);
+    }
+
+    [Fact]
+    public void AddEventIntegrationsCommandsQueries_MultipleCalls_IsIdempotent()
+    {
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+        _services.AddEventIntegrationsCommandsQueries(_globalSettings);
+
+        var createConfigCmdDescriptors = _services.Where(s =>
+            s.ServiceType == typeof(ICreateOrganizationIntegrationConfigurationCommand)).ToList();
+        Assert.Single(createConfigCmdDescriptors);
+
+        var updateIntegrationCmdDescriptors = _services.Where(s =>
+            s.ServiceType == typeof(IUpdateOrganizationIntegrationCommand)).ToList();
+        Assert.Single(updateIntegrationCmdDescriptors);
+    }
+
+    [Fact]
+    public void AddOrganizationIntegrationCommandsQueries_RegistersAllIntegrationServices()
+    {
+        _services.AddOrganizationIntegrationCommandsQueries();
+
+        Assert.Contains(_services, s => s.ServiceType == typeof(ICreateOrganizationIntegrationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IUpdateOrganizationIntegrationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IDeleteOrganizationIntegrationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IGetOrganizationIntegrationsQuery));
+    }
+
+    [Fact]
+    public void AddOrganizationIntegrationCommandsQueries_MultipleCalls_IsIdempotent()
+    {
+        _services.AddOrganizationIntegrationCommandsQueries();
+        _services.AddOrganizationIntegrationCommandsQueries();
+        _services.AddOrganizationIntegrationCommandsQueries();
+
+        var createCmdDescriptors = _services.Where(s =>
+            s.ServiceType == typeof(ICreateOrganizationIntegrationCommand)).ToList();
+        Assert.Single(createCmdDescriptors);
+    }
+
+    [Fact]
+    public void AddOrganizationIntegrationConfigurationCommandsQueries_RegistersAllConfigurationServices()
+    {
+        _services.AddOrganizationIntegrationConfigurationCommandsQueries();
+
+        Assert.Contains(_services, s => s.ServiceType == typeof(ICreateOrganizationIntegrationConfigurationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IUpdateOrganizationIntegrationConfigurationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IDeleteOrganizationIntegrationConfigurationCommand));
+        Assert.Contains(_services, s => s.ServiceType == typeof(IGetOrganizationIntegrationConfigurationsQuery));
+    }
+
+    [Fact]
+    public void AddOrganizationIntegrationConfigurationCommandsQueries_MultipleCalls_IsIdempotent()
+    {
+        _services.AddOrganizationIntegrationConfigurationCommandsQueries();
+        _services.AddOrganizationIntegrationConfigurationCommandsQueries();
+        _services.AddOrganizationIntegrationConfigurationCommandsQueries();
+
+        var createCmdDescriptors = _services.Where(s =>
+            s.ServiceType == typeof(ICreateOrganizationIntegrationConfigurationCommand)).ToList();
+        Assert.Single(createCmdDescriptors);
+    }
+
+    [Fact]
+    public void IsRabbitMqEnabled_AllSettingsPresent_ReturnsTrue()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        Assert.True(EventIntegrationsServiceCollectionExtensions.IsRabbitMqEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsRabbitMqEnabled_MissingHostName_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = null,
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsRabbitMqEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsRabbitMqEnabled_MissingUsername_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = null,
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsRabbitMqEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsRabbitMqEnabled_MissingPassword_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = null,
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsRabbitMqEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsRabbitMqEnabled_MissingExchangeName_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = null
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsRabbitMqEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsAzureServiceBusEnabled_AllSettingsPresent_ReturnsTrue()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        Assert.True(EventIntegrationsServiceCollectionExtensions.IsAzureServiceBusEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsAzureServiceBusEnabled_MissingConnectionString_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = null,
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsAzureServiceBusEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void IsAzureServiceBusEnabled_MissingTopicName_ReturnsFalse()
+    {
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = null
+        });
+
+        Assert.False(EventIntegrationsServiceCollectionExtensions.IsAzureServiceBusEnabled(globalSettings));
+    }
+
+    [Fact]
+    public void AddSlackService_AllSettingsPresent_RegistersSlackService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:Slack:ClientId"] = "test-client-id",
+            ["GlobalSettings:Slack:ClientSecret"] = "test-client-secret",
+            ["GlobalSettings:Slack:Scopes"] = "test-scopes"
+        });
+
+        services.TryAddSingleton(globalSettings);
+        services.AddLogging();
+        services.AddSlackService(globalSettings);
+
+        var provider = services.BuildServiceProvider();
+        var slackService = provider.GetService<ISlackService>();
+
+        Assert.NotNull(slackService);
+        Assert.IsType<SlackService>(slackService);
+
+        var httpClientDescriptor = services.FirstOrDefault(s =>
+            s.ServiceType == typeof(IHttpClientFactory));
+        Assert.NotNull(httpClientDescriptor);
+    }
+
+    [Fact]
+    public void AddSlackService_SettingsMissing_RegistersNoopService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:Slack:ClientId"] = null,
+            ["GlobalSettings:Slack:ClientSecret"] = null,
+            ["GlobalSettings:Slack:Scopes"] = null
+        });
+
+        services.AddSlackService(globalSettings);
+
+        var provider = services.BuildServiceProvider();
+        var slackService = provider.GetService<ISlackService>();
+
+        Assert.NotNull(slackService);
+        Assert.IsType<NoopSlackService>(slackService);
+    }
+
+    [Fact]
+    public void AddTeamsService_AllSettingsPresent_RegistersTeamsServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:Teams:ClientId"] = "test-client-id",
+            ["GlobalSettings:Teams:ClientSecret"] = "test-client-secret",
+            ["GlobalSettings:Teams:Scopes"] = "test-scopes"
+        });
+
+        services.TryAddSingleton(globalSettings);
+        services.AddLogging();
+        services.TryAddScoped(_ => Substitute.For<IOrganizationIntegrationRepository>());
+        services.AddTeamsService(globalSettings);
+
+        var provider = services.BuildServiceProvider();
+
+        var teamsService = provider.GetService<ITeamsService>();
+        Assert.NotNull(teamsService);
+        Assert.IsType<TeamsService>(teamsService);
+
+        var bot = provider.GetService<IBot>();
+        Assert.NotNull(bot);
+        Assert.IsType<TeamsService>(bot);
+
+        var adapter = provider.GetService<IBotFrameworkHttpAdapter>();
+        Assert.NotNull(adapter);
+        Assert.IsType<BotFrameworkHttpAdapter>(adapter);
+
+        var httpClientDescriptor = services.FirstOrDefault(s =>
+            s.ServiceType == typeof(IHttpClientFactory));
+        Assert.NotNull(httpClientDescriptor);
+    }
+
+    [Fact]
+    public void AddTeamsService_SettingsMissing_RegistersNoopService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:Teams:ClientId"] = null,
+            ["GlobalSettings:Teams:ClientSecret"] = null,
+            ["GlobalSettings:Teams:Scopes"] = null
+        });
+
+        services.AddTeamsService(globalSettings);
+
+        var provider = services.BuildServiceProvider();
+        var teamsService = provider.GetService<ITeamsService>();
+
+        Assert.NotNull(teamsService);
+        Assert.IsType<NoopTeamsService>(teamsService);
+    }
+
+    [Fact]
+    public void AddRabbitMqIntegration_RegistersEventIntegrationHandler()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.AddLogging();
+
+        services.AddRabbitMqIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+
+        var provider = services.BuildServiceProvider();
+        var handler = provider.GetRequiredKeyedService<IEventMessageHandler>(listenerConfig.RoutingKey);
+
+        Assert.NotNull(handler);
+    }
+
+    [Fact]
+    public void AddRabbitMqIntegration_RegistersEventListenerService()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.TryAddSingleton(Substitute.For<IRabbitMqService>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddRabbitMqIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // AddRabbitMqIntegration should register 2 hosted services (Event + Integration listeners)
+        Assert.Equal(2, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddRabbitMqIntegration_RegistersIntegrationListenerService()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.TryAddSingleton(Substitute.For<IRabbitMqService>());
+        services.TryAddSingleton(Substitute.For<IIntegrationHandler<WebhookIntegrationConfigurationDetails>>());
+        services.TryAddSingleton(TimeProvider.System);
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddRabbitMqIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // AddRabbitMqIntegration should register 2 hosted services (Event + Integration listeners)
+        Assert.Equal(2, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddAzureServiceBusIntegration_RegistersEventIntegrationHandler()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.AddLogging();
+
+        services.AddAzureServiceBusIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+
+        var provider = services.BuildServiceProvider();
+        var handler = provider.GetRequiredKeyedService<IEventMessageHandler>(listenerConfig.RoutingKey);
+
+        Assert.NotNull(handler);
+    }
+
+    [Fact]
+    public void AddAzureServiceBusIntegration_RegistersEventListenerService()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.TryAddSingleton(Substitute.For<IAzureServiceBusService>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddAzureServiceBusIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // AddAzureServiceBusIntegration should register 2 hosted services (Event + Integration listeners)
+        Assert.Equal(2, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddAzureServiceBusIntegration_RegistersIntegrationListenerService()
+    {
+        var services = new ServiceCollection();
+        var listenerConfig = new TestListenerConfiguration();
+
+        // Add required dependencies
+        services.TryAddSingleton(Substitute.For<IEventIntegrationPublisher>());
+        services.TryAddSingleton(Substitute.For<IIntegrationFilterService>());
+        services.TryAddKeyedSingleton(EventIntegrationsCacheConstants.CacheName, Substitute.For<IFusionCache>());
+        services.TryAddSingleton(Substitute.For<IOrganizationIntegrationConfigurationRepository>());
+        services.TryAddSingleton(Substitute.For<IGroupRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationRepository>());
+        services.TryAddSingleton(Substitute.For<IOrganizationUserRepository>());
+        services.TryAddSingleton(Substitute.For<IAzureServiceBusService>());
+        services.TryAddSingleton(Substitute.For<IIntegrationHandler<WebhookIntegrationConfigurationDetails>>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddAzureServiceBusIntegration<WebhookIntegrationConfigurationDetails, TestListenerConfiguration>(listenerConfig);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // AddAzureServiceBusIntegration should register 2 hosted services (Event + Integration listeners)
+        Assert.Equal(2, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_RegistersCommonServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        services.AddEventIntegrationServices(globalSettings);
+
+        // Verify common services are registered
+        Assert.Contains(services, s => s.ServiceType == typeof(IIntegrationFilterService));
+        Assert.Contains(services, s => s.ServiceType == typeof(TimeProvider));
+
+        // Verify HttpClients for handlers are registered
+        var httpClientDescriptors = services.Where(s => s.ServiceType == typeof(IHttpClientFactory)).ToList();
+        Assert.NotEmpty(httpClientDescriptors);
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_RegistersIntegrationHandlers()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        services.AddEventIntegrationServices(globalSettings);
+
+        // Verify integration handlers are registered
+        Assert.Contains(services, s => s.ServiceType == typeof(IIntegrationHandler<SlackIntegrationConfigurationDetails>));
+        Assert.Contains(services, s => s.ServiceType == typeof(IIntegrationHandler<WebhookIntegrationConfigurationDetails>));
+        Assert.Contains(services, s => s.ServiceType == typeof(IIntegrationHandler<DatadogIntegrationConfigurationDetails>));
+        Assert.Contains(services, s => s.ServiceType == typeof(IIntegrationHandler<TeamsIntegrationConfigurationDetails>));
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_RabbitMqEnabled_RegistersRabbitMqListeners()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddEventIntegrationServices(globalSettings);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // Should register 11 hosted services for RabbitMQ: 1 repository + 5*2 integration listeners (event+integration)
+        Assert.Equal(11, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_AzureServiceBusEnabled_RegistersAzureListeners()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddEventIntegrationServices(globalSettings);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // Should register 11 hosted services for Azure Service Bus: 1 repository + 5*2 integration listeners (event+integration)
+        Assert.Equal(11, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_BothEnabled_AzureServiceBusTakesPrecedence()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange",
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddEventIntegrationServices(globalSettings);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // Should register 11 hosted services for Azure Service Bus: 1 repository + 5*2 integration listeners (event+integration)
+        // NO RabbitMQ services should be enabled because ASB takes precedence
+        Assert.Equal(11, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddEventIntegrationServices_NeitherEnabled_RegistersNoListeners()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        var beforeCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+        services.AddEventIntegrationServices(globalSettings);
+        var afterCount = services.Count(s => s.ServiceType == typeof(IHostedService));
+
+        // Should register no hosted services when neither RabbitMQ nor Azure Service Bus is enabled
+        Assert.Equal(0, afterCount - beforeCount);
+    }
+
+    [Fact]
+    public void AddEventWriteServices_AzureServiceBusEnabled_RegistersAzureServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        services.AddEventWriteServices(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventIntegrationPublisher) && s.ImplementationType == typeof(AzureServiceBusService));
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventWriteService) && s.ImplementationType == typeof(EventIntegrationEventWriteService));
+    }
+
+    [Fact]
+    public void AddEventWriteServices_RabbitMqEnabled_RegistersRabbitMqServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        services.AddEventWriteServices(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventIntegrationPublisher) && s.ImplementationType == typeof(RabbitMqService));
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventWriteService) && s.ImplementationType == typeof(EventIntegrationEventWriteService));
+    }
+
+    [Fact]
+    public void AddEventWriteServices_EventsConnectionStringPresent_RegistersAzureQueueService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:Events:ConnectionString"] = "DefaultEndpointsProtocol=https;AccountName=test;AccountKey=test;EndpointSuffix=core.windows.net",
+            ["GlobalSettings:Events:QueueName"] = "event"
+        });
+
+        services.AddEventWriteServices(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventWriteService) && s.ImplementationType == typeof(AzureQueueEventWriteService));
+    }
+
+    [Fact]
+    public void AddEventWriteServices_SelfHosted_RegistersRepositoryService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:SelfHosted"] = "true"
+        });
+
+        services.AddEventWriteServices(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventWriteService) && s.ImplementationType == typeof(RepositoryEventWriteService));
+    }
+
+    [Fact]
+    public void AddEventWriteServices_NothingEnabled_RegistersNoopService()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        services.AddEventWriteServices(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventWriteService) && s.ImplementationType == typeof(NoopEventWriteService));
+    }
+
+    [Fact]
+    public void AddEventWriteServices_AzureTakesPrecedenceOverRabbitMq()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events",
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        services.AddEventWriteServices(globalSettings);
+
+        // Should use Azure Service Bus, not RabbitMQ
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventIntegrationPublisher) && s.ImplementationType == typeof(AzureServiceBusService));
+        Assert.DoesNotContain(services, s => s.ServiceType == typeof(IEventIntegrationPublisher) && s.ImplementationType == typeof(RabbitMqService));
+    }
+
+    [Fact]
+    public void AddAzureServiceBusListeners_AzureServiceBusEnabled_RegistersAzureServiceBusServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:AzureServiceBus:ConnectionString"] = "Endpoint=sb://test.servicebus.windows.net/;SharedAccessKeyName=test;SharedAccessKey=test",
+            ["GlobalSettings:EventLogging:AzureServiceBus:EventTopicName"] = "events"
+        });
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        services.AddAzureServiceBusListeners(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IAzureServiceBusService));
+        Assert.Contains(services, s => s.ServiceType == typeof(IEventRepository));
+        Assert.Contains(services, s => s.ServiceType == typeof(AzureTableStorageEventHandler));
+    }
+
+    [Fact]
+    public void AddAzureServiceBusListeners_AzureServiceBusDisabled_ReturnsEarly()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        var initialCount = services.Count;
+        services.AddAzureServiceBusListeners(globalSettings);
+        var finalCount = services.Count;
+
+        Assert.Equal(initialCount, finalCount);
+    }
+
+    [Fact]
+    public void AddRabbitMqListeners_RabbitMqEnabled_RegistersRabbitMqServices()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings(new Dictionary<string, string?>
+        {
+            ["GlobalSettings:EventLogging:RabbitMq:HostName"] = "localhost",
+            ["GlobalSettings:EventLogging:RabbitMq:Username"] = "user",
+            ["GlobalSettings:EventLogging:RabbitMq:Password"] = "pass",
+            ["GlobalSettings:EventLogging:RabbitMq:EventExchangeName"] = "exchange"
+        });
+
+        // Add prerequisites
+        services.TryAddSingleton(globalSettings);
+        services.TryAddSingleton(Substitute.For<IConnectionMultiplexer>());
+        services.AddLogging();
+
+        services.AddRabbitMqListeners(globalSettings);
+
+        Assert.Contains(services, s => s.ServiceType == typeof(IRabbitMqService));
+        Assert.Contains(services, s => s.ServiceType == typeof(EventRepositoryHandler));
+    }
+
+    [Fact]
+    public void AddRabbitMqListeners_RabbitMqDisabled_ReturnsEarly()
+    {
+        var services = new ServiceCollection();
+        var globalSettings = CreateGlobalSettings([]);
+
+        var initialCount = services.Count;
+        services.AddRabbitMqListeners(globalSettings);
+        var finalCount = services.Count;
+
+        Assert.Equal(initialCount, finalCount);
+    }
+
+    private static GlobalSettings CreateGlobalSettings(Dictionary<string, string?> data)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(data)
+            .Build();
+
+        var settings = new GlobalSettings();
+        config.GetSection("GlobalSettings").Bind(settings);
+        return settings;
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrationConfigurations/CreateOrganizationIntegrationConfigurationCommandTests.cs

@@ -0,0 +1,179 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+
+[SutProviderCustomize]
+public class CreateOrganizationIntegrationConfigurationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task CreateAsync_Success_CreatesConfigurationAndInvalidatesCache(
+        SutProvider<CreateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        configuration.OrganizationIntegrationId = integrationId;
+        configuration.EventType = EventType.User_LoggedIn;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .CreateAsync(configuration)
+            .Returns(configuration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.CreateAsync(organizationId, integrationId, configuration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .CreateAsync(configuration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveAsync(EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+                organizationId,
+                integration.Type,
+                configuration.EventType.Value));
+        // Also verify RemoveByTagAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+        Assert.Equal(configuration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WildcardSuccess_CreatesConfigurationAndInvalidatesCache(
+        SutProvider<CreateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        configuration.OrganizationIntegrationId = integrationId;
+        configuration.EventType = null;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .CreateAsync(configuration)
+            .Returns(configuration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.CreateAsync(organizationId, integrationId, configuration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .CreateAsync(configuration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+        // Also verify RemoveAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        Assert.Equal(configuration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<CreateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.CreateAsync(organizationId, integrationId, configuration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<CreateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.CreateAsync(organizationId, integrationId, configuration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_ValidationFails_ThrowsBadRequest(
+        SutProvider<CreateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(false);
+
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        configuration.OrganizationIntegrationId = integrationId;
+        configuration.Template = "template";
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.CreateAsync(organizationId, integrationId, configuration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .CreateAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrationConfigurations/DeleteOrganizationIntegrationConfigurationCommandTests.cs

@@ -0,0 +1,211 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+
+[SutProviderCustomize]
+public class DeleteOrganizationIntegrationConfigurationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_Success_DeletesConfigurationAndInvalidatesCache(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        configuration.Id = configurationId;
+        configuration.OrganizationIntegrationId = integrationId;
+        configuration.EventType = EventType.User_LoggedIn;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(configuration);
+
+        await sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetByIdAsync(configurationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .DeleteAsync(configuration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveAsync(EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+                organizationId,
+                integration.Type,
+                configuration.EventType.Value));
+        // Also verify RemoveByTagAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_WildcardSuccess_DeletesConfigurationAndInvalidatesCache(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        configuration.Id = configurationId;
+        configuration.OrganizationIntegrationId = integrationId;
+        configuration.EventType = null;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(configuration);
+
+        await sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetByIdAsync(configurationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .DeleteAsync(configuration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+        // Also verify RemoveAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_ConfigurationDoesNotExist_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns((OrganizationIntegrationConfiguration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_ConfigurationDoesNotBelongToIntegration_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration configuration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        configuration.Id = configurationId;
+        configuration.OrganizationIntegrationId = Guid.NewGuid(); // Different integration
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(configuration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId, configurationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrationConfigurations/GetOrganizationIntegrationConfigurationsQueryTests.cs

@@ -0,0 +1,101 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+
+[SutProviderCustomize]
+public class GetOrganizationIntegrationConfigurationsQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetManyByIntegrationAsync_Success_ReturnsConfigurations(
+        SutProvider<GetOrganizationIntegrationConfigurationsQuery> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        List<OrganizationIntegrationConfiguration> configurations)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetManyByIntegrationAsync(integrationId)
+            .Returns(configurations);
+
+        var result = await sutProvider.Sut.GetManyByIntegrationAsync(organizationId, integrationId);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetManyByIntegrationAsync(integrationId);
+        Assert.Equal(configurations.Count, result.Count);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetManyByIntegrationAsync_NoConfigurations_ReturnsEmptyList(
+        SutProvider<GetOrganizationIntegrationConfigurationsQuery> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetManyByIntegrationAsync(integrationId)
+            .Returns([]);
+
+        var result = await sutProvider.Sut.GetManyByIntegrationAsync(organizationId, integrationId);
+
+        Assert.Empty(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetManyByIntegrationAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<GetOrganizationIntegrationConfigurationsQuery> sutProvider,
+        Guid organizationId,
+        Guid integrationId)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.GetManyByIntegrationAsync(organizationId, integrationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetManyByIntegrationAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetManyByIntegrationAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<GetOrganizationIntegrationConfigurationsQuery> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.GetManyByIntegrationAsync(organizationId, integrationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetManyByIntegrationAsync(Arg.Any<Guid>());
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrationConfigurations/UpdateOrganizationIntegrationConfigurationCommandTests.cs

@@ -0,0 +1,390 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrationConfigurations;
+
+[SutProviderCustomize]
+public class UpdateOrganizationIntegrationConfigurationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_Success_UpdatesConfigurationAndInvalidatesCache(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        existingConfiguration.Id = configurationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = EventType.User_LoggedIn;
+        updatedConfiguration.Id = configurationId;
+        updatedConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = EventType.User_LoggedIn;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(existingConfiguration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetByIdAsync(configurationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .ReplaceAsync(updatedConfiguration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveAsync(EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+                organizationId,
+                integration.Type,
+                existingConfiguration.EventType.Value));
+        // Also verify RemoveByTagAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+        Assert.Equal(updatedConfiguration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_WildcardSuccess_UpdatesConfigurationAndInvalidatesCache(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        existingConfiguration.Id = configurationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = null;
+        updatedConfiguration.Id = configurationId;
+        updatedConfiguration.OrganizationIntegrationId = integrationId;
+        updatedConfiguration.EventType = null;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(existingConfiguration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetByIdAsync(configurationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .ReplaceAsync(updatedConfiguration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+        // Also verify RemoveAsync was NOT called
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        Assert.Equal(updatedConfiguration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ChangedEventType_UpdatesConfigurationAndInvalidatesCacheForBothTypes(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+        existingConfiguration.Id = configurationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = EventType.User_LoggedIn;
+        updatedConfiguration.Id = configurationId;
+        updatedConfiguration.OrganizationIntegrationId = integrationId;
+        updatedConfiguration.EventType = EventType.Cipher_Created;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(existingConfiguration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        var result = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .GetByIdAsync(configurationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().Received(1)
+            .ReplaceAsync(updatedConfiguration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveAsync(EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+                organizationId,
+                integration.Type,
+                existingConfiguration.EventType.Value));
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveAsync(EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+                organizationId,
+                integration.Type,
+                updatedConfiguration.EventType.Value));
+        // Verify RemoveByTagAsync was NOT called since both are specific event types
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+        Assert.Equal(updatedConfiguration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ConfigurationDoesNotExist_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns((OrganizationIntegrationConfiguration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ConfigurationDoesNotBelongToIntegration_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        existingConfiguration.Id = configurationId;
+        existingConfiguration.OrganizationIntegrationId = Guid.NewGuid(); // Different integration
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(existingConfiguration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ValidationFails_ThrowsBadRequest(
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        Guid configurationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(false);
+
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        existingConfiguration.Id = configurationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        updatedConfiguration.Id = configurationId;
+        updatedConfiguration.OrganizationIntegrationId = integrationId;
+        updatedConfiguration.Template = "template";
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(configurationId)
+            .Returns(existingConfiguration);
+
+        await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, configurationId, updatedConfiguration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegrationConfiguration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ChangedFromWildcardToSpecific_InvalidatesAllCaches(
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration,
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider)
+    {
+        integration.OrganizationId = organizationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = null; // Wildcard
+        updatedConfiguration.EventType = EventType.User_LoggedIn; // Specific
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId).Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(existingConfiguration.Id).Returns(existingConfiguration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        await sutProvider.Sut.UpdateAsync(organizationId, integrationId, existingConfiguration.Id, updatedConfiguration);
+
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_ChangedFromSpecificToWildcard_InvalidatesAllCaches(
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration,
+        OrganizationIntegrationConfiguration existingConfiguration,
+        OrganizationIntegrationConfiguration updatedConfiguration,
+        SutProvider<UpdateOrganizationIntegrationConfigurationCommand> sutProvider)
+    {
+        integration.OrganizationId = organizationId;
+        existingConfiguration.OrganizationIntegrationId = integrationId;
+        existingConfiguration.EventType = EventType.User_LoggedIn; // Specific
+        updatedConfiguration.EventType = null; // Wildcard
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId).Returns(integration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>()
+            .GetByIdAsync(existingConfiguration.Id).Returns(existingConfiguration);
+        sutProvider.GetDependency<IOrganizationIntegrationConfigurationValidator>()
+            .ValidateConfiguration(Arg.Any<IntegrationType>(), Arg.Any<OrganizationIntegrationConfiguration>())
+            .Returns(true);
+
+        await sutProvider.Sut.UpdateAsync(organizationId, integrationId, existingConfiguration.Id, updatedConfiguration);
+
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveAsync(Arg.Any<string>());
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrations/CreateOrganizationIntegrationCommandTests.cs

@@ -0,0 +1,92 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrations;
+
+[SutProviderCustomize]
+public class CreateOrganizationIntegrationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task CreateAsync_Success_CreatesIntegrationAndInvalidatesCache(
+        SutProvider<CreateOrganizationIntegrationCommand> sutProvider,
+        OrganizationIntegration integration)
+    {
+        integration.Type = IntegrationType.Webhook;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetManyByOrganizationAsync(integration.OrganizationId)
+            .Returns([]);
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .CreateAsync(integration)
+            .Returns(integration);
+
+        var result = await sutProvider.Sut.CreateAsync(integration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetManyByOrganizationAsync(integration.OrganizationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .CreateAsync(integration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                integration.OrganizationId,
+                integration.Type));
+        Assert.Equal(integration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_DuplicateType_ThrowsBadRequest(
+        SutProvider<CreateOrganizationIntegrationCommand> sutProvider,
+        OrganizationIntegration integration,
+        OrganizationIntegration existingIntegration)
+    {
+        integration.Type = IntegrationType.Webhook;
+        existingIntegration.Type = IntegrationType.Webhook;
+        existingIntegration.OrganizationId = integration.OrganizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetManyByOrganizationAsync(integration.OrganizationId)
+            .Returns([existingIntegration]);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.CreateAsync(integration));
+
+        Assert.Contains("An integration of this type already exists", exception.Message);
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .CreateAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_DifferentType_Success(
+        SutProvider<CreateOrganizationIntegrationCommand> sutProvider,
+        OrganizationIntegration integration,
+        OrganizationIntegration existingIntegration)
+    {
+        integration.Type = IntegrationType.Webhook;
+        existingIntegration.Type = IntegrationType.Slack;
+        existingIntegration.OrganizationId = integration.OrganizationId;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetManyByOrganizationAsync(integration.OrganizationId)
+            .Returns([existingIntegration]);
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .CreateAsync(integration)
+            .Returns(integration);
+
+        var result = await sutProvider.Sut.CreateAsync(integration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .CreateAsync(integration);
+        Assert.Equal(integration, result);
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrations/DeleteOrganizationIntegrationCommandTests.cs

@@ -0,0 +1,86 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrations;
+
+[SutProviderCustomize]
+public class DeleteOrganizationIntegrationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_Success_DeletesIntegrationAndInvalidatesCache(
+        SutProvider<DeleteOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = organizationId;
+        integration.Type = IntegrationType.Webhook;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await sutProvider.Sut.DeleteAsync(organizationId, integrationId);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .DeleteAsync(integration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                integration.Type));
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<DeleteOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration integration)
+    {
+        integration.Id = integrationId;
+        integration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(integration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.DeleteAsync(organizationId, integrationId));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .DeleteAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrations/GetOrganizationIntegrationsQueryTests.cs

@@ -0,0 +1,44 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrations;
+
+[SutProviderCustomize]
+public class GetOrganizationIntegrationsQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetManyByOrganizationAsync_CallsRepository(
+        SutProvider<GetOrganizationIntegrationsQuery> sutProvider,
+        Guid organizationId,
+        List<OrganizationIntegration> integrations)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetManyByOrganizationAsync(organizationId)
+            .Returns(integrations);
+
+        var result = await sutProvider.Sut.GetManyByOrganizationAsync(organizationId);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetManyByOrganizationAsync(organizationId);
+        Assert.Equal(integrations.Count, result.Count);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetManyByOrganizationAsync_NoIntegrations_ReturnsEmptyList(
+        SutProvider<GetOrganizationIntegrationsQuery> sutProvider,
+        Guid organizationId)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetManyByOrganizationAsync(organizationId)
+            .Returns([]);
+
+        var result = await sutProvider.Sut.GetManyByOrganizationAsync(organizationId);
+
+        Assert.Empty(result);
+    }
+}

test/Core.Test/AdminConsole/EventIntegrations/OrganizationIntegrations/UpdateOrganizationIntegrationCommandTests.cs

