Merge branch 'main' into renovate/yamldotnet-16.x

.claude/CLAUDE.md

@@ -1,24 +1,29 @@
 # Bitwarden Server - Claude Code Configuration
 
+## Project Context Files
+
+**Read these files before reviewing to ensure that you fully understand the project and contributing guidelines**
+
+1. @README.md
+2. @CONTRIBUTING.md
+3. @.github/PULL_REQUEST_TEMPLATE.md
+
 ## Critical Rules
 
-- **NEVER** edit: `/bin/`, `/obj/`, `/.git/`, `/.vs/`, `/packages/` which are generated files
 - **NEVER** use code regions: If complexity suggests regions, refactor for better readability
+
 - **NEVER** compromise zero-knowledge principles: User vault data must remain encrypted and inaccessible to Bitwarden
+
 - **NEVER** log or expose sensitive data: No PII, passwords, keys, or vault data in logs or error messages
+
 - **ALWAYS** use secure communication channels: Enforce confidentiality, integrity, and authenticity
+
 - **ALWAYS** encrypt sensitive data: All vault data must be encrypted at rest, in transit, and in use
+
 - **ALWAYS** prioritize cryptographic integrity and data protection
+
 - **ALWAYS** add unit tests (with mocking) for any new feature development
 
-## Project Context
-
-- **Architecture**: Feature and team-based organization
-- **Framework**: .NET 8.0, ASP.NET Core
-- **Database**: SQL Server primary, EF Core supports PostgreSQL, MySQL/MariaDB, SQLite
-- **Testing**: xUnit, NSubstitute
-- **Container**: Docker, Docker Compose, Kubernetes/Helm deployable
-
 ## Project Structure
 
 - **Source Code**: `/src/` - Services and core infrastructure
@@ -42,7 +47,7 @@
 - **Database update**: `pwsh dev/migrate.ps1`
 - **Generate OpenAPI**: `pwsh dev/generate_openapi_files.ps1`
 
-## Code Review Checklist
+## Development Workflow
 
 - Security impact assessed
 - xUnit tests added / updated

.editorconfig

@@ -123,3 +123,12 @@ csharp_style_namespace_declarations = file_scoped:warning
 # Switch expression
 dotnet_diagnostic.CS8509.severity = error # missing switch case for named enum value
 dotnet_diagnostic.CS8524.severity = none # missing switch case for unnamed enum value
+
+# CA2253: Named placeholders should nto be numeric values
+dotnet_diagnostic.CA2253.severity = suggestion
+
+# CA2254: Template should be a static expression
+dotnet_diagnostic.CA2254.severity = warning
+
+# CA1727: Use PascalCase for named placeholders
+dotnet_diagnostic.CA1727.severity = suggestion

.github/CODEOWNERS

@@ -36,6 +36,7 @@ util/Setup/** @bitwarden/dept-bre @bitwarden/team-platform-dev
 
 # UIF
 src/Core/MailTemplates/Mjml @bitwarden/team-ui-foundation # Teams are expected to own sub-directories of this project
+src/Core/MailTemplates/Mjml/.mjmlconfig # This change allows teams to add components within their own subdirectories without requiring a code review from UIF.
 
 # Auth team
 **/Auth @bitwarden/team-auth-dev
@@ -52,6 +53,11 @@ src/Core/IdentityServer @bitwarden/team-auth-dev
 
 # Dirt (Data Insights & Reporting) team
 **/Dirt @bitwarden/team-data-insights-and-reporting-dev
+src/Events @bitwarden/team-data-insights-and-reporting-dev
+src/EventsProcessor @bitwarden/team-data-insights-and-reporting-dev
+test/Events.IntegrationTest @bitwarden/team-data-insights-and-reporting-dev
+test/Events.Test @bitwarden/team-data-insights-and-reporting-dev
+test/EventsProcessor.Test @bitwarden/team-data-insights-and-reporting-dev
 
 # Vault team
 **/Vault @bitwarden/team-vault-dev
@@ -62,8 +68,6 @@ src/Core/IdentityServer @bitwarden/team-auth-dev
 bitwarden_license/src/Scim @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.IntegrationTest @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.ScimTest @bitwarden/team-admin-console-dev
-src/Events @bitwarden/team-admin-console-dev
-src/EventsProcessor @bitwarden/team-admin-console-dev
 
 # Billing team
 **/*billing* @bitwarden/team-billing-dev
@@ -96,6 +100,14 @@ src/Admin/Views/Tools @bitwarden/team-billing-dev
 # The PushType enum is expected to be editted by anyone without need for Platform review
 src/Core/Platform/Push/PushType.cs
 
+# SDK
+util/RustSdk @bitwarden/team-sdk-sme
+
 # Multiple owners - DO NOT REMOVE (BRE)
 **/packages.lock.json
 Directory.Build.props
+
+# Claude related files
+.claude/ @bitwarden/team-ai-sme
+.github/workflows/respond.yml @bitwarden/team-ai-sme
+.github/workflows/review-code.yml @bitwarden/team-ai-sme

.github/ISSUE_TEMPLATE/bw-lite.yml

@@ -1,6 +1,6 @@
-name: Bitwarden Unified Deployment Bug Report
+name: Bitwarden lite Deployment Bug Report
 description: File a bug report
-labels: [bug, bw-unified-deploy]
+labels: [bug, bw-lite-deploy]
 body:
   - type: markdown
     attributes:
@@ -70,15 +70,6 @@ body:
         mariadb:10
         # Postgres Example
         postgres:14
-  - type: textarea
-    id: epic-label
-    attributes:
-      label: Issue-Link
-      description: Link to our pinned issue, tracking all Bitwarden Unified
-      value: |
-        https://github.com/bitwarden/server/issues/2480
-    validations:
-      required: true
   - type: checkboxes
     id: issue-tracking-info
     attributes:

.github/renovate.json5

@@ -2,6 +2,7 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: ["github>bitwarden/renovate-config"], // Extends our default configuration for pinned dependencies
   enabledManagers: [
+    "cargo",
     "dockerfile",
     "docker-compose",
     "github-actions",
@@ -9,32 +10,7 @@
     "nuget",
   ],
   packageRules: [
-    {
-      groupName: "dockerfile minor",
-      matchManagers: ["dockerfile"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "docker-compose minor",
-      matchManagers: ["docker-compose"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "github-action minor",
-      matchManagers: ["github-actions"],
-      matchUpdateTypes: ["minor"],
-      addLabels: ["hold"],
-    },
-    {
-      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
-      // This overrides the default that ignores patch updates for nuget dependencies.
-      matchPackageNames: [
-          "/^Microsoft\\.Extensions\\./",
-          "/^Microsoft\\.AspNetCore\\./",
-      ],
-      matchUpdateTypes: ["patch"],
-      dependencyDashboardApproval: false,
-    },
+    // ==================== Team Ownership Rules ====================
     {
       matchManagers: ["dockerfile", "docker-compose"],
       commitMessagePrefix: "[deps] BRE:",
@@ -53,11 +29,11 @@
     },
     {
       matchPackageNames: [
-        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
         "DuoUniversal",
         "Fido2.AspNet",
         "Duende.IdentityServer",
         "Microsoft.AspNetCore.Authentication.JwtBearer",
+        "Microsoft.Extensions.Caching.Cosmos",
         "Microsoft.Extensions.Identity.Stores",
         "Otp.NET",
         "Sustainsys.Saml2.AspNetCore2",
@@ -80,11 +56,7 @@
         "Microsoft.AspNetCore.Mvc.Testing",
         "Newtonsoft.Json",
         "NSubstitute",
-        "Sentry.Serilog",
-        "Serilog.AspNetCore",
-        "Serilog.Extensions.Logging",
         "Serilog.Extensions.Logging.File",
-        "Serilog.Sinks.SyslogMessages",
         "Stripe.net",
         "Swashbuckle.AspNetCore",
         "Swashbuckle.AspNetCore.SwaggerGen",
@@ -95,11 +67,6 @@
       commitMessagePrefix: "[deps] Billing:",
       reviewers: ["team:team-billing-dev"],
     },
-    {
-      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
-      groupName: "EntityFrameworkCore",
-      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
-    },
     {
       matchPackageNames: [
         "Dapper",
@@ -131,6 +98,7 @@
         "AspNetCoreRateLimit",
         "AspNetCoreRateLimit.Redis",
         "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
         "Azure.Messaging.EventGrid",
         "Azure.Messaging.ServiceBus",
         "Azure.Storage.Blobs",
@@ -146,7 +114,6 @@
         "Microsoft.Extensions.DependencyInjection",
         "Microsoft.Extensions.Logging",
         "Microsoft.Extensions.Logging.Console",
-        "Microsoft.Extensions.Caching.Cosmos",
         "Microsoft.Extensions.Caching.SqlServer",
         "Microsoft.Extensions.Caching.StackExchangeRedis",
         "Quartz",
@@ -155,6 +122,12 @@
       commitMessagePrefix: "[deps] Platform:",
       reviewers: ["team:team-platform-dev"],
     },
+    {
+      matchUpdateTypes: ["lockFileMaintenance"],
+      description: "Platform owns lock file maintenance",
+      commitMessagePrefix: "[deps] Platform:",
+      reviewers: ["team:team-platform-dev"],
+    },
     {
       matchPackageNames: [
         "AutoMapper.Extensions.Microsoft.DependencyInjection",
@@ -184,6 +157,73 @@
       commitMessagePrefix: "[deps] Vault:",
       reviewers: ["team:team-vault-dev"],
     },
+
+    // ==================== Grouping Rules ====================
+    // These come after any specific team assignment rules to ensure
+    // that grouping is not overridden by subsequent rule definitions.
+    {
+      groupName: "cargo minor",
+      matchManagers: ["cargo"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "dockerfile minor",
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "docker-compose minor",
+      matchManagers: ["docker-compose"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "github-action minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor"],
+      addLabels: ["hold"],
+    },
+    {
+      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
+      groupName: "EntityFrameworkCore",
+      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: ["https://github.com/bitwarden/sdk-internal.git"],
+      groupName: "sdk-internal",
+      dependencyDashboardApproval: true
+    },
+
+    // ==================== Dashboard Rules ====================
+    {
+      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
+      // This overrides the default that ignores patch updates for nuget dependencies.
+      matchPackageNames: [
+          "/^Microsoft\\.Extensions\\./",
+          "/^Microsoft\\.AspNetCore\\./",
+      ],
+      matchUpdateTypes: ["patch"],
+      dependencyDashboardApproval: false,
+    },
+    {
+      // For the Platform-owned dependencies below, we have decided we will only be creating PRs
+      // for major updates, and sending minor (as well as patch, inherited from base config) to the dashboard.
+      // This rule comes AFTER grouping rules so that groups are respected while still
+      // sending minor/patch updates to the dependency dashboard for approval.
+      matchPackageNames: [
+        "AspNetCoreRateLimit",
+        "AspNetCoreRateLimit.Redis",
+        "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
+        "Azure.Messaging.EventGrid",
+        "Azure.Messaging.ServiceBus",
+        "Azure.Storage.Blobs",
+        "Azure.Storage.Queues",
+        "LaunchDarkly.ServerSdk",
+        "Quartz",
+      ],
+      matchUpdateTypes: ["minor"],
+      dependencyDashboardApproval: true,
+    },
   ],
   ignoreDeps: ["dotnet-sdk"],
 }

.github/workflows/_move_edd_db_scripts.yml

@@ -38,21 +38,22 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false
 
       - name: Get script prefix
         id: prefix
-        run: echo "prefix=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+        run: echo "prefix=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
 
       - name: Check if any files in DB transition or finalization directories
         id: check-script-existence
         run: |
           if [ -f util/Migrator/DbScripts_transition/* -o -f util/Migrator/DbScripts_finalization/* ]; then
-            echo "copy_edd_scripts=true" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=true" >> "$GITHUB_OUTPUT"
           else
-            echo "copy_edd_scripts=false" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=false" >> "$GITHUB_OUTPUT"
           fi
 
   move-scripts:
@@ -67,20 +68,21 @@ jobs:
     if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          persist-credentials: true
 
       - name: Generate branch name
         id: branch_name
         env:
           PREFIX: ${{ needs.setup.outputs.migration_filename_prefix }}
-        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> $GITHUB_OUTPUT
+        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> "$GITHUB_OUTPUT"
 
       - name: "Create branch"
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-        run: git switch -c $BRANCH
+        run: git switch -c "$BRANCH"
 
       - name: Move scripts and finalization database schema
         id: move-files
@@ -120,7 +122,7 @@ jobs:
 
           # sync finalization schema back to dbo, maintaining structure
           rsync -r "$src_dir/" "$dest_dir/"
-          rm -rf $src_dir/*
+          rm -rf "${src_dir}"/*
 
           # Replace any finalization references due to the move
           find ./src/Sql/dbo -name "*.sql" -type f -exec sed -i \
@@ -131,7 +133,7 @@ jobs:
             moved_files="$moved_files \n $file"
           done
 
-          echo "moved_files=$moved_files" >> $GITHUB_OUTPUT
+          echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT"
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -162,18 +164,20 @@ jobs:
 
       - name: Commit and push changes
         id: commit
+        env:
+          BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }}
         run: |
           git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
           git config --local user.name "bitwarden-devops-bot"
           if [ -n "$(git status --porcelain)" ]; then
             git add .
             git commit -m "Move EDD database scripts" -a
-            git push -u origin ${{ steps.branch_name.outputs.branch_name }}
-            echo "pr_needed=true" >> $GITHUB_OUTPUT
+            git push -u origin "${BRANCH_NAME}"
+            echo "pr_needed=true" >> "$GITHUB_OUTPUT"
           else
             echo "No changes to commit!";
-            echo "pr_needed=false" >> $GITHUB_OUTPUT
-            echo "### :mega: No changes to commit! PR was ommited." >> $GITHUB_STEP_SUMMARY
+            echo "pr_needed=false" >> "$GITHUB_OUTPUT"
+            echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY"
           fi
 
       - name: Create PR for ${{ steps.branch_name.outputs.branch_name }}
@@ -195,7 +199,7 @@ jobs:
               Files moved:
               $(echo -e "$MOVED_FILES")
               ")
-          echo "pr_url=${PR_URL}" >> $GITHUB_OUTPUT
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"
 
       - name: Notify Slack about creation of PR
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}

.github/workflows/build.yml

@@ -22,22 +22,23 @@ env:
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Verify format
         run: dotnet format --verify-no-changes
 
   build-artifacts:
     name: Build Docker images
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - lint
     outputs:
@@ -45,6 +46,7 @@ jobs:
     permissions:
       security-events: write
       id-token: write
+    timeout-minutes: 45
     strategy:
       fail-fast: false
       matrix:
@@ -97,30 +99,31 @@ jobs:
         id: check-secrets
         run: |
           has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+          echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT"
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check branch to publish
         env:
           PUBLISH_BRANCHES: "main,rc,hotfix-rc"
         id: publish-branch-check
         run: |
-          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+          IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
           if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
-            echo "is_publish_branch=true" >> $GITHUB_ENV
+            echo "is_publish_branch=true" >> "$GITHUB_ENV"
           else
-            echo "is_publish_branch=false" >> $GITHUB_ENV
+            echo "is_publish_branch=false" >> "$GITHUB_ENV"
           fi
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Set up Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
@@ -157,7 +160,7 @@ jobs:
           ls -atlh ../../../
 
       - name: Upload project artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: ${{ matrix.dotnet }}
         with:
           name: ${{ matrix.project_name }}.zip
@@ -166,10 +169,10 @@ jobs:
 
       ########## Set up Docker ##########
       - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       ########## ACRs ##########
       - name: Log in to Azure
@@ -182,13 +185,6 @@ jobs:
       - name: Log in to ACR - production subscription
         run: az acr login -n bitwardenprod
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
       ########## Generate image tag and build Docker image ##########
       - name: Generate Docker image tag
         id: tag
@@ -209,8 +205,8 @@ jobs:
             IMAGE_TAG=dev
           fi
 
-          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Set up project name
         id: setup
@@ -218,7 +214,7 @@ jobs:
           PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
           echo "Matrix name: ${{ matrix.project_name }}"
           echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+          echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Generate image tags(s)
         id: image-tags
@@ -228,12 +224,12 @@ jobs:
           SHA: ${{ github.sha }}
         run: |
           TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
-          echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
+          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
           if [[ "${IMAGE_TAG}" == "dev" ]]; then
-            SHORT_SHA=$(git rev-parse --short ${SHA})
+            SHORT_SHA=$(git rev-parse --short "${SHA}")
             TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
           fi
-          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
 
       - name: Build Docker image
         id: build-artifacts
@@ -247,12 +243,10 @@ jobs:
             linux/arm64
           push: true
           tags: ${{ steps.image-tags.outputs.tags }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Install Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
       - name: Sign image with Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@@ -260,23 +254,24 @@ jobs:
           DIGEST: ${{ steps.build-artifacts.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
-          IFS="," read -a tags <<< "${TAGS}"
-          images=""
-          for tag in "${tags[@]}"; do
-            images+="${tag}@${DIGEST} "
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes ${images}
+          cosign sign --yes ${images[@]}
+          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
 
       - name: Scan Docker image
         id: container-scan
-        uses: anchore/scan-action@2c901ab7378897c01b8efaa2d0c9bf519cc64b9e # v6.2.0
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
         with:
           image: ${{ steps.image-tags.outputs.primary_tag }}
           fail-build: false
           output-format: sarif
 
       - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
@@ -287,19 +282,20 @@ jobs:
 
   upload:
     name: Upload
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs: build-artifacts
     permissions:
       id-token: write
       actions: read
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -309,7 +305,7 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to ACR - production subscription
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
 
       - name: Make Docker stubs
         if: |
@@ -332,26 +328,26 @@ jobs:
           STUB_OUTPUT=$(pwd)/docker-stub
 
           # Run setup
-          docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/US:/bitwarden" "$SETUP_IMAGE" \
             /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US
-          docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/EU:/bitwarden" "$SETUP_IMAGE" \
             /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU
 
-          sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT
+          sudo chown -R "$(whoami):$(whoami)" "$STUB_OUTPUT"
 
           # Remove extra directories and files
-          rm -rf $STUB_OUTPUT/US/letsencrypt
-          rm -rf $STUB_OUTPUT/EU/letsencrypt
-          rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml
-          rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml
+          rm -rf "$STUB_OUTPUT/US/letsencrypt"
+          rm -rf "$STUB_OUTPUT/EU/letsencrypt"
+          rm "$STUB_OUTPUT/US/env/uid.env" "$STUB_OUTPUT/US/config.yml"
+          rm "$STUB_OUTPUT/EU/env/uid.env" "$STUB_OUTPUT/EU/config.yml"
 
           # Create uid environment files
-          touch $STUB_OUTPUT/US/env/uid.env
-          touch $STUB_OUTPUT/EU/env/uid.env
+          touch "$STUB_OUTPUT/US/env/uid.env"
+          touch "$STUB_OUTPUT/EU/env/uid.env"
 
           # Zip up the Docker stub files
-          cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
-          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..
+          cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
+          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
@@ -360,7 +356,7 @@ jobs:
         if: |
           github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: docker-stub-US.zip
           path: docker-stub-US.zip
@@ -370,7 +366,7 @@ jobs:
         if: |
           github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: docker-stub-EU.zip
           path: docker-stub-EU.zip
@@ -382,21 +378,21 @@ jobs:
           pwsh ./generate_openapi_files.ps1
 
       - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: swagger.json
           path: api.public.json
           if-no-files-found: error
 
       - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: internal.json
           path: api.json
           if-no-files-found: error
 
       - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: identity.json
           path: identity.json
@@ -404,7 +400,7 @@ jobs:
 
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - lint
     defaults:
@@ -420,12 +416,13 @@ jobs:
           - win-x64
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Print environment
         run: |
@@ -441,7 +438,7 @@ jobs:
 
       - name: Upload project artifact for Windows
         if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@@ -449,7 +446,7 @@ jobs:
 
       - name: Upload project artifact
         if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
@@ -460,7 +457,7 @@ jobs:
     if: |
       github.event_name != 'pull_request'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - build-artifacts
     permissions:
@@ -473,25 +470,34 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
-      - name: Trigger self-host build
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: self-host
+
+      - name: Trigger Bitwarden lite build
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
               repo: 'self-host',
-              workflow_id: 'build-unified.yml',
+              workflow_id: 'build-bitwarden-lite.yml',
               ref: 'main',
               inputs: {
                 server_branch: process.env.GITHUB_REF
@@ -514,20 +520,29 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: devops
+
       - name: Trigger k8s deploy
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',

.github/workflows/cleanup-after-pr.yml

@@ -22,7 +22,7 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to Azure ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
 
       ########## Remove Docker images ##########
       - name: Remove the Docker image from ACR
@@ -45,20 +45,20 @@ jobs:
               - Setup
               - Sso
         run: |
-          for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - )
+          for SERVICE in $(echo "${SERVICES}" | yq e ".services[]" - )
           do
-            SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}')
+            SERVICE_NAME=$(echo "$SERVICE" | awk '{print tolower($0)}')
             IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
 
             echo "[*] Checking if remote exists: $_AZ_REGISTRY/$SERVICE_NAME:$IMAGE_TAG"
             TAG_EXISTS=$(
-              az acr repository show-tags --name $_AZ_REGISTRY --repository $SERVICE_NAME \
-              | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")'
+              az acr repository show-tags --name "$_AZ_REGISTRY" --repository "$SERVICE_NAME" \
+              | jq --arg TAG "$IMAGE_TAG" -e '. | any(. == $TAG)'
             )
 
             if [[ "$TAG_EXISTS" == "true" ]]; then
               echo "[*] Tag exists. Removing tag"
-              az acr repository delete --name $_AZ_REGISTRY --image $SERVICE_NAME:$IMAGE_TAG --yes
+              az acr repository delete --name "$_AZ_REGISTRY" --image "$SERVICE_NAME:$IMAGE_TAG" --yes
             else
               echo "[*] Tag does not exist. No action needed"
             fi

.github/workflows/cleanup-rc-branch.yml

@@ -31,10 +31,12 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Checkout main
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: main
           token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false
+          fetch-depth: 0
 
       - name: Check if a RC branch exists
         id: branch-check
@@ -43,11 +45,11 @@ jobs:
           rc_branch_check=$(git ls-remote --heads origin rc | wc -l)
 
           if [[ "${hotfix_rc_branch_check}" -gt 0 ]]; then
-            echo "hotfix-rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=hotfix-rc" >> $GITHUB_OUTPUT
+            echo "hotfix-rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=hotfix-rc" >> "$GITHUB_OUTPUT"
           elif [[ "${rc_branch_check}" -gt 0 ]]; then
-            echo "rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=rc" >> $GITHUB_OUTPUT
+            echo "rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=rc" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Delete RC branch
@@ -55,6 +57,6 @@ jobs:
           BRANCH_NAME: ${{ steps.branch-check.outputs.name }}
         run: |
           if ! [[ -z "$BRANCH_NAME" ]]; then
-            git push --quiet origin --delete $BRANCH_NAME
-            echo "Deleted $BRANCH_NAME branch." | tee -a $GITHUB_STEP_SUMMARY
+            git push --quiet origin --delete "$BRANCH_NAME"
+            echo "Deleted $BRANCH_NAME branch." | tee -a "$GITHUB_STEP_SUMMARY"
           fi

.github/workflows/code-references.yml

@@ -19,9 +19,9 @@ jobs:
         id: check-secret-access
         run: |
           if [ "${{ secrets.AZURE_CLIENT_ID }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
+            echo "available=true" >> "$GITHUB_OUTPUT";
           else
-            echo "available=false" >> $GITHUB_OUTPUT;
+            echo "available=false" >> "$GITHUB_OUTPUT";
           fi
 
   refs:
@@ -36,7 +36,9 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -57,7 +59,7 @@ jobs:
 
       - name: Collect
         id: collect
-        uses: launchdarkly/find-code-references@e3e9da201b87ada54eb4c550c14fb783385c5c8a # v2.13.0
+        uses: launchdarkly/find-code-references@89a7d362d1d4b3725fe0fe0ccd0dc69e3bdcba58 # v2.14.0
         with:
           accessToken: ${{ steps.get-kv-secrets.outputs.LD-ACCESS-TOKEN }}
           projKey: default
@@ -65,14 +67,14 @@ jobs:
 
       - name: Add label
         if: steps.collect.outputs.any-changed == 'true'
-        run: gh pr edit $PR_NUMBER --add-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --add-label feature-flag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
 
       - name: Remove label
         if: steps.collect.outputs.any-changed == 'false'
-        run: gh pr edit $PR_NUMBER --remove-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --remove-label feature-flag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}

.github/workflows/enforce-labels.yml

@@ -17,5 +17,5 @@ jobs:
       - name: Check for label
         run: |
           echo "PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged"
-          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> $GITHUB_STEP_SUMMARY
+          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> "$GITHUB_STEP_SUMMARY"
           exit 1

.github/workflows/ephemeral-environment.yml

@@ -16,5 +16,5 @@ jobs:
     with:
       project: server
       pull_request_number: ${{ github.event.number }}
-      sync_environment: true
+      sync_environment: false
     secrets: inherit

.github/workflows/load-test.yml

@@ -63,13 +63,15 @@ jobs:
 
