@bitwarden/cli 2023.8.2 → 2023.9.1

package/build/bw.js

@@ -20,7 +20,7 @@ module.exports = require("url");
 /***/ 147:
 /***/ ((module) => {
 
-module.exports = JSON.parse('{"name":"@bitwarden/cli","description":"A secure and free password manager for all of your devices.","version":"2023.8.2","keywords":["bitwarden","password","vault","password manager","cli"],"author":"Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)","homepage":"https://bitwarden.com","repository":{"type":"git","url":"https://github.com/bitwarden/clients"},"license":"GPL-3.0-only","scripts":{"clean":"rimraf dist","build":"webpack","build:debug":"npm run build && node --inspect ./build/bw.js","build:watch":"webpack --watch","build:prod":"cross-env NODE_ENV=production webpack","build:prod:watch":"cross-env NODE_ENV=production webpack --watch","package":"npm run package:win && npm run package:mac && npm run package:lin","package:win":"pkg . --targets win-x64 --output ./dist/windows/bw.exe","package:mac":"pkg . --targets macos-x64 --output ./dist/macos/bw","package:lin":"pkg . --targets linux-x64 --output ./dist/linux/bw","debug":"node --inspect ./build/bw.js","dist":"npm run build:prod && npm run clean && npm run package","dist:win":"npm run build:prod && npm run clean && npm run package:win","dist:mac":"npm run build:prod && npm run clean && npm run package:mac","dist:lin":"npm run build:prod && npm run clean && npm run package:lin","publish:npm":"npm run build:prod && npm publish --access public","test":"jest","test:watch":"jest --watch","test:watch:all":"jest --watchAll"},"bin":{"bw":"build/bw.js"},"pkg":{"assets":["./build/**/*","../../node_modules/argon2/**/*"]},"dependencies":{"@koa/multer":"3.0.2","@koa/router":"12.0.0","argon2":"0.30.3","big-integer":"1.6.51","browser-hrtime":"1.1.8","chalk":"4.1.2","commander":"7.2.0","form-data":"4.0.0","https-proxy-agent":"5.0.1","inquirer":"8.2.5","jsdom":"22.1.0","jszip":"3.10.1","koa":"2.14.2","koa-bodyparser":"4.4.0","koa-json":"2.0.2","lowdb":"1.0.0","lunr":"2.3.9","multer":"1.4.5-lts.1","node-fetch":"2.6.11","node-forge":"1.3.1","open":"8.4.2","papaparse":"5.4.1","proper-lockfile":"4.1.2","rxjs":"7.8.1","tldts":"6.0.5","zxcvbn":"4.4.2"}}');
+module.exports = JSON.parse('{"name":"@bitwarden/cli","description":"A secure and free password manager for all of your devices.","version":"2023.9.1","keywords":["bitwarden","password","vault","password manager","cli"],"author":"Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)","homepage":"https://bitwarden.com","repository":{"type":"git","url":"https://github.com/bitwarden/clients"},"license":"GPL-3.0-only","scripts":{"clean":"rimraf dist","build":"webpack","build:debug":"npm run build && node --inspect ./build/bw.js","build:watch":"webpack --watch","build:prod":"cross-env NODE_ENV=production webpack","build:prod:watch":"cross-env NODE_ENV=production webpack --watch","package":"npm run package:win && npm run package:mac && npm run package:lin","package:win":"pkg . --targets win-x64 --output ./dist/windows/bw.exe","package:mac":"pkg . --targets macos-x64 --output ./dist/macos/bw","package:lin":"pkg . --targets linux-x64 --output ./dist/linux/bw","debug":"node --inspect ./build/bw.js","dist":"npm run build:prod && npm run clean && npm run package","dist:win":"npm run build:prod && npm run clean && npm run package:win","dist:mac":"npm run build:prod && npm run clean && npm run package:mac","dist:lin":"npm run build:prod && npm run clean && npm run package:lin","publish:npm":"npm run build:prod && npm publish --access public","test":"jest","test:watch":"jest --watch","test:watch:all":"jest --watchAll"},"bin":{"bw":"build/bw.js"},"pkg":{"assets":["./build/**/*","../../node_modules/argon2/**/*"]},"dependencies":{"@koa/multer":"3.0.2","@koa/router":"12.0.0","argon2":"0.31.0","big-integer":"1.6.51","browser-hrtime":"1.1.8","chalk":"4.1.2","commander":"7.2.0","form-data":"4.0.0","https-proxy-agent":"5.0.1","inquirer":"8.2.6","jsdom":"22.1.0","jszip":"3.10.1","koa":"2.14.2","koa-bodyparser":"4.4.1","koa-json":"2.0.2","lowdb":"1.0.0","lunr":"2.3.9","multer":"1.4.5-lts.1","node-fetch":"2.6.12","node-forge":"1.3.1","open":"8.4.2","papaparse":"5.4.1","proper-lockfile":"4.1.2","rxjs":"7.8.1","tldts":"6.0.14","zxcvbn":"4.4.2"}}');
 
 /***/ })
 
@@ -1462,6 +1462,7 @@ utils_Utils.global = null;
 // Transpiled version of /\p{Emoji_Presentation}/gu using https://mothereff.in/regexpu. Used for compatability in older browsers.