@@ -0,0 +1,121 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.EventIntegrations.OrganizationIntegrations;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+using ZiggyCreatures.Caching.Fusion;
+
+namespace Bit.Core.Test.AdminConsole.EventIntegrations.OrganizationIntegrations;
+
+[SutProviderCustomize]
+public class UpdateOrganizationIntegrationCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_Success_UpdatesIntegrationAndInvalidatesCache(
+        SutProvider<UpdateOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration existingIntegration,
+        OrganizationIntegration updatedIntegration)
+    {
+        existingIntegration.Id = integrationId;
+        existingIntegration.OrganizationId = organizationId;
+        existingIntegration.Type = IntegrationType.Webhook;
+        updatedIntegration.Id = integrationId;
+        updatedIntegration.OrganizationId = organizationId;
+        updatedIntegration.Type = IntegrationType.Webhook;
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(existingIntegration);
+
+        var result = await sutProvider.Sut.UpdateAsync(organizationId, integrationId, updatedIntegration);
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .GetByIdAsync(integrationId);
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().Received(1)
+            .ReplaceAsync(updatedIntegration);
+        await sutProvider.GetDependency<IFusionCache>().Received(1)
+            .RemoveByTagAsync(EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+                organizationId,
+                existingIntegration.Type));
+        Assert.Equal(updatedIntegration, result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_IntegrationDoesNotExist_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration updatedIntegration)
+    {
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns((OrganizationIntegration)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, updatedIntegration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_IntegrationDoesNotBelongToOrganization_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration existingIntegration,
+        OrganizationIntegration updatedIntegration)
+    {
+        existingIntegration.Id = integrationId;
+        existingIntegration.OrganizationId = Guid.NewGuid(); // Different organization
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(existingIntegration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, updatedIntegration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_IntegrationIsDifferentType_ThrowsNotFound(
+        SutProvider<UpdateOrganizationIntegrationCommand> sutProvider,
+        Guid organizationId,
+        Guid integrationId,
+        OrganizationIntegration existingIntegration,
+        OrganizationIntegration updatedIntegration)
+    {
+        existingIntegration.Id = integrationId;
+        existingIntegration.OrganizationId = organizationId;
+        existingIntegration.Type = IntegrationType.Webhook;
+        updatedIntegration.Id = integrationId;
+        updatedIntegration.OrganizationId = organizationId;
+        updatedIntegration.Type = IntegrationType.Hec; // Different Type
+
+        sutProvider.GetDependency<IOrganizationIntegrationRepository>()
+            .GetByIdAsync(integrationId)
+            .Returns(existingIntegration);
+
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.UpdateAsync(organizationId, integrationId, updatedIntegration));
+
+        await sutProvider.GetDependency<IOrganizationIntegrationRepository>().DidNotReceive()
+            .ReplaceAsync(Arg.Any<OrganizationIntegration>());
+        await sutProvider.GetDependency<IFusionCache>().DidNotReceive()
+            .RemoveByTagAsync(Arg.Any<string>());
+    }
+}

test/Core.Test/AdminConsole/Models/Data/EventIntegrations/TestListenerConfiguration.cs

@@ -17,4 +17,5 @@ public class TestListenerConfiguration : IIntegrationListenerConfiguration
     public int EventPrefetchCount => 0;
     public int IntegrationMaxConcurrentCalls => 1;
     public int IntegrationPrefetchCount => 0;
+    public string RoutingKey => IntegrationType.ToRoutingKey();
 }

test/Core.Test/AdminConsole/OrganizationFeatures/Import/ImportOrganizationUsersAndGroupsCommandTests.cs

@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.OrganizationFeatures.Import;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -57,7 +58,7 @@ public class ImportOrganizationUsersAndGroupsCommandTests
         var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
         SetupOrgUserRepositoryCreateManyAsyncMock(organizationUserRepository);
 
-        sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(org).Returns(true);
+        sutProvider.GetDependency<IStripePaymentService>().HasSecretsManagerStandalone(org).Returns(true);
         sutProvider.GetDependency<IOrganizationUserRepository>().GetManyDetailsByOrganizationAsync(org.Id).Returns(existingUsers);
         sutProvider.GetDependency<IOrganizationRepository>().GetOccupiedSeatCountByOrganizationIdAsync(org.Id).Returns(
             new OrganizationSeatCounts

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommandTests.cs

@@ -2,7 +2,6 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.Context;
@@ -183,17 +182,17 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<ISavePolicyCommand>()
+        await sutProvider.GetDependency<IVNextSavePolicyCommand>()
             .Received(1)
-            .SaveAsync(Arg.Is<PolicyUpdate>(x => x.Type == PolicyType.SingleOrg &&
-                x.OrganizationId == domain.OrganizationId &&
-                x.Enabled &&
+            .SaveAsync(Arg.Is<SavePolicyModel>(x => x.PolicyUpdate.Type == PolicyType.SingleOrg &&
+                                                    x.PolicyUpdate.OrganizationId == domain.OrganizationId &&
+                                                    x.PolicyUpdate.Enabled &&
                 x.PerformedBy is StandardUser &&
                 x.PerformedBy.UserId == userId));
     }
 
     [Theory, BitAutoData]
-    public async Task UserVerifyOrganizationDomainAsync_WhenPolicyValidatorsRefactorFlagEnabled_UsesVNextSavePolicyCommand(
+    public async Task UserVerifyOrganizationDomainAsync_UsesVNextSavePolicyCommand(
         OrganizationDomain domain, Guid userId, SutProvider<VerifyOrganizationDomainCommand> sutProvider)
     {
         sutProvider.GetDependency<IOrganizationDomainRepository>()
@@ -207,10 +206,6 @@ public class VerifyOrganizationDomainCommandTests
         sutProvider.GetDependency<ICurrentContext>()
             .UserId.Returns(userId);
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(true);
-
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
         await sutProvider.GetDependency<IVNextSavePolicyCommand>()
@@ -240,9 +235,9 @@ public class VerifyOrganizationDomainCommandTests
 
         _ = await sutProvider.Sut.UserVerifyOrganizationDomainAsync(domain);
 
-        await sutProvider.GetDependency<ISavePolicyCommand>()
+        await sutProvider.GetDependency<IVNextSavePolicyCommand>()
             .DidNotReceive()
-            .SaveAsync(Arg.Any<PolicyUpdate>());
+            .SaveAsync(Arg.Any<SavePolicyModel>());
     }
 
     [Theory, BitAutoData]

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs

@@ -1,7 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Business.Tokenables;
@@ -24,6 +26,7 @@ using Bit.Test.Common.Fakes;
 using Microsoft.AspNetCore.DataProtection;
 using NSubstitute;
 using Xunit;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
 
 namespace Bit.Core.Test.OrganizationFeatures.OrganizationUsers;
 
@@ -673,6 +676,79 @@ public class AcceptOrgUserCommandTests
         Assert.Equal("User not found within organization.", exception.Message);
     }
 
+    // Auto-confirm policy validation tests --------------------------------------------------------------------------
+
+    [Theory]
+    [BitAutoData]
+    public async Task AcceptOrgUserAsync_WithAutoConfirmIsNotEnabled_DoesNotCheckCompliance(
+        SutProvider<AcceptOrgUserCommand> sutProvider,
+        User user, Organization org, OrganizationUser orgUser, OrganizationUserUserDetails adminUserDetails)
+    {
+        // Arrange
+        SetupCommonAcceptOrgUserMocks(sutProvider, user, org, orgUser, adminUserDetails);
+
+        // Act
+        var resultOrgUser = await sutProvider.Sut.AcceptOrgUserAsync(orgUser, user, _userService);
+
+        // Assert
+        AssertValidAcceptedOrgUser(resultOrgUser, orgUser, user);
+
+        await sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>().DidNotReceiveWithAnyArgs()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AcceptOrgUserAsync_WithUserThatIsCompliantWithAutoConfirm_AcceptsUser(
+        SutProvider<AcceptOrgUserCommand> sutProvider,
+        User user, Organization org, OrganizationUser orgUser, OrganizationUserUserDetails adminUserDetails)
+    {
+        // Arrange
+        SetupCommonAcceptOrgUserMocks(sutProvider, user, org, orgUser, adminUserDetails);
+
+        // Mock auto-confirm enforcement query to return valid (no auto-confirm restrictions)
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser], user)));
+
+        // Act
+        var resultOrgUser = await sutProvider.Sut.AcceptOrgUserAsync(orgUser, user, _userService);
+
+        // Assert
+        AssertValidAcceptedOrgUser(resultOrgUser, orgUser, user);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).ReplaceAsync(
+            Arg.Is<OrganizationUser>(ou => ou.Id == orgUser.Id && ou.Status == OrganizationUserStatusType.Accepted));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AcceptOrgUserAsync_WithAutoConfirmIsEnabledAndFailsCompliance_ThrowsBadRequestException(
+        SutProvider<AcceptOrgUserCommand> sutProvider,
+        User user, Organization org, OrganizationUser orgUser, OrganizationUserUserDetails adminUserDetails,
+        OrganizationUser otherOrgUser)
+    {
+        // Arrange
+        SetupCommonAcceptOrgUserMocks(sutProvider, user, org, orgUser, adminUserDetails);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser, otherOrgUser], user),
+                new UserCannotBelongToAnotherOrganization()));
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.AcceptOrgUserAsync(orgUser, user, _userService));
+
+        // Should get auto-confirm error
+        Assert.Equal(new UserCannotBelongToAnotherOrganization().Message, exception.Message);
+    }
+
     // Private helpers -------------------------------------------------------------------------------------------------
 
     /// <summary>
@@ -716,7 +792,7 @@ public class AcceptOrgUserCommandTests
     /// - Provides mock data for an admin to validate email functionality.
     /// - Returns the corresponding organization for the given org ID.
     /// </summary>
-    private void SetupCommonAcceptOrgUserMocks(SutProvider<AcceptOrgUserCommand> sutProvider, User user,
+    private static void SetupCommonAcceptOrgUserMocks(SutProvider<AcceptOrgUserCommand> sutProvider, User user,
         Organization org,
         OrganizationUser orgUser, OrganizationUserUserDetails adminUserDetails)
     {
@@ -729,18 +805,12 @@ public class AcceptOrgUserCommandTests
         // User is not part of any other orgs
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyByUserAsync(user.Id)
-            .Returns(
-                Task.FromResult<ICollection<OrganizationUser>>(new List<OrganizationUser>())
-            );
+            .Returns([]);
 
         // Org they are trying to join does not have single org policy
         sutProvider.GetDependency<IPolicyService>()
             .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg, OrganizationUserStatusType.Invited)
-            .Returns(
-                Task.FromResult<ICollection<OrganizationUserPolicyDetails>>(
-                    new List<OrganizationUserPolicyDetails>()
-                )
-            );
+            .Returns([]);
 
         // User is not part of any organization that applies the single org policy
         sutProvider.GetDependency<IPolicyService>()
@@ -750,20 +820,24 @@ public class AcceptOrgUserCommandTests
         // Org does not require 2FA
         sutProvider.GetDependency<IPolicyService>().GetPoliciesApplicableToUserAsync(user.Id,
                 PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Invited)
-            .Returns(Task.FromResult<ICollection<OrganizationUserPolicyDetails>>(
-                new List<OrganizationUserPolicyDetails>()));
+            .Returns([]);
 
         // Provide at least 1 admin to test email functionality
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyByMinimumRoleAsync(orgUser.OrganizationId, OrganizationUserType.Admin)
-            .Returns(Task.FromResult<IEnumerable<OrganizationUserUserDetails>>(
-                new List<OrganizationUserUserDetails>() { adminUserDetails }
-            ));
+            .Returns([adminUserDetails]);
 
         // Return org
         sutProvider.GetDependency<IOrganizationRepository>()
             .GetByIdAsync(org.Id)
-            .Returns(Task.FromResult(org));
+            .Returns(org);
+
+        // Auto-confirm enforcement query returns valid by default (no restrictions)
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser], user);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(request)
+            .Returns(Valid(request));
     }
 
 

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmOrganizationUsersValidatorTests.cs

@@ -5,6 +5,7 @@ using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
@@ -12,6 +13,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Test.AdminConsole.AutoFixture;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
 using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
@@ -19,6 +21,7 @@ using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
 
 namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUsers;
 
@@ -116,11 +119,11 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
         SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
         [Organization(useAutomaticUserConfirmation: true, planType: PlanType.EnterpriseAnnually)] Organization organization,
         [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        Guid userId,
+        User user,
         [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
     {
         // Arrange
-        organizationUser.UserId = userId;
+        organizationUser.UserId = user.Id;
         organizationUser.OrganizationId = organization.Id;
 
         var request = new AutomaticallyConfirmOrganizationUserValidationRequest
@@ -140,12 +143,23 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
 
         sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
+            .Returns([(user.Id, true)]);
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
+            .GetManyByUserAsync(user.Id)
             .Returns([organizationUser]);
 
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(organization.Id,
+                    [organizationUser],
+                    user)));
+
         // Act
         var result = await sutProvider.Sut.ValidateAsync(request);
 
@@ -319,11 +333,11 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
         SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
         [Organization(useAutomaticUserConfirmation: true)] Organization organization,
         [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        Guid userId,
+        User user,
         [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
     {
         // Arrange
-        organizationUser.UserId = userId;
+        organizationUser.UserId = user.Id;
         organizationUser.OrganizationId = organization.Id;
 
         var request = new AutomaticallyConfirmOrganizationUserValidationRequest
@@ -343,12 +357,24 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
 
         sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
+            .Returns([(user.Id, true)]);
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
+            .GetManyByUserAsync(user.Id)
             .Returns([organizationUser]);
 
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(organization.Id,
+                    [organizationUser],
+                    user)));
+
+
         // Act
         var result = await sutProvider.Sut.ValidateAsync(request);
 
@@ -362,11 +388,11 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
         SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
         [Organization(useAutomaticUserConfirmation: true)] Organization organization,
         [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        Guid userId,
+        User user,
         [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
     {
         // Arrange
-        organizationUser.UserId = userId;
+        organizationUser.UserId = user.Id;
         organizationUser.OrganizationId = organization.Id;
 
         var request = new AutomaticallyConfirmOrganizationUserValidationRequest
@@ -386,16 +412,28 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
 
         sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, false)]);
+            .Returns([(user.Id, false)]);
 
         sutProvider.GetDependency<IPolicyRequirementQuery>()
-            .GetAsync<RequireTwoFactorPolicyRequirement>(userId)
+            .GetAsync<RequireTwoFactorPolicyRequirement>(user.Id)
             .Returns(new RequireTwoFactorPolicyRequirement([])); // No 2FA policy
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
+            .GetManyByUserAsync(user.Id)
             .Returns([organizationUser]);
 
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(organization.Id,
+                    [organizationUser],
+                    user)));
+
+
         // Act
         var result = await sutProvider.Sut.ValidateAsync(request);
 
@@ -403,128 +441,17 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
         Assert.True(result.IsValid);
     }
 
-    [Theory]
-    [BitAutoData]
-    public async Task ValidateAsync_UserInMultipleOrgs_WithSingleOrgPolicyOnThisOrg_ReturnsError(
-        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
-        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        OrganizationUser otherOrgUser,
-        Guid userId,
-        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
-    {
-        // Arrange
-        organizationUser.UserId = userId;
-        organizationUser.OrganizationId = organization.Id;
-
-        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
-        {
-            PerformedBy = Substitute.For<IActingUser>(),
-            DefaultUserCollectionName = "test-collection",
-            OrganizationUser = organizationUser,
-            OrganizationUserId = organizationUser.Id,
-            Organization = organization,
-            OrganizationId = organization.Id,
-            Key = "test-key"
-        };
-
-        var singleOrgPolicyDetails = new PolicyDetails
-        {
-            OrganizationId = organization.Id,
-            PolicyType = PolicyType.SingleOrg
-        };
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
-            .Returns(autoConfirmPolicy);
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
-            .Returns([organizationUser, otherOrgUser]);
-
-        sutProvider.GetDependency<IPolicyRequirementQuery>()
-            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
-            .Returns(new SingleOrganizationPolicyRequirement([singleOrgPolicyDetails]));
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(request);
-
-        // Assert
-        Assert.True(result.IsError);
-        Assert.IsType<OrganizationEnforcesSingleOrgPolicy>(result.AsError);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task ValidateAsync_UserInMultipleOrgs_WithSingleOrgPolicyOnOtherOrg_ReturnsError(
-        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
-        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        OrganizationUser otherOrgUser,
-        Guid userId,
-        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
-    {
-        // Arrange
-        organizationUser.UserId = userId;
-        organizationUser.OrganizationId = organization.Id;
-
-        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
-        {
-            PerformedBy = Substitute.For<IActingUser>(),
-            DefaultUserCollectionName = "test-collection",
-            OrganizationUser = organizationUser,
-            OrganizationUserId = organizationUser.Id,
-            Organization = organization,
-            OrganizationId = organization.Id,
-            Key = "test-key"
-        };
-
-        var otherOrgId = Guid.NewGuid(); // Different org
-        var singleOrgPolicyDetails = new PolicyDetails
-        {
-            OrganizationId = otherOrgId,
-            PolicyType = PolicyType.SingleOrg,
-        };
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
-            .Returns(autoConfirmPolicy);
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
-            .Returns([organizationUser, otherOrgUser]);
-
-        sutProvider.GetDependency<IPolicyRequirementQuery>()
-            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
-            .Returns(new SingleOrganizationPolicyRequirement([singleOrgPolicyDetails]));
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(request);
-
-        // Assert
-        Assert.True(result.IsError);
-        Assert.IsType<OtherOrganizationEnforcesSingleOrgPolicy>(result.AsError);
-    }
-
     [Theory]
     [BitAutoData]
     public async Task ValidateAsync_UserInSingleOrg_ReturnsValidResult(
         SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
         [Organization(useAutomaticUserConfirmation: true)] Organization organization,
         [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        Guid userId,
+        User user,
         [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
     {
         // Arrange
-        organizationUser.UserId = userId;
+        organizationUser.UserId = user.Id;
         organizationUser.OrganizationId = organization.Id;
 
         var request = new AutomaticallyConfirmOrganizationUserValidationRequest
@@ -544,61 +471,22 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
 
         sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
             .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
+            .Returns([(user.Id, true)]);
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
+            .GetManyByUserAsync(user.Id)
             .Returns([organizationUser]); // Single org
 
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(request);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(user.Id)
+            .Returns(user);
 
-        // Assert
-        Assert.True(result.IsValid);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task ValidateAsync_UserInMultipleOrgs_WithNoSingleOrgPolicy_ReturnsValidResult(
-        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
-        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
-        OrganizationUser otherOrgUser,
-        Guid userId,
-        Policy autoConfirmPolicy)
-    {
-        // Arrange
-        organizationUser.UserId = userId;
-        organizationUser.OrganizationId = organization.Id;
-        autoConfirmPolicy.Type = PolicyType.AutomaticUserConfirmation;
-        autoConfirmPolicy.Enabled = true;
-
-        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
-        {
-            PerformedBy = Substitute.For<IActingUser>(),
-            DefaultUserCollectionName = "test-collection",
-            OrganizationUser = organizationUser,
-            OrganizationUserId = organizationUser.Id,
-            Organization = organization,
-            OrganizationId = organization.Id,
-            Key = "test-key"
-        };
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
-            .Returns(autoConfirmPolicy);
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
-            .Returns([(userId, true)]);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(userId)
-            .Returns([organizationUser, otherOrgUser]);
-
-        sutProvider.GetDependency<IPolicyRequirementQuery>()
-            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
-            .Returns(new SingleOrganizationPolicyRequirement([]));
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(organization.Id,
+                    [organizationUser],
+                    user)));
 
         // Act
         var result = await sutProvider.Sut.ValidateAsync(request);
@@ -693,4 +581,59 @@ public class AutomaticallyConfirmOrganizationUsersValidatorTests
         Assert.True(result.IsError);
         Assert.IsType<AutomaticallyConfirmUsersPolicyIsNotEnabled>(result.AsError);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithNonProviderUser_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(user.Id, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([organizationUser]);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(organization.Id,
+                    [organizationUser],
+                    user)));
+
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
 }

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommandTests.cs

@@ -2,7 +2,9 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
@@ -21,6 +23,7 @@ using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
 
 namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
 
@@ -559,4 +562,256 @@ public class ConfirmOrganizationUserCommandTests
             .DidNotReceive()
             .UpsertDefaultCollectionsAsync(Arg.Any<Guid>(), Arg.Any<IEnumerable<Guid>>(), Arg.Any<string>());
     }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithAutoConfirmEnabledAndUserBelongsToAnotherOrg_ThrowsBadRequest(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser otherOrgUser, string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        otherOrgUser.UserId = user.Id;
+        otherOrgUser.OrganizationId = Guid.NewGuid(); // Different org
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser, otherOrgUser]);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([user]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(orgUser.Id, [orgUser, otherOrgUser], user),
+                new UserCannotBelongToAnotherOrganization()));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+
+        Assert.Equal(new UserCannotBelongToAnotherOrganization().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithAutoConfirmEnabledForOtherOrg_ThrowsBadRequest(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser otherOrgUser, string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        otherOrgUser.UserId = user.Id;
+        otherOrgUser.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser, otherOrgUser]);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([user]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser, otherOrgUser], user),
+                new OtherOrganizationDoesNotAllowOtherMembership()));
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+
+        Assert.Equal(new OtherOrganizationDoesNotAllowOtherMembership().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithAutoConfirmEnabledAndUserIsProvider_ThrowsBadRequest(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([user]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser], user),
+                new ProviderUsersCannotJoin()));
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+
+        Assert.Equal(new ProviderUsersCannotJoin().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithAutoConfirmNotApplicable_Succeeds(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([user]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Valid(new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser], user)));
+
+        // Act
+        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
+
+        // Assert
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1).LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1).SendOrganizationConfirmedEmailAsync(org.DisplayName(), user.Email, orgUser.AccessSecretsManager);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithAutoConfirmValidationBeforeSingleOrgPolicy_ChecksAutoConfirmFirst(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser otherOrgUser,
+        [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        // Arrange - Setup conditions that would fail BOTH auto-confirm AND single org policy
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        otherOrgUser.UserId = user.Id;
+        otherOrgUser.OrganizationId = Guid.NewGuid();
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([orgUser]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser, otherOrgUser]);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([user]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        singleOrgPolicy.OrganizationId = org.Id;
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg)
+            .Returns([singleOrgPolicy]);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Any<AutomaticUserConfirmationPolicyEnforcementRequest>())
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser, otherOrgUser], user),
+                new UserCannotBelongToAnotherOrganization()));
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+
+        Assert.Equal(new UserCannotBelongToAnotherOrganization().Message, exception.Message);
+        Assert.NotEqual("Cannot confirm this member to the organization until they leave or remove all other organizations.",
+            exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabled_MixedResults(
+        Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser2,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser3,
+        OrganizationUser otherOrgUser, User user1, User user2, User user3,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser1.UserId = user1.Id;
+        orgUser2.UserId = user2.Id;
+        orgUser3.UserId = user3.Id;
+        otherOrgUser.UserId = user3.Id;
+        otherOrgUser.OrganizationId = Guid.NewGuid();
+
+        var orgUsers = new[] { orgUser1, orgUser2, orgUser3 };
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs(orgUsers);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(org.Id).Returns(org);
+        sutProvider.GetDependency<IUserRepository>()
+            .GetManyAsync([]).ReturnsForAnyArgs([user1, user2, user3]);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync([])
+            .ReturnsForAnyArgs([orgUser1, orgUser2, orgUser3, otherOrgUser]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Is<AutomaticUserConfirmationPolicyEnforcementRequest>(r => r.User.Id == user1.Id))
+            .Returns(Valid(new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser1], user1)));
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Is<AutomaticUserConfirmationPolicyEnforcementRequest>(r => r.User.Id == user2.Id))
+            .Returns(Valid(new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser2], user2)));
+
+        sutProvider.GetDependency<IAutomaticUserConfirmationPolicyEnforcementValidator>()
+            .IsCompliantAsync(Arg.Is<AutomaticUserConfirmationPolicyEnforcementRequest>(r => r.User.Id == user3.Id))
+            .Returns(Invalid(
+                new AutomaticUserConfirmationPolicyEnforcementRequest(org.Id, [orgUser3, otherOrgUser], user3),
+                new OtherOrganizationDoesNotAllowOtherMembership()));
+
+        var keys = orgUsers.ToDictionary(ou => ou.Id, _ => key);
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(confirmingUser.OrganizationId, keys, confirmingUser.Id);
+
+        // Assert
+        Assert.Equal(3, result.Count);
+        Assert.Empty(result[0].Item2);
+        Assert.Empty(result[1].Item2);
+        Assert.Equal(new OtherOrganizationDoesNotAllowOtherMembership().Message, result[2].Item2);
+    }
 }

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommandTests.cs

@@ -0,0 +1,113 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+[SutProviderCustomize]
+public class BulkResendOrganizationInvitesCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_ValidatesUsersAndSendsBatchInvite(
+        Organization organization,
+        OrganizationUser validUser1,
+        OrganizationUser validUser2,
+        OrganizationUser acceptedUser,
+        OrganizationUser wrongOrgUser,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        validUser1.OrganizationId = organization.Id;
+        validUser1.Status = OrganizationUserStatusType.Invited;
+        validUser2.OrganizationId = organization.Id;
+        validUser2.Status = OrganizationUserStatusType.Invited;
+        acceptedUser.OrganizationId = organization.Id;
+        acceptedUser.Status = OrganizationUserStatusType.Accepted;
+        wrongOrgUser.OrganizationId = Guid.NewGuid();
+        wrongOrgUser.Status = OrganizationUserStatusType.Invited;
+
+        var users = new List<OrganizationUser> { validUser1, validUser2, acceptedUser, wrongOrgUser };
+        var userIds = users.Select(u => u.Id).ToList();
+
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(users);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = (await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, userIds)).ToList();
+
+        Assert.Equal(4, result.Count);
+        Assert.Equal(2, result.Count(r => string.IsNullOrEmpty(r.Item2)));
+        Assert.Equal(2, result.Count(r => r.Item2 == "User invalid."));
+
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(req =>
+                req.Organization == organization &&
+                req.Users.Length == 2 &&
+                req.InitOrganization == false));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_AllInvalidUsers_DoesNotSendInvites(
+        Organization organization,
+        List<OrganizationUser> organizationUsers,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        foreach (var user in organizationUsers)
+        {
+            user.OrganizationId = organization.Id;
+            user.Status = OrganizationUserStatusType.Confirmed;
+        }
+
+        var userIds = organizationUsers.Select(u => u.Id).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(organizationUsers);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = (await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, userIds)).ToList();
+
+        Assert.Equal(organizationUsers.Count, result.Count);
+        Assert.All(result, r => Assert.Equal("User invalid.", r.Item2));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().DidNotReceive()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_OrganizationNotFound_ThrowsNotFoundException(
+        Guid organizationId,
+        List<Guid> userIds,
+        List<OrganizationUser> organizationUsers,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(organizationUsers);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns((Organization?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkResendInvitesAsync(organizationId, null, userIds));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_EmptyUserList_ReturnsEmpty(
+        Organization organization,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        var emptyUserIds = new List<Guid>();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(emptyUserIds).Returns(new List<OrganizationUser>());
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, emptyUserIds);
+
+        Assert.Empty(result);
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().DidNotReceive()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+    }
+}

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUsersValidatorTests.cs

@@ -3,11 +3,11 @@ using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
 using Bit.Core.AdminConsole.Utilities.Validation;
+using Bit.Core.Billing.Services;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Mocks.Plans;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -50,7 +50,7 @@ public class InviteOrganizationUsersValidatorTests
             OccupiedSmSeats = 9
         };
 
-        sutProvider.GetDependency<IPaymentService>()
+        sutProvider.GetDependency<IStripePaymentService>()
             .HasSecretsManagerStandalone(request.InviteOrganization)
             .Returns(true);
 
@@ -96,7 +96,7 @@ public class InviteOrganizationUsersValidatorTests
             OccupiedSmSeats = 9
         };
 
-        sutProvider.GetDependency<IPaymentService>()
+        sutProvider.GetDependency<IStripePaymentService>()
             .HasSecretsManagerStandalone(request.InviteOrganization)
             .Returns(true);
 
@@ -140,7 +140,7 @@ public class InviteOrganizationUsersValidatorTests
             OccupiedSmSeats = 4
         };
 
-        sutProvider.GetDependency<IPaymentService>()
+        sutProvider.GetDependency<IStripePaymentService>()
             .HasSecretsManagerStandalone(request.InviteOrganization)
             .Returns(true);
 

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeOrganizationUserCommandTests.cs

@@ -1,6 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/RevokeOrganizationUserCommandTests.cs

@@ -0,0 +1,215 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+[SutProviderCustomize]
+public class RevokeOrganizationUserCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task RevokeUsersAsync_WithValidUsers_RevokesUsersAndLogsEvents(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser2)
+    {
+        // Arrange
+        orgUser1.OrganizationId = orgUser2.OrganizationId = organizationId;
+        orgUser1.UserId = Guid.NewGuid();
+        orgUser2.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = new RevokeOrganizationUsersRequest(
+            organizationId,
+            [orgUser1.Id, orgUser2.Id],
+            actingUser);
+
+        SetupRepositoryMocks(sutProvider, [orgUser1, orgUser2]);
+        SetupValidatorMock(sutProvider, [
+            ValidationResultHelpers.Valid(orgUser1),
+            ValidationResultHelpers.Valid(orgUser2)
+        ]);
+
+        // Act
+        var results = (await sutProvider.Sut.RevokeUsersAsync(request)).ToList();
+
+        // Assert
+        Assert.Equal(2, results.Count);
+        Assert.All(results, r => Assert.True(r.Result.IsSuccess));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeManyByIdAsync(Arg.Is<IEnumerable<Guid>>(ids =>
+                ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)));
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(Arg.Is<IEnumerable<(OrganizationUser, EventType, DateTime?)>>(
+                events => events.Count() == 2));
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(orgUser1.UserId!.Value);
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(orgUser2.UserId!.Value);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RevokeUsersAsync_WithSystemUser_LogsEventsWithSystemUserType(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        Guid organizationId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser)
+    {
+        // Arrange
+        orgUser.OrganizationId = organizationId;
+        orgUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(null, false, EventSystemUser.SCIM);
+
+        var request = new RevokeOrganizationUsersRequest(
+            organizationId,
+            [orgUser.Id],
+            actingUser);
+
+        SetupRepositoryMocks(sutProvider, [orgUser]);
+        SetupValidatorMock(sutProvider, [ValidationResultHelpers.Valid(orgUser)]);
+
+        // Act
+        await sutProvider.Sut.RevokeUsersAsync(request);
+
+        // Assert
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventsAsync(Arg.Is<IEnumerable<(OrganizationUser, EventType, EventSystemUser, DateTime?)>>(
+                events => events.All(e => e.Item3 == EventSystemUser.SCIM)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RevokeUsersAsync_WithValidationErrors_ReturnsErrorResults(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser2)
+    {
+        // Arrange
+        orgUser1.OrganizationId = orgUser2.OrganizationId = organizationId;
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+
+        var request = new RevokeOrganizationUsersRequest(
+            organizationId,
+            [orgUser1.Id, orgUser2.Id],
+            actingUser);
+
+        SetupRepositoryMocks(sutProvider, [orgUser1, orgUser2]);
+        SetupValidatorMock(sutProvider, [
+            ValidationResultHelpers.Invalid(orgUser1, new UserAlreadyRevoked()),
+            ValidationResultHelpers.Valid(orgUser2)
+        ]);
+
+        // Act
+        var results = (await sutProvider.Sut.RevokeUsersAsync(request)).ToList();
+
+        // Assert
+        Assert.Equal(2, results.Count);
+        var result1 = results.Single(r => r.Id == orgUser1.Id);
+        var result2 = results.Single(r => r.Id == orgUser2.Id);
+
+        Assert.True(result1.Result.IsError);
+        Assert.True(result2.Result.IsSuccess);
+
+        // Only the valid user should be revoked
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeManyByIdAsync(Arg.Is<IEnumerable<Guid>>(ids =>
+                ids.Count() == 1 && ids.Contains(orgUser2.Id)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RevokeUsersAsync_WhenPushNotificationFails_ContinuesProcessing(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser)
+    {
+        // Arrange
+        orgUser.OrganizationId = organizationId;
+        orgUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+
+        var request = new RevokeOrganizationUsersRequest(
+            organizationId,
+            [orgUser.Id],
+            actingUser);
+
+        SetupRepositoryMocks(sutProvider, [orgUser]);
+        SetupValidatorMock(sutProvider, [ValidationResultHelpers.Valid(orgUser)]);
+
+        sutProvider.GetDependency<IPushNotificationService>()
+            .PushSyncOrgKeysAsync(orgUser.UserId!.Value)
+            .Returns(Task.FromException(new Exception("Push notification failed")));
+
+        // Act
+        var results = (await sutProvider.Sut.RevokeUsersAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results[0].Result.IsSuccess);
+
+        // Should log warning but continue
+        sutProvider.GetDependency<ILogger<RevokeOrganizationUserCommand>>()
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Any<object>(),
+                Arg.Any<Exception>(),
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    private static IActingUser CreateActingUser(Guid? userId, bool isOwnerOrProvider, EventSystemUser? systemUserType) =>
+        (userId, systemUserType) switch
+        {
+            ({ } id, _) => new StandardUser(id, isOwnerOrProvider),
+            (null, { } type) => new SystemUser(type)
+        };
+
+    private static void SetupRepositoryMocks(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        ICollection<OrganizationUser> organizationUsers)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns(organizationUsers);
+    }
+
+    private static void SetupValidatorMock(
+        SutProvider<RevokeOrganizationUserCommand> sutProvider,
+        ICollection<ValidationResult<OrganizationUser>> validationResults)
+    {
+        sutProvider.GetDependency<IRevokeOrganizationUserValidator>()
+            .ValidateAsync(Arg.Any<RevokeOrganizationUsersValidationRequest>())
+            .Returns(validationResults);
+    }
+}