       # Datadog agent for collecting OTEL metrics from k6
       - name: Start Datadog agent
+        env:
+          DD_API_KEY: ${{ steps.get-kv-secrets.outputs.DD-API-KEY }}
         run: |
           docker run --detach \
             --name datadog-agent \
             -p 4317:4317 \
             -p 5555:5555 \
             -e DD_SITE=us3.datadoghq.com \
-            -e DD_API_KEY=${{ steps.get-kv-secrets.outputs.DD-API-KEY }} \
+            -e DD_API_KEY="${DD_API_KEY}" \
             -e DD_DOGSTATSD_NON_LOCAL_TRAFFIC=1 \
             -e DD_OTLP_CONFIG_RECEIVER_PROTOCOLS_GRPC_ENDPOINT=0.0.0.0:4317 \
             -e DD_HEALTH_PORT=5555 \
@@ -85,7 +87,7 @@ jobs:
             datadog/agent:7-full@sha256:7ea933dec3b8baa8c19683b1c3f6f801dbf3291f748d9ed59234accdaac4e479
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -93,7 +95,7 @@ jobs:
         uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1.1.0
 
       - name: Run k6 tests
-        uses: grafana/run-k6-action@c6b79182b9b666aa4f630f4a6be9158ead62536e # v1.2.0
+        uses: grafana/run-k6-action@a15e2072ede004e8d46141e33d7f7dad8ad08d9d # v1.3.1
         continue-on-error: false
         env:
           K6_OTEL_METRIC_PREFIX: k6_

.github/workflows/protect-files.yml

@@ -31,9 +31,10 @@ jobs:
             label: "DB-migrations-changed"
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Check for file changes
         id: check-changes
@@ -43,9 +44,9 @@ jobs:
           for file in $MODIFIED_FILES
           do
             if [[ $file == *"${{ matrix.path }}"* ]]; then
-              echo "changes_detected=true" >> $GITHUB_OUTPUT
+              echo "changes_detected=true" >> "$GITHUB_OUTPUT"
               break
-            else echo "changes_detected=false" >> $GITHUB_OUTPUT
+            else echo "changes_detected=false" >> "$GITHUB_OUTPUT"
             fi
           done
 

.github/workflows/publish.yml

@@ -36,21 +36,23 @@ jobs:
     steps:
       - name: Version output
         id: version-output
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then
+          if [[ "${INPUT_VERSION}" == "latest" || "${INPUT_VERSION}" == "" ]]; then
             VERSION=$(curl  "https://api.github.com/repos/bitwarden/server/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
             echo "Latest Released Version: $VERSION"
-            echo "version=$VERSION" >> $GITHUB_OUTPUT
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           else
-            echo "Release Version: ${{ inputs.version }}"
-            echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT
+            echo "Release Version: ${INPUT_VERSION}"
+            echo "version=${INPUT_VERSION}" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Get branch name
         id: branch
         run: |
-          BRANCH_NAME=$(basename ${{ github.ref }})
-          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          BRANCH_NAME=$(basename "${GITHUB_REF}")
+          echo "branch-name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Create GitHub deployment
         uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7
@@ -89,7 +91,6 @@ jobs:
           - project_name: Nginx
           - project_name: Notifications
           - project_name: Scim
-          - project_name: Server
           - project_name: Setup
           - project_name: Sso
     steps:
@@ -104,7 +105,10 @@ jobs:
           echo "Github Release Option: $RELEASE_OPTION"
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up project name
         id: setup
@@ -112,7 +116,7 @@ jobs:
           PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
           echo "Matrix name: ${{ matrix.project_name }}"
           echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+          echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"
 
       ########## ACR PROD ##########
       - name: Log in to Azure
@@ -123,16 +127,16 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to Azure ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
 
       - name: Pull latest project image
         env:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: |
           if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker pull $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker pull "$_AZ_REGISTRY/$PROJECT_NAME:latest"
           else
-            docker pull $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME
+            docker pull "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME"
           fi
 
       - name: Tag version and latest
@@ -140,10 +144,10 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: |
           if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:latest $_AZ_REGISTRY/$PROJECT_NAME:dryrun
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:latest" "$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
           else
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" "$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" "$_AZ_REGISTRY/$PROJECT_NAME:latest"
           fi
 
       - name: Push version and latest image
@@ -151,10 +155,10 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: |
           if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:dryrun
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
           else
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:latest"
           fi
 
       - name: Log out of Docker

.github/workflows/release.yml

@@ -39,7 +39,10 @@ jobs:
           fi
 
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Check release version
         id: version
@@ -52,8 +55,8 @@ jobs:
       - name: Get branch name
         id: branch
         run: |
-          BRANCH_NAME=$(basename ${{ github.ref }})
-          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          BRANCH_NAME=$(basename "${GITHUB_REF}")
+          echo "branch-name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
 
   release:
     name: Create GitHub release
@@ -86,7 +89,7 @@ jobs:
 
       - name: Create release
         if: ${{ inputs.release_type != 'Dry Run' }}
-        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         with:
           artifacts: "docker-stub-US.zip,
             docker-stub-EU.zip,

.github/workflows/repository-management.yml

@@ -22,9 +22,7 @@ on:
         required: false
         type: string
 
-permissions:
-  pull-requests: write
-  contents: write
+permissions: {}
 
 jobs:
   setup:
@@ -32,6 +30,7 @@ jobs:
     runs-on: ubuntu-24.04
     outputs:
       branch: ${{ steps.set-branch.outputs.branch }}
+    permissions: {}
     steps:
       - name: Set branch
         id: set-branch
@@ -46,7 +45,7 @@ jobs:
             BRANCH="hotfix-rc"
           fi
 
-          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
 
   bump_version:
     name: Bump Version
@@ -84,17 +83,19 @@ jobs:
           version: ${{ inputs.version_number_override }}
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write
 
       - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: main
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
 
       - name: Configure Git
         run: |
@@ -110,7 +111,7 @@ jobs:
         id: current-version
         run: |
           CURRENT_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props)
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Verify input version
         if: ${{ inputs.version_number_override != '' }}
@@ -120,16 +121,15 @@ jobs:
         run: |
           # Error if version has not changed.
           if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
-            echo "Specified override version is the same as the current version." >> $GITHUB_STEP_SUMMARY
+            echo "Specified override version is the same as the current version." >> "$GITHUB_STEP_SUMMARY"
             exit 1
           fi
 
           # Check if version is newer.
-          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
-          if [ $? -eq 0 ]; then
+          if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then
             echo "Version is newer than the current version."
           else
-            echo "Version is older than the current version." >> $GITHUB_STEP_SUMMARY
+            echo "Version is older than the current version." >> "$GITHUB_STEP_SUMMARY"
             exit 1
           fi
 
@@ -160,15 +160,20 @@ jobs:
         id: set-final-version-output
         env:
           VERSION: ${{ inputs.version_number_override }}
+          BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }}
+          BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }}
+          CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }}
         run: |
-          if [[ "${{ steps.bump-version-override.outcome }}" = "success" ]]; then
-            echo "version=$VERSION" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          if [[ "${BUMP_VERSION_OVERRIDE_OUTCOME}" = "success" ]]; then
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          elif [[ "${BUMP_VERSION_AUTOMATIC_OUTCOME}" = "success" ]]; then
+            echo "version=${CALCULATE_NEXT_VERSION}" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Commit files
-        run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a
+        env:
+          FINAL_VERSION: ${{ steps.set-final-version-output.outputs.version }}
+        run: git commit -m "Bumped version to $FINAL_VERSION" -a
 
       - name: Push changes
         run: git push
@@ -202,24 +207,27 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write
 
       - name: Check out target ref
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ inputs.target_ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
+          fetch-depth: 0
 
       - name: Check if ${{ needs.setup.outputs.branch }} branch exists
         env:
           BRANCH_NAME: ${{ needs.setup.outputs.branch }}
         run: |
-          if [[ $(git ls-remote --heads origin $BRANCH_NAME) ]]; then
-            echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> $GITHUB_STEP_SUMMARY
+          if [[ $(git ls-remote --heads origin "$BRANCH_NAME") ]]; then
+            echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> "$GITHUB_STEP_SUMMARY"
             exit 1
           fi
 
@@ -227,16 +235,11 @@ jobs:
         env:
           BRANCH_NAME: ${{ needs.setup.outputs.branch }}
         run: |
-          git switch --quiet --create $BRANCH_NAME
-          git push --quiet --set-upstream origin $BRANCH_NAME
+          git switch --quiet --create "$BRANCH_NAME"
+          git push --quiet --set-upstream origin "$BRANCH_NAME"
 
   move_edd_db_scripts:
     name: Move EDD database scripts
     needs: cut_branch
-    permissions:
-      actions: read
-      contents: write
-      id-token: write
-      pull-requests: write
+    permissions: {}
     uses: ./.github/workflows/_move_edd_db_scripts.yml
-    secrets: inherit

.github/workflows/respond.yml

@@ -0,0 +1,28 @@
+name: Respond
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+permissions: {}
+
+jobs:
+  respond:
+    name: Respond
+    uses: bitwarden/gh-actions/.github/workflows/_respond.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write

.github/workflows/review-code.yml

@@ -1,109 +1,21 @@
-name: Review code
+name: Code Review
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, labeled]
 
 permissions: {}
 
 jobs:
   review:
     name: Review
-    runs-on: ubuntu-24.04
+    uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
+      actions: read
       contents: read
       id-token: write
       pull-requests: write
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Check for Vault team changes
-        id: check_changes
-        run: |
-          # Ensure we have the base branch
-          git fetch origin ${{ github.base_ref }}
-
-          echo "Comparing changes between origin/${{ github.base_ref }} and HEAD"
-          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
-
-          if [ -z "$CHANGED_FILES" ]; then
-            echo "Zero files changed"
-            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Handle variations in spacing and multiple teams
-          VAULT_PATTERNS=$(grep -E "@bitwarden/team-vault-dev(\s|$)" .github/CODEOWNERS 2>/dev/null | awk '{print $1}')
-
-          if [ -z "$VAULT_PATTERNS" ]; then
-            echo "⚠️ No patterns found for @bitwarden/team-vault-dev in CODEOWNERS"
-            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          vault_team_changes=false
-          for pattern in $VAULT_PATTERNS; do
-            echo "Checking pattern: $pattern"
-
-            # Handle **/directory patterns
-            if [[ "$pattern" == "**/"* ]]; then
-              # Remove the **/ prefix
-              dir_pattern="${pattern#\*\*/}"
-              # Check if any file contains this directory in its path
-              if echo "$CHANGED_FILES" | grep -qE "(^|/)${dir_pattern}(/|$)"; then
-                vault_team_changes=true
-                echo "✅ Found files matching pattern: $pattern"
-                echo "$CHANGED_FILES" | grep -E "(^|/)${dir_pattern}(/|$)" | sed 's/^/  - /'
-                break
-              fi
-            else
-              # Handle other patterns (shouldn't happen based on your CODEOWNERS)
-              if echo "$CHANGED_FILES" | grep -q "$pattern"; then
-                vault_team_changes=true
-                echo "✅ Found files matching pattern: $pattern"
-                echo "$CHANGED_FILES" | grep "$pattern" | sed 's/^/  - /'
-                break
-              fi
-            fi
-          done
-
-          echo "vault_team_changes=$vault_team_changes" >> $GITHUB_OUTPUT
-
-          if [ "$vault_team_changes" = "true" ]; then
-            echo ""
-            echo "✅ Vault team changes detected - proceeding with review"
-          else
-            echo ""
-            echo "❌  No Vault team changes detected - skipping review"
-          fi
-
-      - name: Review with Claude Code
-        if: steps.check_changes.outputs.vault_team_changes == 'true'
-        uses: anthropics/claude-code-action@a5528eec7426a4f0c9c1ac96018daa53ebd05bc4 # v1.0.7
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          track_progress: true
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
-            TITLE: ${{ github.event.pull_request.title }}
-            BODY: ${{ github.event.pull_request.body }}
-            AUTHOR: ${{ github.event.pull_request.user.login }}
-
-            Please review this pull request with a focus on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Security implications
-            - Performance considerations
-
-            Note: The PR branch is already checked out in the current working directory.
-
-            Provide detailed feedback using inline comments for specific issues.
-
-          claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"

.github/workflows/stale-bot.yml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Check
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
         with:
           stale-issue-label: "needs-reply"
           stale-pr-label: "needs-changes"

.github/workflows/test-database.yml

@@ -44,10 +44,12 @@ jobs:
       checks: write
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Restore tools
         run: dotnet tool restore
@@ -60,7 +62,7 @@ jobs:
           docker compose --profile mssql --profile postgres --profile mysql up -d
         shell: pwsh
 
-      - name: Add MariaDB for unified
+      - name: Add MariaDB for Bitwarden lite
         # Use a different port than MySQL
         run: |
           docker run --detach --name mariadb --env MARIADB_ROOT_PASSWORD=mariadb-password -p 4306:3306 mariadb:10
@@ -131,7 +133,7 @@ jobs:
           # Default Sqlite
           BW_TEST_DATABASES__3__TYPE: "Sqlite"
           BW_TEST_DATABASES__3__CONNECTIONSTRING: "Data Source=${{ runner.temp }}/test.db"
-          # Unified MariaDB
+          # Bitwarden lite MariaDB
           BW_TEST_DATABASES__4__TYPE: "MySql"
           BW_TEST_DATABASES__4__CONNECTIONSTRING: "server=localhost;port=4306;uid=root;pwd=mariadb-password;database=vault_dev;Allow User Variables=true"
         run: dotnet test --logger "trx;LogFileName=infrastructure-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
@@ -139,31 +141,31 @@ jobs:
 
       - name: Print MySQL Logs
         if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mysql")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mysql")"'
 
       - name: Print MariaDB Logs
         if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mariadb")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mariadb")"'
 
       - name: Print Postgres Logs
         if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=postgres")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=postgres")"'
 
       - name: Print MSSQL Logs
         if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mssql")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mssql")"'
 
       - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
-          path: "**/*-test-results.trx"
+          path: "./**/*-test-results.trx"
           reporter: dotnet-trx
           fail-on-error: true
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 
       - name: Docker Compose down
         if: always()
@@ -176,10 +178,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Print environment
         run: |
@@ -193,7 +197,7 @@ jobs:
         shell: pwsh
 
       - name: Upload DACPAC
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: sql.dacpac
           path: Sql.dacpac
@@ -219,7 +223,7 @@ jobs:
         shell: pwsh
 
       - name: Report validation results
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: report.xml
           path: |
@@ -258,3 +262,26 @@ jobs:
         working-directory: "dev"
         run: docker compose down
         shell: pwsh
+
+  validate-migration-naming:
+    name: Validate new migration naming and order
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Validate new migrations for pull request
+        if: github.event_name == 'pull_request'
+        run: |
+          git fetch origin main:main
+          pwsh dev/verify_migrations.ps1 -BaseRef main
+        shell: pwsh
+
+      - name: Validate new migrations for push
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: pwsh dev/verify_migrations.ps1 -BaseRef HEAD~1
+        shell: pwsh

.github/workflows/test.yml

@@ -27,10 +27,20 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
 
       - name: Print environment
         run: |
@@ -49,7 +59,7 @@ jobs:
         run: dotnet test ./bitwarden_license/test --configuration Debug --logger "trx;LogFileName=bw-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
 
       - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
@@ -58,4 +68,4 @@ jobs:
           fail-on-error: true
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2

.gitignore

@@ -215,6 +215,9 @@ bitwarden_license/src/Sso/wwwroot/assets
 **/**.swp
 .mono
 src/Core/MailTemplates/Mjml/out
+src/Core/MailTemplates/Mjml/out-hbs
+NativeMethods.g.cs
+util/RustSdk/rust/target
 
 src/Admin/Admin.zip
 src/Api/Api.zip
@@ -231,3 +234,7 @@ bitwarden_license/src/Sso/Sso.zip
 /identity.json
 /api.json
 /api.public.json
+.serena/
+
+# Serena
+.serena/

Directory.Build.props

@@ -3,12 +3,10 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.10.0</Version>
+    <Version>2025.12.2</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
-    <IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
-    
     <IsTestProject Condition="'$(IsTestProject)' == '' and ($(MSBuildProjectName.EndsWith('.Test')) or $(MSBuildProjectName.EndsWith('.IntegrationTest')))">true</IsTestProject>
     <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' == 'true'">annotations</Nullable>
     <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' != 'true'">enable</Nullable>
@@ -18,7 +16,7 @@
   
   <PropertyGroup>
     
-    <MicrosoftNetTestSdkVersion>17.8.0</MicrosoftNetTestSdkVersion>
+    <MicrosoftNetTestSdkVersion>18.0.1</MicrosoftNetTestSdkVersion>
     
     <XUnitVersion>2.6.6</XUnitVersion>
     
@@ -32,19 +30,4 @@
     
     <AutoFixtureAutoNSubstituteVersion>4.18.1</AutoFixtureAutoNSubstituteVersion>
   </PropertyGroup>
-
-  
-  <Target Name="SetSourceRevisionId" BeforeTargets="CoreGenerateAssemblyInfo">
-    <Exec Command="git describe --long --always --dirty --exclude=* --abbrev=8" ConsoleToMSBuild="True" IgnoreExitCode="False">
-      <Output PropertyName="SourceRevisionId" TaskParameter="ConsoleOutput" />
-    </Exec>
-  </Target>
-  <Target Name="WriteRevision" AfterTargets="SetSourceRevisionId">
-    <ItemGroup>
-      <AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
-        <_Parameter1>GitHash</_Parameter1>
-        <_Parameter2>$(SourceRevisionId)</_Parameter2>
-      </AssemblyAttribute>
-    </ItemGroup>
-  </Target>
 </Project>