 utils_Utils.regexpEmojiPresentation = /(?:[\u231A\u231B\u23E9-\u23EC\u23F0\u23F3\u25FD\u25FE\u2614\u2615\u2648-\u2653\u267F\u2693\u26A1\u26AA\u26AB\u26BD\u26BE\u26C4\u26C5\u26CE\u26D4\u26EA\u26F2\u26F3\u26F5\u26FA\u26FD\u2705\u270A\u270B\u2728\u274C\u274E\u2753-\u2755\u2757\u2795-\u2797\u27B0\u27BF\u2B1B\u2B1C\u2B50\u2B55]|\uD83C[\uDC04\uDCCF\uDD8E\uDD91-\uDD9A\uDDE6-\uDDFF\uDE01\uDE1A\uDE2F\uDE32-\uDE36\uDE38-\uDE3A\uDE50\uDE51\uDF00-\uDF20\uDF2D-\uDF35\uDF37-\uDF7C\uDF7E-\uDF93\uDFA0-\uDFCA\uDFCF-\uDFD3\uDFE0-\uDFF0\uDFF4\uDFF8-\uDFFF]|\uD83D[\uDC00-\uDC3E\uDC40\uDC42-\uDCFC\uDCFF-\uDD3D\uDD4B-\uDD4E\uDD50-\uDD67\uDD7A\uDD95\uDD96\uDDA4\uDDFB-\uDE4F\uDE80-\uDEC5\uDECC\uDED0-\uDED2\uDED5-\uDED7\uDEEB\uDEEC\uDEF4-\uDEFC\uDFE0-\uDFEB]|\uD83E[\uDD0C-\uDD3A\uDD3C-\uDD45\uDD47-\uDD78\uDD7A-\uDDCB\uDDCD-\uDDFF\uDE70-\uDE74\uDE78-\uDE7A\uDE80-\uDE86\uDE90-\uDEA8\uDEB0-\uDEB6\uDEC0-\uDEC2\uDED0-\uDED6])/g;
 utils_Utils.validHosts = ["localhost"];
+utils_Utils.originalMinimumPasswordLength = 8;
 utils_Utils.minimumPasswordLength = 12;
 utils_Utils.DomainMatchBlacklist = new Map([
     ["google.com", new Set(["script.google.com"])],
@@ -1472,7 +1473,7 @@ utils_Utils.init();
 
 
 function canAccessVaultTab(org) {
-    return org.canViewAssignedCollections || org.canViewAllCollections || org.canManageGroups;
+    return org.canViewAssignedCollections || org.canViewAllCollections;
 }
 function canAccessSettingsTab(org) {
     return (org.isOwner ||
@@ -2202,19 +2203,6 @@ var SecureNoteType;
     SecureNoteType[SecureNoteType["Generic"] = 0] = "Generic";
 })(SecureNoteType || (SecureNoteType = {}));
 
-;// CONCATENATED MODULE: ../../libs/common/src/enums/state-version.enum.ts
-var StateVersion;
-(function (StateVersion) {
-    StateVersion[StateVersion["One"] = 1] = "One";
-    StateVersion[StateVersion["Two"] = 2] = "Two";
-    StateVersion[StateVersion["Three"] = 3] = "Three";
-    StateVersion[StateVersion["Four"] = 4] = "Four";
-    StateVersion[StateVersion["Five"] = 5] = "Five";
-    StateVersion[StateVersion["Six"] = 6] = "Six";
-    StateVersion[StateVersion["Seven"] = 7] = "Seven";
-    StateVersion[StateVersion["Latest"] = 7] = "Latest";
-})(StateVersion || (StateVersion = {}));
-
 ;// CONCATENATED MODULE: ../../libs/common/src/enums/storage-location.enum.ts
 var StorageLocation;
 (function (StorageLocation) {
@@ -2266,7 +2254,6 @@ var UriMatchType;
 
 
 
-
 
 
 
@@ -2459,7 +2446,7 @@ class Organization {
         return this.isAdmin || this.permissions.deleteAnyCollection;
     }
     get canViewAllCollections() {
-        return this.canCreateNewCollections || this.canEditAnyCollection || this.canDeleteAnyCollection;
+        return this.canEditAnyCollection || this.canDeleteAnyCollection;
     }
     get canEditAssignedCollections() {
         return this.isManager || this.permissions.editAssignedCollections;
@@ -3893,12 +3880,29 @@ class AccountDecryptionOptions {
             return null;
         }
         const accountDecryptionOptions = new AccountDecryptionOptions();
-        accountDecryptionOptions.hasMasterPassword = response.hasMasterPassword;
-        if (response.trustedDeviceOption) {
-            accountDecryptionOptions.trustedDeviceOption = new TrustedDeviceUserDecryptionOption(response.trustedDeviceOption.hasAdminApproval, response.trustedDeviceOption.hasLoginApprovingDevice, response.trustedDeviceOption.hasManageResetPasswordPermission);
+        if (response.userDecryptionOptions) {
+            // If the response has userDecryptionOptions, this means it's on a post-TDE server version and can interrogate
+            // the new decryption options.
+            const responseOptions = response.userDecryptionOptions;
+            accountDecryptionOptions.hasMasterPassword = responseOptions.hasMasterPassword;
+            if (responseOptions.trustedDeviceOption) {
+                accountDecryptionOptions.trustedDeviceOption = new TrustedDeviceUserDecryptionOption(responseOptions.trustedDeviceOption.hasAdminApproval, responseOptions.trustedDeviceOption.hasLoginApprovingDevice, responseOptions.trustedDeviceOption.hasManageResetPasswordPermission);
+            }
+            if (responseOptions.keyConnectorOption) {
+                accountDecryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption(responseOptions.keyConnectorOption.keyConnectorUrl);
+            }
         }
-        if (response.keyConnectorOption) {
-            accountDecryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption(response.keyConnectorOption.keyConnectorUrl);
+        else {
+            // If the response does not have userDecryptionOptions, this means it's on a pre-TDE server version and so
+            // we must base our decryption options on the presence of the keyConnectorUrl.
+            // Note that the presence of keyConnectorUrl implies that the user does not have a master password, as in pre-TDE
+            // server versions, a master password short-circuited the addition of the keyConnectorUrl to the response.
+            // TODO: remove this check after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
+            const usingKeyConnector = response.keyConnectorUrl != null;
+            accountDecryptionOptions.hasMasterPassword = !usingKeyConnector;
+            if (usingKeyConnector) {
+                accountDecryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption(response.keyConnectorUrl);
+            }
         }
         return accountDecryptionOptions;
     }
@@ -4240,7 +4244,7 @@ class LogInStrategy {
                     refreshToken: tokenResponse.refreshToken,
                 }),
                 keys: accountKeys,
-                decryptionOptions: AccountDecryptionOptions.fromResponse(tokenResponse.userDecryptionOptions),
+                decryptionOptions: AccountDecryptionOptions.fromResponse(tokenResponse),
                 adminAuthRequest: adminAuthRequest === null || adminAuthRequest === void 0 ? void 0 : adminAuthRequest.toJSON(),
             }));
         });
@@ -4552,23 +4556,56 @@ class SsoLogInStrategy extends LogInStrategy {
     }
     setMasterKey(tokenResponse) {
         return sso_login_strategy_awaiter(this, void 0, void 0, function* () {
-            // TODO: discuss how this is no longer true with TDE
-            // eventually we’ll need to support migration of existing TDE users to Key Connector
-            const newSsoUser = tokenResponse.key == null;
-            if (tokenResponse.keyConnectorUrl != null) {
-                if (!newSsoUser) {
-                    yield this.keyConnectorService.setMasterKeyFromUrl(tokenResponse.keyConnectorUrl);
+            // The only way we can be setting a master key at this point is if we are using Key Connector.
+            // First, check to make sure that we should do so based on the token response.
+            if (this.shouldSetMasterKeyFromKeyConnector(tokenResponse)) {
+                // If we're here, we know that the user should use Key Connector (they have a KeyConnectorUrl) and does not have a master password.
+                // We can now check the key on the token response to see whether they are a brand new user or an existing user.