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/RevokeOrganizationUsersValidatorTests.cs

@@ -0,0 +1,325 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+[SutProviderCustomize]
+public class RevokeOrganizationUsersValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithValidUsers_ReturnsSuccess(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser2)
+    {
+        // Arrange
+        orgUser1.OrganizationId = orgUser2.OrganizationId = organizationId;
+        orgUser1.UserId = Guid.NewGuid();
+        orgUser2.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [orgUser1, orgUser2],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Equal(2, results.Count);
+        Assert.All(results, r => Assert.True(r.IsValid));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithRevokedUser_ReturnsErrorForThatUser(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser revokedUser)
+    {
+        // Arrange
+        revokedUser.OrganizationId = organizationId;
+        revokedUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [revokedUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsError);
+        Assert.IsType<UserAlreadyRevoked>(results.First().AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenRevokingSelf_ReturnsErrorForThatUser(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser)
+    {
+        // Arrange
+        orgUser.OrganizationId = organizationId;
+        orgUser.UserId = actingUserId;
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [orgUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsError);
+        Assert.IsType<CannotRevokeYourself>(results.First().AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenNonOwnerRevokesOwner_ReturnsErrorForThatUser(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser ownerUser)
+    {
+        // Arrange
+        ownerUser.OrganizationId = organizationId;
+        ownerUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [ownerUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsError);
+        Assert.IsType<OnlyOwnersCanRevokeOwners>(results.First().AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenOwnerRevokesOwner_ReturnsSuccess(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser ownerUser)
+    {
+        // Arrange
+        ownerUser.OrganizationId = organizationId;
+        ownerUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, true, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [ownerUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithMultipleUsers_SomeValid_ReturnsMixedResults(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser validUser,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser revokedUser)
+    {
+        // Arrange
+        validUser.OrganizationId = revokedUser.OrganizationId = organizationId;
+        validUser.UserId = Guid.NewGuid();
+        revokedUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null);
+        var request = CreateValidationRequest(
+            organizationId,
+            [validUser, revokedUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Equal(2, results.Count);
+
+        var validResult = results.Single(r => r.Request.Id == validUser.Id);
+        var errorResult = results.Single(r => r.Request.Id == revokedUser.Id);
+
+        Assert.True(validResult.IsValid);
+        Assert.True(errorResult.IsError);
+        Assert.IsType<UserAlreadyRevoked>(errorResult.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithSystemUser_DoesNotRequireActingUserId(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser orgUser)
+    {
+        // Arrange
+        orgUser.OrganizationId = organizationId;
+        orgUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(null, false, EventSystemUser.SCIM);
+        var request = CreateValidationRequest(
+            organizationId,
+            [orgUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenRevokingLastOwner_ReturnsErrorForThatUser(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser lastOwner)
+    {
+        // Arrange
+        lastOwner.OrganizationId = organizationId;
+        lastOwner.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, true, null); // Is an owner
+        var request = CreateValidationRequest(
+            organizationId,
+            [lastOwner],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(false);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Single(results);
+        Assert.True(results.First().IsError);
+        Assert.IsType<MustHaveConfirmedOwner>(results.First().AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithMultipleValidationErrors_ReturnsAllErrors(
+        SutProvider<RevokeOrganizationUsersValidator> sutProvider,
+        Guid organizationId,
+        Guid actingUserId,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser revokedUser,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser ownerUser)
+    {
+        // Arrange
+        revokedUser.OrganizationId = ownerUser.OrganizationId = organizationId;
+        revokedUser.UserId = Guid.NewGuid();
+        ownerUser.UserId = Guid.NewGuid();
+
+        var actingUser = CreateActingUser(actingUserId, false, null); // Not an owner
+        var request = CreateValidationRequest(
+            organizationId,
+            [revokedUser, ownerUser],
+            actingUser);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>())
+            .Returns(true);
+
+        // Act
+        var results = (await sutProvider.Sut.ValidateAsync(request)).ToList();
+
+        // Assert
+        Assert.Equal(2, results.Count);
+        Assert.All(results, r => Assert.True(r.IsError));
+
+        Assert.Contains(results, r => r.AsError is UserAlreadyRevoked);
+        Assert.Contains(results, r => r.AsError is OnlyOwnersCanRevokeOwners);
+    }
+
+    private static IActingUser CreateActingUser(Guid? userId, bool isOwnerOrProvider, EventSystemUser? systemUserType) =>
+        (userId, systemUserType) switch
+        {
+            ({ } id, _) => new StandardUser(id, isOwnerOrProvider),
+            (null, { } type) => new SystemUser(type)
+        };
+
+
+    private static RevokeOrganizationUsersValidationRequest CreateValidationRequest(
+        Guid organizationId,
+        ICollection<OrganizationUser> organizationUsers,
+        IActingUser actingUser)
+    {
+        return new RevokeOrganizationUsersValidationRequest(
+            organizationId,
+            organizationUsers.Select(u => u.Id).ToList(),
+            actingUser,
+            organizationUsers
+        );
+    }
+}

test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationSignUp/ResellerClientOrganizationSignUpCommandTests.cs

@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
@@ -172,7 +173,7 @@ public class ResellerClientOrganizationSignUpCommandTests
 
     private static async Task AssertCleanupIsPerformed(SutProvider<ResellerClientOrganizationSignUpCommand> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>()
+        await sutProvider.GetDependency<IStripePaymentService>()
             .Received(1)
             .CancelAndRecoverChargesAsync(Arg.Any<Organization>());
         await sutProvider.GetDependency<IOrganizationRepository>()

test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/OrganizationUpdateCommandTests.cs

@@ -30,7 +30,7 @@ public class OrganizationUpdateCommandTests
         var organizationBillingService = sutProvider.GetDependency<IOrganizationBillingService>();
 
         organization.Id = organizationId;
-        organization.GatewayCustomerId = null; // No Stripe customer, so no billing update
+        organization.GatewayCustomerId = null; // No Stripe customer, but billing update is still called
 
         organizationRepository
             .GetByIdAsync(organizationId)
@@ -61,8 +61,8 @@ public class OrganizationUpdateCommandTests
                 result,
                 EventType.Organization_Updated);
         await organizationBillingService
-            .DidNotReceiveWithAnyArgs()
-            .UpdateOrganizationNameAndEmail(Arg.Any<Organization>());
+            .Received(1)
+            .UpdateOrganizationNameAndEmail(result);
     }
 
     [Theory, BitAutoData]
@@ -93,7 +93,7 @@ public class OrganizationUpdateCommandTests
     [Theory]
     [BitAutoData("")]
     [BitAutoData((string)null)]
-    public async Task UpdateAsync_WhenGatewayCustomerIdIsNullOrEmpty_SkipsBillingUpdate(
+    public async Task UpdateAsync_WhenGatewayCustomerIdIsNullOrEmpty_CallsBillingUpdateButHandledGracefully(
         string gatewayCustomerId,
         Guid organizationId,
         Organization organization,
@@ -133,8 +133,8 @@ public class OrganizationUpdateCommandTests
                 result,
                 EventType.Organization_Updated);
         await organizationBillingService
-            .DidNotReceiveWithAnyArgs()
-            .UpdateOrganizationNameAndEmail(Arg.Any<Organization>());
+            .Received(1)
+            .UpdateOrganizationNameAndEmail(result);
     }
 
     [Theory, BitAutoData]

test/Core.Test/AdminConsole/OrganizationFeatures/Organizations/UpdateOrganizationSubscriptionCommandTests.cs

@@ -2,9 +2,9 @@
 using Bit.Core.AdminConsole.Models.Data.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Services;
 using Bit.Core.Models.StaticStore;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Mocks.Plans;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -28,7 +28,7 @@ public class UpdateOrganizationSubscriptionCommandTests
         // Act
         await sutProvider.Sut.UpdateOrganizationSubscriptionAsync(subscriptionsToUpdate);
 
-        await sutProvider.GetDependency<IPaymentService>()
+        await sutProvider.GetDependency<IStripePaymentService>()
             .DidNotReceive()
             .AdjustSeatsAsync(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>());
 
@@ -53,7 +53,7 @@ public class UpdateOrganizationSubscriptionCommandTests
         // Act
         await sutProvider.Sut.UpdateOrganizationSubscriptionAsync(subscriptionsToUpdate);
 
-        await sutProvider.GetDependency<IPaymentService>()
+        await sutProvider.GetDependency<IStripePaymentService>()
             .Received(1)
             .AdjustSeatsAsync(
                 Arg.Is<Organization>(x => x.Id == organization.Id),
@@ -81,7 +81,7 @@ public class UpdateOrganizationSubscriptionCommandTests
         OrganizationSubscriptionUpdate[] subscriptionsToUpdate =
             [new() { Organization = organization, Plan = new Enterprise2023Plan(true) }];
 
-        sutProvider.GetDependency<IPaymentService>()
+        sutProvider.GetDependency<IStripePaymentService>()
             .AdjustSeatsAsync(
                 Arg.Is<Organization>(x => x.Id == organization.Id),
                 Arg.Is<Plan>(x => x.Type == organization.PlanType),
@@ -115,7 +115,7 @@ public class UpdateOrganizationSubscriptionCommandTests
             new() { Organization = failedOrganization, Plan = new Enterprise2023Plan(true) }
         ];
 
-        sutProvider.GetDependency<IPaymentService>()
+        sutProvider.GetDependency<IStripePaymentService>()
             .AdjustSeatsAsync(
                 Arg.Is<Organization>(x => x.Id == failedOrganization.Id),
                 Arg.Is<Plan>(x => x.Type == failedOrganization.PlanType),
@@ -124,7 +124,7 @@ public class UpdateOrganizationSubscriptionCommandTests
         // Act
         await sutProvider.Sut.UpdateOrganizationSubscriptionAsync(subscriptionsToUpdate);
 
-        await sutProvider.GetDependency<IPaymentService>()
+        await sutProvider.GetDependency<IStripePaymentService>()
             .Received(1)
             .AdjustSeatsAsync(
                 Arg.Is<Organization>(x => x.Id == successfulOrganization.Id),

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementValidatorTests.cs

@@ -0,0 +1,306 @@
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Entities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
+
+[SutProviderCustomize]
+public class AutomaticUserConfirmationPolicyEnforcementValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyEnabledAndUserIsProviderMember_ReturnsProviderUsersCannotJoinError(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        ProviderUser providerUser,
+        User user)
+    {
+        // Arrange
+        organizationUser.UserId = providerUser.UserId = user.Id;
+
+        var policyDetails = new PolicyDetails
+        {
+            OrganizationId = organizationUser.OrganizationId,
+            PolicyType = PolicyType.AutomaticUserConfirmation
+        };
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([policyDetails]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([providerUser]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<ProviderUsersCannotJoin>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyEnabledOnOtherOrganization_ReturnsOtherOrganizationDoesNotAllowOtherMembershipError(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrganizationUser,
+        User user)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        otherOrganizationUser.UserId = user.Id;
+
+        var otherOrgId = Guid.NewGuid();
+        var policyDetails = new PolicyDetails
+        {
+            OrganizationId = otherOrgId, // Different from organizationUser.OrganizationId
+            PolicyType = PolicyType.AutomaticUserConfirmation
+        };
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser, otherOrganizationUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([policyDetails]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OtherOrganizationDoesNotAllowOtherMembership>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyDisabledUserIsAMemberOfAnotherOrgReturnsValid(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        User user)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        otherOrgUser.UserId = user.Id;
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser, otherOrgUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyEnabledUserIsAMemberOfAnotherOrg_ReturnsCannotBeMemberOfAnotherOrgError(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        User user)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        otherOrgUser.UserId = user.Id;
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser, otherOrgUser],
+            user);
+
+        var policyDetails = new PolicyDetails
+        {
+            OrganizationId = organizationUser.OrganizationId,
+            PolicyType = PolicyType.AutomaticUserConfirmation
+        };
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([policyDetails]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserCannotBelongToAnotherOrganization>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyEnabledAndChecksConditionsInCorrectOrder_ReturnsFirstFailure(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        ProviderUser providerUser,
+        User user)
+    {
+        // Arrange
+        var policyDetails = new PolicyDetails
+        {
+            OrganizationId = organizationUser.OrganizationId,
+            PolicyType = PolicyType.AutomaticUserConfirmation,
+            OrganizationUserId = organizationUser.Id
+        };
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser, otherOrgUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([policyDetails]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([providerUser]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<CurrentOrganizationUserIsNotPresentInRequest>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyIsEnabledNoOtherOrganizationsAndNotAProvider_ReturnsValid(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        User user)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([
+                new PolicyDetails
+                {
+                    OrganizationUserId = organizationUser.Id,
+                    OrganizationId = organizationUser.OrganizationId,
+                    PolicyType = PolicyType.AutomaticUserConfirmation,
+                }
+            ]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyDisabledForCurrentAndOtherOrg_ReturnsValid(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        User user)
+    {
+        // Arrange
+        otherOrgUser.UserId = organizationUser.UserId = user.Id;
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task IsCompliantAsync_WithPolicyDisabledForCurrentAndOtherOrgAndIsProvider_ReturnsValid(
+        SutProvider<AutomaticUserConfirmationPolicyEnforcementValidator> sutProvider,
+        OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        ProviderUser providerUser,
+        User user)
+    {
+        // Arrange
+        providerUser.UserId = otherOrgUser.UserId = organizationUser.UserId = user.Id;
+
+        var request = new AutomaticUserConfirmationPolicyEnforcementRequest(
+            organizationUser.OrganizationId,
+            [organizationUser],
+            user);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(new AutomaticUserConfirmationPolicyRequirement([]));
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns([providerUser]);
+
+        // Act
+        var result = await sutProvider.Sut.IsCompliantAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+}

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs

@@ -21,52 +21,23 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyValidat
 public class AutomaticUserConfirmationPolicyEventHandlerTests
 {
     [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_SingleOrgNotEnabled_ReturnsError(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+    public void RequiredPolicies_IncludesSingleOrg(
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
-        // Arrange
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns((Policy?)null);
-
         // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+        var requiredPolicies = sutProvider.Sut.RequiredPolicies;
 
         // Assert
-        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_SingleOrgPolicyDisabled_ReturnsError(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg, false)] Policy singleOrgPolicy,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
-
-        // Assert
-        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
+        Assert.Contains(PolicyType.SingleOrg, requiredPolicies);
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_UsersNotCompliantWithSingleOrg_ReturnsError(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantUserId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -85,10 +56,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -107,13 +74,10 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_UserWithInvitedStatusInOtherOrg_ValidationPasses(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid userId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -121,7 +85,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
             UserId = userId,
-            Email = "test@email.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -133,10 +96,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Email = orgUser.Email
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -146,7 +105,7 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             .Returns([otherOrgUser]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -159,30 +118,37 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_ProviderUsersExist_ReturnsError(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid userId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+        var orgUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = userId
+        };
 
         var providerUser = new ProviderUser
         {
             Id = Guid.NewGuid(),
             ProviderId = Guid.NewGuid(),
-            UserId = Guid.NewGuid(),
+            UserId = userId,
             Status = ProviderUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([providerUser]);
 
         // Act
@@ -196,26 +162,18 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_AllValidationsPassed_ReturnsEmptyString(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
             OrganizationId = policyUpdate.OrganizationId,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
-            UserId = Guid.NewGuid(),
-            Email = "user@example.com"
+            UserId = Guid.NewGuid()
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -225,7 +183,7 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             .Returns([]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -249,9 +207,10 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
-        await sutProvider.GetDependency<IPolicyRepository>()
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
             .DidNotReceive()
-            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+            .GetManyDetailsByOrganizationAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -268,21 +227,18 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
-        await sutProvider.GetDependency<IPolicyRepository>()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
             .DidNotReceive()
-            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+            .GetManyDetailsByOrganizationAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_IncludesOwnersAndAdmins_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantOwnerId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var ownerUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -290,7 +246,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.Owner,
             Status = OrganizationUserStatusType.Confirmed,
             UserId = nonCompliantOwnerId,
-            Email = "owner@example.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -301,10 +256,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([ownerUser]);
@@ -323,12 +274,9 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_InvitedUsersExcluded_FromComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var invitedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -339,16 +287,12 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Email = "invited@example.com"
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([invitedUser]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -359,14 +303,11 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     }
 
     [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_RevokedUsersExcluded_FromComplianceCheck(
+    public async Task ValidateAsync_EnablingPolicy_RevokedUsersIncluded_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var revokedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -374,38 +315,44 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Revoked,
             UserId = Guid.NewGuid(),
-            Email = "revoked@example.com"
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
+        var additionalOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Revoked,
+            UserId = revokedUser.UserId,
+        };
 
-        sutProvider.GetDependency<IOrganizationUserRepository>()
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([revokedUser]);
 
+        orgUserRepository.GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([additionalOrgUser]);
+
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
         var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
 
         // Assert
-        Assert.True(string.IsNullOrEmpty(result));
+        Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_AcceptedUsersIncluded_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantUserId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var acceptedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -413,7 +360,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Accepted,
             UserId = nonCompliantUserId,
-            Email = "accepted@example.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -424,10 +370,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([acceptedUser]);
@@ -443,186 +385,22 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
         Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
     }
 
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_EmptyOrganization_ReturnsEmptyString(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
-        sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
-
-        // Assert
-        Assert.True(string.IsNullOrEmpty(result));
-    }
-
     [Theory, BitAutoData]
     public async Task ValidateAsync_WithSavePolicyModel_CallsValidateWithPolicyUpdate(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var savePolicyModel = new SavePolicyModel(policyUpdate);
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([]);
 
-        sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
         // Act
         var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
     }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_EnablingPolicy_SetsUseAutomaticUserConfirmationToTrue(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        organization.UseAutomaticUserConfirmation = false;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == true &&
-                o.RevisionDate > DateTime.MinValue));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_DisablingPolicy_SetsUseAutomaticUserConfirmationToFalse(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation, false)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        organization.UseAutomaticUserConfirmation = true;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == false &&
-                o.RevisionDate > DateTime.MinValue));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_OrganizationNotFound_DoesNotThrowException(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns((Organization?)null);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .DidNotReceive()
-            .UpsertAsync(Arg.Any<Organization>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task ExecutePreUpsertSideEffectAsync_CallsOnSaveSideEffectsAsync(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.AutomaticUserConfirmation)] Policy currentPolicy,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        var savePolicyModel = new SavePolicyModel(policyUpdate);
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.ExecutePreUpsertSideEffectAsync(savePolicyModel, currentPolicy);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == policyUpdate.Enabled));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_UpdatesRevisionDate(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        var originalRevisionDate = DateTime.UtcNow.AddDays(-1);
-        organization.RevisionDate = originalRevisionDate;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.RevisionDate > originalRevisionDate));
-    }
 }

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/SavePolicyCommandTests.cs

@@ -6,8 +6,11 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models;
 using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Platform.Push;
 using Bit.Core.Services;
 using Bit.Core.Test.AdminConsole.AutoFixture;
 using Bit.Test.Common.AutoFixture;
@@ -95,7 +98,8 @@ public class SavePolicyCommandTests
                 Substitute.For<IPolicyRepository>(),
                 [new FakeSingleOrgPolicyValidator(), new FakeSingleOrgPolicyValidator()],
                 Substitute.For<TimeProvider>(),
-                Substitute.For<IPostSavePolicySideEffect>()));
+                Substitute.For<IPostSavePolicySideEffect>(),
+                Substitute.For<IPushNotificationService>()));
         Assert.Contains("Duplicate PolicyValidator for SingleOrg policy", exception.Message);
     }
 
@@ -360,6 +364,103 @@ public class SavePolicyCommandTests
             .ExecuteSideEffectsAsync(default!, default!, default!);
     }
 
+    [Theory, BitAutoData]
+    public async Task VNextSaveAsync_SendsPushNotification(
+        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg, false)] Policy currentPolicy)
+    {
+        // Arrange
+        var fakePolicyValidator = new FakeSingleOrgPolicyValidator();
+        fakePolicyValidator.ValidateAsyncMock(policyUpdate, null).Returns("");
+        var sutProvider = SutProviderFactory([fakePolicyValidator]);
+        var savePolicyModel = new SavePolicyModel(policyUpdate);
+
+        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, policyUpdate.Type)
+            .Returns(currentPolicy);
+
+        ArrangeOrganization(sutProvider, policyUpdate);
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetManyByOrganizationIdAsync(policyUpdate.OrganizationId)
+            .Returns([currentPolicy]);
+
+        // Act
+        var result = await sutProvider.Sut.VNextSaveAsync(savePolicyModel);
+
+        // Assert
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .PushAsync(Arg.Is<PushNotification<SyncPolicyPushNotification>>(p =>
+                p.Type == PushType.PolicyChanged &&
+                p.Target == NotificationTarget.Organization &&
+                p.TargetId == policyUpdate.OrganizationId &&
+                p.ExcludeCurrentContext == false &&
+                p.Payload.OrganizationId == policyUpdate.OrganizationId &&
+                p.Payload.Policy.Id == result.Id &&
+                p.Payload.Policy.Type == policyUpdate.Type &&
+                p.Payload.Policy.Enabled == policyUpdate.Enabled &&
+                p.Payload.Policy.Data == policyUpdate.Data));
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveAsync_SendsPushNotification([PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate)
+    {
+        var fakePolicyValidator = new FakeSingleOrgPolicyValidator();
+        fakePolicyValidator.ValidateAsyncMock(policyUpdate, null).Returns("");
+        var sutProvider = SutProviderFactory([fakePolicyValidator]);
+
+        ArrangeOrganization(sutProvider, policyUpdate);
+        sutProvider.GetDependency<IPolicyRepository>().GetManyByOrganizationIdAsync(policyUpdate.OrganizationId).Returns([]);
+
+        var result = await sutProvider.Sut.SaveAsync(policyUpdate);
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .PushAsync(Arg.Is<PushNotification<SyncPolicyPushNotification>>(p =>
+                p.Type == PushType.PolicyChanged &&
+                p.Target == NotificationTarget.Organization &&
+                p.TargetId == policyUpdate.OrganizationId &&
+                p.ExcludeCurrentContext == false &&
+                p.Payload.OrganizationId == policyUpdate.OrganizationId &&
+                p.Payload.Policy.Id == result.Id &&
+                p.Payload.Policy.Type == policyUpdate.Type &&
+                p.Payload.Policy.Enabled == policyUpdate.Enabled &&
+                p.Payload.Policy.Data == policyUpdate.Data));
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveAsync_ExistingPolicy_SendsPushNotificationWithUpdatedPolicy(
+        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg, false)] Policy currentPolicy)
+    {
+        var fakePolicyValidator = new FakeSingleOrgPolicyValidator();
+        fakePolicyValidator.ValidateAsyncMock(policyUpdate, null).Returns("");
+        var sutProvider = SutProviderFactory([fakePolicyValidator]);
+
+        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, policyUpdate.Type)
+            .Returns(currentPolicy);
+
+        ArrangeOrganization(sutProvider, policyUpdate);
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetManyByOrganizationIdAsync(policyUpdate.OrganizationId)
+            .Returns([currentPolicy]);
+
+        var result = await sutProvider.Sut.SaveAsync(policyUpdate);
+
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1)
+            .PushAsync(Arg.Is<PushNotification<SyncPolicyPushNotification>>(p =>
+                p.Type == PushType.PolicyChanged &&
+                p.Target == NotificationTarget.Organization &&
+                p.TargetId == policyUpdate.OrganizationId &&
+                p.ExcludeCurrentContext == false &&
+                p.Payload.OrganizationId == policyUpdate.OrganizationId &&
+                p.Payload.Policy.Id == result.Id &&
+                p.Payload.Policy.Type == policyUpdate.Type &&
+                p.Payload.Policy.Enabled == policyUpdate.Enabled &&
+                p.Payload.Policy.Data == policyUpdate.Data));
+    }
+
     /// <summary>
     /// Returns a new SutProvider with the PolicyValidators registered in the Sut.
     /// </summary>

test/Core.Test/AdminConsole/Services/EventIntegrationHandlerTests.cs

@@ -1,4 +1,6 @@
-using System.Text.Json;
+#nullable enable
+
+using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
 using Bit.Core.AdminConsole.Repositories;
@@ -8,6 +10,7 @@ using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@@ -36,12 +39,16 @@ public class EventIntegrationHandlerTests
     private SutProvider<EventIntegrationHandler<WebhookIntegrationConfigurationDetails>> GetSutProvider(
         List<OrganizationIntegrationConfigurationDetails> configurations)
     {
-        var configurationCache = Substitute.For<IIntegrationConfigurationDetailsCache>();
-        configurationCache.GetConfigurationDetails(Arg.Any<Guid>(),
-            IntegrationType.Webhook, Arg.Any<EventType>()).Returns(configurations);
+        var cache = Substitute.For<IFusionCache>();
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Any<Func<object, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>>(),
+            options: Arg.Any<FusionCacheEntryOptions>(),
+            tags: Arg.Any<IEnumerable<string>>()
+        ).Returns(configurations);
 
         return new SutProvider<EventIntegrationHandler<WebhookIntegrationConfigurationDetails>>()
-            .SetDependency(configurationCache)
+            .SetDependency(cache)
             .SetDependency(_eventIntegrationPublisher)
             .SetDependency(IntegrationType.Webhook)
             .SetDependency(_logger)
@@ -173,6 +180,37 @@ public class EventIntegrationHandlerTests
         Assert.Null(context.ActingUser);
     }
 
+    [Theory, BitAutoData]
+    public async Task BuildContextAsync_ActingUserFactory_CallsOrganizationUserRepository(EventMessage eventMessage, OrganizationUserUserDetails actingUser)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithActingUser));
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        eventMessage.OrganizationId ??= Guid.NewGuid();
+        eventMessage.ActingUserId ??= Guid.NewGuid();
+        organizationUserRepository.GetDetailsByOrganizationIdUserIdAsync(
+            eventMessage.OrganizationId.Value,
+            eventMessage.ActingUserId.Value).Returns(actingUser);
+
+        // Capture the factory function passed to the cache
+        Func<FusionCacheFactoryExecutionContext<OrganizationUserUserDetails?>, CancellationToken, Task<OrganizationUserUserDetails?>>? capturedFactory = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Do<Func<FusionCacheFactoryExecutionContext<OrganizationUserUserDetails?>, CancellationToken, Task<OrganizationUserUserDetails?>>>(f => capturedFactory = f)
+        ).Returns(actingUser);
+
+        await sutProvider.Sut.BuildContextAsync(eventMessage, _templateWithActingUser);
+
+        Assert.NotNull(capturedFactory);
+        var result = await capturedFactory(null!, CancellationToken.None);
+
+        await organizationUserRepository.Received(1).GetDetailsByOrganizationIdUserIdAsync(
+            eventMessage.OrganizationId.Value,
+            eventMessage.ActingUserId.Value);
+        Assert.Equal(actingUser, result);
+    }
+
     [Theory, BitAutoData]
     public async Task BuildContextAsync_GroupIdPresent_UsesCache(EventMessage eventMessage, Group group)
     {
@@ -211,6 +249,32 @@ public class EventIntegrationHandlerTests
         Assert.Null(context.Group);
     }
 
+    [Theory, BitAutoData]
+    public async Task BuildContextAsync_GroupFactory_CallsGroupRepository(EventMessage eventMessage, Group group)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithGroup));
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        var groupRepository = sutProvider.GetDependency<IGroupRepository>();
+
+        eventMessage.GroupId ??= Guid.NewGuid();
+        groupRepository.GetByIdAsync(eventMessage.GroupId.Value).Returns(group);
+
+        // Capture the factory function passed to the cache
+        Func<FusionCacheFactoryExecutionContext<Group?>, CancellationToken, Task<Group?>>? capturedFactory = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Do<Func<FusionCacheFactoryExecutionContext<Group?>, CancellationToken, Task<Group?>>>(f => capturedFactory = f)
+        ).Returns(group);
+
+        await sutProvider.Sut.BuildContextAsync(eventMessage, _templateWithGroup);
+
+        Assert.NotNull(capturedFactory);
+        var result = await capturedFactory(null!, CancellationToken.None);
+
+        await groupRepository.Received(1).GetByIdAsync(eventMessage.GroupId.Value);
+        Assert.Equal(group, result);
+    }
+
     [Theory, BitAutoData]
     public async Task BuildContextAsync_OrganizationIdPresent_UsesCache(EventMessage eventMessage, Organization organization)
     {
@@ -250,6 +314,32 @@ public class EventIntegrationHandlerTests
         Assert.Null(context.Organization);
     }
 