README.md

@@ -58,6 +58,42 @@ Invoke-RestMethod -OutFile bitwarden.ps1 `
 .\bitwarden.ps1 -start
 ```
 
+## Production Container Images
+
+<details>
+<summary><b>View Current Production Image Hashes</b> (click to expand)</summary>
+<br>
+
+### US Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+### EU Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+</details>
+
 ## We're Hiring!
 
 Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our [Careers page](https://bitwarden.com/careers/) to see what opportunities are currently open as well as what it's like to work at Bitwarden.

bitwarden-server.sln

@@ -133,8 +133,11 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Seeder", "util\Seeder\Seede
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DbSeederUtility", "util\DbSeederUtility\DbSeederUtility.csproj", "{17A89266-260A-4A03-81AE-C0468C6EE06E}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RustSdk", "util\RustSdk\RustSdk.csproj", "{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}"
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharedWeb.Test", "test\SharedWeb.Test\SharedWeb.Test.csproj", "{AD59537D-5259-4B7A-948F-0CF58E80B359}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SSO.Test", "bitwarden_license\test\SSO.Test\SSO.Test.csproj", "{7D98784C-C253-43FB-9873-25B65C6250D6}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -339,10 +342,18 @@ Global
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Release|Any CPU.Build.0 = Release|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.Build.0 = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -397,7 +408,9 @@ Global
 		{3631BA42-6731-4118-A917-DAA43C5032B9} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{9A612EBA-1C0E-42B8-982B-62F0EE81000A} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{17A89266-260A-4A03-81AE-C0468C6EE06E} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{AD59537D-5259-4B7A-948F-0CF58E80B359} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
+		{7D98784C-C253-43FB-9873-25B65C6250D6} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}

bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs

@@ -113,7 +113,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                 await _providerBillingService.CreateCustomerForClientOrganization(provider, organization);
             }
 
-            var customer = await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            var customer = await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
             {
                 Description = string.Empty,
                 Email = organization.BillingEmail,
@@ -138,7 +138,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
 
             subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
 
-            var subscription = await _stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await _stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);
 
             organization.GatewaySubscriptionId = subscription.Id;
             organization.Status = OrganizationStatusType.Created;
@@ -148,22 +148,29 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
         }
         else if (organization.IsStripeEnabled())
         {
-            var subscription = await _stripeAdapter.SubscriptionGetAsync(organization.GatewaySubscriptionId);
+            var subscription = await _stripeAdapter.GetSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionGetOptions
+            {
+                Expand = ["customer"]
+            });
             if (subscription.Status is StripeConstants.SubscriptionStatus.Canceled or StripeConstants.SubscriptionStatus.IncompleteExpired)
             {
                 return;
             }
 
-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
             {
-                Coupon = string.Empty,
                 Email = organization.BillingEmail
             });
 
-            await _stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
+            if (subscription.Customer.Discount?.Coupon != null)
+            {
+                await _stripeAdapter.DeleteCustomerDiscountAsync(subscription.CustomerId);
+            }
+
+            await _stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
             {
                 CollectionMethod = StripeConstants.CollectionMethod.SendInvoice,
-                DaysUntilDue = 30
+                DaysUntilDue = 30,
             });
 
             await _subscriberService.RemovePaymentSource(organization);

bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs

@@ -9,12 +9,16 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -35,8 +39,9 @@ public class ProviderService : IProviderService
 {
     private static readonly PlanType[] _resellerDisallowedOrganizationTypes = [
         PlanType.Free,
-        PlanType.FamiliesAnnually,
-        PlanType.FamiliesAnnually2019
+        PlanType.FamiliesAnnually2025,
+        PlanType.FamiliesAnnually2019,
+        PlanType.FamiliesAnnually
     ];
 
     private readonly IDataProtector _dataProtector;
@@ -58,6 +63,7 @@ public class ProviderService : IProviderService
     private readonly IProviderBillingService _providerBillingService;
     private readonly IPricingClient _pricingClient;
     private readonly IProviderClientOrganizationSignUpCommand _providerClientOrganizationSignUpCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
 
     public ProviderService(IProviderRepository providerRepository, IProviderUserRepository providerUserRepository,
         IProviderOrganizationRepository providerOrganizationRepository, IUserRepository userRepository,
@@ -67,7 +73,8 @@ public class ProviderService : IProviderService
         ICurrentContext currentContext, IStripeAdapter stripeAdapter, IFeatureService featureService,
         IDataProtectorTokenFactory<ProviderDeleteTokenable> providerDeleteTokenDataFactory,
         IApplicationCacheService applicationCacheService, IProviderBillingService providerBillingService, IPricingClient pricingClient,
-        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand)
+        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand,
+        IPolicyRequirementQuery policyRequirementQuery)
     {
         _providerRepository = providerRepository;
         _providerUserRepository = providerUserRepository;
@@ -88,6 +95,7 @@ public class ProviderService : IProviderService
         _providerBillingService = providerBillingService;
         _pricingClient = pricingClient;
         _providerClientOrganizationSignUpCommand = providerClientOrganizationSignUpCommand;
+        _policyRequirementQuery = policyRequirementQuery;
     }
 
     public async Task<Provider> CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key, TokenizedPaymentMethod paymentMethod, BillingAddress billingAddress)
@@ -115,6 +123,18 @@ public class ProviderService : IProviderService
             throw new BadRequestException("Invalid owner.");
         }
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(ownerUserId);
+
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotCreateProvider())
+            {
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
+        }
+
         var customer = await _providerBillingService.SetupCustomer(provider, paymentMethod, billingAddress);
         provider.GatewayCustomerId = customer.Id;
         var subscription = await _providerBillingService.SetupSubscription(provider);
@@ -247,6 +267,18 @@ public class ProviderService : IProviderService
             throw new BadRequestException("User email does not match invite.");
         }
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotJoinProvider())
+            {
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
+        }
+
         providerUser.Status = ProviderUserStatusType.Accepted;
         providerUser.UserId = user.Id;
         providerUser.Email = null;
@@ -292,6 +324,19 @@ public class ProviderService : IProviderService
                     throw new BadRequestException("Invalid user.");
                 }
 
+                if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+                {
+                    var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                        .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+                    if (organizationAutoConfirmPolicyRequirement
+                        .CannotJoinProvider())
+                    {
+                        result.Add(Tuple.Create(providerUser, new UserCannotJoinProvider().Message));
+                        continue;
+                    }
+                }
+
                 providerUser.Status = ProviderUserStatusType.Confirmed;
                 providerUser.Key = keys[providerUser.Id];
                 providerUser.Email = null;
@@ -426,7 +471,7 @@ public class ProviderService : IProviderService
 
         if (!string.IsNullOrEmpty(organization.GatewayCustomerId))
         {
-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
             {
                 Email = provider.BillingEmail
             });
@@ -486,7 +531,7 @@ public class ProviderService : IProviderService
 
     private async Task<SubscriptionItem> GetSubscriptionItemAsync(string subscriptionId, string oldPlanId)
     {
-        var subscriptionDetails = await _stripeAdapter.SubscriptionGetAsync(subscriptionId);
+        var subscriptionDetails = await _stripeAdapter.GetSubscriptionAsync(subscriptionId);
         return subscriptionDetails.Items.Data.FirstOrDefault(item => item.Price.Id == oldPlanId);
     }
 
@@ -496,7 +541,7 @@ public class ProviderService : IProviderService
         {
             if (subscriptionItem.Price.Id != extractedPlanType)
             {
-                await _stripeAdapter.SubscriptionUpdateAsync(subscriptionItem.Subscription,
+                await _stripeAdapter.UpdateSubscriptionAsync(subscriptionItem.Subscription,
                     new Stripe.SubscriptionUpdateOptions
                     {
                         Items = new List<Stripe.SubscriptionItemOptions>

bitwarden_license/src/Commercial.Core/Billing/Providers/Queries/GetProviderWarningsQuery.cs

@@ -4,7 +4,6 @@ using Bit.Core.Billing.Providers.Models;
 using Bit.Core.Billing.Providers.Queries;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Stripe;
 using Stripe.Tax;
 
@@ -76,8 +75,8 @@ public class GetProviderWarningsQuery(
 
         // Get active and scheduled registrations
         var registrations = (await Task.WhenAll(
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
             .SelectMany(registrations => registrations.Data);
 
         // Find the matching registration for the customer

bitwarden_license/src/Commercial.Core/Billing/Providers/Services/BusinessUnitConverter.cs

@@ -101,7 +101,7 @@ public class BusinessUnitConverter(
         providerUser.Status = ProviderUserStatusType.Confirmed;
 
         // Stripe requires that we clear all the custom fields from the invoice settings if we want to replace them.
-        await stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        await stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
         {
             InvoiceSettings = new CustomerInvoiceSettingsOptions
             {
@@ -116,7 +116,7 @@ public class BusinessUnitConverter(
             ["convertedFrom"] = organization.Id.ToString()
         };
 
-        var updateCustomer = stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        var updateCustomer = stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
         {
             InvoiceSettings = new CustomerInvoiceSettingsOptions
             {
@@ -148,7 +148,7 @@ public class BusinessUnitConverter(
 
         // Replace the existing password manager price with the new business unit price.
         var updateSubscription =
-            stripeAdapter.SubscriptionUpdateAsync(subscription.Id,
+            stripeAdapter.UpdateSubscriptionAsync(subscription.Id,
                 new SubscriptionUpdateOptions
                 {
                     Items = [

bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs

@@ -61,11 +61,11 @@ public class ProviderBillingService(
         Organization organization,
         string key)
     {
-        await stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             new SubscriptionUpdateOptions { CancelAtPeriodEnd = false });
 
         var subscription =
-            await stripeAdapter.SubscriptionCancelAsync(organization.GatewaySubscriptionId,
+            await stripeAdapter.CancelSubscriptionAsync(organization.GatewaySubscriptionId,
                 new SubscriptionCancelOptions
                 {
                     CancellationDetails = new SubscriptionCancellationDetailsOptions
@@ -83,7 +83,7 @@ public class ProviderBillingService(
 
         if (!wasTrialing && subscription.LatestInvoice.Status == InvoiceStatus.Draft)
         {
-            await stripeAdapter.InvoiceFinalizeInvoiceAsync(subscription.LatestInvoiceId,
+            await stripeAdapter.FinalizeInvoiceAsync(subscription.LatestInvoiceId,
                 new InvoiceFinalizeOptions { AutoAdvance = true });
         }
 
@@ -138,7 +138,7 @@ public class ProviderBillingService(
 
         if (clientCustomer.Balance != 0)
         {
-            await stripeAdapter.CustomerBalanceTransactionCreate(provider.GatewayCustomerId,
+            await stripeAdapter.CreateCustomerBalanceTransactionAsync(provider.GatewayCustomerId,
                 new CustomerBalanceTransactionCreateOptions
                 {
                     Amount = clientCustomer.Balance,
@@ -187,7 +187,7 @@ public class ProviderBillingService(
             ]
         };
 
-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, updateOptions);
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, updateOptions);
 
         // Refactor later to ?ChangeClientPlanCommand? (ProviderPlanId, ProviderId, OrganizationId)
         // 1. Retrieve PlanType and PlanName for ProviderPlan
@@ -275,7 +275,7 @@ public class ProviderBillingService(
             customerCreateOptions.TaxExempt = TaxExempt.Reverse;
         }
 
-        var customer = await stripeAdapter.CustomerCreateAsync(customerCreateOptions);
+        var customer = await stripeAdapter.CreateCustomerAsync(customerCreateOptions);
 
         organization.GatewayCustomerId = customer.Id;
 
@@ -481,7 +481,6 @@ public class ProviderBillingService(
                 City = billingAddress.City,
                 State = billingAddress.State
             },
-            Coupon = !string.IsNullOrEmpty(provider.DiscountId) ? provider.DiscountId : null,
             Description = provider.DisplayBusinessName(),
             Email = provider.BillingEmail,
             InvoiceSettings = new CustomerInvoiceSettingsOptions
@@ -526,7 +525,7 @@ public class ProviderBillingService(
             case TokenizablePaymentMethodType.BankAccount:
                 {
                     var setupIntent =
-                        (await stripeAdapter.SetupIntentList(new SetupIntentListOptions
+                        (await stripeAdapter.ListSetupIntentsAsync(new SetupIntentListOptions
                         {
                             PaymentMethod = paymentMethod.Token
                         }))
@@ -559,7 +558,7 @@ public class ProviderBillingService(
 
         try
         {
-            return await stripeAdapter.CustomerCreateAsync(options);
+            return await stripeAdapter.CreateCustomerAsync(options);
         }
         catch (StripeException stripeException) when (stripeException.StripeError?.Code == ErrorCodes.TaxIdInvalid)
         {
@@ -581,7 +580,7 @@ public class ProviderBillingService(
                 case TokenizablePaymentMethodType.BankAccount:
                     {
                         var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);
-                        await stripeAdapter.SetupIntentCancel(setupIntentId,
+                        await stripeAdapter.CancelSetupIntentAsync(setupIntentId,
                             new SetupIntentCancelOptions { CancellationReason = "abandoned" });
                         await setupIntentCache.RemoveSetupIntentForSubscriber(provider.Id);
                         break;
@@ -639,7 +638,7 @@ public class ProviderBillingService(
         var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);
 
         var setupIntent = !string.IsNullOrEmpty(setupIntentId)
-            ? await stripeAdapter.SetupIntentGet(setupIntentId,
+            ? await stripeAdapter.GetSetupIntentAsync(setupIntentId,
                 new SetupIntentGetOptions { Expand = ["payment_method"] })
             : null;
 
@@ -663,6 +662,7 @@ public class ProviderBillingService(
                     : CollectionMethod.SendInvoice,
             Customer = customer.Id,
             DaysUntilDue = usePaymentMethod ? null : 30,
+            Discounts = !string.IsNullOrEmpty(provider.DiscountId) ? [new SubscriptionDiscountOptions { Coupon = provider.DiscountId }] : null,
             Items = subscriptionItemOptionsList,
             Metadata = new Dictionary<string, string> { { "providerId", provider.Id.ToString() } },
             OffSession = true,
@@ -671,10 +671,9 @@ public class ProviderBillingService(
             AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
         };
 
-
         try
         {
-            var subscription = await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);
 
             if (subscription is
                 {
@@ -709,7 +708,7 @@ public class ProviderBillingService(
             subscriberService.UpdatePaymentSource(provider, tokenizedPaymentSource),
             subscriberService.UpdateTaxInformation(provider, taxInformation));
 
-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             new SubscriptionUpdateOptions { CollectionMethod = CollectionMethod.ChargeAutomatically });
     }
 
@@ -792,11 +791,49 @@ public class ProviderBillingService(
 
         if (subscriptionItemOptionsList.Count > 0)
         {
-            await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+            await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
                 new SubscriptionUpdateOptions { Items = subscriptionItemOptionsList });
         }
     }
 
+    public async Task UpdateProviderNameAndEmail(Provider provider)
+    {
+        if (string.IsNullOrWhiteSpace(provider.GatewayCustomerId))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no Stripe customer to update",
+                provider.Id);
+            return;
+        }
+
+        var newDisplayName = provider.DisplayName();
+
+        // Provider.DisplayName() can return null - handle gracefully
+        if (string.IsNullOrWhiteSpace(newDisplayName))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no name to update in Stripe",
+                provider.Id);
+            return;
+        }
+
+        await stripeAdapter.UpdateCustomerAsync(provider.GatewayCustomerId,
+            new CustomerUpdateOptions
+            {
+                Email = provider.BillingEmail,
+                Description = newDisplayName,
+                InvoiceSettings = new CustomerInvoiceSettingsOptions
+                {
+                    CustomFields = [
+                        new CustomerInvoiceSettingsCustomFieldOptions
+                        {
+                            Name = provider.SubscriberType(),
+                            Value = newDisplayName
+                        }]
+                },
+            });
+    }
+
     private Func<int, Task> CurrySeatScalingUpdate(
         Provider provider,
         ProviderPlan providerPlan,
@@ -808,7 +845,7 @@ public class ProviderBillingService(
 
         var item = subscription.Items.First(item => item.Price.Id == priceId);
 
-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
         {
             Items =
             [

bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/SecretVersionRepository.cs

@@ -0,0 +1,94 @@
+using AutoMapper;
+using Bit.Core.SecretsManager.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Commercial.Infrastructure.EntityFramework.SecretsManager.Repositories;
+
+public class SecretVersionRepository : Repository<Core.SecretsManager.Entities.SecretVersion, SecretVersion, Guid>, ISecretVersionRepository
+{
+    public SecretVersionRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, db => db.SecretVersion)
+    { }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion?> GetByIdAsync(Guid id)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersion = await dbContext.SecretVersion
+            .Where(sv => sv.Id == id)
+            .FirstOrDefaultAsync();
+        return Mapper.Map<Core.SecretsManager.Entities.SecretVersion>(secretVersion);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyBySecretIdAsync(Guid secretId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var versionIds = ids.ToList();
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => versionIds.Contains(sv.Id))
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion> CreateAsync(Core.SecretsManager.Entities.SecretVersion secretVersion)
+    {
+        const int maxVersionsToKeep = 10;
+
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
+        // Get the IDs of the most recent (maxVersionsToKeep - 1) versions to keep
+        var versionsToKeepIds = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretVersion.SecretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .Take(maxVersionsToKeep - 1)
+            .Select(sv => sv.Id)
+            .ToListAsync();
+
+        // Delete all versions for this secret that are not in the "keep" list
+        if (versionsToKeepIds.Any())
+        {
+            await dbContext.SecretVersion
+                .Where(sv => sv.SecretId == secretVersion.SecretId && !versionsToKeepIds.Contains(sv.Id))
+                .ExecuteDeleteAsync();
+        }
+
+        secretVersion.SetNewId();
+        var entity = Mapper.Map<SecretVersion>(secretVersion);
+
+        await dbContext.AddAsync(entity);
+        await dbContext.SaveChangesAsync();
+        await transaction.CommitAsync();
+
+        return secretVersion;
+    }
+
+    public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
+    {
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var secretVersionIds = ids.ToList();
+        await dbContext.SecretVersion
+            .Where(sv => secretVersionIds.Contains(sv.Id))
+            .ExecuteDeleteAsync();
+    }
+}

bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/SecretsManagerEFServiceCollectionExtensions.cs

@@ -10,6 +10,7 @@ public static class SecretsManagerEfServiceCollectionExtensions
     {
         services.AddSingleton<IAccessPolicyRepository, AccessPolicyRepository>();
         services.AddSingleton<ISecretRepository, SecretRepository>();
+        services.AddSingleton<ISecretVersionRepository, SecretVersionRepository>();
         services.AddSingleton<IProjectRepository, ProjectRepository>();
         services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>();
     }

bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs

@@ -61,17 +61,15 @@ public class GroupsController : Controller
     [HttpGet("")]
     public async Task<IActionResult> Get(
         Guid organizationId,
-        [FromQuery] string filter,
-        [FromQuery] int? count,
-        [FromQuery] int? startIndex)
+        [FromQuery] GetGroupsQueryParamModel model)
     {
-        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, filter, count, startIndex);
+        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, model);
         var scimListResponseModel = new ScimListResponseModel<ScimGroupResponseModel>
         {
             Resources = groupsListQueryResult.groupList.Select(g => new ScimGroupResponseModel(g)).ToList(),
-            ItemsPerPage = count.GetValueOrDefault(groupsListQueryResult.groupList.Count()),
+            ItemsPerPage = model.Count,
             TotalResults = groupsListQueryResult.totalResults,
-            StartIndex = startIndex.GetValueOrDefault(1),
+            StartIndex = model.StartIndex,
         };
         return Ok(scimListResponseModel);
     }

bitwarden_license/src/Scim/Controllers/v2/UsersController.cs

@@ -3,6 +3,7 @@
 
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;

bitwarden_license/src/Scim/Groups/GetGroupsListQuery.cs

@@ -4,6 +4,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups.Interfaces;
+using Bit.Scim.Models;
 
 namespace Bit.Scim.Groups;
 
@@ -16,10 +17,16 @@ public class GetGroupsListQuery : IGetGroupsListQuery
         _groupRepository = groupRepository;
     }
 
-    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex)
+    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(
+        Guid organizationId, GetGroupsQueryParamModel groupQueryParams)
     {
         string nameFilter = null;
         string externalIdFilter = null;
+
+        int count = groupQueryParams.Count;
+        int startIndex = groupQueryParams.StartIndex;
+        string filter = groupQueryParams.Filter;
+
         if (!string.IsNullOrWhiteSpace(filter))
         {
             if (filter.StartsWith("displayName eq "))
@@ -53,11 +60,11 @@ public class GetGroupsListQuery : IGetGroupsListQuery
             }
             totalResults = groupList.Count;
         }
-        else if (string.IsNullOrWhiteSpace(filter) && startIndex.HasValue && count.HasValue)
+        else if (string.IsNullOrWhiteSpace(filter))
         {
             groupList = groups.OrderBy(g => g.Name)
-                .Skip(startIndex.Value - 1)
-                .Take(count.Value)
+                .Skip(startIndex - 1)
+                .Take(count)
                 .ToList();
             totalResults = groups.Count;
         }

bitwarden_license/src/Scim/Groups/Interfaces/IGetGroupsListQuery.cs

@@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Scim.Models;
 
 namespace Bit.Scim.Groups.Interfaces;
 
 public interface IGetGroupsListQuery
 {
-    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex);
+    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, GetGroupsQueryParamModel model);
 }

bitwarden_license/src/Scim/Models/GetGroupsQueryParamModel.cs

@@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Scim.Models;
+
+public class GetGroupsQueryParamModel
+{
+    public string Filter { get; init; } = string.Empty;
+
+    [Range(1, int.MaxValue)]
+    public int Count { get; init; } = 50;
+
+    [Range(1, int.MaxValue)]
+    public int StartIndex { get; init; } = 1;
+}

bitwarden_license/src/Scim/Models/GetUsersQueryParamModel.cs

@@ -1,5 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 
+namespace Bit.Scim.Models;
+
 public class GetUsersQueryParamModel
 {
     public string Filter { get; init; } = string.Empty;

bitwarden_license/src/Scim/Program.cs

@@ -11,21 +11,8 @@ public class Program
             .ConfigureWebHostDefaults(webBuilder =>
             {
                 webBuilder.UseStartup<Startup>();
-                webBuilder.ConfigureLogging((hostingContext, logging) =>
-                    logging.AddSerilog(hostingContext, (e, globalSettings) =>
-                    {
-                        var context = e.Properties["SourceContext"].ToString();
-
-                        if (e.Properties.TryGetValue("RequestPath", out var requestPath) &&
-                            !string.IsNullOrWhiteSpace(requestPath?.ToString()) &&
-                            (context.Contains(".Server.Kestrel") || context.Contains(".Core.IISHttpServer")))
-                        {
-                            return false;
-                        }
-
-                        return e.Level >= globalSettings.MinLogLevel.ScimSettings.Default;
-                    }));
             })
+            .AddSerilogFileLogging()
             .Build()
             .Run();
     }

bitwarden_license/src/Scim/Startup.cs

@@ -94,11 +94,8 @@ public class Startup
     public void Configure(
         IApplicationBuilder app,
         IWebHostEnvironment env,
-        IHostApplicationLifetime appLifetime,
         GlobalSettings globalSettings)
     {
-        app.UseSerilog(env, appLifetime, globalSettings);
-
         // Add general security headers
         app.UseMiddleware<SecurityHeadersMiddleware>();
 

bitwarden_license/src/Scim/Users/GetUsersListQuery.cs

@@ -3,6 +3,7 @@
 
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;
 
 namespace Bit.Scim.Users;

bitwarden_license/src/Scim/Users/Interfaces/IGetUsersListQuery.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Scim.Models;
 
 namespace Bit.Scim.Users.Interfaces;
 

bitwarden_license/src/Scim/Users/PatchUserCommand.cs

@@ -1,5 +1,5 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.E
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Utilities.Commands;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@@ -24,7 +25,7 @@ public class PostUserCommand(
     IOrganizationRepository organizationRepository,
     IOrganizationUserRepository organizationUserRepository,
     IOrganizationService organizationService,
-    IPaymentService paymentService,
+    IStripePaymentService paymentService,
     IScimContext scimContext,
     IFeatureService featureService,
     IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,

bitwarden_license/src/Scim/appsettings.Development.json

@@ -30,6 +30,7 @@
     },
     "storage": {
       "connectionString": "UseDevelopmentStorage=true"
-    }
+    },
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
   }
 }

bitwarden_license/src/Scim/appsettings.json

@@ -30,9 +30,6 @@
       "connectionString": "SECRET",
       "applicationCacheTopicName": "SECRET"
     },
-    "sentry": {
-      "dsn": "SECRET"
-    },
     "notificationHub": {
       "connectionString": "SECRET",
       "hubName": "SECRET"

bitwarden_license/src/Sso/Controllers/AccountController.cs

@@ -1,7 +1,4 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.Security.Claims;
+using System.Security.Claims;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
@@ -57,6 +54,7 @@ public class AccountController : Controller
     private readonly IDataProtectorTokenFactory<SsoTokenable> _dataProtector;
     private readonly IOrganizationDomainRepository _organizationDomainRepository;
     private readonly IRegisterUserCommand _registerUserCommand;
+    private readonly IFeatureService _featureService;
 
     public AccountController(
         IAuthenticationSchemeProvider schemeProvider,
@@ -77,7 +75,8 @@ public class AccountController : Controller
         Core.Services.IEventService eventService,
         IDataProtectorTokenFactory<SsoTokenable> dataProtector,
         IOrganizationDomainRepository organizationDomainRepository,
-        IRegisterUserCommand registerUserCommand)
+        IRegisterUserCommand registerUserCommand,
+        IFeatureService featureService)
     {
         _schemeProvider = schemeProvider;
         _clientStore = clientStore;
@@ -98,10 +97,11 @@ public class AccountController : Controller
         _dataProtector = dataProtector;
         _organizationDomainRepository = organizationDomainRepository;
         _registerUserCommand = registerUserCommand;
+        _featureService = featureService;
     }
 
     [HttpGet]
-    public async Task<IActionResult> PreValidate(string domainHint)
+    public async Task<IActionResult> PreValidateAsync(string domainHint)
     {
         try
         {
@@ -160,10 +160,12 @@ public class AccountController : Controller
     }
 
     [HttpGet]