+                // The presence of a masterKeyEncryptedUserKey indicates that the user has already been provisioned in Key Connector.
+                const newSsoUser = tokenResponse.key == null;
+                if (newSsoUser) {
+                    yield this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);
                 }
                 else {
-                    yield this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);
+                    const keyConnectorUrl = this.getKeyConnectorUrl(tokenResponse);
+                    yield this.keyConnectorService.setMasterKeyFromUrl(keyConnectorUrl);
                 }
             }
         });
     }
+    /**
+     * Determines if it is possible set the `masterKey` from Key Connector.
+     * @param tokenResponse
+     * @returns `true` if the master key can be set from Key Connector, `false` otherwise
+     */
+    shouldSetMasterKeyFromKeyConnector(tokenResponse) {
+        var _a;
+        const userDecryptionOptions = tokenResponse === null || tokenResponse === void 0 ? void 0 : tokenResponse.userDecryptionOptions;
+        if (userDecryptionOptions != null) {
+            const userHasMasterPassword = userDecryptionOptions.hasMasterPassword;
+            const userHasKeyConnectorUrl = ((_a = userDecryptionOptions.keyConnectorOption) === null || _a === void 0 ? void 0 : _a.keyConnectorUrl) != null;
+            // In order for us to set the master key from Key Connector, we need to have a Key Connector URL
+            // and the user must not have a master password.
+            return userHasKeyConnectorUrl && !userHasMasterPassword;
+        }
+        else {
+            // In pre-TDE versions of the server, the userDecryptionOptions will not be present.
+            // In this case, we can determine if the user has a master password and has a Key Connector URL by
+            // just checking the keyConnectorUrl property. This is because the server short-circuits on the response
+            // and will not pass back the URL in the response if the user has a master password.
+            // TODO: remove compatibility check after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
+            return tokenResponse.keyConnectorUrl != null;
+        }
+    }
+    getKeyConnectorUrl(tokenResponse) {
+        var _a, _b;
+        // TODO: remove tokenResponse.keyConnectorUrl reference after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
+        const userDecryptionOptions = tokenResponse === null || tokenResponse === void 0 ? void 0 : tokenResponse.userDecryptionOptions;
+        return ((_a = tokenResponse.keyConnectorUrl) !== null && _a !== void 0 ? _a : (_b = userDecryptionOptions === null || userDecryptionOptions === void 0 ? void 0 : userDecryptionOptions.keyConnectorOption) === null || _b === void 0 ? void 0 : _b.keyConnectorUrl);
+    }
     // TODO: future passkey login strategy will need to support setting user key (decrypting via TDE or admin approval request)
     // so might be worth moving this logic to a common place (base login strategy or a separate service?)
     setUserKey(tokenResponse) {
-        var _a;
         return sso_login_strategy_awaiter(this, void 0, void 0, function* () {
             const masterKeyEncryptedUserKey = tokenResponse.key;
             // Note: masterKeyEncryptedUserKey is undefined for SSO JIT provisioned users
@@ -4588,13 +4625,13 @@ class SsoLogInStrategy extends LogInStrategy {
                     yield this.trySetUserKeyWithDeviceKey(tokenResponse);
                 }
             }
-            else if (
-            // TODO: remove tokenResponse.keyConnectorUrl when it's deprecated
-            masterKeyEncryptedUserKey != null &&
-                (tokenResponse.keyConnectorUrl || ((_a = userDecryptionOptions === null || userDecryptionOptions === void 0 ? void 0 : userDecryptionOptions.keyConnectorOption) === null || _a === void 0 ? void 0 : _a.keyConnectorUrl))) {
+            else if (masterKeyEncryptedUserKey != null &&
+                this.getKeyConnectorUrl(tokenResponse) != null) {
                 // Key connector enabled for user
                 yield this.trySetUserKeyWithMasterKey();
             }
+            // Note: In the traditional SSO flow with MP without key connector, the lock component
+            // is responsible for deriving master key from MP entry and then decrypting the user key
         });
     }
     trySetUserKeyWithApprovedAdminRequestIfExists() {
@@ -4659,8 +4696,12 @@ class SsoLogInStrategy extends LogInStrategy {
     trySetUserKeyWithMasterKey() {
         return sso_login_strategy_awaiter(this, void 0, void 0, function* () {
             const masterKey = yield this.cryptoService.getMasterKey();
+            // There is a scenario in which the master key is not set here. That will occur if the user
+            // has a master password and is using Key Connector. In that case, we cannot set the master key
+            // because the user hasn't entered their master password yet.
+            // Instead, we'll return here and let the migration to Key Connector handle setting the master key.
             if (!masterKey) {
-                throw new Error("Master key not found");
+                return;
             }
             const userKey = yield this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
             yield this.cryptoService.setUserKey(userKey);
@@ -5138,7 +5179,7 @@ class DeviceTrustCryptoService {
     makeDeviceKey() {
         return device_trust_crypto_service_implementation_awaiter(this, void 0, void 0, function* () {
             // Create 512-bit device key
-            const randomBytes = yield this.cryptoFunctionService.randomBytes(64);
+            const randomBytes = yield this.cryptoFunctionService.aesGenerateKey(512);
             const deviceKey = new SymmetricCryptoKey(randomBytes);
             return deviceKey;
         });
@@ -5383,9 +5424,11 @@ class KeyConnectorService {
         });
     }
     convertNewSsoUserToKeyConnector(tokenResponse, orgId) {
+        var _a;
         return key_connector_service_awaiter(this, void 0, void 0, function* () {
-            const { kdf, kdfIterations, kdfMemory, kdfParallelism, keyConnectorUrl } = tokenResponse;
-            const password = yield this.cryptoFunctionService.randomBytes(64);
+            // TODO: Remove after tokenResponse.keyConnectorUrl is deprecated in 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3537)
+            const { kdf, kdfIterations, kdfMemory, kdfParallelism, keyConnectorUrl: legacyKeyConnectorUrl, userDecryptionOptions, } = tokenResponse;
+            const password = yield this.cryptoFunctionService.aesGenerateKey(512);
             const kdfConfig = new KdfConfig(kdfIterations, kdfMemory, kdfParallelism);
             const masterKey = yield this.cryptoService.makeMasterKey(utils_Utils.fromBufferToB64(password), yield this.tokenService.getEmail(), kdf, kdfConfig);
             const keyConnectorRequest = new KeyConnectorUserKeyRequest(masterKey.encKeyB64);
@@ -5395,6 +5438,7 @@ class KeyConnectorService {
             yield this.cryptoService.setMasterKeyEncryptedUserKey(userKey[1].encryptedString);
             const [pubKey, privKey] = yield this.cryptoService.makeKeyPair();
             try {