+    [Theory, BitAutoData]
+    public async Task BuildContextAsync_OrganizationFactory_CallsOrganizationRepository(EventMessage eventMessage, Organization organization)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithOrganization));
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+
+        eventMessage.OrganizationId ??= Guid.NewGuid();
+        organizationRepository.GetByIdAsync(eventMessage.OrganizationId.Value).Returns(organization);
+
+        // Capture the factory function passed to the cache
+        Func<FusionCacheFactoryExecutionContext<Organization?>, CancellationToken, Task<Organization?>>? capturedFactory = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Do<Func<FusionCacheFactoryExecutionContext<Organization?>, CancellationToken, Task<Organization?>>>(f => capturedFactory = f)
+        ).Returns(organization);
+
+        await sutProvider.Sut.BuildContextAsync(eventMessage, _templateWithOrganization);
+
+        Assert.NotNull(capturedFactory);
+        var result = await capturedFactory(null!, CancellationToken.None);
+
+        await organizationRepository.Received(1).GetByIdAsync(eventMessage.OrganizationId.Value);
+        Assert.Equal(organization, result);
+    }
+
     [Theory, BitAutoData]
     public async Task BuildContextAsync_UserIdPresent_UsesCache(EventMessage eventMessage, OrganizationUserUserDetails userDetails)
     {
@@ -313,6 +403,38 @@ public class EventIntegrationHandlerTests
         Assert.Null(context.User);
     }
 
+
+    [Theory, BitAutoData]
+    public async Task BuildContextAsync_UserFactory_CallsOrganizationUserRepository(EventMessage eventMessage, OrganizationUserUserDetails userDetails)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithUser));
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        eventMessage.OrganizationId ??= Guid.NewGuid();
+        eventMessage.UserId ??= Guid.NewGuid();
+        organizationUserRepository.GetDetailsByOrganizationIdUserIdAsync(
+            eventMessage.OrganizationId.Value,
+            eventMessage.UserId.Value).Returns(userDetails);
+
+        // Capture the factory function passed to the cache
+        Func<FusionCacheFactoryExecutionContext<OrganizationUserUserDetails?>, CancellationToken, Task<OrganizationUserUserDetails?>>? capturedFactory = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Do<Func<FusionCacheFactoryExecutionContext<OrganizationUserUserDetails?>, CancellationToken, Task<OrganizationUserUserDetails?>>>(f => capturedFactory = f)
+        ).Returns(userDetails);
+
+        await sutProvider.Sut.BuildContextAsync(eventMessage, _templateWithUser);
+
+        Assert.NotNull(capturedFactory);
+        var result = await capturedFactory(null!, CancellationToken.None);
+
+        await organizationUserRepository.Received(1).GetDetailsByOrganizationIdUserIdAsync(
+            eventMessage.OrganizationId.Value,
+            eventMessage.UserId.Value);
+        Assert.Equal(userDetails, result);
+    }
+
     [Theory, BitAutoData]
     public async Task BuildContextAsync_NoSpecialTokens_DoesNotCallAnyCache(EventMessage eventMessage)
     {
@@ -344,6 +466,12 @@ public class EventIntegrationHandlerTests
     public async Task HandleEventAsync_BaseTemplateNoConfigurations_DoesNothing(EventMessage eventMessage)
     {
         var sutProvider = GetSutProvider(NoConfigurations());
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        cache.GetOrSetAsync<List<OrganizationIntegrationConfigurationDetails>>(
+            Arg.Any<string>(),
+            Arg.Any<Func<object, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>>(),
+            Arg.Any<FusionCacheEntryOptions>()
+        ).Returns(NoConfigurations());
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
         Assert.Empty(_eventIntegrationPublisher.ReceivedCalls());
@@ -362,8 +490,8 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleEventAsync_BaseTemplateOneConfiguration_PublishesIntegrationMessage(EventMessage eventMessage)
     {
-        var sutProvider = GetSutProvider(OneConfiguration(_templateBase));
         eventMessage.OrganizationId = _organizationId;
+        var sutProvider = GetSutProvider(OneConfiguration(_templateBase));
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
 
@@ -382,8 +510,8 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleEventAsync_BaseTemplateTwoConfigurations_PublishesIntegrationMessages(EventMessage eventMessage)
     {
-        var sutProvider = GetSutProvider(TwoConfigurations(_templateBase));
         eventMessage.OrganizationId = _organizationId;
+        var sutProvider = GetSutProvider(TwoConfigurations(_templateBase));
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
 
@@ -405,6 +533,7 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleEventAsync_FilterReturnsFalse_DoesNothing(EventMessage eventMessage)
     {
+        eventMessage.OrganizationId = _organizationId;
         var sutProvider = GetSutProvider(ValidFilterConfiguration());
         sutProvider.GetDependency<IIntegrationFilterService>().EvaluateFilterGroup(
             Arg.Any<IntegrationFilterGroup>(), Arg.Any<EventMessage>()).Returns(false);
@@ -416,10 +545,10 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleEventAsync_FilterReturnsTrue_PublishesIntegrationMessage(EventMessage eventMessage)
     {
+        eventMessage.OrganizationId = _organizationId;
         var sutProvider = GetSutProvider(ValidFilterConfiguration());
         sutProvider.GetDependency<IIntegrationFilterService>().EvaluateFilterGroup(
             Arg.Any<IntegrationFilterGroup>(), Arg.Any<EventMessage>()).Returns(true);
-        eventMessage.OrganizationId = _organizationId;
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
 
@@ -435,6 +564,7 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleEventAsync_InvalidFilter_LogsErrorDoesNothing(EventMessage eventMessage)
     {
+        eventMessage.OrganizationId = _organizationId;
         var sutProvider = GetSutProvider(InvalidFilterConfiguration());
 
         await sutProvider.Sut.HandleEventAsync(eventMessage);
@@ -444,12 +574,13 @@ public class EventIntegrationHandlerTests
             Arg.Any<EventId>(),
             Arg.Any<object>(),
             Arg.Any<JsonException>(),
-            Arg.Any<Func<object, Exception, string>>());
+            Arg.Any<Func<object, Exception?, string>>());
     }
 
     [Theory, BitAutoData]
     public async Task HandleManyEventsAsync_BaseTemplateNoConfigurations_DoesNothing(List<EventMessage> eventMessages)
     {
+        eventMessages.ForEach(e => e.OrganizationId = _organizationId);
         var sutProvider = GetSutProvider(NoConfigurations());
 
         await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
@@ -459,13 +590,14 @@ public class EventIntegrationHandlerTests
     [Theory, BitAutoData]
     public async Task HandleManyEventsAsync_BaseTemplateOneConfiguration_PublishesIntegrationMessages(List<EventMessage> eventMessages)
     {
+        eventMessages.ForEach(e => e.OrganizationId = _organizationId);
         var sutProvider = GetSutProvider(OneConfiguration(_templateBase));
 
         await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
 
         foreach (var eventMessage in eventMessages)
         {
-            var expectedMessage = EventIntegrationHandlerTests.ExpectedMessage(
+            var expectedMessage = ExpectedMessage(
                 $"Date: {eventMessage.Date}, Type: {eventMessage.Type}, UserId: {eventMessage.UserId}"
             );
             await _eventIntegrationPublisher.Received(1).PublishAsync(Arg.Is(
@@ -477,13 +609,14 @@ public class EventIntegrationHandlerTests
     public async Task HandleManyEventsAsync_BaseTemplateTwoConfigurations_PublishesIntegrationMessages(
         List<EventMessage> eventMessages)
     {
+        eventMessages.ForEach(e => e.OrganizationId = _organizationId);
         var sutProvider = GetSutProvider(TwoConfigurations(_templateBase));
 
         await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
 
         foreach (var eventMessage in eventMessages)
         {
-            var expectedMessage = EventIntegrationHandlerTests.ExpectedMessage(
+            var expectedMessage = ExpectedMessage(
                 $"Date: {eventMessage.Date}, Type: {eventMessage.Type}, UserId: {eventMessage.UserId}"
             );
             await _eventIntegrationPublisher.Received(1).PublishAsync(Arg.Is(AssertHelper.AssertPropertyEqual(
@@ -494,4 +627,84 @@ public class EventIntegrationHandlerTests
                 expectedMessage, new[] { "MessageId", "OrganizationId" })));
         }
     }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_CapturedFactories_CallConfigurationRepository(EventMessage eventMessage)
+    {
+        eventMessage.OrganizationId = _organizationId;
+        var sutProvider = GetSutProvider(NoConfigurations());
+        var cache = sutProvider.GetDependency<IFusionCache>();
+        var configurationRepository = sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>();
+
+        var configs = OneConfiguration(_templateBase);
+
+        configurationRepository.GetManyByEventTypeOrganizationIdIntegrationType(eventType: eventMessage.Type, organizationId: _organizationId, integrationType: IntegrationType.Webhook).Returns(configs);
+
+        // Capture the factory function - there will be 1 call that returns both specific and wildcard matches
+        Func<FusionCacheFactoryExecutionContext<List<OrganizationIntegrationConfigurationDetails>>, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>? capturedFactory = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Do<Func<FusionCacheFactoryExecutionContext<List<OrganizationIntegrationConfigurationDetails>>, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>>(f
+                => capturedFactory = f),
+            options: Arg.Any<FusionCacheEntryOptions>(),
+            tags: Arg.Any<IEnumerable<string>>()
+        ).Returns(new List<OrganizationIntegrationConfigurationDetails>());
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        // Verify factory was captured
+        Assert.NotNull(capturedFactory);
+
+        // Execute the captured factory to trigger repository call
+        await capturedFactory(null!, CancellationToken.None);
+
+        await configurationRepository.Received(1).GetManyByEventTypeOrganizationIdIntegrationType(eventType: eventMessage.Type, organizationId: _organizationId, integrationType: IntegrationType.Webhook);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_ConfigurationCacheOptions_SetsDurationToConstant(EventMessage eventMessage)
+    {
+        eventMessage.OrganizationId = _organizationId;
+        var sutProvider = GetSutProvider(NoConfigurations());
+        var cache = sutProvider.GetDependency<IFusionCache>();
+
+        FusionCacheEntryOptions? capturedOption = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Any<Func<FusionCacheFactoryExecutionContext<List<OrganizationIntegrationConfigurationDetails>>, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>>(),
+            options: Arg.Do<FusionCacheEntryOptions>(opt => capturedOption = opt),
+            tags: Arg.Any<IEnumerable<string>?>()
+        ).Returns(new List<OrganizationIntegrationConfigurationDetails>());
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        Assert.NotNull(capturedOption);
+        Assert.Equal(EventIntegrationsCacheConstants.DurationForOrganizationIntegrationConfigurationDetails,
+                     capturedOption.Duration);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_ConfigurationCache_AddsOrganizationIntegrationTag(EventMessage eventMessage)
+    {
+        eventMessage.OrganizationId = _organizationId;
+        var sutProvider = GetSutProvider(NoConfigurations());
+        var cache = sutProvider.GetDependency<IFusionCache>();
+
+        IEnumerable<string>? capturedTags = null;
+        cache.GetOrSetAsync(
+            key: Arg.Any<string>(),
+            factory: Arg.Any<Func<FusionCacheFactoryExecutionContext<List<OrganizationIntegrationConfigurationDetails>>, CancellationToken, Task<List<OrganizationIntegrationConfigurationDetails>>>>(),
+            options: Arg.Any<FusionCacheEntryOptions>(),
+            tags: Arg.Do<IEnumerable<string>>(t => capturedTags = t)
+        ).Returns(new List<OrganizationIntegrationConfigurationDetails>());
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        var expectedTag = EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+            _organizationId,
+            IntegrationType.Webhook
+        );
+        Assert.NotNull(capturedTags);
+        Assert.Contains(expectedTag, capturedTags);
+    }
 }

test/Core.Test/AdminConsole/Services/IntegrationConfigurationDetailsCacheServiceTests.cs

@@ -1,173 +0,0 @@
-#nullable enable
-
-using System.Text.Json;
-using Bit.Core.Enums;
-using Bit.Core.Models.Data.Organizations;
-using Bit.Core.Repositories;
-using Bit.Core.Services;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using Microsoft.Extensions.Logging;
-using NSubstitute;
-using NSubstitute.ExceptionExtensions;
-using Xunit;
-
-namespace Bit.Core.Test.Services;
-
-[SutProviderCustomize]
-public class IntegrationConfigurationDetailsCacheServiceTests
-{
-    private SutProvider<IntegrationConfigurationDetailsCacheService> GetSutProvider(
-        List<OrganizationIntegrationConfigurationDetails> configurations)
-    {
-        var configurationRepository = Substitute.For<IOrganizationIntegrationConfigurationRepository>();
-        configurationRepository.GetAllConfigurationDetailsAsync().Returns(configurations);
-
-        return new SutProvider<IntegrationConfigurationDetailsCacheService>()
-            .SetDependency(configurationRepository)
-            .Create();
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetConfigurationDetails_SpecificKeyExists_ReturnsExpectedList(OrganizationIntegrationConfigurationDetails config)
-    {
-        config.EventType = EventType.Cipher_Created;
-        var sutProvider = GetSutProvider([config]);
-        await sutProvider.Sut.RefreshAsync();
-        var result = sutProvider.Sut.GetConfigurationDetails(
-            config.OrganizationId,
-            config.IntegrationType,
-            EventType.Cipher_Created);
-        Assert.Single(result);
-        Assert.Same(config, result[0]);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetConfigurationDetails_AllEventsKeyExists_ReturnsExpectedList(OrganizationIntegrationConfigurationDetails config)
-    {
-        config.EventType = null;
-        var sutProvider = GetSutProvider([config]);
-        await sutProvider.Sut.RefreshAsync();
-        var result = sutProvider.Sut.GetConfigurationDetails(
-            config.OrganizationId,
-            config.IntegrationType,
-            EventType.Cipher_Created);
-        Assert.Single(result);
-        Assert.Same(config, result[0]);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetConfigurationDetails_BothSpecificAndAllEventsKeyExists_ReturnsExpectedList(
-        OrganizationIntegrationConfigurationDetails specificConfig,
-        OrganizationIntegrationConfigurationDetails allKeysConfig
-        )
-    {
-        specificConfig.EventType = EventType.Cipher_Created;
-        allKeysConfig.EventType = null;
-        allKeysConfig.OrganizationId = specificConfig.OrganizationId;
-        allKeysConfig.IntegrationType = specificConfig.IntegrationType;
-
-        var sutProvider = GetSutProvider([specificConfig, allKeysConfig]);
-        await sutProvider.Sut.RefreshAsync();
-        var result = sutProvider.Sut.GetConfigurationDetails(
-            specificConfig.OrganizationId,
-            specificConfig.IntegrationType,
-            EventType.Cipher_Created);
-        Assert.Equal(2, result.Count);
-        Assert.Contains(result, r => r.Template == specificConfig.Template);
-        Assert.Contains(result, r => r.Template == allKeysConfig.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetConfigurationDetails_KeyMissing_ReturnsEmptyList(OrganizationIntegrationConfigurationDetails config)
-    {
-        var sutProvider = GetSutProvider([config]);
-        await sutProvider.Sut.RefreshAsync();
-        var result = sutProvider.Sut.GetConfigurationDetails(
-            Guid.NewGuid(),
-            config.IntegrationType,
-            config.EventType ?? EventType.Cipher_Created);
-        Assert.Empty(result);
-    }
-
-
-
-    [Theory, BitAutoData]
-    public async Task GetConfigurationDetails_ReturnsCachedValue_EvenIfRepositoryChanges(OrganizationIntegrationConfigurationDetails config)
-    {
-        var sutProvider = GetSutProvider([config]);
-        await sutProvider.Sut.RefreshAsync();
-
-        var newConfig = JsonSerializer.Deserialize<OrganizationIntegrationConfigurationDetails>(JsonSerializer.Serialize(config));
-        Assert.NotNull(newConfig);
-        newConfig.Template = "Changed";
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().GetAllConfigurationDetailsAsync()
-            .Returns([newConfig]);
-
-        var result = sutProvider.Sut.GetConfigurationDetails(
-            config.OrganizationId,
-            config.IntegrationType,
-            config.EventType ?? EventType.Cipher_Created);
-        Assert.Single(result);
-        Assert.NotEqual("Changed", result[0].Template); // should not yet pick up change from repository
-
-        await sutProvider.Sut.RefreshAsync();  // Pick up changes
-
-        result = sutProvider.Sut.GetConfigurationDetails(
-            config.OrganizationId,
-            config.IntegrationType,
-            config.EventType ?? EventType.Cipher_Created);
-        Assert.Single(result);
-        Assert.Equal("Changed", result[0].Template); // Should have the new value
-    }
-
-    [Theory, BitAutoData]
-    public async Task RefreshAsync_GroupsByCompositeKey(OrganizationIntegrationConfigurationDetails config1)
-    {
-        var config2 = JsonSerializer.Deserialize<OrganizationIntegrationConfigurationDetails>(
-            JsonSerializer.Serialize(config1))!;
-        config2.Template = "Another";
-
-        var sutProvider = GetSutProvider([config1, config2]);
-        await sutProvider.Sut.RefreshAsync();
-
-        var results = sutProvider.Sut.GetConfigurationDetails(
-            config1.OrganizationId,
-            config1.IntegrationType,
-            config1.EventType ?? EventType.Cipher_Created);
-
-        Assert.Equal(2, results.Count);
-        Assert.Contains(results, r => r.Template == config1.Template);
-        Assert.Contains(results, r => r.Template == config2.Template);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RefreshAsync_LogsInformationOnSuccess(OrganizationIntegrationConfigurationDetails config)
-    {
-        var sutProvider = GetSutProvider([config]);
-        await sutProvider.Sut.RefreshAsync();
-
-        sutProvider.GetDependency<ILogger<IntegrationConfigurationDetailsCacheService>>().Received().Log(
-            LogLevel.Information,
-            Arg.Any<EventId>(),
-            Arg.Is<object>(o => o.ToString()!.Contains("Refreshed successfully")),
-            null,
-            Arg.Any<Func<object, Exception?, string>>());
-    }
-
-    [Fact]
-    public async Task RefreshAsync_OnException_LogsError()
-    {
-        var sutProvider = GetSutProvider([]);
-        sutProvider.GetDependency<IOrganizationIntegrationConfigurationRepository>().GetAllConfigurationDetailsAsync()
-            .Throws(new Exception("Database failure"));
-        await sutProvider.Sut.RefreshAsync();
-
-        sutProvider.GetDependency<ILogger<IntegrationConfigurationDetailsCacheService>>().Received(1).Log(
-            LogLevel.Error,
-            Arg.Any<EventId>(),
-            Arg.Is<object>(o => o.ToString()!.Contains("Refresh failed")),
-            Arg.Any<Exception>(),
-            Arg.Any<Func<object, Exception?, string>>());
-    }
-}

test/Core.Test/AdminConsole/Services/OrganizationIntegrationConfigurationValidatorTests.cs

@@ -0,0 +1,244 @@
+using System.Text.Json;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Enums;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Services;
+
+public class OrganizationIntegrationConfigurationValidatorTests
+{
+    private readonly OrganizationIntegrationConfigurationValidator _sut = new();
+
+    [Fact]
+    public void ValidateConfiguration_CloudBillingSyncIntegration_ReturnsFalse()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = "{}",
+            Template = "template"
+        };
+
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.CloudBillingSync, configuration));
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData("    ")]
+    public void ValidateConfiguration_EmptyTemplate_ReturnsFalse(string? template)
+    {
+        var config1 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new SlackIntegrationConfiguration(ChannelId: "C12345")),
+            Template = template
+        };
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Slack, config1));
+
+        var config2 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(Uri: new Uri("https://example.com"))),
+            Template = template
+        };
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Webhook, config2));
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData("    ")]
+    public void ValidateConfiguration_EmptyNonNullConfiguration_ReturnsFalse(string? config)
+    {
+        var config1 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = config,
+            Template = "template"
+        };
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Hec, config1));
+
+        var config2 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = config,
+            Template = "template"
+        };
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Datadog, config2));
+
+        var config3 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = config,
+            Template = "template"
+        };
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Teams, config3));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_NullConfiguration_ReturnsTrue()
+    {
+        var config1 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = null,
+            Template = "template"
+        };
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Hec, config1));
+
+        var config2 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = null,
+            Template = "template"
+        };
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Datadog, config2));
+
+        var config3 = new OrganizationIntegrationConfiguration
+        {
+            Configuration = null,
+            Template = "template"
+        };
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Teams, config3));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_InvalidJsonConfiguration_ReturnsFalse()
+    {
+        var config = new OrganizationIntegrationConfiguration
+        {
+            Configuration = "{not valid json}",
+            Template = "template"
+        };
+
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Slack, config));
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Webhook, config));
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Hec, config));
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Datadog, config));
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Teams, config));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_InvalidJsonFilters_ReturnsFalse()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(Uri: new Uri("https://example.com"))),
+            Template = "template",
+            Filters = "{Not valid json}"
+        };
+
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Webhook, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ScimIntegration_ReturnsFalse()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = "{}",
+            Template = "template"
+        };
+
+        Assert.False(_sut.ValidateConfiguration(IntegrationType.Scim, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ValidSlackConfiguration_ReturnsTrue()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new SlackIntegrationConfiguration(ChannelId: "C12345")),
+            Template = "template"
+        };
+
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Slack, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ValidSlackConfigurationWithFilters_ReturnsTrue()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new SlackIntegrationConfiguration("C12345")),
+            Template = "template",
+            Filters = JsonSerializer.Serialize(new IntegrationFilterGroup()
+            {
+                AndOperator = true,
+                Rules = [
+                    new IntegrationFilterRule()
+                    {
+                        Operation = IntegrationFilterOperation.Equals,
+                        Property = "CollectionId",
+                        Value = Guid.NewGuid()
+                    }
+                ],
+                Groups = []
+            })
+        };
+
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Slack, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ValidNoAuthWebhookConfiguration_ReturnsTrue()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(Uri: new Uri("https://localhost"))),
+            Template = "template"
+        };
+
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Webhook, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ValidWebhookConfiguration_ReturnsTrue()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(
+                Uri: new Uri("https://localhost"),
+                Scheme: "Bearer",
+                Token: "AUTH-TOKEN")),
+            Template = "template"
+        };
+
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Webhook, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_ValidWebhookConfigurationWithFilters_ReturnsTrue()
+    {
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = JsonSerializer.Serialize(new WebhookIntegrationConfiguration(
+                Uri: new Uri("https://example.com"),
+                Scheme: "Bearer",
+                Token: "AUTH-TOKEN")),
+            Template = "template",
+            Filters = JsonSerializer.Serialize(new IntegrationFilterGroup()
+            {
+                AndOperator = true,
+                Rules = [
+                    new IntegrationFilterRule()
+                    {
+                        Operation = IntegrationFilterOperation.Equals,
+                        Property = "CollectionId",
+                        Value = Guid.NewGuid()
+                    }
+                ],
+                Groups = []
+            })
+        };
+
+        Assert.True(_sut.ValidateConfiguration(IntegrationType.Webhook, configuration));
+    }
+
+    [Fact]
+    public void ValidateConfiguration_UnknownIntegrationType_ReturnsFalse()
+    {
+        var unknownType = (IntegrationType)999;
+        var configuration = new OrganizationIntegrationConfiguration
+        {
+            Configuration = "{}",
+            Template = "template"
+        };
+
+        Assert.False(_sut.ValidateConfiguration(unknownType, configuration));
+    }
+}

test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs

@@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -1142,7 +1143,7 @@ public class OrganizationServiceTests
             .GetByIdentifierAsync(Arg.Is<string>(id => id == organization.Identifier));
         await stripeAdapter
             .Received(1)
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 Arg.Is<string>(id => id == organization.GatewayCustomerId),
                 Arg.Is<CustomerUpdateOptions>(options => options.Email == requestOptionsReturned.Email
                                                          && options.Description == requestOptionsReturned.Description
@@ -1182,7 +1183,7 @@ public class OrganizationServiceTests
             .GetByIdentifierAsync(Arg.Is<string>(id => id == organization.Identifier));
         await stripeAdapter
             .DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+            .UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
         await organizationRepository
             .Received(1)
             .ReplaceAsync(Arg.Is<Organization>(org => org == organization));

test/Core.Test/Auth/Entities/AuthRequestTests.cs

@@ -0,0 +1,224 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Xunit;
+
+namespace Bit.Core.Test.Auth.Entities;
+
+public class AuthRequestTests
+{
+    [Fact]
+    public void IsValidForAuthentication_WithValidRequest_ReturnsTrue()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithWrongUserId_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var differentUserId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(differentUserId, accessCode);
+
+        // Assert
+        Assert.False(result, "Auth request should not validate for a different user");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithWrongAccessCode_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = "correct-code"
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, "wrong-code");
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithoutResponseDate_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = null, // Not responded to
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Unanswered auth requests should not be valid");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithApprovedFalse_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = false, // Denied
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Denied auth requests should not be valid");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithApprovedNull_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = null, // Pending
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Pending auth requests should not be valid");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithExpiredRequest_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow.AddMinutes(-20), // Expired (15 min timeout)
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Expired auth requests should not be valid");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithWrongType_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.Unlock, // Wrong type
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = null,
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Only AuthenticateAndUnlock type should be valid");
+    }
+
+    [Fact]
+    public void IsValidForAuthentication_WithAlreadyUsed_ReturnsFalse()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var accessCode = "test-access-code";
+        var authRequest = new AuthRequest
+        {
+            UserId = userId,
+            Type = AuthRequestType.AuthenticateAndUnlock,
+            ResponseDate = DateTime.UtcNow,
+            Approved = true,
+            CreationDate = DateTime.UtcNow,
+            AuthenticationDate = DateTime.UtcNow, // Already used
+            AccessCode = accessCode
+        };
+
+        // Act
+        var result = authRequest.IsValidForAuthentication(userId, accessCode);
+
+        // Assert
+        Assert.False(result, "Auth requests should only be valid for one-time use");
+    }
+}

test/Core.Test/Auth/Services/SsoConfigServiceTests.cs

@@ -2,7 +2,6 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
@@ -14,7 +13,6 @@ using Bit.Core.Auth.Services;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -342,26 +340,26 @@ public class SsoConfigServiceTests
 
         await sutProvider.Sut.SaveAsync(ssoConfig, organization);
 
-        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
+        await sutProvider.GetDependency<IVNextSavePolicyCommand>().Received(1)
             .SaveAsync(
-                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.SingleOrg &&
-                    t.OrganizationId == organization.Id &&
-                    t.Enabled)
+                Arg.Is<SavePolicyModel>(t => t.PolicyUpdate.Type == PolicyType.SingleOrg &&
+                                             t.PolicyUpdate.OrganizationId == organization.Id &&
+                                             t.PolicyUpdate.Enabled)
             );
 
-        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
+        await sutProvider.GetDependency<IVNextSavePolicyCommand>().Received(1)
             .SaveAsync(
-                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.ResetPassword &&
-                    t.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled &&
-                    t.OrganizationId == organization.Id &&
-                    t.Enabled)
+                Arg.Is<SavePolicyModel>(t => t.PolicyUpdate.Type == PolicyType.ResetPassword &&
+                                             t.PolicyUpdate.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled &&
+                                             t.PolicyUpdate.OrganizationId == organization.Id &&
+                                             t.PolicyUpdate.Enabled)
             );
 