-    public async Task<IActionResult> Login(string returnUrl)
+    public async Task<IActionResult> LoginAsync(string returnUrl)
     {
         var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
 
+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
         if (!context.Parameters.AllKeys.Contains("domain_hint") ||
             string.IsNullOrWhiteSpace(context.Parameters["domain_hint"]))
         {
@@ -179,6 +181,7 @@ public class AccountController : Controller
 
         var domainHint = context.Parameters["domain_hint"];
         var organization = await _organizationRepository.GetByIdentifierAsync(domainHint);
+#nullable restore
 
         if (organization == null)
         {
@@ -198,12 +201,15 @@ public class AccountController : Controller
             returnUrl,
             state = context.Parameters["state"],
             userIdentifier = context.Parameters["session_state"],
+            ssoToken
         });
     }
 
     [HttpGet]
-    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier)
+    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier, string ssoToken)
     {
+        ValidateSchemeAgainstSsoToken(scheme, ssoToken);
+
         if (string.IsNullOrEmpty(returnUrl))
         {
             returnUrl = "~/";
@@ -232,40 +238,101 @@ public class AccountController : Controller
         return Challenge(props, scheme);
     }
 
+    /// <summary>
+    /// Validates the scheme (organization ID) against the organization ID found in the ssoToken.
+    /// </summary>
+    /// <param name="scheme">The authentication scheme (organization ID) to validate.</param>
+    /// <param name="ssoToken">The SSO token to validate against.</param>
+    /// <exception cref="Exception">Thrown if the scheme (organization ID) does not match the organization ID found in the ssoToken.</exception>
+    private void ValidateSchemeAgainstSsoToken(string scheme, string ssoToken)
+    {
+        SsoTokenable tokenable;
+
+        try
+        {
+            tokenable = _dataProtector.Unprotect(ssoToken);
+        }
+        catch
+        {
+            throw new Exception(_i18nService.T("InvalidSsoToken"));
+        }
+
+        if (!Guid.TryParse(scheme, out var schemeOrgId) || tokenable.OrganizationId != schemeOrgId)
+        {
+            throw new Exception(_i18nService.T("SsoOrganizationIdMismatch"));
+        }
+    }
+
     [HttpGet]
     public async Task<IActionResult> ExternalCallback()
     {
+        // Feature flag (PM-24579): Prevent SSO on existing non-compliant users.
+        var preventOrgUserLoginIfStatusInvalid =
+            _featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers);
+
         // Read external identity from the temporary cookie
         var result = await HttpContext.AuthenticateAsync(
             AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
-        if (result?.Succeeded != true)
-        {
-            throw new Exception(_i18nService.T("ExternalAuthenticationError"));
-        }
 
-        // Debugging
-        var externalClaims = result.Principal.Claims.Select(c => $"{c.Type}: {c.Value}");
-        _logger.LogDebug("External claims: {@claims}", externalClaims);
+        if (preventOrgUserLoginIfStatusInvalid)
+        {
+            if (!result.Succeeded)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }
+        else
+        {
+            if (result?.Succeeded != true)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }
 
         // See if the user has logged in with this SSO provider before and has already been provisioned.
         // This is signified by the user existing in the User table and the SSOUser table for the SSO provider they're using.
-        var (user, provider, providerUserId, claims, ssoConfigData) = await FindUserFromExternalProviderAsync(result);
+        var (possibleSsoLinkedUser, provider, providerUserId, claims, ssoConfigData) = await FindUserFromExternalProviderAsync(result);
+
+        // We will look these up as required (lazy resolution) to avoid multiple DB hits.
+        Organization? organization = null;
+        OrganizationUser? orgUser = null;
 
         // The user has not authenticated with this SSO provider before.
         // They could have an existing Bitwarden account in the User table though.
-        if (user == null)
+        if (possibleSsoLinkedUser == null)
         {
+            // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
             // If we're manually linking to SSO, the user's external identifier will be passed as query string parameter.
-            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier") ?
-                result.Properties.Items["user_identifier"] : null;
-            user = await AutoProvisionUserAsync(provider, providerUserId, claims, userIdentifier, ssoConfigData);
+            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier")
+                ? result.Properties.Items["user_identifier"]
+                : null;
+
+            var (resolvedUser, foundOrganization, foundOrCreatedOrgUser) =
+                await CreateUserAndOrgUserConditionallyAsync(
+                    provider,
+                    providerUserId,
+                    claims,
+                    userIdentifier,
+                    ssoConfigData);
+#nullable restore
+
+            possibleSsoLinkedUser = resolvedUser;
+
+            if (preventOrgUserLoginIfStatusInvalid)
+            {
+                organization = foundOrganization;
+                orgUser = foundOrCreatedOrgUser;
+            }
         }
 
-        // Either the user already authenticated with the SSO provider, or we've just provisioned them.
-        // Either way, we have associated the SSO login with a Bitwarden user.
-        // We will now sign the Bitwarden user in.
-        if (user != null)
+        if (preventOrgUserLoginIfStatusInvalid)
         {
+            User resolvedSsoLinkedUser = possibleSsoLinkedUser
+                                                  ?? throw new Exception(_i18nService.T("UserShouldBeFound"));
+
+            await PreventOrgUserLoginIfStatusInvalidAsync(organization, provider, orgUser, resolvedSsoLinkedUser);
+
             // This allows us to collect any additional claims or properties
             // for the specific protocols used and store them in the local auth cookie.
             // this is typically used to store data needed for signout from those protocols.
@@ -278,19 +345,52 @@ public class AccountController : Controller
             ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
 
             // Issue authentication cookie for user
-            await HttpContext.SignInAsync(new IdentityServerUser(user.Id.ToString())
+            await HttpContext.SignInAsync(
+                new IdentityServerUser(resolvedSsoLinkedUser.Id.ToString())
+                {
+                    DisplayName = resolvedSsoLinkedUser.Email,
+                    IdentityProvider = provider,
+                    AdditionalClaims = additionalLocalClaims.ToArray()
+                }, localSignInProps);
+        }
+        else
+        {
+            // PM-24579: remove this else block with feature flag removal.
+            // Either the user already authenticated with the SSO provider, or we've just provisioned them.
+            // Either way, we have associated the SSO login with a Bitwarden user.
+            // We will now sign the Bitwarden user in.
+            if (possibleSsoLinkedUser != null)
             {
-                DisplayName = user.Email,
-                IdentityProvider = provider,
-                AdditionalClaims = additionalLocalClaims.ToArray()
-            }, localSignInProps);
+                // This allows us to collect any additional claims or properties
+                // for the specific protocols used and store them in the local auth cookie.
+                // this is typically used to store data needed for signout from those protocols.
+                var additionalLocalClaims = new List<Claim>();
+                var localSignInProps = new AuthenticationProperties
+                {
+                    IsPersistent = true,
+                    ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(1)
+                };
+                ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
+
+                // Issue authentication cookie for user
+                await HttpContext.SignInAsync(
+                    new IdentityServerUser(possibleSsoLinkedUser.Id.ToString())
+                    {
+                        DisplayName = possibleSsoLinkedUser.Email,
+                        IdentityProvider = provider,
+                        AdditionalClaims = additionalLocalClaims.ToArray()
+                    }, localSignInProps);
+            }
         }
 
         // Delete temporary cookie used during external authentication
         await HttpContext.SignOutAsync(AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
 
+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
         // Retrieve return URL
         var returnUrl = result.Properties.Items["return_url"] ?? "~/";
+#nullable restore
 
         // Check if external login is in the context of an OIDC request
         var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
@@ -309,8 +409,10 @@ public class AccountController : Controller
         return Redirect(returnUrl);
     }
 
+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
     [HttpGet]
-    public async Task<IActionResult> Logout(string logoutId)
+    public async Task<IActionResult> LogoutAsync(string logoutId)
     {
         // Build a model so the logged out page knows what to display
         var (updatedLogoutId, redirectUri, externalAuthenticationScheme) = await GetLoggedOutDataAsync(logoutId);
@@ -333,6 +435,7 @@ public class AccountController : Controller
             // This triggers a redirect to the external provider for sign-out
             return SignOut(new AuthenticationProperties { RedirectUri = url }, externalAuthenticationScheme);
         }
+
         if (redirectUri != null)
         {
             return View("Redirect", new RedirectViewModel { RedirectUrl = redirectUri });
@@ -342,14 +445,22 @@ public class AccountController : Controller
             return Redirect("~/");
         }
     }
+#nullable restore
 
     /// <summary>
     /// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`.
     /// The claims on the external identity are used to determine an `externalId`, and that is used to find the appropriate `SsoUser` and `User` records.
     /// </summary>
-    private async Task<(User user, string provider, string providerUserId, IEnumerable<Claim> claims, SsoConfigurationData config)>
-        FindUserFromExternalProviderAsync(AuthenticateResult result)
+    private async Task<(
+        User? possibleSsoUser,
+        string provider,
+        string providerUserId,
+        IEnumerable<Claim> claims,
+        SsoConfigurationData config
+    )> FindUserFromExternalProviderAsync(AuthenticateResult result)
     {
+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
         var provider = result.Properties.Items["scheme"];
         var orgId = new Guid(provider);
         var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgId);
@@ -374,9 +485,10 @@ public class AccountController : Controller
         // Ensure the NameIdentifier used is not a transient name ID, if so, we need a different attribute
         //  for the user identifier.
         static bool nameIdIsNotTransient(Claim c) => c.Type == ClaimTypes.NameIdentifier
-            && (c.Properties == null
-            || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat, out var claimFormat)
-            || claimFormat != SamlNameIdFormats.Transient);
+                                                     && (c.Properties == null
+                                                         || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat,
+                                                             out var claimFormat)
+                                                         || claimFormat != SamlNameIdFormats.Transient);
 
         // Try to determine the unique id of the external user (issued by the provider)
         // the most common claim type for that are the sub claim and the NameIdentifier
@@ -391,6 +503,7 @@ public class AccountController : Controller
                           externalUser.FindFirst("upn") ??
                           externalUser.FindFirst("eppn") ??
                           throw new Exception(_i18nService.T("UnknownUserId"));
+#nullable restore
 
         // Remove the user id claim so we don't include it as an extra claim if/when we provision the user
         var claims = externalUser.Claims.ToList();
@@ -399,13 +512,15 @@ public class AccountController : Controller
         // find external user
         var providerUserId = userIdClaim.Value;
 
-        var user = await _userRepository.GetBySsoUserAsync(providerUserId, orgId);
+        var possibleSsoUser = await _userRepository.GetBySsoUserAsync(providerUserId, orgId);
 
-        return (user, provider, providerUserId, claims, ssoConfigData);
+        return (possibleSsoUser, provider, providerUserId, claims, ssoConfigData);
     }
 
     /// <summary>
-    /// Provision an SSO-linked Bitwarden user.
+    /// This function seeks to set up the org user record or create a new user record based on the conditions
+    /// below.
+    ///
     /// This handles three different scenarios:
     /// 1. Creating an SsoUser link for an existing User and OrganizationUser
     ///     - User is a member of the organization, but hasn't authenticated with the org's SSO provider before.
@@ -418,77 +533,100 @@ public class AccountController : Controller
     /// <param name="providerUserId">The external identity provider's user identifier.</param>
     /// <param name="claims">The claims from the external IdP.</param>
     /// <param name="userIdentifier">The user identifier used for manual SSO linking.</param>
-    /// <param name="config">The SSO configuration for the organization.</param>
-    /// <returns>The User to sign in.</returns>
+    /// <param name="ssoConfigData">The SSO configuration for the organization.</param>
+    /// <returns>Guaranteed to return the user to sign in as well as the found organization and org user.</returns>
     /// <exception cref="Exception">An exception if the user cannot be provisioned as requested.</exception>
-    private async Task<User> AutoProvisionUserAsync(string provider, string providerUserId,
-        IEnumerable<Claim> claims, string userIdentifier, SsoConfigurationData config)
+    private async Task<(User resolvedUser, Organization foundOrganization, OrganizationUser foundOrgUser)> CreateUserAndOrgUserConditionallyAsync(
+            string provider,
+            string providerUserId,
+            IEnumerable<Claim> claims,
+            string userIdentifier,
+            SsoConfigurationData ssoConfigData
+        )
     {
-        var name = GetName(claims, config.GetAdditionalNameClaimTypes());
-        var email = GetEmailAddress(claims, config.GetAdditionalEmailClaimTypes());
-        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
-        {
-            email = providerUserId;
-        }
+        // Try to get the email from the claims as we don't know if we have a user record yet.
+        var name = GetName(claims, ssoConfigData.GetAdditionalNameClaimTypes());
+        var email = TryGetEmailAddress(claims, ssoConfigData, providerUserId);
 
-        if (!Guid.TryParse(provider, out var orgId))
-        {
-            // TODO: support non-org (server-wide) SSO in the future?
-            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
-        }
-
-        User existingUser = null;
+        User? possibleExistingUser;
         if (string.IsNullOrWhiteSpace(userIdentifier))
         {
             if (string.IsNullOrWhiteSpace(email))
             {
                 throw new Exception(_i18nService.T("CannotFindEmailClaim"));
             }
-            existingUser = await _userRepository.GetByEmailAsync(email);
+
+            possibleExistingUser = await _userRepository.GetByEmailAsync(email);
         }
         else
         {
-            existingUser = await GetUserFromManualLinkingData(userIdentifier);
+            possibleExistingUser = await GetUserFromManualLinkingDataAsync(userIdentifier);
         }
 
-        // Try to find the OrganizationUser if it exists.
-        var (organization, orgUser) = await FindOrganizationUser(existingUser, email, orgId);
+        // Find the org (we error if we can't find an org because no org is not valid)
+        var organization = await GetOrganizationByProviderAsync(provider);
+
+        // Try to find an org user (null org user possible and valid here)
+        var possibleOrgUser = await GetOrganizationUserByUserAndOrgIdOrEmailAsync(possibleExistingUser, organization.Id, email);
 
         //----------------------------------------------------
         // Scenario 1: We've found the user in the User table
         //----------------------------------------------------
-        if (existingUser != null)
+        if (possibleExistingUser != null)
         {
-            if (existingUser.UsesKeyConnector &&
-                (orgUser == null || orgUser.Status == OrganizationUserStatusType.Invited))
+            User guaranteedExistingUser = possibleExistingUser;
+
+            if (guaranteedExistingUser.UsesKeyConnector &&
+                (possibleOrgUser == null || possibleOrgUser.Status == OrganizationUserStatusType.Invited))
             {
                 throw new Exception(_i18nService.T("UserAlreadyExistsKeyConnector"));
             }
 
-            // If the user already exists in Bitwarden, we require that the user already be in the org,
-            // and that they are either Accepted or Confirmed.
-            if (orgUser == null)
+            OrganizationUser guaranteedOrgUser = possibleOrgUser ?? throw new Exception(_i18nService.T("UserAlreadyExistsInviteProcess"));
+
+            /*
+             * ----------------------------------------------------
+             *              Critical Code Check Here
+             *
+             * We want to ensure a user is not in the invited state
+             * explicitly. User's in the invited state should not
+             * be able to authenticate via SSO.
+             *
+             * See internal doc called "Added Context for SSO Login
+             * Flows" for further details.
+             * ----------------------------------------------------
+             */
+            if (guaranteedOrgUser.Status == OrganizationUserStatusType.Invited)
             {
-                // Org User is not created - no invite has been sent
-                throw new Exception(_i18nService.T("UserAlreadyExistsInviteProcess"));
+                // Org User is invited – must accept via email first
+                throw new Exception(
+                    _i18nService.T("AcceptInviteBeforeUsingSSO", organization.DisplayName()));
             }
 
-            EnsureOrgUserStatusAllowed(orgUser.Status, organization.DisplayName(),
-                allowedStatuses: [OrganizationUserStatusType.Accepted, OrganizationUserStatusType.Confirmed]);
-
+            // If the user already exists in Bitwarden, we require that the user already be in the org,
+            // and that they are either Accepted or Confirmed.
+            EnforceAllowedOrgUserStatus(
+                guaranteedOrgUser.Status,
+                allowedStatuses: [
+                    OrganizationUserStatusType.Accepted,
+                    OrganizationUserStatusType.Confirmed
+                ],
+                organization.DisplayName());
 
             // Since we're in the auto-provisioning logic, this means that the user exists, but they have not
             // authenticated with the org's SSO provider before now (otherwise we wouldn't be auto-provisioning them).
             // We've verified that the user is Accepted or Confnirmed, so we can create an SsoUser link and proceed
             // with authentication.
-            await CreateSsoUserRecord(providerUserId, existingUser.Id, orgId, orgUser);
-            return existingUser;
+            await CreateSsoUserRecordAsync(providerUserId, guaranteedExistingUser.Id, organization.Id, guaranteedOrgUser);
+
+            return (guaranteedExistingUser, organization, guaranteedOrgUser);
         }
 
         // Before any user creation - if Org User doesn't exist at this point - make sure there are enough seats to add one
-        if (orgUser == null && organization.Seats.HasValue)
+        if (possibleOrgUser == null && organization.Seats.HasValue)
         {
-            var occupiedSeats = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var occupiedSeats =
+                await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
             var initialSeatCount = organization.Seats.Value;
             var availableSeats = initialSeatCount - occupiedSeats.Total;
             if (availableSeats < 1)
@@ -506,8 +644,10 @@ public class AccountController : Controller
                 {
                     if (organization.Seats.Value != initialSeatCount)
                     {
-                        await _organizationService.AdjustSeatsAsync(orgId, initialSeatCount - organization.Seats.Value);
+                        await _organizationService.AdjustSeatsAsync(organization.Id,
+                            initialSeatCount - organization.Seats.Value);
                     }
+
                     _logger.LogInformation(e, "SSO auto provisioning failed");
                     throw new Exception(_i18nService.T("NoSeatsAvailable", organization.DisplayName()));
                 }
@@ -515,40 +655,62 @@ public class AccountController : Controller
         }
 
         // If the email domain is verified, we can mark the email as verified
+        if (string.IsNullOrWhiteSpace(email))
+        {
+            throw new Exception(_i18nService.T("CannotFindEmailClaim"));
+        }
+
         var emailVerified = false;
         var emailDomain = CoreHelpers.GetEmailDomain(email);
         if (!string.IsNullOrWhiteSpace(emailDomain))
         {
-            var organizationDomain = await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(orgId, emailDomain);
+            var organizationDomain =
+                await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(organization.Id, emailDomain);
             emailVerified = organizationDomain?.VerifiedDate.HasValue ?? false;
         }
 
         //--------------------------------------------------
         // Scenarios 2 and 3: We need to register a new user
         //--------------------------------------------------
-        var user = new User
+        var newUser = new User
         {
             Name = name,
             Email = email,
             EmailVerified = emailVerified,
             ApiKey = CoreHelpers.SecureRandomString(30)
         };
-        await _registerUserCommand.RegisterUser(user);
+
+        /*
+            The feature flag is checked here so that we can send the new MJML welcome email templates.
+            The other organization invites flows have an OrganizationUser allowing the RegisterUserCommand the ability
+            to fetch the Organization. The old method RegisterUser(User) here does not have that context, so we need
+            to use a new method RegisterSSOAutoProvisionedUserAsync(User, Organization) to send the correct email.
+            [PM-28057]: Prefer RegisterSSOAutoProvisionedUserAsync for SSO auto-provisioned users.
+            TODO: Remove Feature flag: PM-28221
+        */
+        if (_featureService.IsEnabled(FeatureFlagKeys.MjmlWelcomeEmailTemplates))
+        {
+            await _registerUserCommand.RegisterSSOAutoProvisionedUserAsync(newUser, organization);
+        }
+        else
+        {
+            await _registerUserCommand.RegisterUser(newUser);
+        }
 
         // If the organization has 2fa policy enabled, make sure to default jit user 2fa to email
         var twoFactorPolicy =
-            await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.TwoFactorAuthentication);
+            await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.TwoFactorAuthentication);
         if (twoFactorPolicy != null && twoFactorPolicy.Enabled)
         {
-            user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+            newUser.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
             {
                 [TwoFactorProviderType.Email] = new TwoFactorProvider
                 {
-                    MetaData = new Dictionary<string, object> { ["Email"] = user.Email.ToLowerInvariant() },
+                    MetaData = new Dictionary<string, object> { ["Email"] = newUser.Email.ToLowerInvariant() },
                     Enabled = true
                 }
             });
-            await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+            await _userService.UpdateTwoFactorProviderAsync(newUser, TwoFactorProviderType.Email);
         }
 
         //-----------------------------------------------------------------
@@ -556,17 +718,18 @@ public class AccountController : Controller
         // This means that an invitation was not sent for this user and we
         // need to establish their invited status now.
         //-----------------------------------------------------------------
-        if (orgUser == null)
+        if (possibleOrgUser == null)
         {
-            orgUser = new OrganizationUser
+            possibleOrgUser = new OrganizationUser
             {
-                OrganizationId = orgId,
-                UserId = user.Id,
+                OrganizationId = organization.Id,
+                UserId = newUser.Id,
                 Type = OrganizationUserType.User,
                 Status = OrganizationUserStatusType.Invited
             };
-            await _organizationUserRepository.CreateAsync(orgUser);
+            await _organizationUserRepository.CreateAsync(possibleOrgUser);
         }
+
         //-----------------------------------------------------------------
         // Scenario 3: There is already an existing OrganizationUser
         // That was established through an invitation. We just need to
@@ -574,24 +737,68 @@ public class AccountController : Controller
         //-----------------------------------------------------------------
         else
         {
-            orgUser.UserId = user.Id;
-            await _organizationUserRepository.ReplaceAsync(orgUser);
+            possibleOrgUser.UserId = newUser.Id;
+            await _organizationUserRepository.ReplaceAsync(possibleOrgUser);
         }
 
         // Create the SsoUser record to link the user to the SSO provider.
-        await CreateSsoUserRecord(providerUserId, user.Id, orgId, orgUser);
+        await CreateSsoUserRecordAsync(providerUserId, newUser.Id, organization.Id, possibleOrgUser);
 
-        return user;
+        return (newUser, organization, possibleOrgUser);
     }
 
-    private async Task<User> GetUserFromManualLinkingData(string userIdentifier)
+    /// <summary>
+    /// Validates an organization user is allowed to log in via SSO and blocks invalid statuses.
+    /// Lazily resolves the organization and organization user if not provided.
+    /// </summary>
+    /// <param name="organization">The target organization; if null, resolved from provider.</param>
+    /// <param name="provider">The SSO scheme provider value (organization id as a GUID string).</param>
+    /// <param name="orgUser">The organization-user record; if null, looked up by user/org or user email for invited users.</param>
+    /// <param name="user">The user attempting to sign in (existing or newly provisioned).</param>
+    /// <exception cref="Exception">Thrown if the organization cannot be resolved from provider;
+    /// the organization user cannot be found; or the organization user status is not allowed.</exception>
+    private async Task PreventOrgUserLoginIfStatusInvalidAsync(
+        Organization? organization,
+        string provider,
+        OrganizationUser? orgUser,
+        User user)
     {
-        User user = null;
+        // Lazily get organization if not already known
+        organization ??= await GetOrganizationByProviderAsync(provider);
+
+        // Lazily get the org user if not already known
+        orgUser ??= await GetOrganizationUserByUserAndOrgIdOrEmailAsync(
+            user,
+            organization.Id,
+            user.Email);
+
+        if (orgUser != null)
+        {
+            // Invited is allowed at this point because we know the user is trying to accept an org invite.
+            EnforceAllowedOrgUserStatus(
+                orgUser.Status,
+                allowedStatuses: [
+                    OrganizationUserStatusType.Invited,
+                    OrganizationUserStatusType.Accepted,
+                    OrganizationUserStatusType.Confirmed,
+                ],
+                organization.DisplayName());
+        }
+        else
+        {
+            throw new Exception(_i18nService.T("CouldNotFindOrganizationUser", user.Id, organization.Id));
+        }
+    }
+
+    private async Task<User?> GetUserFromManualLinkingDataAsync(string userIdentifier)
+    {
+        User? user = null;
         var split = userIdentifier.Split(",");
         if (split.Length < 2)
         {
             throw new Exception(_i18nService.T("InvalidUserIdentifier"));
         }
+
         var userId = split[0];
         var token = split[1];
 
@@ -611,64 +818,94 @@ public class AccountController : Controller
                 throw new Exception(_i18nService.T("UserIdAndTokenMismatch"));
             }
         }
+
         return user;
     }
 
-    private async Task<(Organization, OrganizationUser)> FindOrganizationUser(User existingUser, string email, Guid orgId)
+    /// <summary>
+    /// Tries to get the organization by the provider which is org id for us as we use the scheme
+    /// to identify organizations - not identity providers.
+    /// </summary>
+    /// <param name="provider">Org id string from SSO scheme property</param>
+    /// <exception cref="Exception">Errors if the provider string is not a valid org id guid or if the org cannot be found by the id.</exception>
+    private async Task<Organization> GetOrganizationByProviderAsync(string provider)
     {
-        OrganizationUser orgUser = null;
-        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        if (!Guid.TryParse(provider, out var organizationId))
+        {
+            // TODO: support non-org (server-wide) SSO in the future?
+            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
         if (organization == null)
         {
-            throw new Exception(_i18nService.T("CouldNotFindOrganization", orgId));
+            throw new Exception(_i18nService.T("CouldNotFindOrganization", organizationId));
         }
 
+        return organization;
+    }
+
+    /// <summary>
+    /// Attempts to get an <see cref="OrganizationUser"/> for a given organization
+    /// by first checking for an existing user relationship, and if none is found,
+    /// by looking up an invited user via their email address.
+    /// </summary>
+    /// <param name="user">The existing user entity to be looked up in OrganizationUsers table.</param>