+                const keyConnectorUrl = legacyKeyConnectorUrl !== null && legacyKeyConnectorUrl !== void 0 ? legacyKeyConnectorUrl : (_a = userDecryptionOptions === null || userDecryptionOptions === void 0 ? void 0 : userDecryptionOptions.keyConnectorOption) === null || _a === void 0 ? void 0 : _a.keyConnectorUrl;
                 yield this.apiService.postUserKeyToKeyConnector(keyConnectorUrl, keyConnectorRequest);
             }
             catch (e) {
@@ -5677,7 +5721,7 @@ const TwoFactorProviders = {
         description: null,
         priority: 4,
         sort: 5,
-        premium: true,
+        premium: false,
     },
 };
 class TwoFactorService {
@@ -5977,7 +6021,6 @@ class GlobalState {
     constructor() {
         this.theme = ThemeType.System;
         this.window = new WindowState();
-        this.stateVersion = StateVersion.One;
         this.environmentUrls = new EnvironmentUrls();
     }
 }
@@ -6047,6 +6090,73 @@ class BroadcasterService {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/platform/models/response/server-config.response.ts
+
+class ServerConfigResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.featureStates = {};
+        if (response == null) {
+            return;
+        }
+        this.version = this.getResponseProperty("Version");
+        this.gitHash = this.getResponseProperty("GitHash");
+        this.server = new ThirdPartyServerConfigResponse(this.getResponseProperty("Server"));
+        this.environment = new EnvironmentServerConfigResponse(this.getResponseProperty("Environment"));
+        this.featureStates = this.getResponseProperty("FeatureStates");
+    }
+}
+class EnvironmentServerConfigResponse extends BaseResponse {
+    constructor(data = null) {
+        super(data);
+        if (data == null) {
+            return;
+        }
+        this.cloudRegion = this.getResponseProperty("CloudRegion");
+        this.vault = this.getResponseProperty("Vault");
+        this.api = this.getResponseProperty("Api");
+        this.identity = this.getResponseProperty("Identity");
+        this.notifications = this.getResponseProperty("Notifications");
+        this.sso = this.getResponseProperty("Sso");
+    }
+}
+class ThirdPartyServerConfigResponse extends BaseResponse {
+    constructor(data = null) {
+        super(data);
+        if (data == null) {
+            return;
+        }
+        this.name = this.getResponseProperty("Name");
+        this.url = this.getResponseProperty("Url");
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/services/config/config-api.service.ts
+var config_api_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+class ConfigApiService {
+    constructor(apiService, authService) {
+        this.apiService = apiService;
+        this.authService = authService;
+    }
+    get() {
+        return config_api_service_awaiter(this, void 0, void 0, function* () {
+            const authed = (yield this.authService.getAuthStatus()) !== AuthenticationStatus.LoggedOut;
+            const r = yield this.apiService.send("GET", "/config", null, authed, true);
+            return new ServerConfigResponse(r);
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/platform/services/container.service.ts
 class ContainerService {
     constructor(cryptoService, encryptService) {
@@ -14093,7 +14203,7 @@ class CryptoService {
             if (masterKey == null) {
                 throw new Error("No Master Key found.");
             }
-            const newUserKey = yield this.cryptoFunctionService.randomBytes(64);
+            const newUserKey = yield this.cryptoFunctionService.aesGenerateKey(512);
             return this.buildProtectedSymmetricKey(masterKey, newUserKey);
         });
     }
@@ -14305,7 +14415,7 @@ class CryptoService {
             if (key == null) {
                 throw new Error("No key provided");
             }
-            const newSymKey = yield this.cryptoFunctionService.randomBytes(64);
+            const newSymKey = yield this.cryptoFunctionService.aesGenerateKey(512);
             return this.buildProtectedSymmetricKey(key, newSymKey);
         });
     }
@@ -14391,7 +14501,7 @@ class CryptoService {
     }
     makeOrgKey() {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
-            const shareKey = yield this.cryptoFunctionService.randomBytes(64);
+            const shareKey = yield this.cryptoFunctionService.aesGenerateKey(512);
             const publicKey = yield this.getPublicKey();
             const encShareKey = yield this.rsaEncrypt(shareKey, publicKey);
             return [encShareKey, new SymmetricCryptoKey(shareKey)];
@@ -14502,6 +14612,12 @@ class CryptoService {
             return new SymmetricCryptoKey(sendKey);
         });
     }
+    makeCipherKey() {
+        return crypto_service_awaiter(this, void 0, void 0, function* () {
+            const randomBytes = yield this.cryptoFunctionService.aesGenerateKey(512);
+            return new SymmetricCryptoKey(randomBytes);
+        });
+    }
     clearKeys(userId) {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
             yield this.clearUserKey(true, userId);
@@ -14630,8 +14746,8 @@ class CryptoService {
      */
     initAccount() {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
-            const randomBytes = yield this.cryptoFunctionService.randomBytes(64);
-            const userKey = new SymmetricCryptoKey(randomBytes);
+            const rawKey = yield this.cryptoFunctionService.aesGenerateKey(512);
+            const userKey = new SymmetricCryptoKey(rawKey);
             const [publicKey, privateKey] = yield this.makeKeyPair(userKey);
             yield this.setUserKey(userKey);
             yield this.stateService.setEncryptedPrivateKey(privateKey.encryptedString);
@@ -15215,7 +15331,7 @@ var environment_service_awaiter = (undefined && undefined.__awaiter) || function
 class environment_service_EnvironmentService {
     constructor(stateService) {
         this.stateService = stateService;
-        this.urlsSubject = new external_rxjs_namespaceObject.Subject();
+        this.urlsSubject = new external_rxjs_namespaceObject.ReplaySubject(1);
         this.urls = this.urlsSubject.asObservable();
         this.initialized = false;
         this.scimUrl = null;
@@ -15835,8 +15951,32 @@ class NoopMessagingService {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/platform/services/state-migration.service.ts
-var state_migration_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/data/provider.data.ts
+class ProviderData {
+    constructor(response) {
+        this.id = response.id;
+        this.name = response.name;
+        this.status = response.status;
+        this.type = response.type;
+        this.enabled = response.enabled;
+        this.userId = response.userId;
+        this.useEvents = response.useEvents;
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/enums/vault-timeout-action.enum.ts
+var VaultTimeoutAction;
+(function (VaultTimeoutAction) {
+    VaultTimeoutAction["Lock"] = "lock";
+    VaultTimeoutAction["LogOut"] = "logOut";
+})(VaultTimeoutAction || (VaultTimeoutAction = {}));
+
+;// CONCATENATED MODULE: ../../libs/common/src/models/data/event.data.ts
+class EventData {
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migration-builder.ts
+var migration_builder_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
@@ -15845,514 +15985,558 @@ var state_migration_service_awaiter = (undefined && undefined.__awaiter) || func
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-
-
-
-// Originally (before January 2022) storage was handled as a flat key/value pair store.