-        await sutProvider.GetDependency<ISavePolicyCommand>().Received(1)
+        await sutProvider.GetDependency<IVNextSavePolicyCommand>().Received(1)
             .SaveAsync(
-                Arg.Is<PolicyUpdate>(t => t.Type == PolicyType.RequireSso &&
-                    t.OrganizationId == organization.Id &&
-                    t.Enabled)
+                Arg.Is<SavePolicyModel>(t => t.PolicyUpdate.Type == PolicyType.RequireSso &&
+                                             t.PolicyUpdate.OrganizationId == organization.Id &&
+                                             t.PolicyUpdate.Enabled)
             );
 
         await sutProvider.GetDependency<ISsoConfigRepository>().ReceivedWithAnyArgs()
@@ -369,7 +367,7 @@ public class SsoConfigServiceTests
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_Tde_WhenPolicyValidatorsRefactorEnabled_UsesVNextSavePolicyCommand(
+    public async Task SaveAsync_Tde_UsesVNextSavePolicyCommand(
         SutProvider<SsoConfigService> sutProvider, Organization organization)
     {
         var ssoConfig = new SsoConfig
@@ -383,10 +381,6 @@ public class SsoConfigServiceTests
             OrganizationId = organization.Id,
         };
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor)
-            .Returns(true);
-
         await sutProvider.Sut.SaveAsync(ssoConfig, organization);
 
         await sutProvider.GetDependency<IVNextSavePolicyCommand>()

test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs

@@ -1017,6 +1017,7 @@ public class RegisterUserCommandTests
     [Theory]
     [BitAutoData(PlanType.FamiliesAnnually)]
     [BitAutoData(PlanType.FamiliesAnnually2019)]
+    [BitAutoData(PlanType.FamiliesAnnually2025)]
     [BitAutoData(PlanType.Free)]
     public async Task SendWelcomeEmail_FamilyOrg_SendsFamilyWelcomeEmail(
         PlanType planType,
@@ -1381,4 +1382,90 @@ public class RegisterUserCommandTests
             .Received(1)
             .SendOrganizationUserWelcomeEmailAsync(user, organization.DisplayName());
     }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithBlockedDomain_ThrowsException(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@blocked-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("blocked-domain.com", organization.Id)
+            .Returns(true);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization));
+        Assert.Equal("This email address is claimed by an organization using Bitwarden.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithOwnClaimedDomain_Succeeds(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@company-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        // Domain is claimed by THIS organization, so it should be allowed
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("company-domain.com", organization.Id)
+            .Returns(false); // Not blocked because organization.Id is excluded
+
+        sutProvider.GetDependency<IUserService>()
+            .CreateUserAsync(user)
+            .Returns(IdentityResult.Success);
+
+        // Act
+        var result = await sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization);
+
+        // Assert
+        Assert.True(result.Succeeded);
+        await sutProvider.GetDependency<IUserService>()
+            .Received(1)
+            .CreateUserAsync(user);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithNonClaimedDomain_Succeeds(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@unclaimed-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("unclaimed-domain.com", organization.Id)
+            .Returns(false); // Domain is not claimed by any org
+
+        sutProvider.GetDependency<IUserService>()
+            .CreateUserAsync(user)
+            .Returns(IdentityResult.Success);
+
+        // Act
+        var result = await sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization);
+
+        // Assert
+        Assert.True(result.Succeeded);
+        await sutProvider.GetDependency<IUserService>()
+            .Received(1)
+            .CreateUserAsync(user);
+    }
 }

test/Core.Test/Auth/UserFeatures/Sso/UserSsoOrganizationIdentifierQueryTests.cs

@@ -0,0 +1,275 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Sso;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Auth.UserFeatures.Sso;
+
+[SutProviderCustomize]
+public class UserSsoOrganizationIdentifierQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_UserHasSingleConfirmedOrganization_ReturnsIdentifier(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        Organization organization,
+        OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.Status = OrganizationUserStatusType.Confirmed;
+        organization.Identifier = "test-org-identifier";
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Equal("test-org-identifier", result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .GetByIdAsync(organization.Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_UserHasNoOrganizations_ReturnsNull(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns(Array.Empty<OrganizationUser>());
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Null(result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_UserHasMultipleConfirmedOrganizations_ReturnsNull(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        OrganizationUser organizationUser1,
+        OrganizationUser organizationUser2)
+    {
+        // Arrange
+        organizationUser1.UserId = userId;
+        organizationUser1.Status = OrganizationUserStatusType.Confirmed;
+        organizationUser2.UserId = userId;
+        organizationUser2.Status = OrganizationUserStatusType.Confirmed;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser1, organizationUser2]);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Null(result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Invited)]
+    [BitAutoData(OrganizationUserStatusType.Accepted)]
+    [BitAutoData(OrganizationUserStatusType.Revoked)]
+    public async Task GetSsoOrganizationIdentifierAsync_UserHasOnlyInvitedOrganization_ReturnsNull(
+        OrganizationUserStatusType status,
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.Status = status;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Null(result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .GetByIdAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_UserHasMixedStatusOrganizations_OnlyOneConfirmed_ReturnsIdentifier(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        Organization organization,
+        OrganizationUser confirmedOrgUser,
+        OrganizationUser invitedOrgUser,
+        OrganizationUser revokedOrgUser)
+    {
+        // Arrange
+        confirmedOrgUser.UserId = userId;
+        confirmedOrgUser.OrganizationId = organization.Id;
+        confirmedOrgUser.Status = OrganizationUserStatusType.Confirmed;
+
+        invitedOrgUser.UserId = userId;
+        invitedOrgUser.Status = OrganizationUserStatusType.Invited;
+
+        revokedOrgUser.UserId = userId;
+        revokedOrgUser.Status = OrganizationUserStatusType.Revoked;
+
+        organization.Identifier = "mixed-status-org";
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns(new[] { confirmedOrgUser, invitedOrgUser, revokedOrgUser });
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Equal("mixed-status-org", result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .GetByIdAsync(organization.Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_OrganizationNotFound_ReturnsNull(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.Status = OrganizationUserStatusType.Confirmed;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organizationUser.OrganizationId)
+            .Returns((Organization)null);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Null(result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .GetByIdAsync(organizationUser.OrganizationId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_OrganizationIdentifierIsNull_ReturnsNull(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        Organization organization,
+        OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.Status = OrganizationUserStatusType.Confirmed;
+        organization.Identifier = null;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns(new[] { organizationUser });
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Null(result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .GetByIdAsync(organization.Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetSsoOrganizationIdentifierAsync_OrganizationIdentifierIsEmpty_ReturnsEmpty(
+        SutProvider<UserSsoOrganizationIdentifierQuery> sutProvider,
+        Guid userId,
+        Organization organization,
+        OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.Status = OrganizationUserStatusType.Confirmed;
+        organization.Identifier = string.Empty;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns(new[] { organizationUser });
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        // Act
+        var result = await sutProvider.Sut.GetSsoOrganizationIdentifierAsync(userId);
+
+        // Assert
+        Assert.Equal(string.Empty, result);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetManyByUserAsync(userId);
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .GetByIdAsync(organization.Id);
+    }
+}

test/Core.Test/Auth/UserFeatures/TwoFactorAuth/TwoFactorIsEnabledQueryTests.cs

@@ -1,10 +1,13 @@
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth;
+using Bit.Core.Billing.Premium.Queries;
 using Bit.Core.Entities;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -404,6 +407,277 @@ public class TwoFactorIsEnabledQueryTests
             .GetCalculatedPremiumAsync(default);
     }
 
+    [Theory]
+    [BitAutoData((IEnumerable<Guid>)null)]
+    [BitAutoData([])]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_WithNoUserIds_ReturnsEmpty(
+        IEnumerable<Guid> userIds,
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(userIds);
+
+        // Assert
+        Assert.Empty(result);
+    }
+
+    [Theory]
+    [BitAutoData(TwoFactorProviderType.Duo)]
+    [BitAutoData(TwoFactorProviderType.YubiKey)]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_WithMixedScenarios_ReturnsCorrectResults(
+        TwoFactorProviderType premiumProviderType,
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        User user1,
+        User user2,
+        User user3)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        var users = new List<User> { user1, user2, user3 };
+        var userIds = users.Select(u => u.Id).ToList();
+
+        // User 1: Non-premium provider → 2FA enabled
+        user1.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { TwoFactorProviderType.Authenticator, new TwoFactorProvider { Enabled = true } }
+        });
+
+        // User 2: Premium provider + has premium → 2FA enabled
+        user2.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { premiumProviderType, new TwoFactorProvider { Enabled = true } }
+        });
+
+        // User 3: Premium provider + no premium → 2FA disabled
+        user3.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { premiumProviderType, new TwoFactorProvider { Enabled = true } }
+        });
+
+        var premiumStatus = new Dictionary<Guid, bool>
+        {
+            { user2.Id, true },
+            { user3.Id, false }
+        };
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(userIds)))
+            .Returns(users);
+
+        sutProvider.GetDependency<IHasPremiumAccessQuery>()
+            .HasPremiumAccessAsync(Arg.Is<IEnumerable<Guid>>(ids =>
+                ids.Count() == 2 && ids.Contains(user2.Id) && ids.Contains(user3.Id)))
+            .Returns(premiumStatus);
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(userIds);
+
+        // Assert
+        Assert.Contains(result, res => res.userId == user1.Id && res.twoFactorIsEnabled == true);  // Non-premium provider
+        Assert.Contains(result, res => res.userId == user2.Id && res.twoFactorIsEnabled == true);  // Premium + has premium
+        Assert.Contains(result, res => res.userId == user3.Id && res.twoFactorIsEnabled == false); // Premium + no premium
+    }
+
+    [Theory]
+    [BitAutoData(TwoFactorProviderType.Duo)]
+    [BitAutoData(TwoFactorProviderType.YubiKey)]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_OnlyChecksPremiumAccessForUsersWhoNeedIt(
+        TwoFactorProviderType premiumProviderType,
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        User user1,
+        User user2,
+        User user3)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        var users = new List<User> { user1, user2, user3 };
+        var userIds = users.Select(u => u.Id).ToList();
+
+        // User 1: Has non-premium provider - should NOT trigger premium check
+        user1.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { TwoFactorProviderType.Authenticator, new TwoFactorProvider { Enabled = true } }
+        });
+
+        // User 2 & 3: Have only premium providers - SHOULD trigger premium check
+        user2.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { premiumProviderType, new TwoFactorProvider { Enabled = true } }
+        });
+        user3.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { premiumProviderType, new TwoFactorProvider { Enabled = true } }
+        });
+
+        var premiumStatus = new Dictionary<Guid, bool>
+        {
+            { user2.Id, true },
+            { user3.Id, false }
+        };
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(userIds)))
+            .Returns(users);
+
+        sutProvider.GetDependency<IHasPremiumAccessQuery>()
+            .HasPremiumAccessAsync(Arg.Is<IEnumerable<Guid>>(ids =>
+                ids.Count() == 2 && ids.Contains(user2.Id) && ids.Contains(user3.Id)))
+            .Returns(premiumStatus);
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(userIds);
+
+        // Assert - Verify optimization: premium checked ONLY for users 2 and 3 (not user 1)
+        await sutProvider.GetDependency<IHasPremiumAccessQuery>()
+            .Received(1)
+            .HasPremiumAccessAsync(Arg.Is<IEnumerable<Guid>>(ids =>
+                ids.Count() == 2 && ids.Contains(user2.Id) && ids.Contains(user3.Id)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_WithNoUserIds_ReturnsAllTwoFactorDisabled(
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        List<OrganizationUserUserDetails> users)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        foreach (var user in users)
+        {
+            user.UserId = null;
+        }
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(users);
+
+        // Assert
+        foreach (var user in users)
+        {
+            Assert.Contains(result, res => res.user.Equals(user) && res.twoFactorIsEnabled == false);
+        }
+
+        // No UserIds were supplied so no calls to the UserRepository should have been made
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .GetManyAsync(default);
+    }
+
+    [Theory]
+    [BitAutoData(TwoFactorProviderType.Authenticator, true)]  // Non-premium provider
+    [BitAutoData(TwoFactorProviderType.Duo, true)]            // Premium provider with premium access
+    [BitAutoData(TwoFactorProviderType.YubiKey, false)]       // Premium provider without premium access
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_SingleUser_VariousScenarios(
+        TwoFactorProviderType providerType,
+        bool hasPremiumAccess,
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { providerType, new TwoFactorProvider { Enabled = true } }
+        });
+
+        sutProvider.GetDependency<IHasPremiumAccessQuery>()
+            .HasPremiumAccessAsync(user.Id)
+            .Returns(hasPremiumAccess);
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(user);
+
+        // Assert
+        var requiresPremium = TwoFactorProvider.RequiresPremium(providerType);
+        var expectedResult = !requiresPremium || hasPremiumAccess;
+        Assert.Equal(expectedResult, result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_WithNoEnabledProviders_ReturnsFalse(
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+        {
+            { TwoFactorProviderType.Email, new TwoFactorProvider { Enabled = false } }
+        });
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(user);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_WithNullProviders_ReturnsFalse(
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        user.TwoFactorProviders = null;
+
+        // Act
+        var result = await sutProvider.Sut.TwoFactorIsEnabledAsync(user);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task TwoFactorIsEnabledAsync_WhenPremiumAccessQueryEnabled_UserNotFound_ThrowsNotFoundException(
+        SutProvider<TwoFactorIsEnabledQuery> sutProvider,
+        Guid userId)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PremiumAccessQuery)
+            .Returns(true);
+
+        var testUser = new TestTwoFactorProviderUser
+        {
+            Id = userId,
+            TwoFactorProviders = null
+        };
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByIdAsync(userId)
+            .Returns((User)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(
+            async () => await sutProvider.Sut.TwoFactorIsEnabledAsync(testUser));
+    }
+
     private class TestTwoFactorProviderUser : ITwoFactorProvidersUser
     {
         public Guid? Id { get; set; }
@@ -418,10 +692,5 @@ public class TwoFactorIsEnabledQueryTests
         {
             return Id;
         }
-
-        public bool GetPremium()
-        {
-            return Premium;
-        }
     }
 }

test/Core.Test/Billing/Extensions/InvoiceExtensionsTests.cs

@@ -1,4 +1,5 @@
-using Bit.Core.Billing.Extensions;
+using System.Globalization;
+using Bit.Core.Billing.Extensions;
 using Stripe;
 using Xunit;
 
@@ -356,9 +357,18 @@ public class InvoiceExtensionsTests
     [Fact]
     public void FormatForProvider_ComplexScenario_HandlesAllLineTypes()
     {
-        // Arrange
-        var lineItems = new StripeList<InvoiceLineItem>();
-        lineItems.Data = new List<InvoiceLineItem>
+        // Set culture to en-US to ensure consistent decimal formatting in tests
+        // This ensures tests pass on all machines regardless of system locale
+        var originalCulture = Thread.CurrentThread.CurrentCulture;
+        var originalUICulture = Thread.CurrentThread.CurrentUICulture;
+        try
+        {
+            Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");
+            Thread.CurrentThread.CurrentUICulture = new CultureInfo("en-US");
+
+            // Arrange
+            var lineItems = new StripeList<InvoiceLineItem>();
+            lineItems.Data = new List<InvoiceLineItem>
         {
             new InvoiceLineItem
             {
@@ -372,23 +382,29 @@ public class InvoiceExtensionsTests
             new InvoiceLineItem { Description = "Custom Service", Quantity = 2, Amount = 2000 }
         };
 
-        var invoice = new Invoice
+            var invoice = new Invoice
+            {
+                Lines = lineItems,
+                TotalTaxes = [new InvoiceTotalTax { Amount = 200 }] // Additional $2.00 tax
+            };
+            var subscription = new Subscription();
+
+            // Act
+            var result = invoice.FormatForProvider(subscription);
+
+            // Assert
+            Assert.Equal(5, result.Count);
+            Assert.Equal("5 × Manage service provider (at $6.00 / month)", result[0]);
+            Assert.Equal("10 × Manage service provider (at $4.00 / month)", result[1]);
+            Assert.Equal("1 × Tax (at $8.00 / month)", result[2]);
+            Assert.Equal("Custom Service", result[3]);
+            Assert.Equal("1 × Tax (at $2.00 / month)", result[4]);
+        }
+        finally
         {
-            Lines = lineItems,
-            TotalTaxes = [new InvoiceTotalTax { Amount = 200 }] // Additional $2.00 tax
-        };
-        var subscription = new Subscription();
-
-        // Act
-        var result = invoice.FormatForProvider(subscription);
-
-        // Assert
-        Assert.Equal(5, result.Count);
-        Assert.Equal("5 × Manage service provider (at $6.00 / month)", result[0]);
-        Assert.Equal("10 × Manage service provider (at $4.00 / month)", result[1]);
-        Assert.Equal("1 × Tax (at $8.00 / month)", result[2]);
-        Assert.Equal("Custom Service", result[3]);
-        Assert.Equal("1 × Tax (at $2.00 / month)", result[4]);
+            Thread.CurrentThread.CurrentCulture = originalCulture;
+            Thread.CurrentThread.CurrentUICulture = originalUICulture;
+        }
     }
 
     #endregion

test/Core.Test/Billing/Models/Business/OrganizationLicenseTests.cs

@@ -213,7 +213,8 @@ If you believe you need to change the version for a valid reason, please discuss
             LimitCollectionDeletion = true,
             AllowAdminAccessToAllCollectionItems = true,
             UseOrganizationDomains = true,
-            UseAdminSponsoredFamilies = false
+            UseAdminSponsoredFamilies = false,
+            UsePhishingBlocker = false,
         };
     }
 

test/Core.Test/Billing/Organizations/Commands/PreviewOrganizationTaxCommandTests.cs

@@ -4,7 +4,7 @@ using Bit.Core.Billing.Organizations.Commands;
 using Bit.Core.Billing.Organizations.Models;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
-using Bit.Core.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Test.Billing.Mocks.Plans;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
@@ -58,7 +58,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 5500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -68,7 +68,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(55.00m, total);
 
         // Verify the correct Stripe API call for sponsored subscription
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -116,7 +116,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 8250
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -126,7 +126,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(82.50m, total);
 
         // Verify the correct Stripe API call for standalone secrets manager
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "CA" &&
@@ -179,7 +179,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 12200
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -189,7 +189,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(122.00m, total);
 
         // Verify the correct Stripe API call for comprehensive purchase with storage and service accounts
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "GB" &&
@@ -240,7 +240,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 3300
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -250,7 +250,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(33.00m, total);
 
         // Verify the correct Stripe API call for Families tier (non-seat-based plan)
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -292,7 +292,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 2700
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -302,7 +302,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(27.00m, total);
 
         // Verify the correct Stripe API call for business use in non-US country (tax exempt reverse)
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "DE" &&
@@ -345,7 +345,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 12100
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(purchase, billingAddress);
 
@@ -355,7 +355,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(121.00m, total);
 
         // Verify the correct Stripe API call for Spanish NIF that adds both Spanish NIF and EU VAT tax IDs
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "ES" &&
@@ -405,7 +405,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 1320
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -415,7 +415,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(13.20m, total);
 
         // Verify the correct Stripe API call for free organization upgrade to Teams
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -458,7 +458,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 4400
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -468,7 +468,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(44.00m, total);
 
         // Verify the correct Stripe API call for free organization upgrade to Families (no SM for Families)
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "CA" &&
@@ -522,7 +522,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = new Customer { Discount = null }
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -534,7 +534,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 9900
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -543,7 +543,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(9.00m, tax);
         Assert.Equal(99.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -597,7 +597,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = new Customer { Discount = null }
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -609,7 +609,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 13200
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -618,7 +618,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(12.00m, tax);
         Assert.Equal(132.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -661,7 +661,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 8800
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -671,7 +671,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(88.00m, total);
 
         // Verify the correct Stripe API call for free organization with SM to Enterprise
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "GB" &&
@@ -730,7 +730,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = new Customer { Discount = null }
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -738,7 +738,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 16500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -748,7 +748,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(165.00m, total);
 
         // Verify the correct Stripe API call for existing subscription upgrade
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "DE" &&
@@ -814,7 +814,7 @@ public class PreviewOrganizationTaxCommandTests
             }
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -822,7 +822,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 6600
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, planChange, billingAddress);
 
@@ -832,7 +832,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(66.00m, total);
 
         // Verify the correct Stripe API call preserves existing discount
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -876,8 +876,8 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal("Organization does not have a subscription.", badRequest.Response);
 
         // Verify no Stripe API calls were made
-        await _stripeAdapter.DidNotReceive().InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>());
-        await _stripeAdapter.DidNotReceive().SubscriptionGetAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
+        await _stripeAdapter.DidNotReceive().CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>());
+        await _stripeAdapter.DidNotReceive().GetSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
     }
 
     #endregion
@@ -919,7 +919,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -927,7 +927,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 6600
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -937,7 +937,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(66.00m, total);
 
         // Verify the correct Stripe API call for PM seats only
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -984,7 +984,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -992,7 +992,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 13200
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1002,7 +1002,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(132.00m, total);
 
         // Verify the correct Stripe API call for PM seats + storage
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "CA" &&
@@ -1051,7 +1051,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -1059,7 +1059,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 8800
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1069,7 +1069,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(88.00m, total);
 
         // Verify the correct Stripe API call for SM seats only
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "DE" &&
@@ -1119,7 +1119,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -1127,7 +1127,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 16500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1137,7 +1137,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(165.00m, total);
 
         // Verify the correct Stripe API call for SM seats + service accounts with tax ID
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "GB" &&
@@ -1200,7 +1200,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -1208,7 +1208,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 27500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1218,7 +1218,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(275.00m, total);
 
         // Verify the correct Stripe API call for comprehensive update with discount and Spanish tax ID
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "ES" &&
@@ -1276,7 +1276,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -1284,7 +1284,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 5500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1294,7 +1294,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(55.00m, total);
 
         // Verify the correct Stripe API call for Families tier (personal usage, no business tax exemption)
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "AU" &&
@@ -1334,8 +1334,8 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal("Organization does not have a subscription.", badRequest.Response);
 
         // Verify no Stripe API calls were made
-        await _stripeAdapter.DidNotReceive().InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>());
-        await _stripeAdapter.DidNotReceive().SubscriptionGetAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
+        await _stripeAdapter.DidNotReceive().CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>());
+        await _stripeAdapter.DidNotReceive().GetSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
     }
 
     [Fact]
@@ -1378,7 +1378,7 @@ public class PreviewOrganizationTaxCommandTests
             Customer = customer
         };
 
-        _stripeAdapter.SubscriptionGetAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
+        _stripeAdapter.GetSubscriptionAsync("sub_test123", Arg.Any<SubscriptionGetOptions>()).Returns(subscription);
 
         var invoice = new Invoice
         {
@@ -1386,7 +1386,7 @@ public class PreviewOrganizationTaxCommandTests
             Total = 3300
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(organization, update);
 
@@ -1396,7 +1396,7 @@ public class PreviewOrganizationTaxCommandTests
         Assert.Equal(33.00m, total);
 
         // Verify only PM seats are included (storage=0 excluded, SM seats=0 so entire SM excluded)
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&

test/Core.Test/Billing/Organizations/Commands/UpdateOrganizationLicenseCommandTests.cs

@@ -88,7 +88,7 @@ public class UpdateOrganizationLicenseCommandTests
                         "Hash", "Signature", "SignatureBytes", "InstallationId", "Expires",
                         "ExpirationWithoutGracePeriod", "Token", "LimitCollectionCreationDeletion",
                         "LimitCollectionCreation", "LimitCollectionDeletion", "AllowAdminAccessToAllCollectionItems",
-                        "UseOrganizationDomains", "UseAdminSponsoredFamilies", "UseAutomaticUserConfirmation") &&
+                        "UseOrganizationDomains", "UseAdminSponsoredFamilies", "UseAutomaticUserConfirmation", "UsePhishingBlocker") &&
                          // Same property but different name, use explicit mapping
                          org.ExpirationDate == license.Expires));
         }

test/Core.Test/Billing/Organizations/Queries/GetCloudOrganizationLicenseQueryTests.cs

@@ -8,7 +8,6 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Platform.Installations;
-using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Core.Test.Billing.AutoFixture;
 using Bit.Test.Common.AutoFixture;
@@ -59,7 +58,7 @@ public class GetCloudOrganizationLicenseQueryTests
     {
         installation.Enabled = true;
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
-        sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
+        sutProvider.GetDependency<IStripePaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
 
         var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);
@@ -80,7 +79,7 @@ public class GetCloudOrganizationLicenseQueryTests
     {
         installation.Enabled = true;
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
-        sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
+        sutProvider.GetDependency<IStripePaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
         sutProvider.GetDependency<ILicensingService>()
             .CreateOrganizationTokenAsync(organization, installationId, subInfo)
@@ -119,7 +118,7 @@ public class GetCloudOrganizationLicenseQueryTests
         installation.Enabled = true;
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
         sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
-        sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(provider).Returns(subInfo);
+        sutProvider.GetDependency<IStripePaymentService>().GetSubscriptionAsync(provider).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
 
         var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);

test/Core.Test/Billing/Organizations/Queries/GetOrganizationWarningsQueryTests.cs

@@ -8,7 +8,6 @@ using Bit.Core.Billing.Organizations.Queries;
 using Bit.Core.Billing.Payment.Queries;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -382,7 +381,7 @@ public class GetOrganizationWarningsQueryTests
 
         var dueDate = now.AddDays(-10);
 
-        sutProvider.GetDependency<IStripeAdapter>().InvoiceSearchAsync(Arg.Is<InvoiceSearchOptions>(options =>
+        sutProvider.GetDependency<IStripeAdapter>().SearchInvoiceAsync(Arg.Is<InvoiceSearchOptions>(options =>
             options.Query == $"subscription:'{subscriptionId}' status:'open'")).Returns([
             new Invoice { DueDate = dueDate, Created = dueDate.AddDays(-30) }
         ]);
@@ -542,7 +541,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>
@@ -583,7 +582,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>
@@ -635,7 +634,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>
@@ -687,7 +686,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>
@@ -739,7 +738,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>
@@ -785,7 +784,7 @@ public class GetOrganizationWarningsQueryTests
             .Returns(true);
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+            .ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = new List<Registration>

test/Core.Test/Billing/Payment/Commands/UpdateBillingAddressCommandTests.cs

@@ -4,7 +4,6 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Payment.Commands;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Services;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Extensions;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
@@ -73,7 +72,7 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions")
         )).Returns(customer);
@@ -84,7 +83,7 @@ public class UpdateBillingAddressCommandTests
         var output = result.AsT0;
         Assert.Equivalent(input, output);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
@@ -131,7 +130,7 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions")
         )).Returns(customer);
@@ -144,7 +143,7 @@ public class UpdateBillingAddressCommandTests
 
         await _subscriberService.Received(1).CreateStripeCustomer(organization);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
@@ -192,7 +191,7 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions", "tax_ids") &&
             options.TaxExempt == TaxExempt.None
@@ -204,7 +203,7 @@ public class UpdateBillingAddressCommandTests
         var output = result.AsT0;
         Assert.Equivalent(input, output);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
@@ -260,7 +259,7 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions", "tax_ids") &&
             options.TaxExempt == TaxExempt.None
@@ -272,10 +271,10 @@ public class UpdateBillingAddressCommandTests
         var output = result.AsT0;
         Assert.Equivalent(input, output);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
 
-        await _stripeAdapter.Received(1).TaxIdDeleteAsync(customer.Id, "tax_id_123");
+        await _stripeAdapter.Received(1).DeleteTaxIdAsync(customer.Id, "tax_id_123");
     }
 
     [Fact]
@@ -322,7 +321,7 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions", "tax_ids") &&
             options.TaxExempt == TaxExempt.Reverse
@@ -334,7 +333,7 @@ public class UpdateBillingAddressCommandTests
         var output = result.AsT0;
         Assert.Equivalent(input, output);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
@@ -384,14 +383,14 @@ public class UpdateBillingAddressCommandTests
             }
         };
 
-        _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Address.Matches(input) &&
             options.HasExpansions("subscriptions", "tax_ids") &&
             options.TaxExempt == TaxExempt.Reverse
         )).Returns(customer);
 
         _stripeAdapter
-            .TaxIdCreateAsync(customer.Id,
+            .CreateTaxIdAsync(customer.Id,
                 Arg.Is<TaxIdCreateOptions>(options => options.Type == TaxIdType.EUVAT))
             .Returns(new TaxId { Type = TaxIdType.EUVAT, Value = "ESA12345678" });
 
@@ -401,10 +400,10 @@ public class UpdateBillingAddressCommandTests
         var output = result.AsT0;
         Assert.Equivalent(input with { TaxId = new TaxID(TaxIdType.EUVAT, "ESA12345678") }, output);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
 
-        await _stripeAdapter.Received(1).TaxIdCreateAsync(organization.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
+        await _stripeAdapter.Received(1).CreateTaxIdAsync(organization.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
             options => options.Type == TaxIdType.SpanishNIF &&
                        options.Value == input.TaxId.Value));
     }

test/Core.Test/Billing/Payment/Commands/UpdatePaymentMethodCommandTests.cs

@@ -4,7 +4,6 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Payment.Commands;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Services;
-using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Test.Billing.Extensions;
 using Braintree;
@@ -82,7 +81,7 @@ public class UpdatePaymentMethodCommandTests
             Status = "requires_action"
         };
 
-        _stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        _stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
             options.PaymentMethod == token && options.HasExpansions("data.payment_method"))).Returns([setupIntent]);
 
         var result = await _command.Run(organization,
@@ -144,7 +143,7 @@ public class UpdatePaymentMethodCommandTests
             Status = "requires_action"
         };
 
-        _stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        _stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
             options.PaymentMethod == token && options.HasExpansions("data.payment_method"))).Returns([setupIntent]);
 
         var result = await _command.Run(organization,
@@ -213,7 +212,7 @@ public class UpdatePaymentMethodCommandTests
             Status = "requires_action"
         };
 
-        _stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        _stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
             options.PaymentMethod == token && options.HasExpansions("data.payment_method"))).Returns([setupIntent]);
 
         var result = await _command.Run(organization,
@@ -232,7 +231,7 @@ public class UpdatePaymentMethodCommandTests
         Assert.Equal("https://example.com", maskedBankAccount.HostedVerificationUrl);
 
         await _setupIntentCache.Received(1).Set(organization.Id, setupIntent.Id);
-        await _stripeAdapter.Received(1).CustomerUpdateAsync(customer.Id, Arg.Is<CustomerUpdateOptions>(options =>
+        await _stripeAdapter.Received(1).UpdateCustomerAsync(customer.Id, Arg.Is<CustomerUpdateOptions>(options =>
             options.Metadata[MetadataKeys.BraintreeCustomerId] == string.Empty &&
             options.Metadata[MetadataKeys.RetiredBraintreeCustomerId] == "braintree_customer_id"));
     }
@@ -262,7 +261,7 @@ public class UpdatePaymentMethodCommandTests
         const string token = "TOKEN";
 
         _stripeAdapter
-            .PaymentMethodAttachAsync(token,
+            .AttachPaymentMethodAsync(token,
                 Arg.Is<PaymentMethodAttachOptions>(options => options.Customer == customer.Id))
             .Returns(new PaymentMethod
             {
@@ -291,7 +290,7 @@ public class UpdatePaymentMethodCommandTests
         Assert.Equal("9999", maskedCard.Last4);
         Assert.Equal("01/2028", maskedCard.Expiration);
 
-        await _stripeAdapter.Received(1).CustomerUpdateAsync(customer.Id,
+        await _stripeAdapter.Received(1).UpdateCustomerAsync(customer.Id,
             Arg.Is<CustomerUpdateOptions>(options => options.InvoiceSettings.DefaultPaymentMethod == token));
     }
 
@@ -315,7 +314,7 @@ public class UpdatePaymentMethodCommandTests
         const string token = "TOKEN";
 
         _stripeAdapter
-            .PaymentMethodAttachAsync(token,
+            .AttachPaymentMethodAsync(token,
                 Arg.Is<PaymentMethodAttachOptions>(options => options.Customer == customer.Id))
             .Returns(new PaymentMethod
             {
@@ -344,10 +343,10 @@ public class UpdatePaymentMethodCommandTests
         Assert.Equal("9999", maskedCard.Last4);
         Assert.Equal("01/2028", maskedCard.Expiration);
 
-        await _stripeAdapter.Received(1).CustomerUpdateAsync(customer.Id,
+        await _stripeAdapter.Received(1).UpdateCustomerAsync(customer.Id,
             Arg.Is<CustomerUpdateOptions>(options => options.InvoiceSettings.DefaultPaymentMethod == token));
 
-        await _stripeAdapter.Received(1).CustomerUpdateAsync(customer.Id,
+        await _stripeAdapter.Received(1).UpdateCustomerAsync(customer.Id,
             Arg.Is<CustomerUpdateOptions>(options => options.Address.Country == "US" && options.Address.PostalCode == "12345"));
     }
 
@@ -468,7 +467,7 @@ public class UpdatePaymentMethodCommandTests
         var maskedPayPalAccount = maskedPaymentMethod.AsT2;
         Assert.Equal("user@gmail.com", maskedPayPalAccount.Email);
 