+    /// <param name="organizationId">Organization id from the provider data.</param>
+    /// <param name="email">Email to use as a fallback in case of an invited user not in the Org Users
+    /// table yet.</param>
+    private async Task<OrganizationUser?> GetOrganizationUserByUserAndOrgIdOrEmailAsync(
+        User? user,
+        Guid organizationId,
+        string? email)
+    {
+        OrganizationUser? orgUser = null;
+
         // Try to find OrgUser via existing User Id.
         // This covers any OrganizationUser state after they have accepted an invite.
-        if (existingUser != null)
+        if (user != null)
         {
-            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(existingUser.Id);
-            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == orgId);
+            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == organizationId);
         }
 
         // If no Org User found by Existing User Id - search all the organization's users via email.
         // This covers users who are Invited but haven't accepted their invite yet.
-        orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(orgId, email);
+        if (email != null)
+        {
+            orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(organizationId, email);
+        }
 
-        return (organization, orgUser);
+        return orgUser;
     }
 
-    private void EnsureOrgUserStatusAllowed(
-        OrganizationUserStatusType status,
-        string organizationDisplayName,
-        params OrganizationUserStatusType[] allowedStatuses)
+    private void EnforceAllowedOrgUserStatus(
+        OrganizationUserStatusType statusToCheckAgainst,
+        OrganizationUserStatusType[] allowedStatuses,
+        string organizationDisplayNameForLogging)
     {
         // if this status is one of the allowed ones, just return
-        if (allowedStatuses.Contains(status))
+        if (allowedStatuses.Contains(statusToCheckAgainst))
         {
             return;
         }
 
         // otherwise throw the appropriate exception
-        switch (status)
+        switch (statusToCheckAgainst)
         {
-            case OrganizationUserStatusType.Invited:
-                // Org User is invited – must accept via email first
-                throw new Exception(
-                    _i18nService.T("AcceptInviteBeforeUsingSSO", organizationDisplayName));
             case OrganizationUserStatusType.Revoked:
                 // Revoked users may not be (auto)‑provisioned
                 throw new Exception(
-                    _i18nService.T("OrganizationUserAccessRevoked", organizationDisplayName));
+                    _i18nService.T("OrganizationUserAccessRevoked", organizationDisplayNameForLogging));
             default:
                 // anything else is “unknown”
                 throw new Exception(
-                    _i18nService.T("OrganizationUserUnknownStatus", organizationDisplayName));
+                    _i18nService.T("OrganizationUserUnknownStatus", organizationDisplayNameForLogging));
         }
     }
 
-
-    private IActionResult InvalidJson(string errorMessageKey, Exception ex = null)
+    private IActionResult InvalidJson(string errorMessageKey, Exception? ex = null)
     {
         Response.StatusCode = ex == null ? 400 : 500;
         return Json(new ErrorResponseModel(_i18nService.T(errorMessageKey))
@@ -679,13 +916,13 @@ public class AccountController : Controller
         });
     }
 
-    private string GetEmailAddress(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
+    private string? TryGetEmailAddressFromClaims(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
     {
         var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value) && c.Value.Contains("@"));
 
         var email = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
-                SamlClaimTypes.Email, "mail", "emailaddress");
+                    filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
+                        SamlClaimTypes.Email, "mail", "emailaddress");
         if (!string.IsNullOrWhiteSpace(email))
         {
             return email;
@@ -701,13 +938,15 @@ public class AccountController : Controller
         return null;
     }
 
+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
     private string GetName(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
     {
         var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value));
 
         var name = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
-                SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
+                   filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
+                       SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
         if (!string.IsNullOrWhiteSpace(name))
         {
             return name;
@@ -724,8 +963,10 @@ public class AccountController : Controller
 
         return null;
     }
+#nullable restore
 
-    private async Task CreateSsoUserRecord(string providerUserId, Guid userId, Guid orgId, OrganizationUser orgUser)
+    private async Task CreateSsoUserRecordAsync(string providerUserId, Guid userId, Guid orgId,
+        OrganizationUser orgUser)
     {
         // Delete existing SsoUser (if any) - avoids error if providerId has changed and the sso link is stale
         var existingSsoUser = await _ssoUserRepository.GetByUserIdOrganizationIdAsync(orgId, userId);
@@ -740,15 +981,12 @@ public class AccountController : Controller
             await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_FirstSsoLogin);
         }
 
-        var ssoUser = new SsoUser
-        {
-            ExternalId = providerUserId,
-            UserId = userId,
-            OrganizationId = orgId,
-        };
+        var ssoUser = new SsoUser { ExternalId = providerUserId, UserId = userId, OrganizationId = orgId, };
         await _ssoUserRepository.CreateAsync(ssoUser);
     }
 
+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
     private void ProcessLoginCallback(AuthenticateResult externalResult,
         List<Claim> localClaims, AuthenticationProperties localSignInProps)
     {
@@ -769,18 +1007,6 @@ public class AccountController : Controller
         }
     }
 
-    private async Task<string> GetProviderAsync(string returnUrl)
-    {
-        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
-        if (context?.IdP != null && await _schemeProvider.GetSchemeAsync(context.IdP) != null)
-        {
-            return context.IdP;
-        }
-        var schemes = await _schemeProvider.GetAllSchemesAsync();
-        var providers = schemes.Select(x => x.Name).ToList();
-        return providers.FirstOrDefault();
-    }
-
     private async Task<(string, string, string)> GetLoggedOutDataAsync(string logoutId)
     {
         // Get context information (client name, post logout redirect URI and iframe for federated signout)
@@ -811,10 +1037,31 @@ public class AccountController : Controller
 
         return (logoutId, logout?.PostLogoutRedirectUri, externalAuthenticationScheme);
     }
+#nullable restore
+
+    /**
+     * Tries to get a user's email from the claims and SSO configuration data or the provider user id if
+     * the claims email extraction returns null.
+     */
+    private string? TryGetEmailAddress(
+        IEnumerable<Claim> claims,
+        SsoConfigurationData config,
+        string providerUserId)
+    {
+        var email = TryGetEmailAddressFromClaims(claims, config.GetAdditionalEmailClaimTypes());
+
+        // If email isn't populated from claims and providerUserId has @, assume it is the email.
+        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
+        {
+            email = providerUserId;
+        }
+
+        return email;
+    }
 
     public bool IsNativeClient(DIM.AuthorizationRequest context)
     {
         return !context.RedirectUri.StartsWith("https", StringComparison.Ordinal)
-           && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
+               && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
     }
 }

bitwarden_license/src/Sso/Program.cs

@@ -1,5 +1,4 @@
 using Bit.Core.Utilities;
-using Serilog;
 
 namespace Bit.Sso;
 
@@ -13,19 +12,8 @@ public class Program
             .ConfigureWebHostDefaults(webBuilder =>
             {
                 webBuilder.UseStartup<Startup>();
-                webBuilder.ConfigureLogging((hostingContext, logging) =>
-                logging.AddSerilog(hostingContext, (e, globalSettings) =>
-                {
-                    var context = e.Properties["SourceContext"].ToString();
-                    if (e.Properties.TryGetValue("RequestPath", out var requestPath) &&
-                        !string.IsNullOrWhiteSpace(requestPath?.ToString()) &&
-                        (context.Contains(".Server.Kestrel") || context.Contains(".Core.IISHttpServer")))
-                    {
-                        return false;
-                    }
-                    return e.Level >= globalSettings.MinLogLevel.SsoSettings.Default;
-                }));
             })
+            .AddSerilogFileLogging()
             .Build()
             .Run();
     }

bitwarden_license/src/Sso/Startup.cs

@@ -100,8 +100,6 @@ public class Startup
             IdentityModelEventSource.ShowPII = true;
         }
 
-        app.UseSerilog(env, appLifetime, globalSettings);
-
         // Add general security headers
         app.UseMiddleware<SecurityHeadersMiddleware>();
 
@@ -157,6 +155,6 @@ public class Startup
         app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
 
         // Log startup
-        logger.LogInformation(Constants.BypassFiltersEventId, globalSettings.ProjectName + " started.");
+        logger.LogInformation(Constants.BypassFiltersEventId, "{Project} started.", globalSettings.ProjectName);
     }
 }

bitwarden_license/src/Sso/appsettings.Development.json

@@ -24,6 +24,13 @@
     "storage": {
       "connectionString": "UseDevelopmentStorage=true"
     },
-    "developmentDirectory": "../../../dev"
+    "developmentDirectory": "../../../dev",
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw",
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    }
   }
 }

bitwarden_license/src/Sso/appsettings.json

@@ -13,7 +13,11 @@
     "mail": {
       "sendGridApiKey": "SECRET",
       "amazonConfigSetName": "Email",
-      "replyToEmail": "no-reply@bitwarden.com"
+      "replyToEmail": "no-reply@bitwarden.com",
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
     },
     "identityServer": {
       "certificateThumbprint": "SECRET"

bitwarden_license/src/Sso/package-lock.json

@@ -17,9 +17,9 @@
         "css-loader": "7.1.2",
         "expose-loader": "5.0.1",
         "mini-css-extract-plugin": "2.9.2",
-        "sass": "1.91.0",
+        "sass": "1.93.2",
         "sass-loader": "16.0.5",
-        "webpack": "5.101.3",
+        "webpack": "5.102.1",
         "webpack-cli": "5.1.4"
       }
     },
@@ -678,6 +678,7 @@
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -704,6 +705,7 @@
       "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
         "fast-uri": "^3.0.1",
@@ -746,6 +748,16 @@
         "ajv": "^8.8.2"
       }
     },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.8.18",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.18.tgz",
+      "integrity": "sha512-UYmTpOBwgPScZpS4A+YbapwWuBwasxvO/2IOHArSsAhL/+ZdmATBXTex3t+l2hXwLVYK382ibr/nKoY9GKe86w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.js"
+      }
+    },
     "node_modules/bootstrap": {
       "version": "5.3.6",
       "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.3.6.tgz",
@@ -780,9 +792,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.25.4",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.25.4.tgz",
-      "integrity": "sha512-4jYpcjabC606xJ3kw2QwGEZKX0Aw7sgQdZCvIK9dhVSPh76BKo+C+btT1RRofH7B+8iNpEbgGNVWiLki5q93yg==",
+      "version": "4.26.3",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.26.3.tgz",
+      "integrity": "sha512-lAUU+02RFBuCKQPj/P6NgjlbCnLBMp4UtgTx7vNHd3XSIJF87s9a5rA3aH2yw3GS9DqZAUbOtZdCCiZeVRqt0w==",
       "dev": true,
       "funding": [
         {
@@ -799,10 +811,12 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
-        "caniuse-lite": "^1.0.30001737",
-        "electron-to-chromium": "^1.5.211",
-        "node-releases": "^2.0.19",
+        "baseline-browser-mapping": "^2.8.9",
+        "caniuse-lite": "^1.0.30001746",
+        "electron-to-chromium": "^1.5.227",
+        "node-releases": "^2.0.21",
         "update-browserslist-db": "^1.1.3"
       },
       "bin": {
@@ -820,9 +834,9 @@
       "license": "MIT"
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001741",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001741.tgz",
-      "integrity": "sha512-QGUGitqsc8ARjLdgAfxETDhRbJ0REsP6O3I96TAth/mVjh2cYzN2u+3AzPP3aVSm2FehEItaJw1xd+IGBXWeSw==",
+      "version": "1.0.30001751",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001751.tgz",
+      "integrity": "sha512-A0QJhug0Ly64Ii3eIqHu5X51ebln3k4yTUkY1j8drqpWHVreg/VLijN48cZ1bYPiqOQuqpkIKnzr/Ul8V+p6Cw==",
       "dev": true,
       "funding": [
         {
@@ -974,9 +988,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.215",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.215.tgz",
-      "integrity": "sha512-TIvGp57UpeNetj/wV/xpFNpWGb0b/ROw372lHPx5Aafx02gjTBtWnEEcaSX3W2dLM3OSdGGyHX/cHl01JQsLaQ==",
+      "version": "1.5.237",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.237.tgz",
+      "integrity": "sha512-icUt1NvfhGLar5lSWH3tHNzablaA5js3HVHacQimfP8ViEBOQv+L7DKEuHdbTZ0SKCO1ogTJTIL1Gwk9S6Qvcg==",
       "dev": true,
       "license": "ISC"
     },
@@ -1527,9 +1541,9 @@
       "optional": true
     },
     "node_modules/node-releases": {
-      "version": "2.0.20",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.20.tgz",
-      "integrity": "sha512-7gK6zSXEH6neM212JgfYFXe+GmZQM+fia5SsusuBIUgnPheLFBmIPhtFoAQRj8/7wASYQnbDlHPVwY0BefoFgA==",
+      "version": "2.0.26",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.26.tgz",
+      "integrity": "sha512-S2M9YimhSjBSvYnlr5/+umAnPHE++ODwt5e2Ij6FoX45HA/s4vHdkDx1eax2pAPeAOqu4s9b7ppahsyEFdVqQA==",
       "dev": true,
       "license": "MIT"
     },
@@ -1653,6 +1667,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -1859,11 +1874,12 @@
       "license": "MIT"
     },
     "node_modules/sass": {
-      "version": "1.91.0",
-      "resolved": "https://registry.npmjs.org/sass/-/sass-1.91.0.tgz",
-      "integrity": "sha512-aFOZHGf+ur+bp1bCHZ+u8otKGh77ZtmFyXDo4tlYvT7PWql41Kwd8wdkPqhhT+h2879IVblcHFglIMofsFd1EA==",
+      "version": "1.93.2",
+      "resolved": "https://registry.npmjs.org/sass/-/sass-1.93.2.tgz",
+      "integrity": "sha512-t+YPtOQHpGW1QWsh1CHQ5cPIr9lbbGZLZnbihP/D/qZj/yuV68m8qarcV17nvkOX81BCrvzAlq2klCQFZghyTg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "chokidar": "^4.0.0",
         "immutable": "^5.0.2",
@@ -1921,9 +1937,9 @@
       }
     },
     "node_modules/schema-utils": {
-      "version": "4.3.2",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.2.tgz",
-      "integrity": "sha512-Gn/JaSk/Mt9gYubxTtSn/QCV4em9mpAPiR1rqy/Ocu19u/G9J5WWdNoUT4SiV6mFC3y6cxyFcFwdzPM3FgxGAQ==",
+      "version": "4.3.3",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.3.tgz",
+      "integrity": "sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2060,9 +2076,9 @@
       }
     },
     "node_modules/tapable": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.3.tgz",
-      "integrity": "sha512-ZL6DDuAlRlLGghwcfmSn9sK3Hr6ArtyudlSAiCqQ6IfE+b+HHbydbYDIG15IfS5do+7XQQBdBiubF/cV2dnDzg==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
+      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2201,11 +2217,12 @@
       }
     },
     "node_modules/webpack": {
-      "version": "5.101.3",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.101.3.tgz",
-      "integrity": "sha512-7b0dTKR3Ed//AD/6kkx/o7duS8H3f1a4w3BYpIriX4BzIhjkn4teo05cptsxvLesHFKK5KObnadmCHBwGc+51A==",
+      "version": "5.102.1",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.102.1.tgz",
+      "integrity": "sha512-7h/weGm9d/ywQ6qzJ+Xy+r9n/3qgp/thalBbpOi5i223dPXKi04IBtqPN9nTd+jBc7QKfvDbaBnFipYp4sJAUQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/eslint-scope": "^3.7.7",
         "@types/estree": "^1.0.8",
@@ -2215,7 +2232,7 @@
         "@webassemblyjs/wasm-parser": "^1.14.1",
         "acorn": "^8.15.0",
         "acorn-import-phases": "^1.0.3",
-        "browserslist": "^4.24.0",
+        "browserslist": "^4.26.3",
         "chrome-trace-event": "^1.0.2",
         "enhanced-resolve": "^5.17.3",
         "es-module-lexer": "^1.2.1",
@@ -2227,10 +2244,10 @@
         "loader-runner": "^4.2.0",
         "mime-types": "^2.1.27",
         "neo-async": "^2.6.2",
-        "schema-utils": "^4.3.2",
-        "tapable": "^2.1.1",
+        "schema-utils": "^4.3.3",
+        "tapable": "^2.3.0",
         "terser-webpack-plugin": "^5.3.11",
-        "watchpack": "^2.4.1",
+        "watchpack": "^2.4.4",
         "webpack-sources": "^3.3.3"
       },
       "bin": {
@@ -2255,6 +2272,7 @@
       "integrity": "sha512-pIDJHIEI9LR0yxHXQ+Qh95k2EvXpWzZ5l+d+jIo+RdSm9MiHfzazIxwwni/p7+x4eJZuvG1AJwgC4TNQ7NRgsg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@discoveryjs/json-ext": "^0.5.0",
         "@webpack-cli/configtest": "^2.1.1",

bitwarden_license/src/Sso/package.json

@@ -16,9 +16,9 @@
     "css-loader": "7.1.2",
     "expose-loader": "5.0.1",
     "mini-css-extract-plugin": "2.9.2",
-    "sass": "1.91.0",
+    "sass": "1.93.2",
     "sass-loader": "16.0.5",
-    "webpack": "5.101.3",
+    "webpack": "5.102.1",
     "webpack-cli": "5.1.4"
   }
 }

bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs

@@ -13,7 +13,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -131,7 +131,7 @@ public class RemoveOrganizationFromProviderCommandTests
                 Arg.Is<IEnumerable<string>>(emails => emails.FirstOrDefault() == "a@example.com"));
 
         await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+            .UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -156,18 +156,22 @@ public class RemoveOrganizationFromProviderCommandTests
             "b@example.com"
         ]);
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId)
-            .Returns(GetSubscription(organization.GatewaySubscriptionId));
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
+                options => options.Expand.Contains("customer")))
+            .Returns(GetSubscription(organization.GatewaySubscriptionId, organization.GatewayCustomerId));
 
         await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        await stripeAdapter.Received(1).CustomerUpdateAsync(organization.GatewayCustomerId,
-            Arg.Is<CustomerUpdateOptions>(options =>
-                options.Coupon == string.Empty && options.Email == "a@example.com"));
+        await stripeAdapter.Received(1).UpdateCustomerAsync(organization.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options => options.Email == "a@example.com"));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);
+
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);
+
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(options =>
                 options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
                 options.DaysUntilDue == 30));
@@ -205,7 +209,7 @@ public class RemoveOrganizationFromProviderCommandTests
 
         organization.PlanType = PlanType.TeamsMonthly;
 
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);
 
@@ -224,7 +228,7 @@ public class RemoveOrganizationFromProviderCommandTests
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Description == string.Empty &&
             options.Email == organization.BillingEmail &&
             options.Expand[0] == "tax" &&
@@ -237,14 +241,14 @@ public class RemoveOrganizationFromProviderCommandTests
                 }
             });
 
-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
         {
             Id = "subscription_id"
         });
 
         await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);
 
-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
             options.Customer == organization.GatewayCustomerId &&
             options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
             options.DaysUntilDue == 30 &&
@@ -294,7 +298,7 @@ public class RemoveOrganizationFromProviderCommandTests
 
         organization.PlanType = PlanType.TeamsMonthly;
 
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);
 
@@ -313,7 +317,7 @@ public class RemoveOrganizationFromProviderCommandTests
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
             options.Description == string.Empty &&
             options.Email == organization.BillingEmail &&
             options.Expand[0] == "tax" &&
@@ -326,14 +330,14 @@ public class RemoveOrganizationFromProviderCommandTests
                 }
             });
 
-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
         {
             Id = "subscription_id"
         });
 
         await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);
 
-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
             options.Customer == organization.GatewayCustomerId &&
             options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
             options.DaysUntilDue == 30 &&
@@ -368,10 +372,21 @@ public class RemoveOrganizationFromProviderCommandTests
                 Arg.Is<IEnumerable<string>>(emails => emails.FirstOrDefault() == "a@example.com"));
     }
 
-    private static Subscription GetSubscription(string subscriptionId) =>
+    private static Subscription GetSubscription(string subscriptionId, string customerId) =>
         new()
         {
             Id = subscriptionId,
+            CustomerId = customerId,
+            Customer = new Customer
+            {
+                Discount = new Discount
+                {
+                    Coupon = new Coupon
+                    {
+                        Id = "coupon-id"
+                    }
+                }
+            },
             Status = StripeConstants.SubscriptionStatus.Active,
             Items = new StripeList<SubscriptionItem>
             {
@@ -403,7 +418,7 @@ public class RemoveOrganizationFromProviderCommandTests
         organization.PlanType = PlanType.TeamsMonthly;
         organization.Enabled = false; // Start with a disabled organization
 
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);
 
@@ -421,7 +436,7 @@ public class RemoveOrganizationFromProviderCommandTests
 
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
             .Returns(new Customer
             {
                 Id = "customer_id",
@@ -431,7 +446,7 @@ public class RemoveOrganizationFromProviderCommandTests
                 }
             });
 
-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
         {
             Id = "new_subscription_id"
         });

bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs

@@ -1,17 +1,23 @@
 using Bit.Commercial.Core.AdminConsole.Services;
 using Bit.Commercial.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -20,6 +26,7 @@ using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
@@ -99,6 +106,57 @@ public class ProviderServiceTests
             .ReplaceAsync(Arg.Is<ProviderUser>(pu => pu.UserId == user.Id && pu.ProviderId == provider.Id && pu.Key == key));
     }
 
+    [Theory, BitAutoData]
+    public async Task CompleteSetupAsync_WithAutoConfirmEnabled_ThrowsUserCannotJoinProviderError(User user, Provider provider,
+        string key,
+        TokenizedPaymentMethod tokenizedPaymentMethod, BillingAddress billingAddress,
+        [ProviderUser] ProviderUser providerUser,
+        SutProvider<ProviderService> sutProvider)
+    {
+        providerUser.ProviderId = provider.Id;
+        providerUser.UserId = user.Id;
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByIdAsync(user.Id).Returns(user);
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
+
+        var dataProtectionProvider = DataProtectionProvider.Create("ApplicationName");
+        var protector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
+        sutProvider.GetDependency<IDataProtectionProvider>().CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        var providerBillingService = sutProvider.GetDependency<IProviderBillingService>();
+
+        var customer = new Customer { Id = "customer_id" };
+        providerBillingService.SetupCustomer(provider, tokenizedPaymentMethod, billingAddress).Returns(customer);
+
+        var subscription = new Subscription { Id = "subscription_id" };
+        providerBillingService.SetupSubscription(provider).Returns(subscription);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails> { new() { OrganizationId = Guid.NewGuid(), IsProvider = false } };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        sutProvider.Create();
+
+        var token = protector.Protect(
+            $"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, tokenizedPaymentMethod,
+                billingAddress));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
     [Theory, BitAutoData]
     public async Task UpdateAsync_ProviderIdIsInvalid_Throws(Provider provider, SutProvider<ProviderService> sutProvider)
     {
@@ -578,6 +636,132 @@ public class ProviderServiceTests
         Assert.Equal(user.Id, pu.UserId);
     }
 
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledAndPolicyExists_Throws(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement([]);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+    }
+
     [Theory, BitAutoData]
     public async Task ConfirmUsersAsync_NoValid(
         [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser pu1,
@@ -624,13 +808,131 @@ public class ProviderServiceTests
         Assert.Equal("Invalid user.", result[2].Item2);
     }
 
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledAndPolicyExists_ReturnsError(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal(new UserCannotJoinProvider().Message, result[0].Item2);
+
+        // Verify user was not confirmed
+        await providerUserRepository.DidNotReceive().ReplaceAsync(Arg.Any<ProviderUser>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(new List<PolicyDetails>());
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(Arg.Any<Guid>());
+    }
+
     [Theory, BitAutoData]
     public async Task SaveUserAsync_UserIdIsInvalid_Throws(ProviderUser providerUser,
         SutProvider<ProviderService> sutProvider)
     {
-        providerUser.Id = default;
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveUserAsync(providerUser, default));
+        providerUser.Id = Guid.Empty;
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.SaveUserAsync(providerUser, Guid.Empty));
         Assert.Equal("Invite the user first.", exception.Message);
     }
 
@@ -756,7 +1058,7 @@ public class ProviderServiceTests
         await organizationRepository.Received(1)
             .ReplaceAsync(Arg.Is<Organization>(org => org.BillingEmail == provider.BillingEmail));
 
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateCustomerAsync(
             organization.GatewayCustomerId,
             Arg.Is<CustomerUpdateOptions>(options => options.Email == provider.BillingEmail));
 
@@ -811,12 +1113,12 @@ public class ProviderServiceTests
         organization.Plan = "Enterprise (Monthly)";
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));
 
         var expectedPlanType = PlanType.EnterpriseMonthly2020;
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(expectedPlanType)
-            .Returns(StaticStore.GetPlan(expectedPlanType));
+            .Returns(MockPlans.Get(expectedPlanType));
 
         var expectedPlanId = "2020-enterprise-org-seat-monthly";
 
@@ -827,9 +1129,9 @@ public class ProviderServiceTests
 
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         var subscriptionItem = GetSubscription(organization.GatewaySubscriptionId);
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId)
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId)
             .Returns(GetSubscription(organization.GatewaySubscriptionId));
-        await sutProvider.GetDependency<IStripeAdapter>().SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().UpdateSubscriptionAsync(
             organization.GatewaySubscriptionId, SubscriptionUpdateRequest(expectedPlanId, subscriptionItem));
 
         await sutProvider.Sut.AddOrganization(provider.Id, organization.Id, key);

bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Queries/GetProviderWarningsQueryTests.cs

@@ -3,7 +3,6 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -63,7 +62,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration> { Data = [] });
 
         var response = await sutProvider.Sut.Run(provider);
@@ -95,7 +94,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration> { Data = [] });
 
         var response = await sutProvider.Sut.Run(provider);
@@ -129,7 +128,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(false);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration> { Data = [] });
 
         var response = await sutProvider.Sut.Run(provider);
@@ -163,7 +162,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration> { Data = [] });
 
         var response = await sutProvider.Sut.Run(provider);
@@ -224,7 +223,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "GB" }]
@@ -257,7 +256,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -296,7 +295,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -338,7 +337,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -383,7 +382,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -428,7 +427,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -461,7 +460,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
             .Returns(new StripeList<Registration>
             {
                 Data = [
@@ -470,7 +469,7 @@ public class GetProviderWarningsQueryTests
                     new Registration { Country = "FR" }
                 ]
             });
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
             .Returns(new StripeList<Registration> { Data = [] });
 
         var response = await sutProvider.Sut.Run(provider);
@@ -505,7 +504,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "CA" }]
@@ -543,7 +542,7 @@ public class GetProviderWarningsQueryTests
             });
 
         sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
             .Returns(new StripeList<Registration>
             {
                 Data = [new Registration { Country = "US" }]

bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/BusinessUnitConverterTests.cs

@@ -18,6 +18,7 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.DataProtection;
@@ -72,7 +73,7 @@ public class BusinessUnitConverterTests
     {
         organization.PlanType = PlanType.EnterpriseAnnually2020;
 
-        var enterpriseAnnually2020 = StaticStore.GetPlan(PlanType.EnterpriseAnnually2020);
+        var enterpriseAnnually2020 = MockPlans.Get(PlanType.EnterpriseAnnually2020);
 
         var subscription = new Subscription
         {
@@ -134,7 +135,7 @@ public class BusinessUnitConverterTests
         _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually2020)
             .Returns(enterpriseAnnually2020);
 