-// With the move to a typed object for state storage these keys should no longer be in use anywhere outside of this migration.
-const v1Keys = {
-    accessToken: "accessToken",
-    alwaysShowDock: "alwaysShowDock",
-    autoConfirmFingerprints: "autoConfirmFingerprints",
-    autoFillOnPageLoadDefault: "autoFillOnPageLoadDefault",
-    biometricAwaitingAcceptance: "biometricAwaitingAcceptance",
-    biometricFingerprintValidated: "biometricFingerprintValidated",
-    biometricText: "biometricText",
-    biometricUnlock: "biometric",
-    clearClipboard: "clearClipboardKey",
-    clientId: "apikey_clientId",
-    clientSecret: "apikey_clientSecret",
-    collapsedGroupings: "collapsedGroupings",
-    convertAccountToKeyConnector: "convertAccountToKeyConnector",
-    defaultUriMatch: "defaultUriMatch",
-    disableAddLoginNotification: "disableAddLoginNotification",
-    disableAutoBiometricsPrompt: "noAutoPromptBiometrics",
-    disableAutoTotpCopy: "disableAutoTotpCopy",
-    disableBadgeCounter: "disableBadgeCounter",
-    disableChangedPasswordNotification: "disableChangedPasswordNotification",
-    disableContextMenuItem: "disableContextMenuItem",
-    disableFavicon: "disableFavicon",
-    disableGa: "disableGa",
-    dontShowCardsCurrentTab: "dontShowCardsCurrentTab",
-    dontShowIdentitiesCurrentTab: "dontShowIdentitiesCurrentTab",
-    emailVerified: "emailVerified",
-    enableAlwaysOnTop: "enableAlwaysOnTopKey",
-    enableAutoFillOnPageLoad: "enableAutoFillOnPageLoad",
-    enableBiometric: "enabledBiometric",
-    enableBrowserIntegration: "enableBrowserIntegration",
-    enableBrowserIntegrationFingerprint: "enableBrowserIntegrationFingerprint",
-    enableCloseToTray: "enableCloseToTray",
-    enableFullWidth: "enableFullWidth",
-    enableMinimizeToTray: "enableMinimizeToTray",
-    enableStartToTray: "enableStartToTrayKey",
-    enableTray: "enableTray",
-    encKey: "encKey",
-    encOrgKeys: "encOrgKeys",
-    encPrivate: "encPrivateKey",
-    encProviderKeys: "encProviderKeys",
-    entityId: "entityId",
-    entityType: "entityType",
-    environmentUrls: "environmentUrls",
-    equivalentDomains: "equivalentDomains",
-    eventCollection: "eventCollection",
-    forcePasswordReset: "forcePasswordReset",
-    history: "generatedPasswordHistory",
-    installedVersion: "installedVersion",
-    kdf: "kdf",
-    kdfIterations: "kdfIterations",
-    key: "key",
-    keyHash: "keyHash",
-    lastActive: "lastActive",
-    localData: "sitesLocalData",
-    locale: "locale",
-    mainWindowSize: "mainWindowSize",
-    minimizeOnCopyToClipboard: "minimizeOnCopyToClipboardKey",
-    neverDomains: "neverDomains",
-    noAutoPromptBiometricsText: "noAutoPromptBiometricsText",
-    openAtLogin: "openAtLogin",
-    passwordGenerationOptions: "passwordGenerationOptions",
-    pinProtected: "pinProtectedKey",
-    protectedPin: "protectedPin",
-    refreshToken: "refreshToken",
-    ssoCodeVerifier: "ssoCodeVerifier",
-    ssoIdentifier: "ssoOrgIdentifier",
-    ssoState: "ssoState",
-    stamp: "securityStamp",
-    theme: "theme",
-    userEmail: "userEmail",
-    userId: "userId",
-    usesConnector: "usesKeyConnector",
-    vaultTimeoutAction: "vaultTimeoutAction",
-    vaultTimeout: "lockOption",
-    rememberedEmail: "rememberedEmail",
-};
-const v1KeyPrefixes = {
-    ciphers: "ciphers_",
-    collections: "collections_",
-    folders: "folders_",
-    lastSync: "lastSync_",
-    policies: "policies_",
-    twoFactorToken: "twoFactorToken_",
-    organizations: "organizations_",
-    providers: "providers_",
-    sends: "sends_",
-    settings: "settings_",
-};
-const keys = {
-    global: "global",
-    authenticatedAccounts: "authenticatedAccounts",
-    activeUserId: "activeUserId",
-    tempAccountSettings: "tempAccountSettings",
-    accountActivity: "accountActivity",
-};
-const partialKeys = {
-    autoKey: "_masterkey_auto",
-    biometricKey: "_masterkey_biometric",
-    masterKey: "_masterkey",
+class MigrationBuilder {
+    /** Create a new MigrationBuilder with an empty buffer of migrations to perform.
+     *
+     * Add migrations to the buffer with {@link with} and {@link rollback}.
+     * @returns A new MigrationBuilder.
+     */
+    static create() {
+        return new MigrationBuilder([]);
+    }
+    constructor(migrations) {
+        this.migrations = migrations;
+    }
+    /** Add a migrator to the MigrationBuilder. Types are updated such that the chained MigrationBuilder must currently be
+     * at state version equal to the from version of the migrator. Return as MigrationBuilder<TTo> where TTo is the to
+     * version of the migrator, so that the next migrator can be chained.
+     *
+     * @param migrate A migrator class or a tuple of a migrator class, the from version, and the to version. A tuple is
+     * required to instantiate version numbers unless a default constructor is defined.
+     * @returns A new MigrationBuilder with the to version of the migrator as the current version.
+     */
+    with(...migrate) {
+        return this.addMigrator(migrate, "up");
+    }
+    /** Add a migrator to rollback on the MigrationBuilder's list of migrations. As with {@link with}, types of
+     * MigrationBuilder and Migrator must align. However, this time the migration is reversed so TCurrent of the
+     * MigrationBuilder must be equal to the to version of the migrator. Return as MigrationBuilder<TFrom> where TFrom
+     * is the from version of the migrator, so that the next migrator can be chained.
+     *
+     * @param migrate A migrator class or a tuple of a migrator class, the from version, and the to version. A tuple is
+     * required to instantiate version numbers unless a default constructor is defined.
+     * @returns A new MigrationBuilder with the from version of the migrator as the current version.