-        await _stripeAdapter.Received(1).CustomerUpdateAsync(customer.Id,
+        await _stripeAdapter.Received(1).UpdateCustomerAsync(customer.Id,
             Arg.Is<CustomerUpdateOptions>(options =>
                 options.Metadata[MetadataKeys.BraintreeCustomerId] == "braintree_customer_id"));
     }

test/Core.Test/Billing/Payment/Queries/GetPaymentMethodQueryTests.cs

@@ -3,7 +3,6 @@ using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Payment.Queries;
 using Bit.Core.Billing.Services;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Extensions;
 using Braintree;
 using Microsoft.Extensions.Logging;
@@ -166,7 +165,7 @@ public class GetPaymentMethodQueryTests
         _setupIntentCache.GetSetupIntentIdForSubscriber(organization.Id).Returns("seti_123");
 
         _stripeAdapter
-            .SetupIntentGet("seti_123",
+            .GetSetupIntentAsync("seti_123",
                 Arg.Is<SetupIntentGetOptions>(options => options.HasExpansions("payment_method"))).Returns(
                 new SetupIntent
                 {

test/Core.Test/Billing/Payment/Queries/HasPaymentMethodQueryTests.cs

@@ -3,7 +3,6 @@ using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Payment.Queries;
 using Bit.Core.Billing.Services;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Extensions;
 using NSubstitute;
 using NSubstitute.ReturnsExtensions;
@@ -57,7 +56,7 @@ public class HasPaymentMethodQueryTests
         _setupIntentCache.GetSetupIntentIdForSubscriber(organization.Id).Returns("seti_123");
 
         _stripeAdapter
-            .SetupIntentGet("seti_123",
+            .GetSetupIntentAsync("seti_123",
                 Arg.Is<SetupIntentGetOptions>(options => options.HasExpansions("payment_method")))
             .Returns(new SetupIntent
             {
@@ -162,7 +161,7 @@ public class HasPaymentMethodQueryTests
         _setupIntentCache.GetSetupIntentIdForSubscriber(organization.Id).Returns("seti_123");
 
         _stripeAdapter
-            .SetupIntentGet("seti_123",
+            .GetSetupIntentAsync("seti_123",
                 Arg.Is<SetupIntentGetOptions>(options => options.HasExpansions("payment_method")))
             .Returns(new SetupIntent
             {
@@ -246,7 +245,7 @@ public class HasPaymentMethodQueryTests
         _setupIntentCache.GetSetupIntentIdForSubscriber(organization.Id).Returns("seti_123");
 
         _stripeAdapter
-            .SetupIntentGet("seti_123",
+            .GetSetupIntentAsync("seti_123",
                 Arg.Is<SetupIntentGetOptions>(options => options.HasExpansions("payment_method")))
             .Returns(new SetupIntent
             {

test/Core.Test/Billing/Premium/Commands/CreatePremiumCloudHostedSubscriptionCommandTests.cs

@@ -146,11 +146,11 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         var mockSetupIntent = Substitute.For<SetupIntent>();
         mockSetupIntent.Id = "seti_123";
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
-        _stripeAdapter.SetupIntentList(Arg.Any<SetupIntentListOptions>()).Returns(Task.FromResult(new List<SetupIntent> { mockSetupIntent }));
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.ListSetupIntentsAsync(Arg.Any<SetupIntentListOptions>()).Returns(Task.FromResult(new List<SetupIntent> { mockSetupIntent }));
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
 
         // Act
@@ -158,8 +158,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         // Assert
         Assert.True(result.IsT0);
-        await _stripeAdapter.Received(1).CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
         await _userService.Received(1).SaveUserAsync(user);
         await _pushNotificationService.Received(1).PushSyncVaultAsync(user.Id);
     }
@@ -200,10 +200,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
 
         // Act
@@ -211,8 +211,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         // Assert
         Assert.True(result.IsT0);
-        await _stripeAdapter.Received(1).CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
         await _userService.Received(1).SaveUserAsync(user);
         await _pushNotificationService.Received(1).PushSyncVaultAsync(user.Id);
     }
@@ -243,10 +243,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
         _subscriberService.CreateBraintreeCustomer(Arg.Any<User>(), Arg.Any<string>()).Returns("bt_customer_123");
 
@@ -255,8 +255,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         // Assert
         Assert.True(result.IsT0);
-        await _stripeAdapter.Received(1).CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
         await _subscriberService.Received(1).CreateBraintreeCustomer(user, paymentMethod.Token);
         await _userService.Received(1).SaveUserAsync(user);
         await _pushNotificationService.Received(1).PushSyncVaultAsync(user.Id);
@@ -299,10 +299,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
 
         // Act
@@ -356,8 +356,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         // Mock that the user has a payment method (this is the key difference from the credit purchase case)
         _hasPaymentMethodQuery.Run(Arg.Any<User>()).Returns(true);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
 
         // Act
         var result = await _command.Run(user, paymentMethod, billingAddress, 0);
@@ -365,7 +365,7 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         // Assert
         Assert.True(result.IsT0);
         await _subscriberService.Received(1).GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>());
-        await _stripeAdapter.DidNotReceive().CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.DidNotReceive().CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
         await _updatePaymentMethodCommand.DidNotReceive().Run(Arg.Any<User>(), Arg.Any<TokenizedPaymentMethod>(), Arg.Any<BillingAddress>());
     }
 
@@ -415,8 +415,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         _updatePaymentMethodCommand.Run(Arg.Any<User>(), Arg.Any<TokenizedPaymentMethod>(), Arg.Any<BillingAddress>())
             .Returns(mockMaskedPaymentMethod);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
 
         // Act
         var result = await _command.Run(user, paymentMethod, billingAddress, 0);
@@ -428,9 +428,9 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         // Verify GetCustomerOrThrow was called after updating payment method
         await _subscriberService.Received(1).GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>());
         // Verify no new customer was created
-        await _stripeAdapter.DidNotReceive().CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.DidNotReceive().CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
         // Verify subscription was created
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
         // Verify user was updated correctly
         Assert.True(user.Premium);
         await _userService.Received(1).SaveUserAsync(user);
@@ -474,10 +474,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.CreateBraintreeCustomer(Arg.Any<User>(), Arg.Any<string>()).Returns("bt_customer_123");
 
         // Act
@@ -525,10 +525,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
 
         // Act
@@ -577,10 +577,10 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.CreateBraintreeCustomer(Arg.Any<User>(), Arg.Any<string>()).Returns("bt_customer_123");
 
         // Act
@@ -628,13 +628,13 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
 
         var mockInvoice = Substitute.For<Invoice>();
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
 
-        _stripeAdapter.SetupIntentList(Arg.Any<SetupIntentListOptions>())
+        _stripeAdapter.ListSetupIntentsAsync(Arg.Any<SetupIntentListOptions>())
             .Returns(Task.FromResult(new List<SetupIntent>())); // Empty list - no setup intent found
 
         // Act
@@ -681,8 +681,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         var mockInvoice = Substitute.For<Invoice>();
 
         _subscriberService.GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
-        _stripeAdapter.InvoiceUpdateAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.UpdateInvoiceAsync(Arg.Any<string>(), Arg.Any<InvoiceUpdateOptions>()).Returns(mockInvoice);
 
         // Act
         var result = await _command.Run(user, paymentMethod, billingAddress, 0);
@@ -690,7 +690,7 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         // Assert
         Assert.True(result.IsT0);
         await _subscriberService.Received(1).GetCustomerOrThrow(Arg.Any<User>(), Arg.Any<CustomerGetOptions>());
-        await _stripeAdapter.DidNotReceive().CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.DidNotReceive().CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
         Assert.True(user.Premium);
         Assert.Equal(mockSubscription.GetCurrentPeriodEnd(), user.PremiumExpirationDate);
     }
@@ -716,8 +716,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
         Assert.True(result.IsT3); // Assuming T3 is the Unhandled result
         Assert.IsType<BillingException>(result.AsT3.Exception);
         // Verify no customer was created or subscription attempted
-        await _stripeAdapter.DidNotReceive().CustomerCreateAsync(Arg.Any<CustomerCreateOptions>());
-        await _stripeAdapter.DidNotReceive().SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.DidNotReceive().CreateCustomerAsync(Arg.Any<CustomerCreateOptions>());
+        await _stripeAdapter.DidNotReceive().CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
         await _userService.DidNotReceive().SaveUserAsync(Arg.Any<User>());
     }
 
@@ -767,8 +767,8 @@ public class CreatePremiumCloudHostedSubscriptionCommandTests
             ]
         };
 
-        _stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
+        _stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>()).Returns(mockCustomer);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(mockSubscription);
 
         // Act
         var result = await _command.Run(user, paymentMethod, billingAddress, additionalStorage);

test/Core.Test/Billing/Premium/Commands/PreviewPremiumTaxCommandTests.cs

@@ -1,7 +1,7 @@
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Premium.Commands;
 using Bit.Core.Billing.Pricing;
-using Bit.Core.Services;
+using Bit.Core.Billing.Services;
 using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Stripe;
@@ -50,7 +50,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 3300
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(0, billingAddress);
 
@@ -59,7 +59,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(3.00m, tax);
         Assert.Equal(33.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -84,7 +84,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 5500
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(5, billingAddress);
 
@@ -93,7 +93,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(5.00m, tax);
         Assert.Equal(55.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "CA" &&
@@ -120,7 +120,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 2750
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(0, billingAddress);
 
@@ -129,7 +129,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(2.50m, tax);
         Assert.Equal(27.50m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "GB" &&
@@ -154,7 +154,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 8800
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(20, billingAddress);
 
@@ -163,7 +163,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(8.00m, tax);
         Assert.Equal(88.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "DE" &&
@@ -190,7 +190,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 4950
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(10, billingAddress);
 
@@ -199,7 +199,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(4.50m, tax);
         Assert.Equal(49.50m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "AU" &&
@@ -226,7 +226,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 3000
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(0, billingAddress);
 
@@ -235,7 +235,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(0.00m, tax);
         Assert.Equal(30.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "US" &&
@@ -260,7 +260,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 6600
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(-5, billingAddress);
 
@@ -269,7 +269,7 @@ public class PreviewPremiumTaxCommandTests
         Assert.Equal(6.00m, tax);
         Assert.Equal(66.00m, total);
 
-        await _stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
+        await _stripeAdapter.Received(1).CreateInvoicePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
             options.AutomaticTax.Enabled == true &&
             options.Currency == "usd" &&
             options.CustomerDetails.Address.Country == "FR" &&
@@ -295,7 +295,7 @@ public class PreviewPremiumTaxCommandTests
             Total = 3123 // $31.23
         };
 
-        _stripeAdapter.InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
+        _stripeAdapter.CreateInvoicePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>()).Returns(invoice);
 
         var result = await _command.Run(0, billingAddress);
 

test/Core.Test/Billing/Premium/Queries/HasPremiumAccessQueryTests.cs

@@ -0,0 +1,234 @@
+using Bit.Core.Billing.Premium.Models;
+using Bit.Core.Billing.Premium.Queries;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Billing.Premium.Queries;
+
+[SutProviderCustomize]
+public class HasPremiumAccessQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_WhenUserHasPersonalPremium_ReturnsTrue(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = true;
+        user.OrganizationPremium = false;
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumAccessAsync(user.Id);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_WhenUserHasNoPersonalPremiumButHasOrgPremium_ReturnsTrue(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = false;
+        user.OrganizationPremium = true; // Has org premium
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumAccessAsync(user.Id);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_WhenUserHasNoPersonalPremiumAndNoOrgPremium_ReturnsFalse(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = false;
+        user.OrganizationPremium = false;
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumAccessAsync(user.Id);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_WhenUserNotFound_ThrowsNotFoundException(
+        Guid userId,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(userId)
+            .Returns((UserPremiumAccess?)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.HasPremiumAccessAsync(userId));
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumFromOrganizationAsync_WhenUserHasNoOrganizations_ReturnsFalse(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = false;
+        user.OrganizationPremium = false; // No premium from anywhere
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumFromOrganizationAsync(user.Id);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumFromOrganizationAsync_WhenUserHasPremiumFromOrg_ReturnsTrue(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = false; // No personal premium
+        user.OrganizationPremium = true; // But has premium from org
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumFromOrganizationAsync(user.Id);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumFromOrganizationAsync_WhenUserHasOnlyPersonalPremium_ReturnsFalse(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = true; // Has personal premium
+        user.OrganizationPremium = false; // Not in any org that grants premium
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumFromOrganizationAsync(user.Id);
+
+        // Assert
+        Assert.False(result); // Should return false because user is not in an org that grants premium
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumFromOrganizationAsync_WhenUserHasBothPersonalAndOrgPremium_ReturnsTrue(
+        UserPremiumAccess user,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user.PersonalPremium = true; // Has personal premium
+        user.OrganizationPremium = true; // Also in an org that grants premium
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(user.Id)
+            .Returns(user);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumFromOrganizationAsync(user.Id);
+
+        // Assert
+        Assert.True(result); // Should return true because user IS in an org that grants premium (regardless of personal premium)
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumFromOrganizationAsync_WhenUserNotFound_ThrowsNotFoundException(
+        Guid userId,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessAsync(userId)
+            .Returns((UserPremiumAccess?)null);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(
+            () => sutProvider.Sut.HasPremiumFromOrganizationAsync(userId));
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_Bulk_WhenEmptyList_ReturnsEmptyDictionary(
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        var userIds = new List<Guid>();
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessByIdsAsync(userIds)
+            .Returns(new List<UserPremiumAccess>());
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumAccessAsync(userIds);
+
+        // Assert
+        Assert.Empty(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasPremiumAccessAsync_Bulk_ReturnsCorrectStatus(
+        UserPremiumAccess user1,
+        UserPremiumAccess user2,
+        UserPremiumAccess user3,
+        SutProvider<HasPremiumAccessQuery> sutProvider)
+    {
+        // Arrange
+        user1.PersonalPremium = true;
+        user1.OrganizationPremium = false;
+        user2.PersonalPremium = false;
+        user2.OrganizationPremium = false;
+        user3.PersonalPremium = false;
+        user3.OrganizationPremium = true;
+
+        var users = new List<UserPremiumAccess> { user1, user2, user3 };
+        var userIds = users.Select(u => u.Id).ToList();
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetPremiumAccessByIdsAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(userIds)))
+            .Returns(users);
+
+        // Act
+        var result = await sutProvider.Sut.HasPremiumAccessAsync(userIds);
+
+        // Assert
+        Assert.Equal(3, result.Count);
+        Assert.True(result[user1.Id]);  // Personal premium
+        Assert.False(result[user2.Id]); // No premium
+        Assert.True(result[user3.Id]);  // Organization premium
+    }
+}

test/Core.Test/Billing/Services/OrganizationBillingServiceTests.cs

@@ -1,5 +1,4 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Billing;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models.Sales;
@@ -10,7 +9,6 @@ using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -179,7 +177,7 @@ public class OrganizationBillingServiceTests
 
         SubscriptionCreateOptions capturedOptions = null;
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionCreateAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
+            .CreateSubscriptionAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
             .Returns(new Subscription
             {
                 Id = "sub_test123",
@@ -196,7 +194,7 @@ public class OrganizationBillingServiceTests
         // Assert
         await sutProvider.GetDependency<IStripeAdapter>()
             .Received(1)
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
 
         Assert.NotNull(capturedOptions);
         Assert.Equal(7, capturedOptions.TrialPeriodDays);
@@ -255,7 +253,7 @@ public class OrganizationBillingServiceTests
 
         SubscriptionCreateOptions capturedOptions = null;
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionCreateAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
+            .CreateSubscriptionAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
             .Returns(new Subscription
             {
                 Id = "sub_test123",
@@ -272,7 +270,7 @@ public class OrganizationBillingServiceTests
         // Assert
         await sutProvider.GetDependency<IStripeAdapter>()
             .Received(1)
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
 
         Assert.NotNull(capturedOptions);
         Assert.Equal(0, capturedOptions.TrialPeriodDays);
@@ -329,7 +327,7 @@ public class OrganizationBillingServiceTests
 
         SubscriptionCreateOptions capturedOptions = null;
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionCreateAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
+            .CreateSubscriptionAsync(Arg.Do<SubscriptionCreateOptions>(options => capturedOptions = options))
             .Returns(new Subscription
             {
                 Id = "sub_test123",
@@ -346,7 +344,7 @@ public class OrganizationBillingServiceTests
         // Assert
         await sutProvider.GetDependency<IStripeAdapter>()
             .Received(1)
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
 
         Assert.NotNull(capturedOptions);
         Assert.Equal(7, capturedOptions.TrialPeriodDays);
@@ -364,7 +362,7 @@ public class OrganizationBillingServiceTests
 
         CustomerUpdateOptions capturedOptions = null;
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 Arg.Is<string>(id => id == organization.GatewayCustomerId),
                 Arg.Do<CustomerUpdateOptions>(options => capturedOptions = options))
             .Returns(new Customer());
@@ -375,7 +373,7 @@ public class OrganizationBillingServiceTests
         // Assert
         await sutProvider.GetDependency<IStripeAdapter>()
             .Received(1)
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 organization.GatewayCustomerId,
                 Arg.Any<CustomerUpdateOptions>());
 
@@ -392,16 +390,17 @@ public class OrganizationBillingServiceTests
     }
 
     [Theory, BitAutoData]
-    public async Task UpdateOrganizationNameAndEmail_WhenNameIsLong_TruncatesTo30Characters(
+    public async Task UpdateOrganizationNameAndEmail_WhenNameIsLong_UsesFullName(
         Organization organization,
         SutProvider<OrganizationBillingService> sutProvider)
     {
         // Arrange
-        organization.Name = "This is a very long organization name that exceeds thirty characters";
+        var longName = "This is a very long organization name that exceeds thirty characters";
+        organization.Name = longName;
 
         CustomerUpdateOptions capturedOptions = null;
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 Arg.Is<string>(id => id == organization.GatewayCustomerId),
                 Arg.Do<CustomerUpdateOptions>(options => capturedOptions = options))
             .Returns(new Customer());
@@ -412,7 +411,7 @@ public class OrganizationBillingServiceTests
         // Assert
         await sutProvider.GetDependency<IStripeAdapter>()
             .Received(1)
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 organization.GatewayCustomerId,
                 Arg.Any<CustomerUpdateOptions>());
 
@@ -421,14 +420,11 @@ public class OrganizationBillingServiceTests
         Assert.NotNull(capturedOptions.InvoiceSettings.CustomFields);
 
         var customField = capturedOptions.InvoiceSettings.CustomFields.First();
-        Assert.Equal(30, customField.Value.Length);
-
-        var expectedCustomFieldDisplayName = "This is a very long organizati";
-        Assert.Equal(expectedCustomFieldDisplayName, customField.Value);
+        Assert.Equal(longName, customField.Value);
     }
 
     [Theory, BitAutoData]
-    public async Task UpdateOrganizationNameAndEmail_WhenGatewayCustomerIdIsNull_ThrowsBillingException(
+    public async Task UpdateOrganizationNameAndEmail_WhenGatewayCustomerIdIsNull_LogsWarningAndReturns(
         Organization organization,
         SutProvider<OrganizationBillingService> sutProvider)
     {
@@ -436,15 +432,93 @@ public class OrganizationBillingServiceTests
         organization.GatewayCustomerId = null;
         organization.Name = "Test Organization";
         organization.BillingEmail = "billing@example.com";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        // Act & Assert
-        var exception = await Assert.ThrowsAsync<BillingException>(
-            () => sutProvider.Sut.UpdateOrganizationNameAndEmail(organization));
+        // Act
+        await sutProvider.Sut.UpdateOrganizationNameAndEmail(organization);
 
-        Assert.Contains("Cannot update an organization in Stripe without a GatewayCustomerId.", exception.Response);
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
 
-        await sutProvider.GetDependency<IStripeAdapter>()
-            .DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+    [Theory, BitAutoData]
+    public async Task UpdateOrganizationNameAndEmail_WhenGatewayCustomerIdIsEmpty_LogsWarningAndReturns(
+        Organization organization,
+        SutProvider<OrganizationBillingService> sutProvider)
+    {
+        // Arrange
+        organization.GatewayCustomerId = "";
+        organization.Name = "Test Organization";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateOrganizationNameAndEmail(organization);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateOrganizationNameAndEmail_WhenNameIsNull_LogsWarningAndReturns(
+        Organization organization,
+        SutProvider<OrganizationBillingService> sutProvider)
+    {
+        // Arrange
+        organization.Name = null;
+        organization.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateOrganizationNameAndEmail(organization);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateOrganizationNameAndEmail_WhenNameIsEmpty_LogsWarningAndReturns(
+        Organization organization,
+        SutProvider<OrganizationBillingService> sutProvider)
+    {
+        // Arrange
+        organization.Name = "";
+        organization.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateOrganizationNameAndEmail(organization);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateOrganizationNameAndEmail_WhenBillingEmailIsNull_UpdatesWithNull(
+        Organization organization,
+        SutProvider<OrganizationBillingService> sutProvider)
+    {
+        // Arrange
+        organization.Name = "Test Organization";
+        organization.BillingEmail = null;
+        organization.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateOrganizationNameAndEmail(organization);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            organization.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.Email == null &&
+                options.Description == organization.Name));
     }
 }

test/Core.Test/Billing/Services/PaymentHistoryServiceTests.cs

@@ -1,9 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 using Bit.Core.Entities;
 using Bit.Core.Models.BitStripe;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using NSubstitute;
 using Stripe;
 using Xunit;
@@ -19,7 +19,7 @@ public class PaymentHistoryServiceTests
         var subscriber = new Organization { GatewayCustomerId = "cus_id", GatewaySubscriptionId = "sub_id" };
         var invoices = new List<Invoice> { new() { Id = "in_id" } };
         var stripeAdapter = Substitute.For<IStripeAdapter>();
-        stripeAdapter.InvoiceListAsync(Arg.Any<StripeInvoiceListOptions>()).Returns(invoices);
+        stripeAdapter.ListInvoicesAsync(Arg.Any<StripeInvoiceListOptions>()).Returns(invoices);
         var transactionRepository = Substitute.For<ITransactionRepository>();
         var paymentHistoryService = new PaymentHistoryService(stripeAdapter, transactionRepository);
 
@@ -29,7 +29,7 @@ public class PaymentHistoryServiceTests
         // Assert
         Assert.NotEmpty(result);
         Assert.Single(result);
-        await stripeAdapter.Received(1).InvoiceListAsync(Arg.Any<StripeInvoiceListOptions>());
+        await stripeAdapter.Received(1).ListInvoicesAsync(Arg.Any<StripeInvoiceListOptions>());
     }
 
     [Fact]

test/Core.Test/Billing/Services/StripePaymentServiceTests.cs

@@ -0,0 +1,411 @@
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Services;
+using Bit.Core.Billing.Services.Implementations;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Stripe;
+using Xunit;
+
+namespace Bit.Core.Test.Services;
+
+[SutProviderCustomize]
+public class StripePaymentServiceTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithCustomerDiscount_ReturnsDiscountFromCustomer(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var customerDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
+                PercentOff = 20m,
+                AmountOff = 1400
+            },
+            End = null
+        };
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = customerDiscount
+            },
+            Discounts = new List<Discount>(), // Empty list
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert
+        Assert.NotNull(result.CustomerDiscount);
+        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
+        Assert.Equal(20m, result.CustomerDiscount.PercentOff);
+        Assert.Equal(14.00m, result.CustomerDiscount.AmountOff); // Converted from cents
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithoutCustomerDiscount_FallsBackToSubscriptionDiscounts(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var subscriptionDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
+                PercentOff = 15m,
+                AmountOff = null
+            },
+            End = null
+        };
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = null // No customer discount
+            },
+            Discounts = new List<Discount> { subscriptionDiscount },
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Should use subscription discount as fallback
+        Assert.NotNull(result.CustomerDiscount);
+        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
+        Assert.Equal(15m, result.CustomerDiscount.PercentOff);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithBothDiscounts_PrefersCustomerDiscount(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var customerDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
+                PercentOff = 25m
+            },
+            End = null
+        };
+
+        var subscriptionDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = "different-coupon-id",
+                PercentOff = 10m
+            },
+            End = null
+        };
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = customerDiscount // Should prefer this
+            },
+            Discounts = new List<Discount> { subscriptionDiscount },
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Should prefer customer discount over subscription discount
+        Assert.NotNull(result.CustomerDiscount);
+        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
+        Assert.Equal(25m, result.CustomerDiscount.PercentOff);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithNoDiscounts_ReturnsNullDiscount(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = null
+            },
+            Discounts = new List<Discount>(), // Empty list, no discounts
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert
+        Assert.Null(result.CustomerDiscount);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithMultipleSubscriptionDiscounts_SelectsFirstDiscount(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange - Multiple subscription-level discounts, no customer discount
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var firstDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = "coupon-10-percent",
+                PercentOff = 10m
+            },
+            End = null
+        };
+
+        var secondDiscount = new Discount
+        {
+            Coupon = new Coupon
+            {
+                Id = "coupon-20-percent",
+                PercentOff = 20m
+            },
+            End = null
+        };
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = null // No customer discount
+            },
+            // Multiple subscription discounts - FirstOrDefault() should select the first one
+            Discounts = new List<Discount> { firstDiscount, secondDiscount },
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Should select the first discount from the list (FirstOrDefault() behavior)
+        Assert.NotNull(result.CustomerDiscount);
+        Assert.Equal("coupon-10-percent", result.CustomerDiscount.Id);
+        Assert.Equal(10m, result.CustomerDiscount.PercentOff);
+        // Verify the second discount was not selected
+        Assert.NotEqual("coupon-20-percent", result.CustomerDiscount.Id);
+        Assert.NotEqual(20m, result.CustomerDiscount.PercentOff);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithNullCustomer_HandlesGracefully(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange - Subscription with null Customer (defensive null check scenario)
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = null, // Customer not expanded or null
+            Discounts = new List<Discount>(), // Empty discounts
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Should handle null Customer gracefully without throwing NullReferenceException
+        Assert.Null(result.CustomerDiscount);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithNullDiscounts_HandlesGracefully(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange - Subscription with null Discounts (defensive null check scenario)
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer
+            {
+                Discount = null // No customer discount
+            },
+            Discounts = null, // Discounts not expanded or null
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        sutProvider.GetDependency<IStripeAdapter>()
+            .GetSubscriptionAsync(
+                subscriber.GatewaySubscriptionId,
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Should handle null Discounts gracefully without throwing NullReferenceException
+        Assert.Null(result.CustomerDiscount);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_VerifiesCorrectExpandOptions(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.Gateway = GatewayType.Stripe;
+        subscriber.GatewayCustomerId = "cus_test123";
+        subscriber.GatewaySubscriptionId = "sub_test123";
+
+        var subscription = new Subscription
+        {
+            Id = "sub_test123",
+            Status = "active",
+            CollectionMethod = "charge_automatically",
+            Customer = new Customer { Discount = null },
+            Discounts = new List<Discount>(), // Empty list
+            Items = new StripeList<SubscriptionItem> { Data = [] }
+        };
+
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+        stripeAdapter
+            .GetSubscriptionAsync(
+                Arg.Any<string>(),
+                Arg.Any<SubscriptionGetOptions>())
+            .Returns(subscription);
+
+        // Act
+        await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert - Verify expand options are correct
+        await stripeAdapter.Received(1).GetSubscriptionAsync(
+            subscriber.GatewaySubscriptionId,
+            Arg.Is<SubscriptionGetOptions>(o =>
+                o.Expand.Contains("customer.discount.coupon.applies_to") &&
+                o.Expand.Contains("discounts.coupon.applies_to") &&
+                o.Expand.Contains("test_clock")));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetSubscriptionAsync_WithEmptyGatewaySubscriptionId_ReturnsEmptySubscriptionInfo(
+        SutProvider<StripePaymentService> sutProvider,
+        User subscriber)
+    {
+        // Arrange
+        subscriber.GatewaySubscriptionId = null;
+
+        // Act
+        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Null(result.Subscription);
+        Assert.Null(result.CustomerDiscount);
+        Assert.Null(result.UpcomingInvoice);
+
+        // Verify no Stripe API calls were made
+        await sutProvider.GetDependency<IStripeAdapter>()
+            .DidNotReceive()
+            .GetSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
+    }
+}

test/Core.Test/Billing/Services/SubscriberServiceTests.cs

@@ -3,10 +3,10 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 using Bit.Core.Billing.Tax.Models;
 using Bit.Core.Enums;
-using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -44,7 +44,7 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         await ThrowsBillingExceptionAsync(() =>
@@ -52,11 +52,11 @@ public class SubscriberServiceTests
 
         await stripeAdapter
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+            .UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
 
         await stripeAdapter
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionCancelAsync(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
+            .CancelSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
     }
 
     [Theory, BitAutoData]
@@ -81,7 +81,7 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         var offboardingSurveyResponse = new OffboardingSurveyResponse
@@ -95,12 +95,12 @@ public class SubscriberServiceTests
 
         await stripeAdapter
             .Received(1)
-            .SubscriptionUpdateAsync(subscriptionId, Arg.Is<SubscriptionUpdateOptions>(
+            .UpdateSubscriptionAsync(subscriptionId, Arg.Is<SubscriptionUpdateOptions>(
                 options => options.Metadata["cancellingUserId"] == userId.ToString()));
 
         await stripeAdapter
             .Received(1)
-            .SubscriptionCancelAsync(subscriptionId, Arg.Is<SubscriptionCancelOptions>(options =>
+            .CancelSubscriptionAsync(subscriptionId, Arg.Is<SubscriptionCancelOptions>(options =>
                 options.CancellationDetails.Comment == offboardingSurveyResponse.Feedback &&
                 options.CancellationDetails.Feedback == offboardingSurveyResponse.Reason));
     }
@@ -127,7 +127,7 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         var offboardingSurveyResponse = new OffboardingSurveyResponse
@@ -141,11 +141,11 @@ public class SubscriberServiceTests
 
         await stripeAdapter
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+            .UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
 
         await stripeAdapter
             .Received(1)
-            .SubscriptionCancelAsync(subscriptionId, Arg.Is<SubscriptionCancelOptions>(options =>
+            .CancelSubscriptionAsync(subscriptionId, Arg.Is<SubscriptionCancelOptions>(options =>
                 options.CancellationDetails.Comment == offboardingSurveyResponse.Feedback &&
                 options.CancellationDetails.Feedback == offboardingSurveyResponse.Reason));
     }
@@ -170,7 +170,7 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         var offboardingSurveyResponse = new OffboardingSurveyResponse
@@ -184,7 +184,7 @@ public class SubscriberServiceTests
 
         await stripeAdapter
             .Received(1)
-            .SubscriptionUpdateAsync(subscriptionId, Arg.Is<SubscriptionUpdateOptions>(options =>
+            .UpdateSubscriptionAsync(subscriptionId, Arg.Is<SubscriptionUpdateOptions>(options =>
                 options.CancelAtPeriodEnd == true &&
                 options.CancellationDetails.Comment == offboardingSurveyResponse.Feedback &&
                 options.CancellationDetails.Feedback == offboardingSurveyResponse.Reason &&
@@ -192,7 +192,7 @@ public class SubscriberServiceTests
 
         await stripeAdapter
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionCancelAsync(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
+            .CancelSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionCancelOptions>());
     }
 