-        var enterpriseAnnually = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
+        var enterpriseAnnually = MockPlans.Get(PlanType.EnterpriseAnnually);
 
         _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually)
             .Returns(enterpriseAnnually);
@@ -143,11 +144,11 @@ public class BusinessUnitConverterTests
 
         await businessUnitConverter.FinalizeConversion(organization, userId, token, providerKey, organizationKey);
 
-        await _stripeAdapter.Received(2).CustomerUpdateAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());
+        await _stripeAdapter.Received(2).UpdateCustomerAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());
 
         var updatedPriceId = ProviderPriceAdapter.GetActivePriceId(provider, enterpriseAnnually.Type);
 
-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
             arguments =>
                 arguments.Items.Count == 2 &&
                 arguments.Items[0].Id == "subscription_item_id" &&
@@ -242,7 +243,7 @@ public class BusinessUnitConverterTests
             argument.Status == ProviderStatusType.Pending &&
             argument.Type == ProviderType.BusinessUnit)).Returns(provider);
 
-        var plan = StaticStore.GetPlan(organization.PlanType);
+        var plan = MockPlans.Get(organization.PlanType);
 
         _pricingClient.GetPlanOrThrow(organization.PlanType).Returns(plan);
 

bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/ProviderBillingServiceTests.cs

@@ -20,9 +20,8 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Utilities;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Braintree;
@@ -85,7 +84,7 @@ public class ProviderBillingServiceTests
 
         // Assert
         await providerPlanRepository.Received(0).ReplaceAsync(Arg.Any<ProviderPlan>());
-        await stripeAdapter.Received(0).SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+        await stripeAdapter.Received(0).UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -113,7 +112,7 @@ public class ProviderBillingServiceTests
 
         // Assert
         await providerPlanRepository.Received(0).ReplaceAsync(Arg.Any<ProviderPlan>());
-        await stripeAdapter.Received(0).SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+        await stripeAdapter.Received(0).UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -140,7 +139,7 @@ public class ProviderBillingServiceTests
             .Returns(existingPlan);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(existingPlan.PlanType)
-            .Returns(StaticStore.GetPlan(existingPlan.PlanType));
+            .Returns(MockPlans.Get(existingPlan.PlanType));
 
         sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider)
             .Returns(new Subscription
@@ -155,7 +154,7 @@ public class ProviderBillingServiceTests
                             Id = "si_ent_annual",
                             Price = new Price
                             {
-                                Id = StaticStore.GetPlan(PlanType.EnterpriseAnnually).PasswordManager
+                                Id = MockPlans.Get(PlanType.EnterpriseAnnually).PasswordManager
                                     .StripeProviderPortalSeatPlanId
                             },
                             Quantity = 10
@@ -168,7 +167,7 @@ public class ProviderBillingServiceTests
             new ChangeProviderPlanCommand(provider, providerPlanId, PlanType.EnterpriseMonthly);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(command.NewPlan)
-            .Returns(StaticStore.GetPlan(command.NewPlan));
+            .Returns(MockPlans.Get(command.NewPlan));
 
         // Act
         await sutProvider.Sut.ChangePlan(command);
@@ -180,14 +179,14 @@ public class ProviderBillingServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
         await stripeAdapter.Received(1)
-            .SubscriptionUpdateAsync(
+            .UpdateSubscriptionAsync(
                 Arg.Is(provider.GatewaySubscriptionId),
                 Arg.Is<SubscriptionUpdateOptions>(p =>
                     p.Items.Count(si => si.Id == "si_ent_annual" && si.Deleted == true) == 1));
 
-        var newPlanCfg = StaticStore.GetPlan(command.NewPlan);
+        var newPlanCfg = MockPlans.Get(command.NewPlan);
         await stripeAdapter.Received(1)
-            .SubscriptionUpdateAsync(
+            .UpdateSubscriptionAsync(
                 Arg.Is(provider.GatewaySubscriptionId),
                 Arg.Is<SubscriptionUpdateOptions>(p =>
                     p.Items.Count(si =>
@@ -268,7 +267,7 @@ public class ProviderBillingServiceTests
                 CloudRegion = "US"
             });
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
                 options =>
                     options.Address.Country == providerCustomer.Address.Country &&
                     options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@@ -288,7 +287,7 @@ public class ProviderBillingServiceTests
 
         await sutProvider.Sut.CreateCustomerForClientOrganization(provider, organization);
 
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
             options =>
                 options.Address.Country == providerCustomer.Address.Country &&
                 options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@@ -349,7 +348,7 @@ public class ProviderBillingServiceTests
                 CloudRegion = "US"
             });
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
                 options =>
                     options.Address.Country == providerCustomer.Address.Country &&
                     options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@@ -370,7 +369,7 @@ public class ProviderBillingServiceTests
 
         await sutProvider.Sut.CreateCustomerForClientOrganization(provider, organization);
 
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
             options =>
                 options.Address.Country == providerCustomer.Address.Country &&
                 options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@@ -491,7 +490,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
@@ -514,7 +513,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         // 50 seats currently assigned with a seat minimum of 100
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
@@ -535,7 +534,7 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 50 assigned seats + 10 seat scale up = 60 seats, well below the 100 minimum
-        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs().SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs().UpdateSubscriptionAsync(
             Arg.Any<string>(),
             Arg.Any<SubscriptionUpdateOptions>());
 
@@ -573,7 +572,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         var providerPlan = providerPlans.First();
@@ -598,7 +597,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         // 95 seats currently assigned with a seat minimum of 100
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
@@ -619,7 +618,7 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 95 current + 10 seat scale = 105 seats, 5 above the minimum
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
             provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
@@ -661,7 +660,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         var providerPlan = providerPlans.First();
@@ -686,7 +685,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         // 110 seats currently assigned with a seat minimum of 100
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
@@ -707,7 +706,7 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 110 current + 10 seat scale up = 120 seats
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
             provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
@@ -749,7 +748,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         var providerPlan = providerPlans.First();
@@ -774,7 +773,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         // 110 seats currently assigned with a seat minimum of 100
-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
@@ -795,7 +794,7 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, -30);
 
         // 110 seats - 30 scale down seats = 80 seats, below the 100 seat minimum.
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
             provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
@@ -827,13 +826,13 @@ public class ProviderBillingServiceTests
             }
         ]);
 
-        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(StaticStore.GetPlan(planType));
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(MockPlans.Get(planType));
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
             new ProviderOrganizationOrganizationDetails
             {
-                Plan = StaticStore.GetPlan(planType).Name,
+                Plan = MockPlans.Get(planType).Name,
                 Status = OrganizationStatusType.Managed,
                 Seats = 5
             }
@@ -865,13 +864,13 @@ public class ProviderBillingServiceTests
             }
         ]);
 
-        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(StaticStore.GetPlan(planType));
+        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(planType).Returns(MockPlans.Get(planType));
 
         sutProvider.GetDependency<IProviderOrganizationRepository>().GetManyDetailsByProviderAsync(provider.Id).Returns(
         [
             new ProviderOrganizationOrganizationDetails
             {
-                Plan = StaticStore.GetPlan(planType).Name,
+                Plan = MockPlans.Get(planType).Name,
                 Status = OrganizationStatusType.Managed,
                 Seats = 15
             }
@@ -914,12 +913,12 @@ public class ProviderBillingServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.BankAccount, Token = "token" };
 
-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
             options.PaymentMethod == tokenizedPaymentMethod.Token)).Returns([
             new SetupIntent { Id = "setup_intent_id" }
         ]);
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -942,7 +941,7 @@ public class ProviderBillingServiceTests
 
         await sutProvider.GetDependency<ISetupIntentCache>().Received(1).Set(provider.Id, "setup_intent_id");
 
-        await stripeAdapter.Received(1).SetupIntentCancel("setup_intent_id", Arg.Is<SetupIntentCancelOptions>(options =>
+        await stripeAdapter.Received(1).CancelSetupIntentAsync("setup_intent_id", Arg.Is<SetupIntentCancelOptions>(options =>
             options.CancellationReason == "abandoned"));
 
         await sutProvider.GetDependency<ISetupIntentCache>().Received(1).RemoveSetupIntentForSubscriber(provider.Id);
@@ -964,7 +963,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().CreateBraintreeCustomer(provider, tokenizedPaymentMethod.Token)
             .Returns("braintree_customer_id");
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -1007,12 +1006,12 @@ public class ProviderBillingServiceTests
 
         var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.BankAccount, Token = "token" };
 
-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
             options.PaymentMethod == tokenizedPaymentMethod.Token)).Returns([
             new SetupIntent { Id = "setup_intent_id" }
         ]);
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -1058,7 +1057,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<ISubscriberService>().CreateBraintreeCustomer(provider, tokenizedPaymentMethod.Token)
             .Returns("braintree_customer_id");
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -1100,7 +1099,7 @@ public class ProviderBillingServiceTests
 
         var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -1142,7 +1141,7 @@ public class ProviderBillingServiceTests
 
         var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };
 
-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                 o.Address.Country == billingAddress.Country &&
                 o.Address.PostalCode == billingAddress.PostalCode &&
                 o.Address.Line1 == billingAddress.Line1 &&
@@ -1178,7 +1177,7 @@ public class ProviderBillingServiceTests
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };
 
-        stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>())
+        stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>())
             .Throws(new StripeException("Invalid tax ID") { StripeError = new StripeError { Code = "tax_id_invalid" } });
 
         var actual = await Assert.ThrowsAsync<BadRequestException>(async () =>
@@ -1216,7 +1215,7 @@ public class ProviderBillingServiceTests
 
         await sutProvider.GetDependency<IStripeAdapter>()
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -1238,13 +1237,13 @@ public class ProviderBillingServiceTests
             .Returns(providerPlans);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.EnterpriseMonthly)
-            .Returns(StaticStore.GetPlan(PlanType.EnterpriseMonthly));
+            .Returns(MockPlans.Get(PlanType.EnterpriseMonthly));
 
         await ThrowsBillingExceptionAsync(() => sutProvider.Sut.SetupSubscription(provider));
 
         await sutProvider.GetDependency<IStripeAdapter>()
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -1266,13 +1265,13 @@ public class ProviderBillingServiceTests
             .Returns(providerPlans);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly)
-            .Returns(StaticStore.GetPlan(PlanType.TeamsMonthly));
+            .Returns(MockPlans.Get(PlanType.TeamsMonthly));
 
         await ThrowsBillingExceptionAsync(() => sutProvider.Sut.SetupSubscription(provider));
 
         await sutProvider.GetDependency<IStripeAdapter>()
             .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -1317,13 +1316,13 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>())
             .Returns(
                 new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Incomplete });
 
@@ -1373,7 +1372,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
@@ -1381,7 +1380,7 @@ public class ProviderBillingServiceTests
 
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
                 sub.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
@@ -1449,7 +1448,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
@@ -1458,7 +1457,7 @@ public class ProviderBillingServiceTests
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
                 sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@@ -1525,7 +1524,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
@@ -1538,7 +1537,7 @@ public class ProviderBillingServiceTests
 
         sutProvider.GetDependency<ISetupIntentCache>().GetSetupIntentIdForSubscriber(provider.Id).Returns(setupIntentId);
 
-        sutProvider.GetDependency<IStripeAdapter>().SetupIntentGet(setupIntentId, Arg.Is<SetupIntentGetOptions>(options =>
+        sutProvider.GetDependency<IStripeAdapter>().GetSetupIntentAsync(setupIntentId, Arg.Is<SetupIntentGetOptions>(options =>
             options.Expand.Contains("payment_method"))).Returns(new SetupIntent
             {
                 Id = setupIntentId,
@@ -1553,7 +1552,7 @@ public class ProviderBillingServiceTests
                 }
             });
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
                 sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@@ -1626,7 +1625,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
@@ -1635,7 +1634,7 @@ public class ProviderBillingServiceTests
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
                 sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@@ -1704,7 +1703,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
@@ -1713,7 +1712,7 @@ public class ProviderBillingServiceTests
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
 
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
                 sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@@ -1772,8 +1771,8 @@ public class ProviderBillingServiceTests
         const string enterpriseLineItemId = "enterprise_line_item_id";
         const string teamsLineItemId = "teams_line_item_id";
 
-        var enterprisePriceId = StaticStore.GetPlan(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
-        var teamsPriceId = StaticStore.GetPlan(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var enterprisePriceId = MockPlans.Get(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var teamsPriceId = MockPlans.Get(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
 
         var subscription = new Subscription
         {
@@ -1806,7 +1805,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
@@ -1828,7 +1827,7 @@ public class ProviderBillingServiceTests
         await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
             providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 20 && providerPlan.PurchasedSeats == 5));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
                     options.Items.Count == 2 &&
@@ -1852,8 +1851,8 @@ public class ProviderBillingServiceTests
         const string enterpriseLineItemId = "enterprise_line_item_id";
         const string teamsLineItemId = "teams_line_item_id";
 
-        var enterprisePriceId = StaticStore.GetPlan(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
-        var teamsPriceId = StaticStore.GetPlan(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var enterprisePriceId = MockPlans.Get(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var teamsPriceId = MockPlans.Get(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
 
         var subscription = new Subscription
         {
@@ -1886,7 +1885,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
@@ -1908,7 +1907,7 @@ public class ProviderBillingServiceTests
         await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
             providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 50));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
                     options.Items.Count == 2 &&
@@ -1932,8 +1931,8 @@ public class ProviderBillingServiceTests
         const string enterpriseLineItemId = "enterprise_line_item_id";
         const string teamsLineItemId = "teams_line_item_id";
 
-        var enterprisePriceId = StaticStore.GetPlan(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
-        var teamsPriceId = StaticStore.GetPlan(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var enterprisePriceId = MockPlans.Get(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var teamsPriceId = MockPlans.Get(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
 
         var subscription = new Subscription
         {
@@ -1966,7 +1965,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
@@ -1989,7 +1988,7 @@ public class ProviderBillingServiceTests
             providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 60 && providerPlan.PurchasedSeats == 10));
 
         await stripeAdapter.DidNotReceiveWithAnyArgs()
-            .SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+            .UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
     }
 
     [Theory, BitAutoData]
@@ -2006,8 +2005,8 @@ public class ProviderBillingServiceTests
         const string enterpriseLineItemId = "enterprise_line_item_id";
         const string teamsLineItemId = "teams_line_item_id";
 
-        var enterprisePriceId = StaticStore.GetPlan(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
-        var teamsPriceId = StaticStore.GetPlan(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var enterprisePriceId = MockPlans.Get(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var teamsPriceId = MockPlans.Get(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
 
         var subscription = new Subscription
         {
@@ -2040,7 +2039,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
@@ -2062,7 +2061,7 @@ public class ProviderBillingServiceTests
         await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
             providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 80 && providerPlan.PurchasedSeats == 0));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
                     options.Items.Count == 2 &&
@@ -2086,8 +2085,8 @@ public class ProviderBillingServiceTests
         const string enterpriseLineItemId = "enterprise_line_item_id";
         const string teamsLineItemId = "teams_line_item_id";
 
-        var enterprisePriceId = StaticStore.GetPlan(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
-        var teamsPriceId = StaticStore.GetPlan(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var enterprisePriceId = MockPlans.Get(PlanType.EnterpriseMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
+        var teamsPriceId = MockPlans.Get(PlanType.TeamsMonthly).PasswordManager.StripeProviderPortalSeatPlanId;
 
         var subscription = new Subscription
         {
@@ -2120,7 +2119,7 @@ public class ProviderBillingServiceTests
         foreach (var plan in providerPlans)
         {
             sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(plan.PlanType)
-                .Returns(StaticStore.GetPlan(plan.PlanType));
+                .Returns(MockPlans.Get(plan.PlanType));
         }
 
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
@@ -2142,7 +2141,7 @@ public class ProviderBillingServiceTests
         await providerPlanRepository.DidNotReceive().ReplaceAsync(Arg.Is<ProviderPlan>(
             providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly));
 
-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
             Arg.Is<SubscriptionUpdateOptions>(
                 options =>
                     options.Items.Count == 1 &&
@@ -2151,4 +2150,151 @@ public class ProviderBillingServiceTests
     }
 
     #endregion
+
+    #region UpdateProviderNameAndEmail
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullGatewayCustomerId_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.GatewayCustomerId = null;
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_EmptyGatewayCustomerId_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.GatewayCustomerId = "";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullProviderName_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = null;
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_EmptyProviderName_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_ValidProvider_CallsStripeWithCorrectParameters(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "Test Provider";
+        provider.BillingEmail = "billing@test.com";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.Email == provider.BillingEmail &&
+                options.Description == provider.Name &&
+                options.InvoiceSettings.CustomFields.Count == 1 &&
+                options.InvoiceSettings.CustomFields[0].Name == "Provider" &&
+                options.InvoiceSettings.CustomFields[0].Value == provider.Name));
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_LongProviderName_UsesFullName(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        var longName = new string('A', 50); // 50 characters
+        provider.Name = longName;
+        provider.BillingEmail = "billing@test.com";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.InvoiceSettings.CustomFields[0].Value == longName));
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullBillingEmail_UpdatesWithNull(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "Test Provider";
+        provider.BillingEmail = null;
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.Email == null &&
+                options.Description == provider.Name));
+    }
+
+    #endregion
 }

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs

@@ -6,7 +6,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Settings;
-using Bit.Core.Utilities;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -69,7 +69,7 @@ public class MaxProjectsQueryTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
         sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));
 
         var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
 
@@ -114,7 +114,7 @@ public class MaxProjectsQueryTests
             .Returns(projects);
 
         sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));
 
         var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);
 

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Repositories/SecretVersionRepositoryTests.cs

@@ -0,0 +1,130 @@
+using Bit.Core.SecretsManager.Entities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.SecretsManager.Repositories;
+
+public class SecretVersionRepositoryTests
+{
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_EntityCreation_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.SetNewId();
+
+        // Assert
+        Assert.NotEqual(Guid.Empty, secretVersion.Id);
+        Assert.NotEqual(Guid.Empty, secretVersion.SecretId);
+        Assert.NotNull(secretVersion.Value);
+        Assert.NotEqual(default, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithServiceAccountEditor_Success(SecretVersion secretVersion, Guid serviceAccountId)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = serviceAccountId;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Equal(serviceAccountId, secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithOrganizationUserEditor_Success(SecretVersion secretVersion, Guid organizationUserId)
+    {
+        // Arrange & Act
+        secretVersion.EditorOrganizationUserId = organizationUserId;
+        secretVersion.EditorServiceAccountId = null;
+
+        // Assert
+        Assert.Equal(organizationUserId, secretVersion.EditorOrganizationUserId);
+        Assert.Null(secretVersion.EditorServiceAccountId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_NullableEditors_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = null;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Null(secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateSet_Success(SecretVersion secretVersion)
+    {
+        // Arrange
+        var versionDate = DateTime.UtcNow;
+
+        // Act
+        secretVersion.VersionDate = versionDate;
+
+        // Assert
+        Assert.Equal(versionDate, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_ValueEncrypted_Success(SecretVersion secretVersion, string encryptedValue)
+    {
+        // Arrange & Act
+        secretVersion.Value = encryptedValue;
+
+        // Assert
+        Assert.Equal(encryptedValue, secretVersion.Value);
+        Assert.NotEmpty(secretVersion.Value);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_MultipleVersions_DifferentIds(List<SecretVersion> secretVersions, Guid secretId)
+    {
+        // Arrange & Act
+        foreach (var version in secretVersions)
+        {
+            version.SecretId = secretId;
+            version.SetNewId();
+        }
+
+        // Assert
+        var distinctIds = secretVersions.Select(v => v.Id).Distinct();
+        Assert.Equal(secretVersions.Count, distinctIds.Count());
+        Assert.All(secretVersions, v => Assert.Equal(secretId, v.SecretId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateOrdering_Success(SecretVersion version1, SecretVersion version2, SecretVersion version3, Guid secretId)
+    {
+        // Arrange
+        var now = DateTime.UtcNow;
+        version1.SecretId = secretId;
+        version1.VersionDate = now.AddDays(-2);
+
+        version2.SecretId = secretId;
+        version2.VersionDate = now.AddDays(-1);
+
+        version3.SecretId = secretId;
+        version3.VersionDate = now;
+
+        var versions = new List<SecretVersion> { version2, version3, version1 };
+
+        // Act
+        var orderedVersions = versions.OrderByDescending(v => v.VersionDate).ToList();
+
+        // Assert
+        Assert.Equal(version3.Id, orderedVersions[0].Id); // Most recent
+        Assert.Equal(version2.Id, orderedVersions[1].Id);
+        Assert.Equal(version1.Id, orderedVersions[2].Id); // Oldest
+    }
+}

bitwarden_license/test/SSO.Test/SSO.Test.csproj

@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net8.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+      <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+      <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
+    </ItemGroup>
+
+    <ItemGroup>
+        <Using Include="Xunit"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\src\Sso\Sso.csproj" />
+      <ProjectReference Include="..\..\..\test\Common\Common.csproj" />
+    </ItemGroup>
+
+</Project>

bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs

@@ -200,6 +200,38 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
     }
 
+    [Fact]
+    public async Task GetList_SearchDisplayNameWithoutOptionalParameters_Success()
+    {
+        string filter = "displayName eq Test Group 2";
+        int? itemsPerPage = null;
+        int? startIndex = null;
+        var expectedResponse = new ScimListResponseModel<ScimGroupResponseModel>
+        {
+            ItemsPerPage = 50, //default value
+            TotalResults = 1,
+            StartIndex = 1, //default value
+            Resources = new List<ScimGroupResponseModel>
+            {
+                new ScimGroupResponseModel
+                {
+                    Id = ScimApplicationFactory.TestGroupId2,
+                    DisplayName = "Test Group 2",
+                    ExternalId = "B",
+                    Schemas = new List<string> { ScimConstants.Scim2SchemaGroup }
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaListResponse }
+        };
+
+        var context = await _factory.GroupsGetListAsync(ScimApplicationFactory.TestOrganizationId1, filter, itemsPerPage, startIndex);
+
+        Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimListResponseModel<ScimGroupResponseModel>>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+
     [Fact]
     public async Task Post_Success()
     {

bitwarden_license/test/Scim.IntegrationTest/appsettings.Development.json

@@ -0,0 +1,36 @@
+{
+  "globalSettings": {
+    "baseServiceUri": {
+      "vault": "https://localhost:8080",
+      "api": "http://localhost:4000",
+      "identity": "http://localhost:33656",
+      "admin": "http://localhost:62911",
+      "notifications": "http://localhost:61840",
+      "sso": "http://localhost:51822",
+      "internalNotifications": "http://localhost:61840",
+      "internalAdmin": "http://localhost:62911",
+      "internalIdentity": "http://localhost:33656",
+      "internalApi": "http://localhost:4000",
+      "internalVault": "https://localhost:8080",
+      "internalSso": "http://localhost:51822",
+      "internalScim": "http://localhost:44559"
+    },
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    },
+    "attachment": {
+      "connectionString": "UseDevelopmentStorage=true",
+      "baseUrl": "http://localhost:4000/attachments/"
+    },
+    "events": {
+      "connectionString": "UseDevelopmentStorage=true"
+    },
+    "storage": {
+      "connectionString": "UseDevelopmentStorage=true"
+    },
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
+  }
+}

bitwarden_license/test/Scim.Test/Groups/GetGroupsListQueryTests.cs

@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups;
+using Bit.Scim.Models;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@@ -24,7 +25,7 @@ public class GetGroupsListCommandTests
             .GetManyByOrganizationIdAsync(organizationId)
             .Returns(groups);
 