+     */
+    rollback(...migrate) {
+        if (migrate.length === 3) {
+            migrate = [migrate[0], migrate[2], migrate[1]];
+        }
+        return this.addMigrator(migrate, "down");
+    }
+    /** Execute the migrations as defined in the MigrationBuilder's migrator buffer */
+    migrate(helper) {
+        return this.migrations.reduce((promise, migrator) => promise.then(() => migration_builder_awaiter(this, void 0, void 0, function* () {
+            yield this.runMigrator(migrator.migrator, helper, migrator.direction);
+        })), Promise.resolve());
+    }
+    addMigrator(migrate, direction = "up") {
+        const newMigration = migrate.length === 1
+            ? { migrator: new migrate[0](), direction }
+            : { migrator: new migrate[0](migrate[1], migrate[2]), direction };
+        return new MigrationBuilder([...this.migrations, newMigration]);
+    }
+    runMigrator(migrator, helper, direction) {
+        return migration_builder_awaiter(this, void 0, void 0, function* () {
+            const shouldMigrate = yield migrator.shouldMigrate(helper, direction);
+            helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) should migrate: ${shouldMigrate} - ${direction}`);
+            if (shouldMigrate) {
+                const method = direction === "up" ? migrator.migrate : migrator.rollback;
+                yield method(helper);
+                helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) migrated - ${direction}`);
+                yield migrator.updateVersion(helper, direction);
+                helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) updated version - ${direction}`);
+            }
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migration-helper.ts
+var migration_helper_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
 };
-class StateMigrationService {
-    constructor(storageService, secureStorageService, stateFactory) {
+class MigrationHelper {
+    constructor(currentVersion, storageService, logService) {
+        this.currentVersion = currentVersion;
         this.storageService = storageService;
-        this.secureStorageService = secureStorageService;
-        this.stateFactory = stateFactory;
+        this.logService = logService;
+    }
+    get(key) {
+        return this.storageService.get(key);
     }
-    needsMigration() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const currentStateVersion = yield this.getCurrentStateVersion();
-            return currentStateVersion == null || currentStateVersion < StateVersion.Latest;
+    set(key, value) {
+        this.logService.info(`Setting ${key}`);
+        return this.storageService.save(key, value);
+    }
+    info(message) {
+        this.logService.info(message);
+    }
+    getAccounts() {
+        var _a;
+        return migration_helper_awaiter(this, void 0, void 0, function* () {
+            const userIds = (_a = (yield this.get("authenticatedAccounts"))) !== null && _a !== void 0 ? _a : [];
+            return Promise.all(userIds.map((userId) => migration_helper_awaiter(this, void 0, void 0, function* () {
+                return ({
+                    userId,
+                    account: yield this.get(userId),
+                });
+            })));
         });
     }
-    migrate() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            let currentStateVersion = yield this.getCurrentStateVersion();
-            while (currentStateVersion < StateVersion.Latest) {
-                switch (currentStateVersion) {
-                    case StateVersion.One:
-                        yield this.migrateStateFrom1To2();
-                        break;
-                    case StateVersion.Two:
-                        yield this.migrateStateFrom2To3();
-                        break;
-                    case StateVersion.Three:
-                        yield this.migrateStateFrom3To4();
-                        break;
-                    case StateVersion.Four: {
-                        const authenticatedAccounts = yield this.getAuthenticatedAccounts();
-                        for (const account of authenticatedAccounts) {
-                            const migratedAccount = yield this.migrateAccountFrom4To5(account);
-                            yield this.set(account.profile.userId, migratedAccount);
-                        }
-                        yield this.setCurrentStateVersion(StateVersion.Five);
-                        break;
-                    }
-                    case StateVersion.Five: {
-                        const authenticatedAccounts = yield this.getAuthenticatedAccounts();
-                        for (const account of authenticatedAccounts) {
-                            const migratedAccount = yield this.migrateAccountFrom5To6(account);
-                            yield this.set(account.profile.userId, migratedAccount);
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrator.ts
+var migrator_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+const IRREVERSIBLE = new Error("Irreversible migration");
+class Migrator {
+    constructor(fromVersion, toVersion) {
+        this.fromVersion = fromVersion;
+        this.toVersion = toVersion;
+        if (fromVersion == null || toVersion == null) {
+            throw new Error("Invalid migration");
+        }
+        if (fromVersion > toVersion) {
+            throw new Error("Invalid migration");
+        }
+    }
+    shouldMigrate(helper, direction) {
+        const startVersion = direction === "up" ? this.fromVersion : this.toVersion;
+        return Promise.resolve(helper.currentVersion === startVersion);
+    }
+    updateVersion(helper, direction) {
+        return migrator_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            yield helper.set("stateVersion", endVersion);
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/3-fix-premium.ts
+var _3_fix_premium_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+// eslint-disable-next-line import/no-restricted-paths -- Used for token decoding, which are valid for days. We want the latest
+
+
+class FixPremiumMigrator extends Migrator {
+    migrate(helper) {
+        return _3_fix_premium_awaiter(this, void 0, void 0, function* () {
+            const accounts = yield helper.getAccounts();
+            function fixPremium(userId, account) {
+                var _a, _b;
+                return _3_fix_premium_awaiter(this, void 0, void 0, function* () {
+                    if (((_a = account === null || account === void 0 ? void 0 : account.profile) === null || _a === void 0 ? void 0 : _a.hasPremiumPersonally) === null && ((_b = account.tokens) === null || _b === void 0 ? void 0 : _b.accessToken) != null) {
+                        let decodedToken;
+                        try {
+                            decodedToken = yield TokenService.decodeToken(account.tokens.accessToken);
                         }
-                        yield this.setCurrentStateVersion(StateVersion.Six);
-                        break;
-                    }
-                    case StateVersion.Six: {
-                        const authenticatedAccounts = yield this.getAuthenticatedAccounts();
-                        const globals = (yield this.getGlobals());
-                        for (const account of authenticatedAccounts) {
-                            const migratedAccount = yield this.migrateAccountFrom6To7(globals === null || globals === void 0 ? void 0 : globals.noAutoPromptBiometrics, account);
-                            yield this.set(account.profile.userId, migratedAccount);
+                        catch (_c) {
+                            return;
                         }
-                        if (globals) {
-                            delete globals.noAutoPromptBiometrics;
+                        if ((decodedToken === null || decodedToken === void 0 ? void 0 : decodedToken.premium) == null) {
+                            return;
                         }
-                        yield this.set(keys.global, globals);
-                        yield this.setCurrentStateVersion(StateVersion.Seven);
+                        account.profile.hasPremiumPersonally = decodedToken === null || decodedToken === void 0 ? void 0 : decodedToken.premium;
+                        return helper.set(userId, account);
                     }
-                }
-                currentStateVersion += 1;
+                });
             }
+            yield Promise.all(accounts.map(({ userId, account }) => fixPremium(userId, account)));
         });
     }
-    migrateStateFrom1To2() {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _13, _14, _15, _16, _17, _18, _19, _20, _21, _22;
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const clearV1Keys = (clearingUserId) => state_migration_service_awaiter(this, void 0, void 0, function* () {
-                for (const key in v1Keys) {
-                    if (key == null) {
-                        continue;
-                    }
-                    yield this.set(v1Keys[key], null);
-                }
-                if (clearingUserId != null) {
-                    for (const keyPrefix in v1KeyPrefixes) {
-                        if (keyPrefix == null) {
-                            continue;
-                        }
-                        yield this.set(v1KeyPrefixes[keyPrefix] + userId, null);
+    rollback(helper) {
+        throw IRREVERSIBLE;
+    }
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but for this version
+    // it is nested inside a global object.