     #endregion
@@ -223,7 +223,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .ReturnsNull();
 
         var customer = await sutProvider.Sut.GetCustomer(organization);
@@ -237,7 +237,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .ThrowsAsync<StripeException>();
 
         var customer = await sutProvider.Sut.GetCustomer(organization);
@@ -253,7 +253,7 @@ public class SubscriberServiceTests
         var customer = new Customer();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .Returns(customer);
 
         var gotCustomer = await sutProvider.Sut.GetCustomer(organization);
@@ -287,7 +287,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .ReturnsNull();
 
         await ThrowsBillingExceptionAsync(async () => await sutProvider.Sut.GetCustomerOrThrow(organization));
@@ -301,7 +301,7 @@ public class SubscriberServiceTests
         var stripeException = new StripeException();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .ThrowsAsync(stripeException);
 
         await ThrowsBillingExceptionAsync(
@@ -318,7 +318,7 @@ public class SubscriberServiceTests
         var customer = new Customer();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId)
+            .GetCustomerAsync(organization.GatewayCustomerId)
             .Returns(customer);
 
         var gotCustomer = await sutProvider.Sut.GetCustomerOrThrow(organization);
@@ -328,157 +328,6 @@ public class SubscriberServiceTests
 
     #endregion
 
-    #region GetPaymentMethod
-
-    [Theory, BitAutoData]
-    public async Task GetPaymentMethod_NullSubscriber_ThrowsArgumentNullException(
-        SutProvider<SubscriberService> sutProvider) =>
-        await Assert.ThrowsAsync<ArgumentNullException>(() => sutProvider.Sut.GetPaymentSource(null));
-
-    [Theory, BitAutoData]
-    public async Task GetPaymentMethod_WithNegativeStripeAccountBalance_ReturnsCorrectAccountCreditAmount(Organization organization,
-        SutProvider<SubscriberService> sutProvider)
-    {
-        // Arrange
-        // Stripe reports balance in cents as a negative number for credit
-        const int stripeAccountBalance = -593; // $5.93 credit (negative cents)
-        const decimal creditAmount = 5.93M;    // Same value in dollars
-
-
-        var customer = new Customer
-        {
-            Balance = stripeAccountBalance,
-            Subscriptions = new StripeList<Subscription>()
-            {
-                Data =
-                [new Subscription { Id = organization.GatewaySubscriptionId, Status = "active" }]
-            },
-            InvoiceSettings = new CustomerInvoiceSettings
-            {
-                DefaultPaymentMethod = new PaymentMethod
-                {
-                    Type = StripeConstants.PaymentMethodTypes.USBankAccount,
-                    UsBankAccount = new PaymentMethodUsBankAccount { BankName = "Chase", Last4 = "9999" }
-                }
-            }
-        };
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(organization.GatewayCustomerId,
-                Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
-                                                      options.Expand.Contains("invoice_settings.default_payment_method")
-                                                      && options.Expand.Contains("subscriptions")
-                                                      && options.Expand.Contains("tax_ids")))
-            .Returns(customer);
-
-        // Act
-        var result = await sutProvider.Sut.GetPaymentMethod(organization);
-
-        // Assert
-        Assert.NotNull(result);
-        Assert.Equal(creditAmount, result.AccountCredit);
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerGetAsync(
-            organization.GatewayCustomerId,
-            Arg.Is<CustomerGetOptions>(options =>
-                options.Expand.Contains("default_source") &&
-                options.Expand.Contains("invoice_settings.default_payment_method") &&
-                options.Expand.Contains("subscriptions") &&
-                options.Expand.Contains("tax_ids")));
-
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetPaymentMethod_WithZeroStripeAccountBalance_ReturnsCorrectAccountCreditAmount(
-        Organization organization, SutProvider<SubscriberService> sutProvider)
-    {
-        // Arrange
-        const int stripeAccountBalance = 0;
-
-        var customer = new Customer
-        {
-            Balance = stripeAccountBalance,
-            Subscriptions = new StripeList<Subscription>()
-            {
-                Data =
-                [new Subscription { Id = organization.GatewaySubscriptionId, Status = "active" }]
-            },
-            InvoiceSettings = new CustomerInvoiceSettings
-            {
-                DefaultPaymentMethod = new PaymentMethod
-                {
-                    Type = StripeConstants.PaymentMethodTypes.USBankAccount,
-                    UsBankAccount = new PaymentMethodUsBankAccount { BankName = "Chase", Last4 = "9999" }
-                }
-            }
-        };
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(organization.GatewayCustomerId,
-                Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
-                                                      options.Expand.Contains("invoice_settings.default_payment_method")
-                                                      && options.Expand.Contains("subscriptions")
-                                                      && options.Expand.Contains("tax_ids")))
-            .Returns(customer);
-
-        // Act
-        var result = await sutProvider.Sut.GetPaymentMethod(organization);
-
-        // Assert
-        Assert.NotNull(result);
-        Assert.Equal(0, result.AccountCredit);
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerGetAsync(
-            organization.GatewayCustomerId,
-            Arg.Is<CustomerGetOptions>(options =>
-                options.Expand.Contains("default_source") &&
-                options.Expand.Contains("invoice_settings.default_payment_method") &&
-                options.Expand.Contains("subscriptions") &&
-                options.Expand.Contains("tax_ids")));
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetPaymentMethod_WithPositiveStripeAccountBalance_ReturnsCorrectAccountCreditAmount(
-        Organization organization, SutProvider<SubscriberService> sutProvider)
-    {
-        // Arrange
-        const int stripeAccountBalance = 593; // $5.93 charge balance
-        const decimal accountBalance = -5.93M;    // account balance
-        var customer = new Customer
-        {
-            Balance = stripeAccountBalance,
-            Subscriptions = new StripeList<Subscription>()
-            {
-                Data =
-                [new Subscription { Id = organization.GatewaySubscriptionId, Status = "active" }]
-            },
-            InvoiceSettings = new CustomerInvoiceSettings
-            {
-                DefaultPaymentMethod = new PaymentMethod
-                {
-                    Type = StripeConstants.PaymentMethodTypes.USBankAccount,
-                    UsBankAccount = new PaymentMethodUsBankAccount { BankName = "Chase", Last4 = "9999" }
-                }
-            }
-        };
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(organization.GatewayCustomerId,
-                Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
-                                                      options.Expand.Contains("invoice_settings.default_payment_method")
-                                                      && options.Expand.Contains("subscriptions")
-                                                      && options.Expand.Contains("tax_ids")))
-            .Returns(customer);
-
-        // Act
-        var result = await sutProvider.Sut.GetPaymentMethod(organization);
-
-        // Assert
-        Assert.NotNull(result);
-        Assert.Equal(accountBalance, result.AccountCredit);
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerGetAsync(
-            organization.GatewayCustomerId,
-            Arg.Is<CustomerGetOptions>(options =>
-                options.Expand.Contains("default_source") &&
-                options.Expand.Contains("invoice_settings.default_payment_method") &&
-                options.Expand.Contains("subscriptions") &&
-                options.Expand.Contains("tax_ids")));
-
-    }
-    #endregion
-
     #region GetPaymentSource
 
     [Theory, BitAutoData]
@@ -502,7 +351,7 @@ public class SubscriberServiceTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(
                     options => options.Expand.Contains("default_source") &&
                                options.Expand.Contains("invoice_settings.default_payment_method")))
@@ -539,7 +388,7 @@ public class SubscriberServiceTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(
                     options => options.Expand.Contains("default_source") &&
                                options.Expand.Contains("invoice_settings.default_payment_method")))
@@ -593,7 +442,7 @@ public class SubscriberServiceTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(
                     options => options.Expand.Contains("default_source") &&
                                options.Expand.Contains("invoice_settings.default_payment_method")))
@@ -629,7 +478,7 @@ public class SubscriberServiceTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(
                     options => options.Expand.Contains("default_source") &&
                                options.Expand.Contains("invoice_settings.default_payment_method")))
@@ -649,7 +498,7 @@ public class SubscriberServiceTests
     {
         var customer = new Customer { Id = provider.GatewayCustomerId };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
                                                       options.Expand.Contains(
                                                           "invoice_settings.default_payment_method")))
@@ -672,7 +521,7 @@ public class SubscriberServiceTests
 
         sutProvider.GetDependency<ISetupIntentCache>().GetSetupIntentIdForSubscriber(provider.Id).Returns(setupIntent.Id);
 
-        sutProvider.GetDependency<IStripeAdapter>().SetupIntentGet(setupIntent.Id,
+        sutProvider.GetDependency<IStripeAdapter>().GetSetupIntentAsync(setupIntent.Id,
             Arg.Is<SetupIntentGetOptions>(options => options.Expand.Contains("payment_method"))).Returns(setupIntent);
 
         var paymentMethod = await sutProvider.Sut.GetPaymentSource(provider);
@@ -692,7 +541,7 @@ public class SubscriberServiceTests
             DefaultSource = new BankAccount { Status = "verified", BankName = "Chase", Last4 = "9999" }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
                                                       options.Expand.Contains(
                                                           "invoice_settings.default_payment_method")))
@@ -715,7 +564,7 @@ public class SubscriberServiceTests
             DefaultSource = new Card { Brand = "Visa", Last4 = "9999", ExpMonth = 9, ExpYear = 2028 }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(options => options.Expand.Contains("default_source") &&
                                                       options.Expand.Contains(
                                                           "invoice_settings.default_payment_method")))
@@ -747,7 +596,7 @@ public class SubscriberServiceTests
             }
         };
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId,
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(
                     options => options.Expand.Contains("default_source") &&
                                options.Expand.Contains("invoice_settings.default_payment_method")))
@@ -787,7 +636,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .ReturnsNull();
 
         var subscription = await sutProvider.Sut.GetSubscription(organization);
@@ -801,7 +650,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .ThrowsAsync<StripeException>();
 
         var subscription = await sutProvider.Sut.GetSubscription(organization);
@@ -817,7 +666,7 @@ public class SubscriberServiceTests
         var subscription = new Subscription();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         var gotSubscription = await sutProvider.Sut.GetSubscription(organization);
@@ -849,7 +698,7 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .ReturnsNull();
 
         await ThrowsBillingExceptionAsync(async () => await sutProvider.Sut.GetSubscriptionOrThrow(organization));
@@ -863,7 +712,7 @@ public class SubscriberServiceTests
         var stripeException = new StripeException();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .ThrowsAsync(stripeException);
 
         await ThrowsBillingExceptionAsync(
@@ -880,7 +729,7 @@ public class SubscriberServiceTests
         var subscription = new Subscription();
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(organization.GatewaySubscriptionId)
+            .GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(subscription);
 
         var gotSubscription = await sutProvider.Sut.GetSubscriptionOrThrow(organization);
@@ -889,65 +738,6 @@ public class SubscriberServiceTests
     }
     #endregion
 
-    #region GetTaxInformation
-
-    [Theory, BitAutoData]
-    public async Task GetTaxInformation_NullSubscriber_ThrowsArgumentNullException(
-        SutProvider<SubscriberService> sutProvider) =>
-        await Assert.ThrowsAsync<ArgumentNullException>(() => sutProvider.Sut.GetTaxInformation(null));
-
-    [Theory, BitAutoData]
-    public async Task GetTaxInformation_NullAddress_ReturnsNull(
-        Organization organization,
-        SutProvider<SubscriberService> sutProvider)
-    {
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
-            .Returns(new Customer());
-
-        var taxInformation = await sutProvider.Sut.GetTaxInformation(organization);
-
-        Assert.Null(taxInformation);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetTaxInformation_Success(
-        Organization organization,
-        SutProvider<SubscriberService> sutProvider)
-    {
-        var address = new Address
-        {
-            Country = "US",
-            PostalCode = "12345",
-            Line1 = "123 Example St.",
-            Line2 = "Unit 1",
-            City = "Example Town",
-            State = "NY"
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
-            .Returns(new Customer
-            {
-                Address = address,
-                TaxIds = new StripeList<TaxId>
-                {
-                    Data = [new TaxId { Value = "tax_id" }]
-                }
-            });
-
-        var taxInformation = await sutProvider.Sut.GetTaxInformation(organization);
-
-        Assert.NotNull(taxInformation);
-        Assert.Equal(address.Country, taxInformation.Country);
-        Assert.Equal(address.PostalCode, taxInformation.PostalCode);
-        Assert.Equal("tax_id", taxInformation.TaxId);
-        Assert.Equal(address.Line1, taxInformation.Line1);
-        Assert.Equal(address.Line2, taxInformation.Line2);
-        Assert.Equal(address.City, taxInformation.City);
-        Assert.Equal(address.State, taxInformation.State);
-    }
-
-    #endregion
-
     #region RemovePaymentMethod
     [Theory, BitAutoData]
     public async Task RemovePaymentMethod_NullSubscriber_ThrowsArgumentNullException(
@@ -970,7 +760,7 @@ public class SubscriberServiceTests
         };
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         var (braintreeGateway, customerGateway, paymentMethodGateway) = SetupBraintree(sutProvider.GetDependency<IBraintreeGateway>());
@@ -1005,7 +795,7 @@ public class SubscriberServiceTests
         };
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         var (_, customerGateway, paymentMethodGateway) = SetupBraintree(sutProvider.GetDependency<IBraintreeGateway>());
@@ -1042,7 +832,7 @@ public class SubscriberServiceTests
         };
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         var (_, customerGateway, paymentMethodGateway) = SetupBraintree(sutProvider.GetDependency<IBraintreeGateway>());
@@ -1097,7 +887,7 @@ public class SubscriberServiceTests
         };
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         var (_, customerGateway, paymentMethodGateway) = SetupBraintree(sutProvider.GetDependency<IBraintreeGateway>());
@@ -1156,21 +946,21 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         stripeAdapter
-            .PaymentMethodListAutoPagingAsync(Arg.Any<PaymentMethodListOptions>())
+            .ListPaymentMethodsAutoPagingAsync(Arg.Any<PaymentMethodListOptions>())
             .Returns(GetPaymentMethodsAsync(new List<PaymentMethod>()));
 
         await sutProvider.Sut.RemovePaymentSource(organization);
 
-        await stripeAdapter.Received(1).BankAccountDeleteAsync(stripeCustomer.Id, bankAccountId);
+        await stripeAdapter.Received(1).DeleteBankAccountAsync(stripeCustomer.Id, bankAccountId);
 
-        await stripeAdapter.Received(1).CardDeleteAsync(stripeCustomer.Id, cardId);
+        await stripeAdapter.Received(1).DeleteCardAsync(stripeCustomer.Id, cardId);
 
         await stripeAdapter.DidNotReceiveWithAnyArgs()
-            .PaymentMethodDetachAsync(Arg.Any<string>(), Arg.Any<PaymentMethodDetachOptions>());
+            .DetachPaymentMethodAsync(Arg.Any<string>(), Arg.Any<PaymentMethodDetachOptions>());
     }
 
     [Theory, BitAutoData]
@@ -1188,11 +978,11 @@ public class SubscriberServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         stripeAdapter
-            .CustomerGetAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
+            .GetCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerGetOptions>())
             .Returns(stripeCustomer);
 
         stripeAdapter
-            .PaymentMethodListAutoPagingAsync(Arg.Any<PaymentMethodListOptions>())
+            .ListPaymentMethodsAutoPagingAsync(Arg.Any<PaymentMethodListOptions>())
             .Returns(GetPaymentMethodsAsync(new List<PaymentMethod>
             {
                 new ()
@@ -1207,15 +997,15 @@ public class SubscriberServiceTests
 
         await sutProvider.Sut.RemovePaymentSource(organization);
 
-        await stripeAdapter.DidNotReceiveWithAnyArgs().BankAccountDeleteAsync(Arg.Any<string>(), Arg.Any<string>());
+        await stripeAdapter.DidNotReceiveWithAnyArgs().DeleteBankAccountAsync(Arg.Any<string>(), Arg.Any<string>());
 
-        await stripeAdapter.DidNotReceiveWithAnyArgs().CardDeleteAsync(Arg.Any<string>(), Arg.Any<string>());
+        await stripeAdapter.DidNotReceiveWithAnyArgs().DeleteCardAsync(Arg.Any<string>(), Arg.Any<string>());
 
         await stripeAdapter.Received(1)
-            .PaymentMethodDetachAsync(bankAccountId);
+            .DetachPaymentMethodAsync(bankAccountId);
 
         await stripeAdapter.Received(1)
-            .PaymentMethodDetachAsync(cardId);
+            .DetachPaymentMethodAsync(cardId);
     }
 
     private static async IAsyncEnumerable<PaymentMethod> GetPaymentMethodsAsync(
@@ -1260,7 +1050,7 @@ public class SubscriberServiceTests
         Provider provider,
         SutProvider<SubscriberService> sutProvider)
     {
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer());
 
         await ThrowsBillingExceptionAsync(() =>
@@ -1272,7 +1062,7 @@ public class SubscriberServiceTests
         Provider provider,
         SutProvider<SubscriberService> sutProvider)
     {
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer());
 
         await ThrowsBillingExceptionAsync(() =>
@@ -1286,10 +1076,10 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId)
+        stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer());
 
-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options => options.PaymentMethod == "TOKEN"))
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options => options.PaymentMethod == "TOKEN"))
             .Returns([new SetupIntent(), new SetupIntent()]);
 
         await ThrowsBillingExceptionAsync(() =>
@@ -1303,7 +1093,7 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerGetAsync(
+        stripeAdapter.GetCustomerAsync(
                 provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
@@ -1317,10 +1107,10 @@ public class SubscriberServiceTests
 
         var matchingSetupIntent = new SetupIntent { Id = "setup_intent_1" };
 
-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options => options.PaymentMethod == "TOKEN"))
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options => options.PaymentMethod == "TOKEN"))
             .Returns([matchingSetupIntent]);
 
-        stripeAdapter.CustomerListPaymentMethods(provider.GatewayCustomerId).Returns([
+        stripeAdapter.ListCustomerPaymentMethodsAsync(provider.GatewayCustomerId).Returns([
             new PaymentMethod { Id = "payment_method_1" }
         ]);
 
@@ -1329,12 +1119,12 @@ public class SubscriberServiceTests
 
         await sutProvider.GetDependency<ISetupIntentCache>().Received(1).Set(provider.Id, "setup_intent_1");
 
-        await stripeAdapter.DidNotReceive().SetupIntentCancel(Arg.Any<string>(),
+        await stripeAdapter.DidNotReceive().CancelSetupIntentAsync(Arg.Any<string>(),
             Arg.Any<SetupIntentCancelOptions>());
 
-        await stripeAdapter.Received(1).PaymentMethodDetachAsync("payment_method_1");
+        await stripeAdapter.Received(1).DetachPaymentMethodAsync("payment_method_1");
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
+        await stripeAdapter.Received(1).UpdateCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
             options => options.Metadata[Core.Billing.Utilities.BraintreeCustomerIdKey] == null));
     }
 
@@ -1345,7 +1135,7 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerGetAsync(
+        stripeAdapter.GetCustomerAsync(
                 provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids"))
                 )
@@ -1358,22 +1148,22 @@ public class SubscriberServiceTests
                 }
             });
 
-        stripeAdapter.CustomerListPaymentMethods(provider.GatewayCustomerId).Returns([
+        stripeAdapter.ListCustomerPaymentMethodsAsync(provider.GatewayCustomerId).Returns([
             new PaymentMethod { Id = "payment_method_1" }
         ]);
 
         await sutProvider.Sut.UpdatePaymentSource(provider,
             new TokenizedPaymentSource(PaymentMethodType.Card, "TOKEN"));
 
-        await stripeAdapter.DidNotReceive().SetupIntentCancel(Arg.Any<string>(),
+        await stripeAdapter.DidNotReceive().CancelSetupIntentAsync(Arg.Any<string>(),
             Arg.Any<SetupIntentCancelOptions>());
 
-        await stripeAdapter.Received(1).PaymentMethodDetachAsync("payment_method_1");
+        await stripeAdapter.Received(1).DetachPaymentMethodAsync("payment_method_1");
 
-        await stripeAdapter.Received(1).PaymentMethodAttachAsync("TOKEN", Arg.Is<PaymentMethodAttachOptions>(
+        await stripeAdapter.Received(1).AttachPaymentMethodAsync("TOKEN", Arg.Is<PaymentMethodAttachOptions>(
             options => options.Customer == provider.GatewayCustomerId));
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
+        await stripeAdapter.Received(1).UpdateCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
             options =>
                 options.InvoiceSettings.DefaultPaymentMethod == "TOKEN" &&
                 options.Metadata[Core.Billing.Utilities.BraintreeCustomerIdKey] == null));
@@ -1386,7 +1176,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1412,7 +1202,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1450,7 +1240,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(
                 provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
@@ -1504,7 +1294,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(
                 provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
@@ -1573,7 +1363,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(provider.GatewayCustomerId)
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId
@@ -1605,7 +1395,7 @@ public class SubscriberServiceTests
                 new TokenizedPaymentSource(PaymentMethodType.PayPal, "TOKEN")));
 
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+            .UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -1615,7 +1405,7 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+        sutProvider.GetDependency<IStripeAdapter>().GetCustomerAsync(
                 provider.GatewayCustomerId,
                 Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
@@ -1652,7 +1442,7 @@ public class SubscriberServiceTests
         await sutProvider.Sut.UpdatePaymentSource(provider,
             new TokenizedPaymentSource(PaymentMethodType.PayPal, "TOKEN"));
 
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerUpdateAsync(provider.GatewayCustomerId,
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateCustomerAsync(provider.GatewayCustomerId,
             Arg.Is<CustomerUpdateOptions>(
                 options => options.Metadata[Core.Billing.Utilities.BraintreeCustomerIdKey] == braintreeCustomerId));
     }
@@ -1683,7 +1473,7 @@ public class SubscriberServiceTests
 
         var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] } };
 
-        stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
+        stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
             options => options.Expand.Contains("tax_ids"))).Returns(customer);
 
         var taxInformation = new TaxInformation(
@@ -1697,7 +1487,7 @@ public class SubscriberServiceTests
             "NY");
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 Arg.Is<string>(p => p == provider.GatewayCustomerId),
                 Arg.Is<CustomerUpdateOptions>(options =>
                     options.Address.Country == "US" &&
@@ -1732,12 +1522,12 @@ public class SubscriberServiceTests
             });
 
         var subscription = new Subscription { Items = new StripeList<SubscriptionItem>() };
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(Arg.Any<string>())
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(Arg.Any<string>())
             .Returns(subscription);
 
         await sutProvider.Sut.UpdateTaxInformation(provider, taxInformation);
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
+        await stripeAdapter.Received(1).UpdateCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
             options =>
                 options.Address.Country == taxInformation.Country &&
                 options.Address.PostalCode == taxInformation.PostalCode &&
@@ -1746,13 +1536,13 @@ public class SubscriberServiceTests
                 options.Address.City == taxInformation.City &&
                 options.Address.State == taxInformation.State));
 
-        await stripeAdapter.Received(1).TaxIdDeleteAsync(provider.GatewayCustomerId, "tax_id_1");
+        await stripeAdapter.Received(1).DeleteTaxIdAsync(provider.GatewayCustomerId, "tax_id_1");
 
-        await stripeAdapter.Received(1).TaxIdCreateAsync(provider.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
+        await stripeAdapter.Received(1).CreateTaxIdAsync(provider.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
             options => options.Type == "us_ein" &&
                        options.Value == taxInformation.TaxId));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
@@ -1765,7 +1555,7 @@ public class SubscriberServiceTests
 
         var customer = new Customer { Id = provider.GatewayCustomerId, TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] } };
 
-        stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
+        stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerGetOptions>(
             options => options.Expand.Contains("tax_ids"))).Returns(customer);
 
         var taxInformation = new TaxInformation(
@@ -1779,7 +1569,7 @@ public class SubscriberServiceTests
             "NY");
 
         sutProvider.GetDependency<IStripeAdapter>()
-            .CustomerUpdateAsync(
+            .UpdateCustomerAsync(
                 Arg.Is<string>(p => p == provider.GatewayCustomerId),
                 Arg.Is<CustomerUpdateOptions>(options =>
                     options.Address.Country == "CA" &&
@@ -1815,12 +1605,12 @@ public class SubscriberServiceTests
             });
 
         var subscription = new Subscription { Items = new StripeList<SubscriptionItem>() };
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(Arg.Any<string>())
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(Arg.Any<string>())
             .Returns(subscription);
 
         await sutProvider.Sut.UpdateTaxInformation(provider, taxInformation);
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
+        await stripeAdapter.Received(1).UpdateCustomerAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
             options =>
                 options.Address.Country == taxInformation.Country &&
                 options.Address.PostalCode == taxInformation.PostalCode &&
@@ -1829,63 +1619,21 @@ public class SubscriberServiceTests
                 options.Address.City == taxInformation.City &&
                 options.Address.State == taxInformation.State));
 
-        await stripeAdapter.Received(1).TaxIdDeleteAsync(provider.GatewayCustomerId, "tax_id_1");
+        await stripeAdapter.Received(1).DeleteTaxIdAsync(provider.GatewayCustomerId, "tax_id_1");
 
-        await stripeAdapter.Received(1).TaxIdCreateAsync(provider.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
+        await stripeAdapter.Received(1).CreateTaxIdAsync(provider.GatewayCustomerId, Arg.Is<TaxIdCreateOptions>(
             options => options.Type == "us_ein" &&
                        options.Value == taxInformation.TaxId));
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId,
+        await stripeAdapter.Received(1).UpdateCustomerAsync(provider.GatewayCustomerId,
             Arg.Is<CustomerUpdateOptions>(options => options.TaxExempt == StripeConstants.TaxExempt.Reverse));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options => options.AutomaticTax.Enabled == true));
     }
 
     #endregion
 
-    #region VerifyBankAccount
-
-    [Theory, BitAutoData]
-    public async Task VerifyBankAccount_NoSetupIntentId_ThrowsBillingException(
-        Provider provider,
-        SutProvider<SubscriberService> sutProvider) => await ThrowsBillingExceptionAsync(() => sutProvider.Sut.VerifyBankAccount(provider, ""));
-
-    [Theory, BitAutoData]
-    public async Task VerifyBankAccount_MakesCorrectInvocations(
-        Provider provider,
-        SutProvider<SubscriberService> sutProvider)
-    {
-        const string descriptorCode = "SM1234";
-
-        var setupIntent = new SetupIntent
-        {
-            Id = "setup_intent_id",
-            PaymentMethodId = "payment_method_id"
-        };
-
-        sutProvider.GetDependency<ISetupIntentCache>().GetSetupIntentIdForSubscriber(provider.Id).Returns(setupIntent.Id);
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-
-        stripeAdapter.SetupIntentGet(setupIntent.Id).Returns(setupIntent);
-
-        await sutProvider.Sut.VerifyBankAccount(provider, descriptorCode);
-
-        await stripeAdapter.Received(1).SetupIntentVerifyMicroDeposit(setupIntent.Id,
-            Arg.Is<SetupIntentVerifyMicrodepositsOptions>(
-                options => options.DescriptorCode == descriptorCode));
-
-        await stripeAdapter.Received(1).PaymentMethodAttachAsync(setupIntent.PaymentMethodId,
-            Arg.Is<PaymentMethodAttachOptions>(
-                options => options.Customer == provider.GatewayCustomerId));
-
-        await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
-            options => options.InvoiceSettings.DefaultPaymentMethod == setupIntent.PaymentMethodId));
-    }
-
-    #endregion
-
     #region IsValidGatewayCustomerIdAsync
 
     [Theory, BitAutoData]
@@ -1907,7 +1655,7 @@ public class SubscriberServiceTests
 
         Assert.True(result);
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerGetAsync(Arg.Any<string>());
+            .GetCustomerAsync(Arg.Any<string>());
     }
 
     [Theory, BitAutoData]
@@ -1921,7 +1669,7 @@ public class SubscriberServiceTests
 
         Assert.True(result);
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerGetAsync(Arg.Any<string>());
+            .GetCustomerAsync(Arg.Any<string>());
     }
 
     [Theory, BitAutoData]
@@ -1930,12 +1678,12 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.CustomerGetAsync(organization.GatewayCustomerId).Returns(new Customer());
+        stripeAdapter.GetCustomerAsync(organization.GatewayCustomerId).Returns(new Customer());
 
         var result = await sutProvider.Sut.IsValidGatewayCustomerIdAsync(organization);
 
         Assert.True(result);
-        await stripeAdapter.Received(1).CustomerGetAsync(organization.GatewayCustomerId);
+        await stripeAdapter.Received(1).GetCustomerAsync(organization.GatewayCustomerId);
     }
 
     [Theory, BitAutoData]
@@ -1945,12 +1693,12 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var stripeException = new StripeException { StripeError = new StripeError { Code = "resource_missing" } };
-        stripeAdapter.CustomerGetAsync(organization.GatewayCustomerId).Throws(stripeException);
+        stripeAdapter.GetCustomerAsync(organization.GatewayCustomerId).Throws(stripeException);
 
         var result = await sutProvider.Sut.IsValidGatewayCustomerIdAsync(organization);
 
         Assert.False(result);
-        await stripeAdapter.Received(1).CustomerGetAsync(organization.GatewayCustomerId);
+        await stripeAdapter.Received(1).GetCustomerAsync(organization.GatewayCustomerId);
     }
 
     #endregion
@@ -1976,7 +1724,7 @@ public class SubscriberServiceTests
 
         Assert.True(result);
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .SubscriptionGetAsync(Arg.Any<string>());
+            .GetSubscriptionAsync(Arg.Any<string>());
     }
 
     [Theory, BitAutoData]
@@ -1990,7 +1738,7 @@ public class SubscriberServiceTests
 
         Assert.True(result);
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .SubscriptionGetAsync(Arg.Any<string>());
+            .GetSubscriptionAsync(Arg.Any<string>());
     }
 
     [Theory, BitAutoData]
@@ -1999,12 +1747,12 @@ public class SubscriberServiceTests
         SutProvider<SubscriberService> sutProvider)
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.SubscriptionGetAsync(organization.GatewaySubscriptionId).Returns(new Subscription());
+        stripeAdapter.GetSubscriptionAsync(organization.GatewaySubscriptionId).Returns(new Subscription());
 
         var result = await sutProvider.Sut.IsValidGatewaySubscriptionIdAsync(organization);
 