-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, null, count, startIndex);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Count = count, StartIndex = startIndex });
 
         AssertHelper.AssertPropertyEqual(groups.Skip(startIndex - 1).Take(count).ToList(), result.groupList);
         AssertHelper.AssertPropertyEqual(groups.Count, result.totalResults);
@@ -47,7 +48,7 @@ public class GetGroupsListCommandTests
             .GetManyByOrganizationIdAsync(organizationId)
             .Returns(groups);
 
-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });
 
         AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
         AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@@ -67,7 +68,7 @@ public class GetGroupsListCommandTests
             .GetManyByOrganizationIdAsync(organizationId)
             .Returns(groups);
 
-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });
 
         AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
         AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@@ -90,7 +91,7 @@ public class GetGroupsListCommandTests
             .GetManyByOrganizationIdAsync(organizationId)
             .Returns(groups);
 
-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });
 
         AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
         AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@@ -112,7 +113,7 @@ public class GetGroupsListCommandTests
             .GetManyByOrganizationIdAsync(organizationId)
             .Returns(groups);
 
-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });
 
         AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
         AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);

bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs

@@ -436,7 +436,7 @@ public class PatchGroupCommandTests
         await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
 
         // Assert: logging
-        sutProvider.GetDependency<ILogger<PatchGroupCommand>>().ReceivedWithAnyArgs().LogWarning(default);
+        sutProvider.GetDependency<ILogger<PatchGroupCommand>>().ReceivedWithAnyArgs().LogWarning("");
     }
 
     [Theory]

bitwarden_license/test/Scim.Test/Users/GetUsersListQueryTests.cs

@@ -1,5 +1,6 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;

bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs

@@ -1,6 +1,6 @@
 using System.Text.Json;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;

bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs

@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -36,7 +37,7 @@ public class PostUserCommandTests
 
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
 
-        sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
+        sutProvider.GetDependency<IStripePaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
 
         sutProvider.GetDependency<IOrganizationService>()
             .InviteUserAsync(organizationId,

dev/docker-compose.yml

@@ -57,7 +57,6 @@ services:
 
   mysql:
     image: mysql:8.0
-    container_name: bw-mysql
     ports:
       - "3306:3306"
     command:
@@ -88,7 +87,6 @@ services:
 
   idp:
     image: kenchan0130/simplesamlphp:1.19.8
-    container_name: idp
     ports:
       - "8090:8080"
     environment:
@@ -101,8 +99,7 @@ services:
       - idp
 
   rabbitmq:
-    image: rabbitmq:4.1.3-management
-    container_name: rabbitmq
+    image: rabbitmq:4.2.0-management
     ports:
       - "5672:5672"
       - "15672:15672"
@@ -116,7 +113,6 @@ services:
 
   reverse-proxy:
     image: nginx:alpine
-    container_name: reverse-proxy
     volumes:
       - "./reverse-proxy.conf:/etc/nginx/conf.d/default.conf"
     ports:
@@ -126,7 +122,6 @@ services:
       - proxy
 
   service-bus:
-    container_name: service-bus
     image: mcr.microsoft.com/azure-messaging/servicebus-emulator:latest
     pull_policy: always
     volumes:
@@ -142,7 +137,6 @@ services:
 
   redis:
     image: redis:alpine
-    container_name: bw-redis
     ports:
       - "6379:6379"
     volumes:

dev/generate_openapi_files.ps1

@@ -18,11 +18,11 @@ if ($LASTEXITCODE -ne 0) {
 # Api internal & public
 Set-Location "../../src/Api"
 dotnet build
-dotnet swagger tofile --output "../../api.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "internal"
+dotnet swagger tofile --output "../../api.json" "./bin/Debug/net8.0/Api.dll" "internal"
 if ($LASTEXITCODE -ne 0) {
     exit $LASTEXITCODE
 }
-dotnet swagger tofile --output "../../api.public.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "public"
+dotnet swagger tofile --output "../../api.public.json" "./bin/Debug/net8.0/Api.dll" "public"
 if ($LASTEXITCODE -ne 0) {
     exit $LASTEXITCODE
 }

dev/secrets.json.example

@@ -33,6 +33,10 @@
       "id": "<your Installation Id>",
       "key": "<your Installation Key>"
     },
+    "events": {
+      "connectionString": "",
+      "queueName": "event"
+    },
     "licenseDirectory": "<full path to license directory>",
     "enableNewDeviceVerification": true,
     "enableEmailVerification": true

dev/servicebusemulator_config.json

@@ -3,22 +3,6 @@
     "Namespaces": [
       {
         "Name": "sbemulatorns",
-        "Queues": [
-          {
-            "Name": "queue.1",
-            "Properties": {
-              "DeadLetteringOnMessageExpiration": false,
-              "DefaultMessageTimeToLive": "PT1H",
-              "DuplicateDetectionHistoryTimeWindow": "PT20S",
-              "ForwardDeadLetteredMessagesTo": "",
-              "ForwardTo": "",
-              "LockDuration": "PT1M",
-              "MaxDeliveryCount": 3,
-              "RequiresDuplicateDetection": false,
-              "RequiresSession": false
-            }
-          }
-        ],
         "Topics": [
           {
             "Name": "event-logging",
@@ -37,6 +21,9 @@
               },
               {
                 "Name": "events-datadog-subscription"
+              },
+              {
+                "Name": "events-teams-subscription"
               }
             ]
           },
@@ -98,6 +85,20 @@
                     }
                   }
                 ]
+              },
+              {
+                "Name": "integration-teams-subscription",
+                "Rules": [
+                  {
+                    "Name": "teams-integration-filter",
+                    "Properties": {
+                      "FilterType": "Correlation",
+                      "CorrelationFilter": {
+                        "Label": "teams"
+                      }
+                    }
+                  }
+                ]
               }
             ]
           }

dev/verify_migrations.ps1

@@ -0,0 +1,132 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Validates that new database migration files follow naming conventions and chronological order.
+
+.DESCRIPTION
+    This script validates migration files in util/Migrator/DbScripts/ to ensure:
+    1. New migrations follow the naming format: YYYY-MM-DD_NN_Description.sql
+    2. New migrations are chronologically ordered (filename sorts after existing migrations)
+    3. Dates use leading zeros (e.g., 2025-01-05, not 2025-1-5)
+    4. A 2-digit sequence number is included (e.g., _00, _01)
+
+.PARAMETER BaseRef
+    The base git reference to compare against (e.g., 'main', 'HEAD~1')
+
+.PARAMETER CurrentRef
+    The current git reference (defaults to 'HEAD')
+
+.EXAMPLE
+    # For pull requests - compare against main branch
+    .\verify_migrations.ps1 -BaseRef main
+
+.EXAMPLE
+    # For pushes - compare against previous commit
+    .\verify_migrations.ps1 -BaseRef HEAD~1
+#>
+
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$BaseRef,
+
+    [Parameter(Mandatory = $false)]
+    [string]$CurrentRef = "HEAD"
+)
+
+# Use invariant culture for consistent string comparison
+[System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::InvariantCulture
+
+$migrationPath = "util/Migrator/DbScripts"
+
+# Get list of migrations from base reference
+try {
+    $baseMigrations = git ls-tree -r --name-only $BaseRef -- "$migrationPath/*.sql" 2>$null | Sort-Object
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+        $baseMigrations = @()
+    }
+}
+catch {
+    Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+    $baseMigrations = @()
+}
+
+# Get list of migrations from current reference
+$currentMigrations = git ls-tree -r --name-only $CurrentRef -- "$migrationPath/*.sql" | Sort-Object
+
+# Find added migrations
+$addedMigrations = $currentMigrations | Where-Object { $_ -notin $baseMigrations }
+
+if ($addedMigrations.Count -eq 0) {
+    Write-Host "No new migration files added."
+    exit 0
+}
+
+Write-Host "New migration files detected:"
+$addedMigrations | ForEach-Object { Write-Host "  $_" }
+Write-Host ""
+
+# Get the last migration from base reference
+if ($baseMigrations.Count -eq 0) {
+    Write-Host "No previous migrations found (initial commit?). Skipping validation."
+    exit 0
+}
+
+$lastBaseMigration = Split-Path -Leaf ($baseMigrations | Select-Object -Last 1)
+Write-Host "Last migration in base reference: $lastBaseMigration"
+Write-Host ""
+
+# Required format regex: YYYY-MM-DD_NN_Description.sql
+$formatRegex = '^[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}_.+\.sql$'
+
+$validationFailed = $false
+
+foreach ($migration in $addedMigrations) {
+    $migrationName = Split-Path -Leaf $migration
+
+    # Validate NEW migration filename format
+    if ($migrationName -notmatch $formatRegex) {
+        Write-Host "ERROR: Migration '$migrationName' does not match required format"
+        Write-Host "Required format: YYYY-MM-DD_NN_Description.sql"
+        Write-Host "  - YYYY: 4-digit year"
+        Write-Host "  - MM: 2-digit month with leading zero (01-12)"
+        Write-Host "  - DD: 2-digit day with leading zero (01-31)"
+        Write-Host "  - NN: 2-digit sequence number (00, 01, 02, etc.)"
+        Write-Host "Example: 2025-01-15_00_MyMigration.sql"
+        $validationFailed = $true
+        continue
+    }
+
+    # Compare migration name with last base migration (using ordinal string comparison)
+    if ([string]::CompareOrdinal($migrationName, $lastBaseMigration) -lt 0) {
+        Write-Host "ERROR: New migration '$migrationName' is not chronologically after '$lastBaseMigration'"
+        $validationFailed = $true
+    }
+    else {
+        Write-Host "OK: '$migrationName' is chronologically after '$lastBaseMigration'"
+    }
+}
+
+Write-Host ""
+
+if ($validationFailed) {
+    Write-Host "FAILED: One or more migrations are incorrectly named or not in chronological order"
+    Write-Host ""
+    Write-Host "All new migration files must:"
+    Write-Host "  1. Follow the naming format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  2. Use leading zeros in dates (e.g., 2025-01-05, not 2025-1-5)"
+    Write-Host "  3. Include a 2-digit sequence number (e.g., _00, _01)"
+    Write-Host "  4. Have a filename that sorts after the last migration in base"
+    Write-Host ""
+    Write-Host "To fix this issue:"
+    Write-Host "  1. Locate your migration file(s) in util/Migrator/DbScripts/"
+    Write-Host "  2. Rename to follow format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  3. Ensure the date is after $lastBaseMigration"
+    Write-Host ""
+    Write-Host "Example: 2025-01-15_00_AddNewFeature.sql"
+    exit 1
+}
+
+Write-Host "SUCCESS: All new migrations are correctly named and in chronological order"
+exit 0

global.json

@@ -5,6 +5,7 @@
   },
   "msbuild-sdks": {
     "Microsoft.Build.Traversal": "4.1.0",
-    "Microsoft.Build.Sql": "1.0.0"
+    "Microsoft.Build.Sql": "1.0.0",
+    "Bitwarden.Server.Sdk": "1.2.0"
   }
 }

src/Admin/AdminConsole/Controllers/OrganizationsController.cs

@@ -14,8 +14,10 @@ using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Organizations.Services;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Models.OrganizationConnectionConfigs;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@@ -41,7 +43,7 @@ public class OrganizationsController : Controller
     private readonly ICollectionRepository _collectionRepository;
     private readonly IGroupRepository _groupRepository;
     private readonly IPolicyRepository _policyRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
     private readonly IApplicationCacheService _applicationCacheService;
     private readonly GlobalSettings _globalSettings;
     private readonly IProviderRepository _providerRepository;
@@ -56,6 +58,7 @@ public class OrganizationsController : Controller
     private readonly IOrganizationInitiateDeleteCommand _organizationInitiateDeleteCommand;
     private readonly IPricingClient _pricingClient;
     private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IOrganizationBillingService _organizationBillingService;
 
     public OrganizationsController(
         IOrganizationRepository organizationRepository,
@@ -66,7 +69,7 @@ public class OrganizationsController : Controller
         ICollectionRepository collectionRepository,
         IGroupRepository groupRepository,
         IPolicyRepository policyRepository,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
         IApplicationCacheService applicationCacheService,
         GlobalSettings globalSettings,
         IProviderRepository providerRepository,
@@ -80,7 +83,8 @@ public class OrganizationsController : Controller
         IProviderBillingService providerBillingService,
         IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand,
         IPricingClient pricingClient,
-        IResendOrganizationInviteCommand resendOrganizationInviteCommand)
+        IResendOrganizationInviteCommand resendOrganizationInviteCommand,
+        IOrganizationBillingService organizationBillingService)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -105,6 +109,7 @@ public class OrganizationsController : Controller
         _organizationInitiateDeleteCommand = organizationInitiateDeleteCommand;
         _pricingClient = pricingClient;
         _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _organizationBillingService = organizationBillingService;
     }
 
     [RequirePermission(Permission.Org_List_View)]
@@ -241,6 +246,8 @@ public class OrganizationsController : Controller
         var existingOrganizationData = new Organization
         {
             Id = organization.Id,
+            Name = organization.Name,
+            BillingEmail = organization.BillingEmail,
             Status = organization.Status,
             PlanType = organization.PlanType,
             Seats = organization.Seats
@@ -286,6 +293,22 @@ public class OrganizationsController : Controller
 
         await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);
 
+        // Sync name/email changes to Stripe
+        if (existingOrganizationData.Name != organization.Name || existingOrganizationData.BillingEmail != organization.BillingEmail)
+        {
+            try
+            {
+                await _organizationBillingService.UpdateOrganizationNameAndEmail(organization);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for organization {OrganizationId}. Database was updated successfully.",
+                    organization.Id);
+                TempData["Warning"] = "Organization updated successfully, but Stripe customer name/email synchronization failed.";
+            }
+        }
+
         return RedirectToAction("Edit", new { id });
     }
 
@@ -472,6 +495,8 @@ public class OrganizationsController : Controller
             organization.UseRiskInsights = model.UseRiskInsights;
             organization.UseOrganizationDomains = model.UseOrganizationDomains;
             organization.UseAdminSponsoredFamilies = model.UseAdminSponsoredFamilies;
+            organization.UseAutomaticUserConfirmation = model.UseAutomaticUserConfirmation;
+            organization.UsePhishingBlocker = model.UsePhishingBlocker;
 
             //secrets
             organization.SmSeats = model.SmSeats;

src/Admin/AdminConsole/Controllers/ProvidersController.cs

@@ -56,6 +56,7 @@ public class ProvidersController : Controller
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IAccessControlService _accessControlService;
     private readonly ISubscriberService _subscriberService;
+    private readonly ILogger<ProvidersController> _logger;
 
     public ProvidersController(IOrganizationRepository organizationRepository,
         IResellerClientOrganizationSignUpCommand resellerClientOrganizationSignUpCommand,
@@ -72,7 +73,8 @@ public class ProvidersController : Controller
         IPricingClient pricingClient,
         IStripeAdapter stripeAdapter,
         IAccessControlService accessControlService,
-        ISubscriberService subscriberService)
+        ISubscriberService subscriberService,
+        ILogger<ProvidersController> logger)
     {
         _organizationRepository = organizationRepository;
         _resellerClientOrganizationSignUpCommand = resellerClientOrganizationSignUpCommand;
@@ -92,6 +94,7 @@ public class ProvidersController : Controller
         _braintreeMerchantUrl = webHostEnvironment.GetBraintreeMerchantUrl();
         _braintreeMerchantId = globalSettings.Braintree.MerchantId;
         _subscriberService = subscriberService;
+        _logger = logger;
     }
 
     [RequirePermission(Permission.Provider_List_View)]
@@ -296,6 +299,9 @@ public class ProvidersController : Controller
 
         var originalProviderStatus = provider.Enabled;
 
+        // Capture original billing email before modifications for Stripe sync
+        var originalBillingEmail = provider.BillingEmail;
+
         model.ToProvider(provider);
 
         // validate the stripe ids to prevent saving a bad one
@@ -321,6 +327,22 @@ public class ProvidersController : Controller
         await _providerService.UpdateAsync(provider);
         await _applicationCacheService.UpsertProviderAbilityAsync(provider);
 
+        // Sync billing email changes to Stripe
+        if (!string.IsNullOrEmpty(provider.GatewayCustomerId) && originalBillingEmail != provider.BillingEmail)
+        {
+            try
+            {
+                await _providerBillingService.UpdateProviderNameAndEmail(provider);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for provider {ProviderId}. Database was updated successfully.",
+                    provider.Id);
+                TempData["Warning"] = "Provider updated successfully, but Stripe customer email synchronization failed.";
+            }
+        }
+
         if (!provider.IsBillable())
         {
             return RedirectToAction("Edit", new { id });
@@ -339,11 +361,11 @@ public class ProvidersController : Controller
                     ]);
                 await _providerBillingService.UpdateSeatMinimums(updateMspSeatMinimumsCommand);
 
-                var customer = await _stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId);
+                var customer = await _stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId);
                 if (model.PayByInvoice != customer.ApprovedToPayByInvoice())
                 {
                     var approvedToPayByInvoice = model.PayByInvoice ? "1" : "0";
-                    await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
+                    await _stripeAdapter.UpdateCustomerAsync(customer.Id, new CustomerUpdateOptions
                     {
                         Metadata = new Dictionary<string, string>
                         {

src/Admin/AdminConsole/Models/OrganizationEditModel.cs

@@ -106,6 +106,9 @@ public class OrganizationEditModel : OrganizationViewModel
         SmServiceAccounts = org.SmServiceAccounts;
         MaxAutoscaleSmServiceAccounts = org.MaxAutoscaleSmServiceAccounts;
         UseOrganizationDomains = org.UseOrganizationDomains;
+        UseAutomaticUserConfirmation = org.UseAutomaticUserConfirmation;
+        UsePhishingBlocker = org.UsePhishingBlocker;
+
         _plans = plans;
     }
 
@@ -158,6 +161,8 @@ public class OrganizationEditModel : OrganizationViewModel
     public new bool UseSecretsManager { get; set; }
     [Display(Name = "Risk Insights")]
     public new bool UseRiskInsights { get; set; }
+    [Display(Name = "Phishing Blocker")]
+    public new bool UsePhishingBlocker { get; set; }
     [Display(Name = "Admin Sponsored Families")]
     public bool UseAdminSponsoredFamilies { get; set; }
     [Display(Name = "Self Host")]
@@ -192,6 +197,8 @@ public class OrganizationEditModel : OrganizationViewModel
     [Display(Name = "Use Organization Domains")]
     public bool UseOrganizationDomains { get; set; }
 
+    [Display(Name = "Automatic User Confirmation")]
+    public bool UseAutomaticUserConfirmation { get; set; }
     /**
      * Creates a Plan[] object for use in Javascript
      * This is mapped manually below to provide some type safety in case the plan objects change
@@ -231,6 +238,7 @@ public class OrganizationEditModel : OrganizationViewModel
                     LegacyYear = p.LegacyYear,
                     Disabled = p.Disabled,
                     SupportsSecretsManager = p.SupportsSecretsManager,
+                    AutomaticUserConfirmation = p.AutomaticUserConfirmation,
                     PasswordManager =
                         new
                         {
@@ -322,6 +330,7 @@ public class OrganizationEditModel : OrganizationViewModel
         existingOrganization.SmServiceAccounts = SmServiceAccounts;
         existingOrganization.MaxAutoscaleSmServiceAccounts = MaxAutoscaleSmServiceAccounts;
         existingOrganization.UseOrganizationDomains = UseOrganizationDomains;
+        existingOrganization.UsePhishingBlocker = UsePhishingBlocker;
         return existingOrganization;
     }
 }

src/Admin/AdminConsole/Models/OrganizationViewModel.cs

@@ -75,6 +75,7 @@ public class OrganizationViewModel
     public int OccupiedSmSeatsCount { get; set; }
     public bool UseSecretsManager => Organization.UseSecretsManager;
     public bool UseRiskInsights => Organization.UseRiskInsights;
+    public bool UsePhishingBlocker => Organization.UsePhishingBlocker;
     public IEnumerable<OrganizationUserUserDetails> OwnersDetails { get; set; }
     public IEnumerable<OrganizationUserUserDetails> AdminsDetails { get; set; }
 }

src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml

@@ -152,11 +152,19 @@
                     <input type="checkbox" class="form-check-input" asp-for="UseCustomPermissions" disabled='@(canEditPlan ? null : "disabled")'>
                     <label class="form-check-label" asp-for="UseCustomPermissions"></label>
                 </div>
-                @if(FeatureService.IsEnabled(FeatureFlagKeys.PM17772_AdminInitiatedSponsorships))
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UseAdminSponsoredFamilies" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UseAdminSponsoredFamilies"></label>
+                </div>
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UsePhishingBlocker" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UsePhishingBlocker"></label>
+                </div>
+                @if(FeatureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
                 {
                     <div class="form-check">
-                        <input type="checkbox" class="form-check-input" asp-for="UseAdminSponsoredFamilies" disabled='@(canEditPlan ? null : "disabled")'>
-                        <label class="form-check-label" asp-for="UseAdminSponsoredFamilies"></label>
+                        <input type="checkbox" class="form-check-input" asp-for="UseAutomaticUserConfirmation" disabled='@(canEditPlan ? null : "disabled")'>
+                        <label class="form-check-label" asp-for="UseAutomaticUserConfirmation"></label>
                     </div>
                 }
             </div>

src/Admin/Billing/Controllers/MigrateProvidersController.cs

@@ -1,83 +0,0 @@
-using Bit.Admin.Billing.Models;
-using Bit.Admin.Enums;
-using Bit.Admin.Utilities;
-using Bit.Core.Billing.Providers.Migration.Models;
-using Bit.Core.Billing.Providers.Migration.Services;
-using Bit.Core.Utilities;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-
-namespace Bit.Admin.Billing.Controllers;
-
-[Authorize]
-[Route("migrate-providers")]
-[SelfHosted(NotSelfHostedOnly = true)]
-public class MigrateProvidersController(
-    IProviderMigrator providerMigrator) : Controller
-{
-    [HttpGet]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public IActionResult Index()
-    {
-        return View(new MigrateProvidersRequestModel());
-    }
-
-    [HttpPost]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    [ValidateAntiForgeryToken]
-    public async Task<IActionResult> PostAsync(MigrateProvidersRequestModel request)
-    {
-        var providerIds = GetProviderIdsFromInput(request.ProviderIds);
-
-        if (providerIds.Count == 0)
-        {
-            return RedirectToAction("Index");
-        }
-
-        foreach (var providerId in providerIds)
-        {
-            await providerMigrator.Migrate(providerId);
-        }
-
-        return RedirectToAction("Results", new { ProviderIds = string.Join("\r\n", providerIds) });
-    }
-
-    [HttpGet("results")]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public async Task<IActionResult> ResultsAsync(MigrateProvidersRequestModel request)
-    {
-        var providerIds = GetProviderIdsFromInput(request.ProviderIds);
-
-        if (providerIds.Count == 0)
-        {
-            return View(Array.Empty<ProviderMigrationResult>());
-        }
-
-        var results = await Task.WhenAll(providerIds.Select(providerMigrator.GetResult));
-
-        return View(results);
-    }
-
-    [HttpGet("results/{providerId:guid}")]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public async Task<IActionResult> DetailsAsync([FromRoute] Guid providerId)
-    {
-        var result = await providerMigrator.GetResult(providerId);
-
-        if (result == null)
-        {
-            return RedirectToAction("Index");
-        }
-
-        return View(result);
-    }
-
-    private static List<Guid> GetProviderIdsFromInput(string text) => !string.IsNullOrEmpty(text)
-        ? text.Split(
-                ["\r\n", "\r", "\n"],
-                StringSplitOptions.TrimEntries
-            )
-            .Select(id => new Guid(id))
-            .ToList()
-        : [];
-}

src/Admin/Billing/Models/MigrateProvidersRequestModel.cs

@@ -1,13 +0,0 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
-
-namespace Bit.Admin.Billing.Models;
-
-public class MigrateProvidersRequestModel
-{
-    [Required]
-    [Display(Name = "Provider IDs")]
-    public string ProviderIds { get; set; }
-}

src/Admin/Billing/Views/MigrateProviders/Details.cshtml

@@ -1,39 +0,0 @@
-@using System.Text.Json
-@model Bit.Core.Billing.Providers.Migration.Models.ProviderMigrationResult
-@{
-    ViewData["Title"] = "Results";
-}
-
-<h1>Migrate Providers</h1>
-<h2>Migration Details: @Model.ProviderName</h2>
-<dl class="row">
-    <dt class="col-sm-4 col-lg-3">Id</dt>
-    <dd class="col-sm-8 col-lg-9"><code>@Model.ProviderId</code></dd>
-
-    <dt class="col-sm-4 col-lg-3">Result</dt>
-    <dd class="col-sm-8 col-lg-9">@Model.Result</dd>
-</dl>
-<h3>Client Organizations</h3>
-<div class="table-responsive">
-    <table class="table table-striped table-hover">
-        <thead>
-        <tr>
-            <th>ID</th>
-            <th>Name</th>
-            <th>Result</th>
-            <th>Previous State</th>
-        </tr>
-        </thead>
-        <tbody>
-        @foreach (var clientResult in Model.Clients)
-        {
-            <tr>
-                <td>@clientResult.OrganizationId</td>
-                <td>@clientResult.OrganizationName</td>
-                <td>@clientResult.Result</td>
-                <td><pre>@Html.Raw(JsonSerializer.Serialize(clientResult.PreviousState))</pre></td>
-            </tr>
-        }
-        </tbody>
-    </table>
-</div>

src/Admin/Billing/Views/MigrateProviders/Index.cshtml

@@ -1,46 +0,0 @@
-@model Bit.Admin.Billing.Models.MigrateProvidersRequestModel;
-@{
-    ViewData["Title"] = "Migrate Providers";
-}
-
-<h1>Migrate Providers</h1>
-<h2>Bulk Consolidated Billing Migration Tool</h2>
-<section>
-    <p>
-        This tool allows you to provide a list of IDs for Providers that you would like to migrate to Consolidated Billing.
-        Because of the expensive nature of the operation, you can only migrate 10 Providers at a time.
-    </p>
-    <p class="alert alert-warning">
-        Updates made through this tool are irreversible without manual intervention.
-    </p>
-    <p>Example Input (Please enter each Provider ID separated by a new line):</p>
-    <div class="card">
-        <div class="card-body">
-            <pre class="mb-0">f513affc-2290-4336-879e-21ec3ecf3e78
-f7a5cb0d-4b74-445c-8d8c-232d1d32bbe2
-bf82d3cf-0e21-4f39-b81b-ef52b2fc6a3a
-174e82fc-70c3-448d-9fe7-00bad2a3ab00
-22a4bbbf-58e3-4e4c-a86a-a0d7caf4ff14</pre>
-        </div>
-    </div>
-    <form method="post" asp-controller="MigrateProviders" asp-action="Post" class="mt-2">
-        <div asp-validation-summary="All" class="text-danger"></div>
-        <div class="mb-3">
-            <label class="form-label" asp-for="ProviderIds"></label>
-            <textarea rows="10" class="form-control" type="text" asp-for="ProviderIds"></textarea>
-        </div>
-        <div class="mb-3">
-            <input type="submit" value="Run" class="btn btn-primary"/>
-        </div>
-    </form>
-    <form method="get" asp-controller="MigrateProviders" asp-action="Results" class="mt-2">
-        <div asp-validation-summary="All" class="text-danger"></div>
-        <div class="mb-3">
-            <label class="form-label" asp-for="ProviderIds"></label>
-            <textarea rows="10" class="form-control" type="text" asp-for="ProviderIds"></textarea>
-        </div>
-        <div class="mb-3">
-            <input type="submit" value="See Previous Results" class="btn btn-primary"/>
-        </div>
-    </form>
-</section>

src/Admin/Billing/Views/MigrateProviders/Results.cshtml

@@ -1,28 +0,0 @@
-@model Bit.Core.Billing.Providers.Migration.Models.ProviderMigrationResult[]
-@{
-    ViewData["Title"] = "Results";
-}
-
-<h1>Migrate Providers</h1>
-<h2>Results</h2>
-<div class="table-responsive">
-    <table class="table table-striped table-hover">
-        <thead>
-            <tr>
-                <th>ID</th>
-                <th>Name</th>
-                <th>Result</th>
-            </tr>
-        </thead>
-        <tbody>
-            @foreach (var result in Model)
-            {
-                <tr>
-                    <td><a href="@Url.Action("Details", "MigrateProviders", new { providerId = result.ProviderId })">@result.ProviderId</a></td>
-                    <td>@result.ProviderName</td>
-                    <td>@result.Result</td>
-                </tr>
-            }
-        </tbody>
-    </table>
-</div>

src/Admin/Controllers/HomeController.cs

@@ -61,7 +61,7 @@ public class HomeController : Controller
         }
         catch (HttpRequestException e)
         {
-            _logger.LogError(e, $"Error encountered while sending GET request to {requestUri}");
+            _logger.LogError(e, "Error encountered while sending GET request to {RequestUri}", requestUri);
             return new JsonResult("Unable to fetch latest version") { StatusCode = StatusCodes.Status500InternalServerError };
         }
 
@@ -83,7 +83,7 @@ public class HomeController : Controller
         }