+    updateVersion(helper, direction) {
+        return _3_fix_premium_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            const global = (yield helper.get("global")) || {};
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/4-remove-ever-been-unlocked.ts
+var _4_remove_ever_been_unlocked_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class RemoveEverBeenUnlockedMigrator extends Migrator {
+    migrate(helper) {
+        return _4_remove_ever_been_unlocked_awaiter(this, void 0, void 0, function* () {
+            const accounts = yield helper.getAccounts();
+            function removeEverBeenUnlocked(userId, account) {
+                var _a;
+                return _4_remove_ever_been_unlocked_awaiter(this, void 0, void 0, function* () {
+                    if (((_a = account === null || account === void 0 ? void 0 : account.profile) === null || _a === void 0 ? void 0 : _a.everBeenUnlocked) != null) {
+                        delete account.profile.everBeenUnlocked;
+                        return helper.set(userId, account);
                     }
-                }
-            });
-            // Some processes, like biometrics, may have already defined a value before migrations are run.
-            // We don't want to null out those values if they don't exist in the old storage scheme (like for new installs)
-            // So, the OOO for migration is that we:
-            // 1. Check for an existing storage value from the old storage structure OR
-            // 2. Check for a value already set by processes that run before migration OR
-            // 3. Assign the default value
-            const globals = (_a = (yield this.get(keys.global))) !== null && _a !== void 0 ? _a : this.stateFactory.createGlobal(null);
-            globals.stateVersion = StateVersion.Two;
-            globals.environmentUrls =
-                (_b = (yield this.get(v1Keys.environmentUrls))) !== null && _b !== void 0 ? _b : globals.environmentUrls;
-            globals.locale = (_c = (yield this.get(v1Keys.locale))) !== null && _c !== void 0 ? _c : globals.locale;
-            globals.noAutoPromptBiometrics =
-                (_d = (yield this.get(v1Keys.disableAutoBiometricsPrompt))) !== null && _d !== void 0 ? _d : globals.noAutoPromptBiometrics;
-            globals.noAutoPromptBiometricsText =
-                (_e = (yield this.get(v1Keys.noAutoPromptBiometricsText))) !== null && _e !== void 0 ? _e : globals.noAutoPromptBiometricsText;
-            globals.ssoCodeVerifier =
-                (_f = (yield this.get(v1Keys.ssoCodeVerifier))) !== null && _f !== void 0 ? _f : globals.ssoCodeVerifier;
-            globals.ssoOrganizationIdentifier =
-                (_g = (yield this.get(v1Keys.ssoIdentifier))) !== null && _g !== void 0 ? _g : globals.ssoOrganizationIdentifier;
-            globals.ssoState = (_h = (yield this.get(v1Keys.ssoState))) !== null && _h !== void 0 ? _h : globals.ssoState;
-            globals.rememberedEmail =
-                (_j = (yield this.get(v1Keys.rememberedEmail))) !== null && _j !== void 0 ? _j : globals.rememberedEmail;
-            globals.theme = (_k = (yield this.get(v1Keys.theme))) !== null && _k !== void 0 ? _k : globals.theme;
-            globals.vaultTimeout = (_l = (yield this.get(v1Keys.vaultTimeout))) !== null && _l !== void 0 ? _l : globals.vaultTimeout;
-            globals.vaultTimeoutAction =
-                (_m = (yield this.get(v1Keys.vaultTimeoutAction))) !== null && _m !== void 0 ? _m : globals.vaultTimeoutAction;
-            globals.window = (_o = (yield this.get(v1Keys.mainWindowSize))) !== null && _o !== void 0 ? _o : globals.window;
-            globals.enableTray = (_p = (yield this.get(v1Keys.enableTray))) !== null && _p !== void 0 ? _p : globals.enableTray;
-            globals.enableMinimizeToTray =
-                (_q = (yield this.get(v1Keys.enableMinimizeToTray))) !== null && _q !== void 0 ? _q : globals.enableMinimizeToTray;
-            globals.enableCloseToTray =
-                (_r = (yield this.get(v1Keys.enableCloseToTray))) !== null && _r !== void 0 ? _r : globals.enableCloseToTray;
-            globals.enableStartToTray =
-                (_s = (yield this.get(v1Keys.enableStartToTray))) !== null && _s !== void 0 ? _s : globals.enableStartToTray;
-            globals.openAtLogin = (_t = (yield this.get(v1Keys.openAtLogin))) !== null && _t !== void 0 ? _t : globals.openAtLogin;
-            globals.alwaysShowDock =
-                (_u = (yield this.get(v1Keys.alwaysShowDock))) !== null && _u !== void 0 ? _u : globals.alwaysShowDock;
-            globals.enableBrowserIntegration =
-                (_v = (yield this.get(v1Keys.enableBrowserIntegration))) !== null && _v !== void 0 ? _v : globals.enableBrowserIntegration;
-            globals.enableBrowserIntegrationFingerprint =
-                (_w = (yield this.get(v1Keys.enableBrowserIntegrationFingerprint))) !== null && _w !== void 0 ? _w : globals.enableBrowserIntegrationFingerprint;
-            const userId = (_x = (yield this.get(v1Keys.userId))) !== null && _x !== void 0 ? _x : (yield this.get(v1Keys.entityId));
-            const defaultAccount = this.stateFactory.createAccount(null);
-            const accountSettings = {
-                autoConfirmFingerPrints: (_y = (yield this.get(v1Keys.autoConfirmFingerprints))) !== null && _y !== void 0 ? _y : defaultAccount.settings.autoConfirmFingerPrints,
-                autoFillOnPageLoadDefault: (_z = (yield this.get(v1Keys.autoFillOnPageLoadDefault))) !== null && _z !== void 0 ? _z : defaultAccount.settings.autoFillOnPageLoadDefault,
-                biometricUnlock: (_0 = (yield this.get(v1Keys.biometricUnlock))) !== null && _0 !== void 0 ? _0 : defaultAccount.settings.biometricUnlock,
-                clearClipboard: (_1 = (yield this.get(v1Keys.clearClipboard))) !== null && _1 !== void 0 ? _1 : defaultAccount.settings.clearClipboard,
-                defaultUriMatch: (_2 = (yield this.get(v1Keys.defaultUriMatch))) !== null && _2 !== void 0 ? _2 : defaultAccount.settings.defaultUriMatch,