         Assert.True(result);
-        await stripeAdapter.Received(1).SubscriptionGetAsync(organization.GatewaySubscriptionId);
+        await stripeAdapter.Received(1).GetSubscriptionAsync(organization.GatewaySubscriptionId);
     }
 
     [Theory, BitAutoData]
@@ -2014,12 +1762,12 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var stripeException = new StripeException { StripeError = new StripeError { Code = "resource_missing" } };
-        stripeAdapter.SubscriptionGetAsync(organization.GatewaySubscriptionId).Throws(stripeException);
+        stripeAdapter.GetSubscriptionAsync(organization.GatewaySubscriptionId).Throws(stripeException);
 
         var result = await sutProvider.Sut.IsValidGatewaySubscriptionIdAsync(organization);
 
         Assert.False(result);
-        await stripeAdapter.Received(1).SubscriptionGetAsync(organization.GatewaySubscriptionId);
+        await stripeAdapter.Received(1).GetSubscriptionAsync(organization.GatewaySubscriptionId);
     }
 
     #endregion

test/Core.Test/Billing/Subscriptions/RestartSubscriptionCommandTests.cs

@@ -6,7 +6,6 @@ using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Subscriptions.Commands;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using NSubstitute;
 using Stripe;
 using Xunit;
@@ -98,13 +97,13 @@ public class RestartSubscriptionCommandTests
         };
 
         _subscriberService.GetSubscription(organization).Returns(existingSubscription);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
 
         var result = await _command.Run(organization);
 
         Assert.True(result.IsT0);
 
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is((SubscriptionCreateOptions options) =>
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is((SubscriptionCreateOptions options) =>
             options.AutomaticTax.Enabled == true &&
             options.CollectionMethod == CollectionMethod.ChargeAutomatically &&
             options.Customer == "cus_123" &&
@@ -154,13 +153,13 @@ public class RestartSubscriptionCommandTests
         };
 
         _subscriberService.GetSubscription(provider).Returns(existingSubscription);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
 
         var result = await _command.Run(provider);
 
         Assert.True(result.IsT0);
 
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
 
         await _providerRepository.Received(1).ReplaceAsync(Arg.Is<Provider>(prov =>
             prov.Id == providerId &&
@@ -199,13 +198,13 @@ public class RestartSubscriptionCommandTests
         };
 
         _subscriberService.GetSubscription(user).Returns(existingSubscription);
-        _stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
+        _stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(newSubscription);
 
         var result = await _command.Run(user);
 
         Assert.True(result.IsT0);
 
-        await _stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+        await _stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
 
         await _userRepository.Received(1).ReplaceAsync(Arg.Is<User>(u =>
             u.Id == userId &&

test/Core.Test/Context/CurrentContextTests.cs

@@ -107,30 +107,6 @@ public class CurrentContextTests
         Assert.Equal(deviceType, sutProvider.Sut.DeviceType);
     }
 
-    [Theory, BitAutoData]
-    public async Task BuildAsync_HttpContext_SetsCloudflareFlags(
-        SutProvider<CurrentContext> sutProvider)
-    {
-        var httpContext = new DefaultHttpContext();
-        var globalSettings = new Core.Settings.GlobalSettings();
-        sutProvider.Sut.BotScore = null;
-        // Arrange
-        var botScore = 85;
-        httpContext.Request.Headers["X-Cf-Bot-Score"] = botScore.ToString();
-        httpContext.Request.Headers["X-Cf-Worked-Proxied"] = "1";
-        httpContext.Request.Headers["X-Cf-Is-Bot"] = "1";
-        httpContext.Request.Headers["X-Cf-Maybe-Bot"] = "1";
-
-        // Act
-        await sutProvider.Sut.BuildAsync(httpContext, globalSettings);
-
-        // Assert
-        Assert.True(sutProvider.Sut.CloudflareWorkerProxied);
-        Assert.True(sutProvider.Sut.IsBot);
-        Assert.True(sutProvider.Sut.MaybeBot);
-        Assert.Equal(botScore, sutProvider.Sut.BotScore);
-    }
-
     [Theory, BitAutoData]
     public async Task BuildAsync_HttpContext_SetsClientVersion(
         SutProvider<CurrentContext> sutProvider)

test/Core.Test/KeyManagement/Queries/KeyConnectorConfirmationDetailsQueryTests.cs

@@ -0,0 +1,86 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Queries;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Queries;
+
+[SutProviderCustomize]
+public class KeyConnectorConfirmationDetailsQueryTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task Run_OrganizationNotFound_Throws(SutProvider<KeyConnectorConfirmationDetailsQuery> sutProvider,
+        Guid userId, string orgSsoIdentifier)
+    {
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Run(orgSsoIdentifier, userId));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ReceivedWithAnyArgs(0)
+            .GetByOrganizationAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Run_OrganizationNotKeyConnector_Throws(
+        SutProvider<KeyConnectorConfirmationDetailsQuery> sutProvider,
+        Guid userId, string orgSsoIdentifier, Organization org)
+    {
+        org.Identifier = orgSsoIdentifier;
+        org.UseKeyConnector = false;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdentifierAsync(orgSsoIdentifier).Returns(org);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Run(orgSsoIdentifier, userId));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ReceivedWithAnyArgs(0)
+            .GetByOrganizationAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Run_OrganizationUserNotFound_Throws(SutProvider<KeyConnectorConfirmationDetailsQuery> sutProvider,
+        Guid userId, string orgSsoIdentifier
+        , Organization org)
+    {
+        org.Identifier = orgSsoIdentifier;
+        org.UseKeyConnector = true;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdentifierAsync(orgSsoIdentifier).Returns(org);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(Arg.Any<Guid>(), Arg.Any<Guid>()).Returns(Task.FromResult<OrganizationUser>(null));
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Run(orgSsoIdentifier, userId));
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetByOrganizationAsync(org.Id, userId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Run_Success(SutProvider<KeyConnectorConfirmationDetailsQuery> sutProvider, Guid userId,
+        string orgSsoIdentifier
+        , Organization org, OrganizationUser orgUser)
+    {
+        org.Identifier = orgSsoIdentifier;
+        org.UseKeyConnector = true;
+        orgUser.OrganizationId = org.Id;
+        orgUser.UserId = userId;
+
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdentifierAsync(orgSsoIdentifier).Returns(org);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(org.Id, userId)
+            .Returns(orgUser);
+
+        var result = await sutProvider.Sut.Run(orgSsoIdentifier, userId);
+
+        Assert.Equal(org.Name, result.OrganizationName);
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .GetByOrganizationAsync(org.Id, userId);
+    }
+}

test/Core.Test/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommandTestsBase.cs

@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -12,7 +13,7 @@ public abstract class CancelSponsorshipCommandTestsBase : FamiliesForEnterpriseT
     protected async Task AssertRemovedSponsoredPaymentAsync<T>(Organization sponsoredOrg,
 OrganizationSponsorship sponsorship, SutProvider<T> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>().Received(1)
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1)
             .RemoveOrganizationSponsorshipAsync(sponsoredOrg, sponsorship);
         await sutProvider.GetDependency<IOrganizationRepository>().Received(1).UpsertAsync(sponsoredOrg);
         if (sponsorship != null)
@@ -46,7 +47,7 @@ OrganizationSponsorship sponsorship, SutProvider<T> sutProvider)
 
     protected static async Task AssertDidNotRemoveSponsoredPaymentAsync<T>(SutProvider<T> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>().DidNotReceiveWithAnyArgs()
+        await sutProvider.GetDependency<IStripePaymentService>().DidNotReceiveWithAnyArgs()
             .RemoveOrganizationSponsorshipAsync(default, default);
         await sutProvider.GetDependency<IOrganizationRepository>().DidNotReceiveWithAnyArgs()
             .UpsertAsync(default);

test/Core.Test/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommandTests.cs

@@ -1,10 +1,10 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.OrganizationSponsorshipFixtures;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -82,7 +82,7 @@ public class SetUpSponsorshipCommandTests : FamiliesForEnterpriseTestsBase
 
     private static async Task AssertDidNotSetUpAsync(SutProvider<SetUpSponsorshipCommand> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>()
+        await sutProvider.GetDependency<IStripePaymentService>()
             .DidNotReceiveWithAnyArgs()
             .SponsorOrganizationAsync(default, default);
         await sutProvider.GetDependency<IOrganizationRepository>()

test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs

@@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.StaticStore;
@@ -54,7 +55,7 @@ public class AddSecretsManagerSubscriptionCommandTests
                 c.AdditionalServiceAccounts == additionalServiceAccounts &&
                 c.AdditionalSeats == organization.Seats.GetValueOrDefault()));
 
-        await sutProvider.GetDependency<IPaymentService>().Received()
+        await sutProvider.GetDependency<IStripePaymentService>().Received()
             .AddSecretsManagerToSubscription(organization, plan, additionalSmSeats, additionalServiceAccounts);
 
         // TODO: call ReferenceEventService - see AC-1481
@@ -150,7 +151,7 @@ public class AddSecretsManagerSubscriptionCommandTests
 
     private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>().DidNotReceive()
+        await sutProvider.GetDependency<IStripePaymentService>().DidNotReceive()
             .AddSecretsManagerToSubscription(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>(), Arg.Any<int>());
 
         // TODO: call ReferenceEventService - see AC-1481

test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpdateSecretsManagerSubscriptionCommandTests.cs

@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -86,9 +87,9 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
-        await sutProvider.GetDependency<IPaymentService>().Received(1)
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1)
             .AdjustSmSeatsAsync(organization, plan, update.SmSeatsExcludingBase);
-        await sutProvider.GetDependency<IPaymentService>().Received(1)
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1)
             .AdjustServiceAccountsAsync(organization, plan, update.SmServiceAccountsExcludingBase);
 
         // TODO: call ReferenceEventService - see AC-1481
@@ -136,9 +137,9 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
-        await sutProvider.GetDependency<IPaymentService>().Received(1)
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1)
             .AdjustSmSeatsAsync(organization, plan, update.SmSeatsExcludingBase);
-        await sutProvider.GetDependency<IPaymentService>().Received(1)
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1)
             .AdjustServiceAccountsAsync(organization, plan, update.SmServiceAccountsExcludingBase);
 
         // TODO: call ReferenceEventService - see AC-1481
@@ -258,7 +259,7 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
         await sutProvider.Sut.UpdateSubscriptionAsync(update);
 
-        await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustServiceAccountsAsync(
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1).AdjustServiceAccountsAsync(
             Arg.Is<Organization>(o => o.Id == organizationId),
             plan,
             expectedSmServiceAccountsExcludingBase);
@@ -779,9 +780,9 @@ public class UpdateSecretsManagerSubscriptionCommandTests
 
     private static async Task VerifyDependencyNotCalledAsync(SutProvider<UpdateSecretsManagerSubscriptionCommand> sutProvider)
     {
-        await sutProvider.GetDependency<IPaymentService>().DidNotReceive()
+        await sutProvider.GetDependency<IStripePaymentService>().DidNotReceive()
             .AdjustSmSeatsAsync(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>());
-        await sutProvider.GetDependency<IPaymentService>().DidNotReceive()
+        await sutProvider.GetDependency<IStripePaymentService>().DidNotReceive()
             .AdjustServiceAccountsAsync(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>());
         // TODO: call ReferenceEventService - see AC-1481
         await sutProvider.GetDependency<IMailService>().DidNotReceive()

test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/UpgradeOrganizationPlanCommandTests.cs

@@ -1,5 +1,6 @@
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@@ -121,7 +122,7 @@ public class UpgradeOrganizationPlanCommandTests
                 Users = 1
             });
         await sutProvider.Sut.UpgradePlanAsync(organization.Id, organizationUpgrade);
-        await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustSubscription(
+        await sutProvider.GetDependency<IStripePaymentService>().Received(1).AdjustSubscription(
             organization,
             MockPlans.Get(planType),
             organizationUpgrade.AdditionalSeats,

test/Core.Test/Services/SendGridMailDeliveryServiceTests.cs

@@ -74,7 +74,7 @@ public class SendGridMailDeliveryServiceTests : IDisposable
                 Assert.Equal(mailMessage.HtmlContent, msg.HtmlContent);
                 Assert.Equal(mailMessage.TextContent, msg.PlainTextContent);
 
-                Assert.Contains("type:Cateogry", msg.Categories);
+                Assert.Contains("type:Category", msg.Categories);
                 Assert.Contains(msg.Categories, x => x.StartsWith("env:"));
                 Assert.Contains(msg.Categories, x => x.StartsWith("sender:"));
 

test/Core.Test/Services/StripePaymentServiceTests.cs

@@ -1,914 +0,0 @@
-using Bit.Core.Billing.Constants;
-using Bit.Core.Billing.Enums;
-using Bit.Core.Billing.Pricing;
-using Bit.Core.Billing.Tax.Requests;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-using Bit.Core.Services;
-using Bit.Core.Test.Billing.Mocks.Plans;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using NSubstitute;
-using Stripe;
-using Xunit;
-
-namespace Bit.Core.Test.Services;
-
-[SutProviderCustomize]
-public class StripePaymentServiceTests
-{
-    [Theory]
-    [BitAutoData]
-    public async Task
-        PreviewInvoiceAsync_ForOrganization_CalculatesSalesTaxCorrectlyForFamiliesWithoutAdditionalStorage(
-            SutProvider<StripePaymentService> sutProvider)
-    {
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager =
-                new OrganizationPasswordManagerRequestModel
-                {
-                    Plan = PlanType.FamiliesAnnually,
-                    AdditionalStorage = 0
-                },
-            TaxInformation = new TaxInformationRequestModel { Country = "FR", PostalCode = "12345" }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(p =>
-                p.Currency == "usd" &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripePlanId &&
-                    x.Quantity == 1) &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripeStoragePlanId &&
-                    x.Quantity == 0)))
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 4000,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 800 }],
-                Total = 4800
-            });
-
-        var actual = await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        Assert.Equal(8M, actual.TaxAmount);
-        Assert.Equal(48M, actual.TotalAmount);
-        Assert.Equal(40M, actual.TaxableBaseAmount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_ForOrganization_CalculatesSalesTaxCorrectlyForFamiliesWithAdditionalStorage(
-        SutProvider<StripePaymentService> sutProvider)
-    {
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager =
-                new OrganizationPasswordManagerRequestModel
-                {
-                    Plan = PlanType.FamiliesAnnually,
-                    AdditionalStorage = 1
-                },
-            TaxInformation = new TaxInformationRequestModel { Country = "FR", PostalCode = "12345" }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(p =>
-                p.Currency == "usd" &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripePlanId &&
-                    x.Quantity == 1) &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripeStoragePlanId &&
-                    x.Quantity == 1)))
-            .Returns(new Invoice { TotalExcludingTax = 4000, TotalTaxes = [new InvoiceTotalTax { Amount = 800 }], Total = 4800 });
-
-        var actual = await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        Assert.Equal(8M, actual.TaxAmount);
-        Assert.Equal(48M, actual.TotalAmount);
-        Assert.Equal(40M, actual.TaxableBaseAmount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task
-        PreviewInvoiceAsync_ForOrganization_CalculatesSalesTaxCorrectlyForFamiliesForEnterpriseWithoutAdditionalStorage(
-            SutProvider<StripePaymentService> sutProvider)
-    {
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually,
-                SponsoredPlan = PlanSponsorshipType.FamiliesForEnterprise,
-                AdditionalStorage = 0
-            },
-            TaxInformation = new TaxInformationRequestModel { Country = "FR", PostalCode = "12345" }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(p =>
-                p.Currency == "usd" &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == "2021-family-for-enterprise-annually" &&
-                    x.Quantity == 1) &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripeStoragePlanId &&
-                    x.Quantity == 0)))
-            .Returns(new Invoice { TotalExcludingTax = 0, TotalTaxes = [new InvoiceTotalTax { Amount = 0 }], Total = 0 });
-
-        var actual = await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        Assert.Equal(0M, actual.TaxAmount);
-        Assert.Equal(0M, actual.TotalAmount);
-        Assert.Equal(0M, actual.TaxableBaseAmount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task
-        PreviewInvoiceAsync_ForOrganization_CalculatesSalesTaxCorrectlyForFamiliesForEnterpriseWithAdditionalStorage(
-            SutProvider<StripePaymentService> sutProvider)
-    {
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually,
-                SponsoredPlan = PlanSponsorshipType.FamiliesForEnterprise,
-                AdditionalStorage = 1
-            },
-            TaxInformation = new TaxInformationRequestModel { Country = "FR", PostalCode = "12345" }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(p =>
-                p.Currency == "usd" &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == "2021-family-for-enterprise-annually" &&
-                    x.Quantity == 1) &&
-                p.SubscriptionDetails.Items.Any(x =>
-                    x.Plan == familiesPlan.PasswordManager.StripeStoragePlanId &&
-                    x.Quantity == 1)))
-            .Returns(new Invoice { TotalExcludingTax = 400, TotalTaxes = [new InvoiceTotalTax { Amount = 8 }], Total = 408 });
-
-        var actual = await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        Assert.Equal(0.08M, actual.TaxAmount);
-        Assert.Equal(4.08M, actual.TotalAmount);
-        Assert.Equal(4M, actual.TaxableBaseAmount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_USBased_PersonalUse_SetsAutomaticTaxEnabled(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "US",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.AutomaticTax.Enabled == true
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_USBased_BusinessUse_SetsAutomaticTaxEnabled(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var plan = new EnterprisePlan(true);
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.EnterpriseAnnually))
-            .Returns(plan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.EnterpriseAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "US",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.AutomaticTax.Enabled == true
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_NonUSBased_PersonalUse_SetsAutomaticTaxEnabled(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "FR",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.AutomaticTax.Enabled == true
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_NonUSBased_BusinessUse_SetsAutomaticTaxEnabled(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var plan = new EnterprisePlan(true);
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.EnterpriseAnnually))
-            .Returns(plan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.EnterpriseAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "FR",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.AutomaticTax.Enabled == true
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_USBased_PersonalUse_DoesNotSetTaxExempt(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "US",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.CustomerDetails.TaxExempt == null
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_USBased_BusinessUse_DoesNotSetTaxExempt(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var plan = new EnterprisePlan(true);
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.EnterpriseAnnually))
-            .Returns(plan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.EnterpriseAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "US",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.CustomerDetails.TaxExempt == null
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_NonUSBased_PersonalUse_DoesNotSetTaxExempt(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var familiesPlan = new FamiliesPlan();
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
-            .Returns(familiesPlan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.FamiliesAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "FR",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.CustomerDetails.TaxExempt == null
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PreviewInvoiceAsync_NonUSBased_BusinessUse_SetsTaxExemptReverse(SutProvider<StripePaymentService> sutProvider)
-    {
-        // Arrange
-        var plan = new EnterprisePlan(true);
-        sutProvider.GetDependency<IPricingClient>()
-            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.EnterpriseAnnually))
-            .Returns(plan);
-
-        var parameters = new PreviewOrganizationInvoiceRequestBody
-        {
-            PasswordManager = new OrganizationPasswordManagerRequestModel
-            {
-                Plan = PlanType.EnterpriseAnnually
-            },
-            TaxInformation = new TaxInformationRequestModel
-            {
-                Country = "FR",
-                PostalCode = "12345"
-            }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .InvoiceCreatePreviewAsync(Arg.Any<InvoiceCreatePreviewOptions>())
-            .Returns(new Invoice
-            {
-                TotalExcludingTax = 400,
-                TotalTaxes = [new InvoiceTotalTax { Amount = 8 }],
-                Total = 408
-            });
-
-        // Act
-        await sutProvider.Sut.PreviewInvoiceAsync(parameters, null, null);
-
-        // Assert
-        await stripeAdapter.Received(1).InvoiceCreatePreviewAsync(Arg.Is<InvoiceCreatePreviewOptions>(options =>
-            options.CustomerDetails.TaxExempt == StripeConstants.TaxExempt.Reverse
-        ));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithCustomerDiscount_ReturnsDiscountFromCustomer(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var customerDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
-                PercentOff = 20m,
-                AmountOff = 1400
-            },
-            End = null
-        };
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = customerDiscount
-            },
-            Discounts = new List<Discount>(), // Empty list
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert
-        Assert.NotNull(result.CustomerDiscount);
-        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
-        Assert.Equal(20m, result.CustomerDiscount.PercentOff);
-        Assert.Equal(14.00m, result.CustomerDiscount.AmountOff); // Converted from cents
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithoutCustomerDiscount_FallsBackToSubscriptionDiscounts(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var subscriptionDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
-                PercentOff = 15m,
-                AmountOff = null
-            },
-            End = null
-        };
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = null // No customer discount
-            },
-            Discounts = new List<Discount> { subscriptionDiscount },
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Should use subscription discount as fallback
-        Assert.NotNull(result.CustomerDiscount);
-        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
-        Assert.Equal(15m, result.CustomerDiscount.PercentOff);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithBothDiscounts_PrefersCustomerDiscount(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var customerDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = StripeConstants.CouponIDs.Milestone2SubscriptionDiscount,
-                PercentOff = 25m
-            },
-            End = null
-        };
-
-        var subscriptionDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = "different-coupon-id",
-                PercentOff = 10m
-            },
-            End = null
-        };
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = customerDiscount // Should prefer this
-            },
-            Discounts = new List<Discount> { subscriptionDiscount },
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Should prefer customer discount over subscription discount
-        Assert.NotNull(result.CustomerDiscount);
-        Assert.Equal(StripeConstants.CouponIDs.Milestone2SubscriptionDiscount, result.CustomerDiscount.Id);
-        Assert.Equal(25m, result.CustomerDiscount.PercentOff);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithNoDiscounts_ReturnsNullDiscount(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = null
-            },
-            Discounts = new List<Discount>(), // Empty list, no discounts
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert
-        Assert.Null(result.CustomerDiscount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithMultipleSubscriptionDiscounts_SelectsFirstDiscount(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange - Multiple subscription-level discounts, no customer discount
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var firstDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = "coupon-10-percent",
-                PercentOff = 10m
-            },
-            End = null
-        };
-
-        var secondDiscount = new Discount
-        {
-            Coupon = new Coupon
-            {
-                Id = "coupon-20-percent",
-                PercentOff = 20m
-            },
-            End = null
-        };
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = null // No customer discount
-            },
-            // Multiple subscription discounts - FirstOrDefault() should select the first one
-            Discounts = new List<Discount> { firstDiscount, secondDiscount },
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Should select the first discount from the list (FirstOrDefault() behavior)
-        Assert.NotNull(result.CustomerDiscount);
-        Assert.Equal("coupon-10-percent", result.CustomerDiscount.Id);
-        Assert.Equal(10m, result.CustomerDiscount.PercentOff);
-        // Verify the second discount was not selected
-        Assert.NotEqual("coupon-20-percent", result.CustomerDiscount.Id);
-        Assert.NotEqual(20m, result.CustomerDiscount.PercentOff);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithNullCustomer_HandlesGracefully(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange - Subscription with null Customer (defensive null check scenario)
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = null, // Customer not expanded or null
-            Discounts = new List<Discount>(), // Empty discounts
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Should handle null Customer gracefully without throwing NullReferenceException
-        Assert.Null(result.CustomerDiscount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithNullDiscounts_HandlesGracefully(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange - Subscription with null Discounts (defensive null check scenario)
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer
-            {
-                Discount = null // No customer discount
-            },
-            Discounts = null, // Discounts not expanded or null
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        sutProvider.GetDependency<IStripeAdapter>()
-            .SubscriptionGetAsync(
-                subscriber.GatewaySubscriptionId,
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Should handle null Discounts gracefully without throwing NullReferenceException
-        Assert.Null(result.CustomerDiscount);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_VerifiesCorrectExpandOptions(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.Gateway = GatewayType.Stripe;
-        subscriber.GatewayCustomerId = "cus_test123";
-        subscriber.GatewaySubscriptionId = "sub_test123";
-
-        var subscription = new Subscription
-        {
-            Id = "sub_test123",
-            Status = "active",
-            CollectionMethod = "charge_automatically",
-            Customer = new Customer { Discount = null },
-            Discounts = new List<Discount>(), // Empty list
-            Items = new StripeList<SubscriptionItem> { Data = [] }
-        };
-
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter
-            .SubscriptionGetAsync(
-                Arg.Any<string>(),
-                Arg.Any<SubscriptionGetOptions>())
-            .Returns(subscription);
-
-        // Act
-        await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert - Verify expand options are correct
-        await stripeAdapter.Received(1).SubscriptionGetAsync(
-            subscriber.GatewaySubscriptionId,
-            Arg.Is<SubscriptionGetOptions>(o =>
-                o.Expand.Contains("customer.discount.coupon.applies_to") &&
-                o.Expand.Contains("discounts.coupon.applies_to") &&
-                o.Expand.Contains("test_clock")));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task GetSubscriptionAsync_WithEmptyGatewaySubscriptionId_ReturnsEmptySubscriptionInfo(
-        SutProvider<StripePaymentService> sutProvider,
-        User subscriber)
-    {
-        // Arrange
-        subscriber.GatewaySubscriptionId = null;
-
-        // Act
-        var result = await sutProvider.Sut.GetSubscriptionAsync(subscriber);
-
-        // Assert
-        Assert.NotNull(result);
-        Assert.Null(result.Subscription);
-        Assert.Null(result.CustomerDiscount);
-        Assert.Null(result.UpcomingInvoice);
-
-        // Verify no Stripe API calls were made
-        await sutProvider.GetDependency<IStripeAdapter>()
-            .DidNotReceive()
-            .SubscriptionGetAsync(Arg.Any<string>(), Arg.Any<SubscriptionGetOptions>());
-    }
-}

test/Core.Test/Utilities/EventIntegrationsCacheConstantsTests.cs

@@ -1,4 +1,5 @@
-using Bit.Core.Utilities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Xunit;
 
@@ -11,8 +12,12 @@ public class EventIntegrationsCacheConstantsTests
     {
         var expected = $"Group:{groupId:N}";
         var key = EventIntegrationsCacheConstants.BuildCacheKeyForGroup(groupId);
+        var keyWithDifferentGroup = EventIntegrationsCacheConstants.BuildCacheKeyForGroup(Guid.NewGuid());
+        var keyWithSameGroup = EventIntegrationsCacheConstants.BuildCacheKeyForGroup(groupId);
 
         Assert.Equal(expected, key);
+        Assert.NotEqual(key, keyWithDifferentGroup);
+        Assert.Equal(key, keyWithSameGroup);
     }
 
     [Theory, BitAutoData]
@@ -20,8 +25,55 @@ public class EventIntegrationsCacheConstantsTests
     {
         var expected = $"Organization:{orgId:N}";
         var key = EventIntegrationsCacheConstants.BuildCacheKeyForOrganization(orgId);
+        var keyWithDifferentOrg = EventIntegrationsCacheConstants.BuildCacheKeyForOrganization(Guid.NewGuid());
+        var keyWithSameOrg = EventIntegrationsCacheConstants.BuildCacheKeyForOrganization(orgId);
 
         Assert.Equal(expected, key);
+        Assert.NotEqual(key, keyWithDifferentOrg);
+        Assert.Equal(key, keyWithSameOrg);
+    }
+
+    [Theory, BitAutoData]
+    public void BuildCacheKeyForOrganizationIntegrationConfigurationDetails_ReturnsExpectedKey(Guid orgId)
+    {
+        var integrationType = IntegrationType.Hec;
+
+        var expectedWithEvent = $"OrganizationIntegrationConfigurationDetails:{orgId:N}:Hec:User_LoggedIn";
+        var keyWithEvent = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+            orgId, integrationType, EventType.User_LoggedIn);
+        var keyWithDifferentEvent = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+            orgId, integrationType, EventType.Cipher_Created);
+        var keyWithDifferentIntegration = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+            orgId, IntegrationType.Webhook, EventType.User_LoggedIn);
+        var keyWithDifferentOrganization = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+            Guid.NewGuid(), integrationType, EventType.User_LoggedIn);
+        var keyWithSameDetails = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationIntegrationConfigurationDetails(
+            orgId, integrationType, EventType.User_LoggedIn);
+
+        Assert.Equal(expectedWithEvent, keyWithEvent);
+        Assert.NotEqual(keyWithEvent, keyWithDifferentEvent);
+        Assert.NotEqual(keyWithEvent, keyWithDifferentIntegration);
+        Assert.NotEqual(keyWithEvent, keyWithDifferentOrganization);
+        Assert.Equal(keyWithEvent, keyWithSameDetails);
+    }
+
+    [Theory, BitAutoData]
+    public void BuildCacheTagForOrganizationIntegration_ReturnsExpectedKey(Guid orgId)
+    {
+        var expected = $"OrganizationIntegration:{orgId:N}:Hec";
+        var tag = EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+            orgId, IntegrationType.Hec);
+        var tagWithDifferentOrganization = EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+            Guid.NewGuid(), IntegrationType.Hec);
+        var tagWithDifferentIntegrationType = EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+            orgId, IntegrationType.Webhook);
+        var tagWithSameDetails = EventIntegrationsCacheConstants.BuildCacheTagForOrganizationIntegration(
+            orgId, IntegrationType.Hec);
+
+        Assert.Equal(expected, tag);
+        Assert.NotEqual(tag, tagWithDifferentOrganization);
+        Assert.NotEqual(tag, tagWithDifferentIntegrationType);
+        Assert.Equal(tag, tagWithSameDetails);
     }
 
     [Theory, BitAutoData]
@@ -29,8 +81,14 @@ public class EventIntegrationsCacheConstantsTests
     {
         var expected = $"OrganizationUserUserDetails:{orgId:N}:{userId:N}";
         var key = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationUser(orgId, userId);
+        var keyWithDifferentOrg = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationUser(Guid.NewGuid(), userId);
+        var keyWithDifferentUser = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationUser(orgId, Guid.NewGuid());
+        var keyWithSameDetails = EventIntegrationsCacheConstants.BuildCacheKeyForOrganizationUser(orgId, userId);
 
         Assert.Equal(expected, key);
+        Assert.NotEqual(key, keyWithDifferentOrg);
+        Assert.NotEqual(key, keyWithDifferentUser);
+        Assert.Equal(key, keyWithSameDetails);
     }
 
     [Fact]
@@ -38,4 +96,13 @@ public class EventIntegrationsCacheConstantsTests
     {
         Assert.Equal("EventIntegrations", EventIntegrationsCacheConstants.CacheName);
     }
+
+    [Fact]
+    public void DurationForOrganizationIntegrationConfigurationDetails_ReturnsExpected()
+    {
+        Assert.Equal(
+            TimeSpan.FromDays(1),
+            EventIntegrationsCacheConstants.DurationForOrganizationIntegrationConfigurationDetails
+        );
+    }
 }