         catch (HttpRequestException e)
         {
-            _logger.LogError(e, $"Error encountered while sending GET request to {requestUri}");
+            _logger.LogError(e, "Error encountered while sending GET request to {RequestUri}", requestUri);
             return new JsonResult("Unable to fetch installed version") { StatusCode = StatusCodes.Status500InternalServerError };
         }
 

src/Admin/Controllers/ToolsController.cs

@@ -1,7 +1,6 @@
 // FIXME: Update this file to be null safe and then delete the line below
 #nullable disable
 
-using System.Text;
 using System.Text.Json;
 using Bit.Admin.Enums;
 using Bit.Admin.Models;
@@ -9,8 +8,8 @@ using Bit.Admin.Utilities;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Organizations.Queries;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
-using Bit.Core.Models.BitStripe;
 using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -33,7 +32,6 @@ public class ToolsController : Controller
     private readonly IInstallationRepository _installationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IProviderUserRepository _providerUserRepository;
-    private readonly IPaymentService _paymentService;
     private readonly IStripeAdapter _stripeAdapter;
     private readonly IWebHostEnvironment _environment;
 
@@ -46,7 +44,6 @@ public class ToolsController : Controller
         IInstallationRepository installationRepository,
         IOrganizationUserRepository organizationUserRepository,
         IProviderUserRepository providerUserRepository,
-        IPaymentService paymentService,
         IStripeAdapter stripeAdapter,
         IWebHostEnvironment environment)
     {
@@ -58,7 +55,6 @@ public class ToolsController : Controller
         _installationRepository = installationRepository;
         _organizationUserRepository = organizationUserRepository;
         _providerUserRepository = providerUserRepository;
-        _paymentService = paymentService;
         _stripeAdapter = stripeAdapter;
         _environment = environment;
     }
@@ -341,138 +337,4 @@ public class ToolsController : Controller
             throw new Exception("No license to generate.");
         }
     }
-
-    [RequirePermission(Permission.Tools_ManageStripeSubscriptions)]
-    public async Task<IActionResult> StripeSubscriptions(StripeSubscriptionListOptions options)
-    {
-        options = options ?? new StripeSubscriptionListOptions();
-        options.Limit = 10;
-        options.Expand = new List<string>() { "data.customer", "data.latest_invoice" };
-        options.SelectAll = false;
-
-        var subscriptions = await _stripeAdapter.SubscriptionListAsync(options);
-
-        options.StartingAfter = subscriptions.LastOrDefault()?.Id;
-        options.EndingBefore = await StripeSubscriptionsGetHasPreviousPage(subscriptions, options) ?
-            subscriptions.FirstOrDefault()?.Id :
-            null;
-
-        var isProduction = _environment.IsProduction();
-        var model = new StripeSubscriptionsModel()
-        {
-            Items = subscriptions.Select(s => new StripeSubscriptionRowModel(s)).ToList(),
-            Prices = (await _stripeAdapter.PriceListAsync(new Stripe.PriceListOptions() { Limit = 100 })).Data,
-            TestClocks = isProduction ? new List<Stripe.TestHelpers.TestClock>() : await _stripeAdapter.TestClockListAsync(),
-            Filter = options
-        };
-        return View(model);
-    }
-
-    [HttpPost]
-    [RequirePermission(Permission.Tools_ManageStripeSubscriptions)]
-    public async Task<IActionResult> StripeSubscriptions([FromForm] StripeSubscriptionsModel model)
-    {
-        if (!ModelState.IsValid)
-        {
-            var isProduction = _environment.IsProduction();
-            model.Prices = (await _stripeAdapter.PriceListAsync(new Stripe.PriceListOptions() { Limit = 100 })).Data;
-            model.TestClocks = isProduction ? new List<Stripe.TestHelpers.TestClock>() : await _stripeAdapter.TestClockListAsync();
-            return View(model);
-        }
-
-        if (model.Action == StripeSubscriptionsAction.Export || model.Action == StripeSubscriptionsAction.BulkCancel)
-        {
-            var subscriptions = model.Filter.SelectAll ?
-                await _stripeAdapter.SubscriptionListAsync(model.Filter) :
-                model.Items.Where(x => x.Selected).Select(x => x.Subscription);
-
-            if (model.Action == StripeSubscriptionsAction.Export)
-            {
-                return StripeSubscriptionsExport(subscriptions);
-            }
-
-            if (model.Action == StripeSubscriptionsAction.BulkCancel)
-            {
-                await StripeSubscriptionsCancel(subscriptions);
-            }
-        }
-        else
-        {
-            if (model.Action == StripeSubscriptionsAction.PreviousPage || model.Action == StripeSubscriptionsAction.Search)
-            {
-                model.Filter.StartingAfter = null;
-            }
-
-            if (model.Action == StripeSubscriptionsAction.NextPage || model.Action == StripeSubscriptionsAction.Search)
-            {
-                if (!string.IsNullOrEmpty(model.Filter.StartingAfter))
-                {
-                    var subscription = await _stripeAdapter.SubscriptionGetAsync(model.Filter.StartingAfter);
-                    if (subscription.Status == "canceled")
-                    {
-                        model.Filter.StartingAfter = null;
-                    }
-                }
-                model.Filter.EndingBefore = null;
-            }
-        }
-
-
-        return RedirectToAction("StripeSubscriptions", model.Filter);
-    }
-
-    // This requires a redundant API call to Stripe because of the way they handle pagination.
-    // The StartingBefore value has to be inferred from the list we get, and isn't supplied by Stripe.
-    private async Task<bool> StripeSubscriptionsGetHasPreviousPage(List<Stripe.Subscription> subscriptions, StripeSubscriptionListOptions options)
-    {
-        var hasPreviousPage = false;
-        if (subscriptions.FirstOrDefault()?.Id != null)
-        {
-            var previousPageSearchOptions = new StripeSubscriptionListOptions()
-            {
-                EndingBefore = subscriptions.FirstOrDefault().Id,
-                Limit = 1,
-                Status = options.Status,
-                CurrentPeriodEndDate = options.CurrentPeriodEndDate,
-                CurrentPeriodEndRange = options.CurrentPeriodEndRange,
-                Price = options.Price
-            };
-            hasPreviousPage = (await _stripeAdapter.SubscriptionListAsync(previousPageSearchOptions)).Count > 0;
-        }
-        return hasPreviousPage;
-    }
-
-    private async Task StripeSubscriptionsCancel(IEnumerable<Stripe.Subscription> subscriptions)
-    {
-        foreach (var s in subscriptions)
-        {
-            await _stripeAdapter.SubscriptionCancelAsync(s.Id);
-            if (s.LatestInvoice?.Status == "open")
-            {
-                await _stripeAdapter.InvoiceVoidInvoiceAsync(s.LatestInvoiceId);
-            }
-        }
-    }
-
-    private FileResult StripeSubscriptionsExport(IEnumerable<Stripe.Subscription> subscriptions)
-    {
-        var fieldsToExport = subscriptions.Select(s => new
-        {
-            StripeId = s.Id,
-            CustomerEmail = s.Customer?.Email,
-            SubscriptionStatus = s.Status,
-            InvoiceDueDate = s.CurrentPeriodEnd,
-            SubscriptionProducts = s.Items?.Data.Select(p => p.Plan.Id)
-        });
-
-        var options = new JsonSerializerOptions
-        {
-            PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
-            WriteIndented = true
-        };
-
-        var result = System.Text.Json.JsonSerializer.Serialize(fieldsToExport, options);
-        var bytes = Encoding.UTF8.GetBytes(result);
-        return File(bytes, "application/json", "StripeSubscriptionsSearch.json");
-    }
 }

src/Admin/Controllers/UsersController.cs

@@ -5,6 +5,7 @@ using Bit.Admin.Models;
 using Bit.Admin.Services;
 using Bit.Admin.Utilities;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Services;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -20,7 +21,7 @@ public class UsersController : Controller
 {
     private readonly IUserRepository _userRepository;
     private readonly ICipherRepository _cipherRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
     private readonly GlobalSettings _globalSettings;
     private readonly IAccessControlService _accessControlService;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
@@ -30,7 +31,7 @@ public class UsersController : Controller
     public UsersController(
         IUserRepository userRepository,
         ICipherRepository cipherRepository,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
         GlobalSettings globalSettings,
         IAccessControlService accessControlService,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,

src/Admin/Dockerfile

@@ -1,7 +1,7 @@
 ###############################################
 #           Node.js build stage               #
 ###############################################
-FROM node:20-alpine3.21 AS node-build
+FROM --platform=$BUILDPLATFORM node:20-alpine3.21 AS node-build
 
 WORKDIR /app
 COPY src/Admin/package*.json ./

src/Admin/Enums/Permissions.cs

@@ -52,8 +52,6 @@ public enum Permission
     Tools_PromoteProviderServiceUser,
     Tools_GenerateLicenseFile,
     Tools_ManageTaxRates,
-    Tools_ManageStripeSubscriptions,
     Tools_CreateEditTransaction,
-    Tools_ProcessStripeEvents,
-    Tools_MigrateProviders
+    Tools_ProcessStripeEvents
 }

src/Admin/HostedServices/DatabaseMigrationHostedService.cs

@@ -19,7 +19,7 @@ public class DatabaseMigrationHostedService : IHostedService, IDisposable
     public virtual async Task StartAsync(CancellationToken cancellationToken)
     {
         // Wait 20 seconds to allow database to come online
-        await Task.Delay(20000);
+        await Task.Delay(20000, cancellationToken);
 
         var maxMigrationAttempts = 10;
         for (var i = 1; i <= maxMigrationAttempts; i++)
@@ -41,7 +41,7 @@ public class DatabaseMigrationHostedService : IHostedService, IDisposable
                 {
                     _logger.LogError(e,
                         "Database unavailable for migration. Trying again (attempt #{0})...", i + 1);
-                    await Task.Delay(20000);
+                    await Task.Delay(20000, cancellationToken);
                 }
             }
         }

src/Admin/Jobs/AliveJob.cs

@@ -22,7 +22,7 @@ public class AliveJob : BaseJob
     {
         _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: Keep alive");
         var response = await _httpClient.GetAsync(_globalSettings.BaseServiceUri.Admin);
-        _logger.LogInformation(Constants.BypassFiltersEventId, "Finished job task: Keep alive, " +
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Finished job task: Keep alive, {StatusCode}",
             response.StatusCode);
     }
 }

src/Admin/Models/StripeSubscriptionsModel.cs

@@ -1,45 +0,0 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
-using Bit.Core.Models.BitStripe;
-
-namespace Bit.Admin.Models;
-
-public class StripeSubscriptionRowModel
-{
-    public Stripe.Subscription Subscription { get; set; }
-    public bool Selected { get; set; }
-
-    public StripeSubscriptionRowModel() { }
-    public StripeSubscriptionRowModel(Stripe.Subscription subscription)
-    {
-        Subscription = subscription;
-    }
-}
-
-public enum StripeSubscriptionsAction
-{
-    Search,
-    PreviousPage,
-    NextPage,
-    Export,
-    BulkCancel
-}
-
-public class StripeSubscriptionsModel : IValidatableObject
-{
-    public List<StripeSubscriptionRowModel> Items { get; set; }
-    public StripeSubscriptionsAction Action { get; set; } = StripeSubscriptionsAction.Search;
-    public string Message { get; set; }
-    public List<Stripe.Price> Prices { get; set; }
-    public List<Stripe.TestHelpers.TestClock> TestClocks { get; set; }
-    public StripeSubscriptionListOptions Filter { get; set; } = new StripeSubscriptionListOptions();
-    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
-    {
-        if (Action == StripeSubscriptionsAction.BulkCancel && Filter.Status != "unpaid")
-        {
-            yield return new ValidationResult("Bulk cancel is currently only supported for unpaid subscriptions");
-        }
-    }
-}

src/Admin/Program.cs

@@ -16,19 +16,8 @@ public class Program
                     o.Limits.MaxRequestLineSize = 20_000;
                 });
                 webBuilder.UseStartup<Startup>();
-                webBuilder.ConfigureLogging((hostingContext, logging) =>
-                logging.AddSerilog(hostingContext, (e, globalSettings) =>
-                {
-                    var context = e.Properties["SourceContext"].ToString();
-                    if (e.Properties.TryGetValue("RequestPath", out var requestPath) &&
-                        !string.IsNullOrWhiteSpace(requestPath?.ToString()) &&
-                        (context.Contains(".Server.Kestrel") || context.Contains(".Core.IISHttpServer")))
-                    {
-                        return false;
-                    }
-                    return e.Level >= globalSettings.MinLogLevel.AdminSettings.Default;
-                }));
             })
+            .AddSerilogFileLogging()
             .Build()
             .Run();
     }

src/Admin/Startup.cs

@@ -10,7 +10,6 @@ using Microsoft.AspNetCore.Mvc.Razor;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Bit.Admin.Services;
 using Bit.Core.Billing.Extensions;
-using Bit.Core.Billing.Providers.Migration;
 
 #if !OSS
 using Bit.Commercial.Core.Utilities;
@@ -92,7 +91,6 @@ public class Startup
         services.AddDistributedCache(globalSettings);
         services.AddBillingOperations();
         services.AddHttpClient();
-        services.AddProviderMigration();
 
 #if OSS
         services.AddOosServices();
@@ -134,11 +132,8 @@ public class Startup
     public void Configure(
         IApplicationBuilder app,
         IWebHostEnvironment env,
-        IHostApplicationLifetime appLifetime,
         GlobalSettings globalSettings)
     {
-        app.UseSerilog(env, appLifetime, globalSettings);
-
         // Add general security headers
         app.UseMiddleware<SecurityHeadersMiddleware>();
 

src/Admin/Utilities/RolePermissionMapping.cs

@@ -52,8 +52,7 @@ public static class RolePermissionMapping
                 Permission.Tools_PromoteAdmin,
                 Permission.Tools_PromoteProviderServiceUser,
                 Permission.Tools_GenerateLicenseFile,
-                Permission.Tools_ManageTaxRates,
-                Permission.Tools_ManageStripeSubscriptions
+                Permission.Tools_ManageTaxRates
             }
         },
         { "admin", new List<Permission>
@@ -105,7 +104,6 @@ public static class RolePermissionMapping
                 Permission.Tools_PromoteProviderServiceUser,
                 Permission.Tools_GenerateLicenseFile,
                 Permission.Tools_ManageTaxRates,
-                Permission.Tools_ManageStripeSubscriptions,
                 Permission.Tools_CreateEditTransaction
             }
         },
@@ -180,10 +178,8 @@ public static class RolePermissionMapping
                 Permission.Tools_ChargeBrainTreeCustomer,
                 Permission.Tools_GenerateLicenseFile,
                 Permission.Tools_ManageTaxRates,
-                Permission.Tools_ManageStripeSubscriptions,
                 Permission.Tools_CreateEditTransaction,
-                Permission.Tools_ProcessStripeEvents,
-                Permission.Tools_MigrateProviders
+                Permission.Tools_ProcessStripeEvents
             }
         },
         { "sales", new List<Permission>

src/Admin/Views/Shared/_Layout.cshtml

@@ -13,12 +13,10 @@
     var canPromoteAdmin = AccessControlService.UserHasPermission(Permission.Tools_PromoteAdmin);
     var canPromoteProviderServiceUser = AccessControlService.UserHasPermission(Permission.Tools_PromoteProviderServiceUser);
     var canGenerateLicense = AccessControlService.UserHasPermission(Permission.Tools_GenerateLicenseFile);
-    var canManageStripeSubscriptions = AccessControlService.UserHasPermission(Permission.Tools_ManageStripeSubscriptions);
     var canProcessStripeEvents = AccessControlService.UserHasPermission(Permission.Tools_ProcessStripeEvents);
-    var canMigrateProviders = AccessControlService.UserHasPermission(Permission.Tools_MigrateProviders);
 
     var canViewTools = canChargeBraintree || canCreateTransaction || canPromoteAdmin || canPromoteProviderServiceUser ||
-                        canGenerateLicense || canManageStripeSubscriptions;
+                        canGenerateLicense;
 }
 
 <!DOCTYPE html>
@@ -102,12 +100,6 @@
                                             <a class="dropdown-item" asp-controller="Tools" asp-action="GenerateLicense">
                                                 Generate License
                                             </a>
-                                        }
-                                        @if (canManageStripeSubscriptions)
-                                        {
-                                            <a class="dropdown-item" asp-controller="Tools" asp-action="StripeSubscriptions">
-                                                Manage Stripe Subscriptions
-                                            </a>
                                         }
                                          @if (canProcessStripeEvents)
                                         {
@@ -115,12 +107,6 @@
                                                 Process Stripe Events
                                             </a>
                                         }
-                                        @if (canMigrateProviders)
-                                        {
-                                            <a class="dropdown-item" asp-controller="MigrateProviders" asp-action="index">
-                                                Migrate Providers
-                                            </a>
-                                        }
                                     </ul>
                                 </li>
                             }

src/Admin/Views/Tools/StripeSubscriptions.cshtml

@@ -1,277 +0,0 @@
-@model StripeSubscriptionsModel
-@{
-    ViewData["Title"] = "Stripe Subscriptions";
-}
-
-@section Scripts {
-    <script>
-        function onRowSelect(selectingPage = false) {
-            let checkboxes = document.getElementsByClassName('row-check');
-            let checkedCheckboxCount = 0;
-            let bulkActions = document.getElementById('bulkActions');
-
-            let selectPage = document.getElementById('selectPage');
-            for(let i = 0; i < checkboxes.length; i++){
-                if((checkboxes[i].checked && !selectingPage) || selectingPage && selectPage.checked) {
-                    checkboxes[i].checked = true;
-                    checkedCheckboxCount += 1;
-                } else {
-                    checkboxes[i].checked = false;
-                }
-            }
-
-            if(checkedCheckboxCount > 0) {
-                bulkActions.classList.remove("d-none");
-            } else {
-                bulkActions.classList.add("d-none");
-            }
-
-            let selectAll = document.getElementById('selectAll');
-            if (checkedCheckboxCount === checkboxes.length) {
-                selectPage.checked = true;
-                selectAll.classList.remove("d-none");
-
-                let selectAllElement = document.getElementById('selectAllElement');
-                selectAllElement.classList.remove('d-none');
-
-                let selectedAllConfirmation = document.getElementById('selectedAllConfirmation');
-                selectedAllConfirmation.classList.add('d-none');
-            } else {
-                selectPage.checked = false;
-                selectAll.classList.add("d-none");
-                let selectAllInput = document.getElementById('selectAllInput');
-                selectAllInput.checked = false;
-            }
-        }
-
-        function onSelectAll() {
-            let selectAllInput = document.getElementById('selectAllInput');
-            selectAllInput.checked = true;
-
-            let selectAllElement = document.getElementById('selectAllElement');
-            selectAllElement.classList.add('d-none');
-
-            let selectedAllConfirmation = document.getElementById('selectedAllConfirmation');
-            selectedAllConfirmation.classList.remove('d-none');
-        }
-
-        function exportSelectedSubscriptions() {
-            let selectAll = document.getElementById('selectAll');
-            let httpRequest = new XMLHttpRequest();
-            httpRequest.open("POST");
-            httpRequest.send();
-        }
-
-        function cancelSelectedSubscriptions() {
-
-        }
-    </script>
-}
-
-<h2>Manage Stripe Subscriptions</h2>
-@if (!string.IsNullOrWhiteSpace(Model.Message))
-{
-    <div class="alert alert-success"></div>
-}
-<form method="post">
-    <div asp-validation-summary="All" class="alert alert-danger"></div>
-    <div class="row g-3">
-        <div class="col-md-6">
-            <label class="form-label" asp-for="Filter.Status">Status</label>
-            <select asp-for="Filter.Status" name="filter.Status" class="form-select">
-                <option asp-selected="Model.Filter.Status == null" value="all">All</option>
-                <option asp-selected='Model.Filter.Status == "active"' value="active">Active</option>
-                <option asp-selected='Model.Filter.Status == "unpaid"' value="unpaid">Unpaid</option>
-            </select>
-        </div>
-        <div class="col-md-6">
-            <label class="form-label" asp-for="Filter.CurrentPeriodEnd">Current Period End</label>
-            <div class="input-group">
-                <div class="input-group-text">
-                    <div class="form-check form-check-inline mb-0">
-                        <input type="radio" class="form-check-input" asp-for="Filter.CurrentPeriodEndRange" value="lt" id="beforeRadio">
-                        <label class="form-check-label me-2" for="beforeRadio">Before</label>
-                    </div>
-                    <div class="form-check form-check-inline mb-0">
-                        <input type="radio" class="form-check-input" asp-for="Filter.CurrentPeriodEndRange" value="gt" id="afterRadio">
-                        <label class="form-check-label" for="afterRadio">After</label>
-                    </div>
-                </div>
-                @{
-                    var date = @Model.Filter.CurrentPeriodEndDate.HasValue ? @Model.Filter.CurrentPeriodEndDate.Value.ToString("yyyy-MM-dd") : string.Empty;
-                }
-                <input type="date" class="form-control" asp-for="Filter.CurrentPeriodEndDate" name="filter.CurrentPeriodEndDate" value="@date">
-            </div>
-        </div>
-        <div class="col-md-6">
-            <label class="form-label" asp-for="Filter.Price">Price ID</label>
-            <select asp-for="Filter.Price" name="filter.Price" class="form-select">
-                <option asp-selected="Model.Filter.Price == null" value="@null">All</option>
-                @foreach (var price in Model.Prices)
-                {
-                    <option asp-selected='@(Model.Filter.Price == price.Id)' value="@price.Id">@price.Id</option>
-                }
-            </select>
-        </div>
-        <div class="col-md-6">
-            <label class="form-label" asp-for="Filter.TestClock">Test Clock</label>
-            <select asp-for="Filter.TestClock" name="filter.TestClock" class="form-select">
-                <option asp-selected="Model.Filter.TestClock == null" value="@null">All</option>
-                @foreach (var clock in Model.TestClocks)
-                {
-                    <option asp-selected='@(Model.Filter.TestClock == clock.Id)' value="@clock.Id">@clock.Name</option>
-                }
-            </select>
-        </div>
-        <div class="col-12 text-end">
-            <button type="submit" class="btn btn-primary" title="Search" name="action" asp-for="Action" value="@StripeSubscriptionsAction.Search">
-                <i class="fa fa-search"></i> Search
-            </button>
-        </div>
-    </div>
-    <hr/>
-    <input type="checkbox" class="d-none" name="filter.SelectAll" id="selectAllInput" asp-for="@Model.Filter.SelectAll">
-    <div class="text-center row d-flex justify-content-center">
-        <div id="selectAll" class="d-none col-8">
-            All @Model.Items.Count subscriptions on this page are selected.<br/>
-            <button type="button" id="selectAllElement" class="btn btn-link p-0 pb-1" onclick="onSelectAll()">Click here to select all subscriptions for this search.</button>
-            <span id="selectedAllConfirmation" class="d-none text-body-secondary">
-                <i class="fa fa-check"></i> All subscriptions for this search are selected.
-            </span>
-            <div class="alert alert-warning mt-2" role="alert">
-                Please be aware that bulk operations may take several minutes to complete.
-            </div>
-        </div>
-    </div>
-    <div class="table-responsive">
-        <table class="table table-striped table-hover align-middle">
-            <thead>
-            <tr>
-                <th>
-                    <div class="form-check">
-                        <input id="selectPage" class="form-check-input" type="checkbox" onchange="onRowSelect(true)">
-                    </div>
-                </th>
-                <th>Id</th>
-                <th>Customer Email</th>
-                <th>Status</th>
-                <th>Product Tier</th>
-                <th>Current Period End</th>
-            </tr>
-            </thead>
-            <tbody>
-            @if (!Model.Items.Any())
-            {
-                <tr>
-                    <td colspan="6">No results to list.</td>
-                </tr>
-            }
-            else
-            {
-                @for (var i = 0; i < Model.Items.Count; i++)
-                {
-                    <tr>
-                        <td>
-
-                            @{
-                                var i0 = i;
-                            }
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.Id" value="@Model.Items[i].Subscription.Id">
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.Status" value="@Model.Items[i].Subscription.Status">
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.CurrentPeriodEnd" value="@Model.Items[i].Subscription.CurrentPeriodEnd">
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.Customer.Email" value="@Model.Items[i].Subscription.Customer.Email">
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.LatestInvoice.Status" value="@Model.Items[i].Subscription.LatestInvoice.Status">
-                            <input type="hidden" asp-for="@Model.Items[i0].Subscription.LatestInvoice.Id" value="@Model.Items[i].Subscription.LatestInvoice.Id">
-
-                            @for (var j = 0; j < Model.Items[i].Subscription.Items.Data.Count; j++)
-                            {
-                                var i1 = i;
-                                var j1 = j;
-                                <input
-                                    type="hidden"
-                                    asp-for="@Model.Items[i1].Subscription.Items.Data[j1].Plan.Id"
-                                    value="@Model.Items[i].Subscription.Items.Data[j].Plan.Id">
-                            }
-                            <div class="form-check">
-
-                                @{
-                                    var i2 = i;
-                                }
-                                <input class="form-check-input row-check mt-0" onchange="onRowSelect()" asp-for="@Model.Items[i2].Selected">
-                            </div>
-                        </td>
-                        <td>
-                            @Model.Items[i].Subscription.Id
-                        </td>
-                        <td>
-                            @Model.Items[i].Subscription.Customer?.Email
-                        </td>
-                        <td>
-                            @Model.Items[i].Subscription.Status
-                        </td>
-                        <td>
-                            @string.Join(",", Model.Items[i].Subscription.Items.Data.Select(product => product.Plan.Id).ToArray())
-                        </td>
-                        <td>
-                            @Model.Items[i].Subscription.CurrentPeriodEnd.ToShortDateString()
-                        </td>
-                    </tr>
-                }
-            }
-            </tbody>
-        </table>
-    </div>
-    <nav class="d-inline-flex align-items-center">
-        <ul class="pagination mb-0">
-            @if (!string.IsNullOrWhiteSpace(Model.Filter.EndingBefore))
-            {
-                <input type="hidden" asp-for="@Model.Filter.EndingBefore" value="@Model.Filter.EndingBefore">
-                <li class="page-item">
-                    <button
-                        type="submit"
-                        class="page-link"
-                        name="action"
-                        asp-for="Action"
-                        value="@StripeSubscriptionsAction.PreviousPage">
-                        Previous
-                    </button>
-                </li>
-            }
-            else
-            {
-                <li class="page-item disabled">
-                    <a class="page-link" href="#" tabindex="-1">Previous</a>
-                </li>
-            }
-            @if (!string.IsNullOrWhiteSpace(Model.Filter.StartingAfter))
-            {
-                <input type="hidden" asp-for="@Model.Filter.StartingAfter" value="@Model.Filter.StartingAfter">
-                <li class="page-item">
-                    <button class="page-link"
-                            type="submit"
-                            name="action"
-                            asp-for="Action"
-                            value="@StripeSubscriptionsAction.NextPage">
-                        Next
-                    </button>
-                </li>
-            }
-            else
-            {
-                <li class="page-item disabled">
-                    <a class="page-link" href="#" tabindex="-1">Next</a>
-                </li>
-            }
-        </ul>
-        <span id="bulkActions" class="d-none ms-3">
-            <span class="d-inline-flex gap-2">
-                <button type="submit" class="btn btn-primary" name="action" asp-for="Action" value="@StripeSubscriptionsAction.Export">
-                    Export
-                </button>
-                <button type="submit" class="btn btn-danger" name="action" asp-for="Action" value="@StripeSubscriptionsAction.BulkCancel">
-                    Bulk Cancel
-                </button>
-            </span>
-        </span>
-    </nav>
-</form>

src/Admin/appsettings.Development.json

@@ -27,6 +27,7 @@
     },
     "storage": {
       "connectionString": "UseDevelopmentStorage=true"
-    }
+    },
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
   }
 }