-                disableAddLoginNotification: (_3 = (yield this.get(v1Keys.disableAddLoginNotification))) !== null && _3 !== void 0 ? _3 : defaultAccount.settings.disableAddLoginNotification,
-                disableAutoBiometricsPrompt: (_4 = (yield this.get(v1Keys.disableAutoBiometricsPrompt))) !== null && _4 !== void 0 ? _4 : defaultAccount.settings.disableAutoBiometricsPrompt,
-                disableAutoTotpCopy: (_5 = (yield this.get(v1Keys.disableAutoTotpCopy))) !== null && _5 !== void 0 ? _5 : defaultAccount.settings.disableAutoTotpCopy,
-                disableBadgeCounter: (_6 = (yield this.get(v1Keys.disableBadgeCounter))) !== null && _6 !== void 0 ? _6 : defaultAccount.settings.disableBadgeCounter,
-                disableChangedPasswordNotification: (_7 = (yield this.get(v1Keys.disableChangedPasswordNotification))) !== null && _7 !== void 0 ? _7 : defaultAccount.settings.disableChangedPasswordNotification,
-                disableContextMenuItem: (_8 = (yield this.get(v1Keys.disableContextMenuItem))) !== null && _8 !== void 0 ? _8 : defaultAccount.settings.disableContextMenuItem,
-                disableGa: (_9 = (yield this.get(v1Keys.disableGa))) !== null && _9 !== void 0 ? _9 : defaultAccount.settings.disableGa,
-                dontShowCardsCurrentTab: (_10 = (yield this.get(v1Keys.dontShowCardsCurrentTab))) !== null && _10 !== void 0 ? _10 : defaultAccount.settings.dontShowCardsCurrentTab,
-                dontShowIdentitiesCurrentTab: (_11 = (yield this.get(v1Keys.dontShowIdentitiesCurrentTab))) !== null && _11 !== void 0 ? _11 : defaultAccount.settings.dontShowIdentitiesCurrentTab,
-                enableAlwaysOnTop: (_12 = (yield this.get(v1Keys.enableAlwaysOnTop))) !== null && _12 !== void 0 ? _12 : defaultAccount.settings.enableAlwaysOnTop,
-                enableAutoFillOnPageLoad: (_13 = (yield this.get(v1Keys.enableAutoFillOnPageLoad))) !== null && _13 !== void 0 ? _13 : defaultAccount.settings.enableAutoFillOnPageLoad,
-                enableBiometric: (_14 = (yield this.get(v1Keys.enableBiometric))) !== null && _14 !== void 0 ? _14 : defaultAccount.settings.enableBiometric,
-                enableFullWidth: (_15 = (yield this.get(v1Keys.enableFullWidth))) !== null && _15 !== void 0 ? _15 : defaultAccount.settings.enableFullWidth,
-                environmentUrls: (_16 = globals.environmentUrls) !== null && _16 !== void 0 ? _16 : defaultAccount.settings.environmentUrls,
-                equivalentDomains: (_17 = (yield this.get(v1Keys.equivalentDomains))) !== null && _17 !== void 0 ? _17 : defaultAccount.settings.equivalentDomains,
-                minimizeOnCopyToClipboard: (_18 = (yield this.get(v1Keys.minimizeOnCopyToClipboard))) !== null && _18 !== void 0 ? _18 : defaultAccount.settings.minimizeOnCopyToClipboard,
-                neverDomains: (_19 = (yield this.get(v1Keys.neverDomains))) !== null && _19 !== void 0 ? _19 : defaultAccount.settings.neverDomains,
-                passwordGenerationOptions: (_20 = (yield this.get(v1Keys.passwordGenerationOptions))) !== null && _20 !== void 0 ? _20 : defaultAccount.settings.passwordGenerationOptions,
-                pinProtected: Object.assign(new EncryptionPair(), {
-                    decrypted: null,
-                    encrypted: yield this.get(v1Keys.pinProtected),
-                }),
-                protectedPin: yield this.get(v1Keys.protectedPin),
-                settings: userId == null
-                    ? null
-                    : yield this.get(v1KeyPrefixes.settings + userId),
-                vaultTimeout: (_21 = (yield this.get(v1Keys.vaultTimeout))) !== null && _21 !== void 0 ? _21 : defaultAccount.settings.vaultTimeout,
-                vaultTimeoutAction: (_22 = (yield this.get(v1Keys.vaultTimeoutAction))) !== null && _22 !== void 0 ? _22 : defaultAccount.settings.vaultTimeoutAction,
-            };
-            // (userId == null) = no logged in user (so no known userId) and we need to temporarily store account specific settings in state to migrate on first auth
-            // (userId != null) = we have a currently authed user (so known userId) with encrypted data and other key settings we can move, no need to temporarily store account settings
-            if (userId == null) {
-                yield this.set(keys.tempAccountSettings, accountSettings);
-                yield this.set(keys.global, globals);
-                yield this.set(keys.authenticatedAccounts, []);
-                yield this.set(keys.activeUserId, null);
-                yield clearV1Keys();
-                return;
-            }
-            globals.twoFactorToken = yield this.get(v1KeyPrefixes.twoFactorToken + userId);
-            yield this.set(keys.global, globals);
-            yield this.set(userId, {
-                data: {
-                    addEditCipherInfo: null,
-                    ciphers: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1KeyPrefixes.ciphers + userId),
-                    },
-                    collapsedGroupings: null,
-                    collections: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1KeyPrefixes.collections + userId),
-                    },
-                    eventCollection: yield this.get(v1Keys.eventCollection),
-                    folders: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1KeyPrefixes.folders + userId),
-                    },
-                    localData: null,
-                    organizations: yield this.get(v1KeyPrefixes.organizations + userId),
-                    passwordGenerationHistory: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1Keys.history),
-                    },
-                    policies: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1KeyPrefixes.policies + userId),
-                    },
-                    providers: yield this.get(v1KeyPrefixes.providers + userId),
-                    sends: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1KeyPrefixes.sends + userId),
-                    },
-                },
-                keys: {
-                    apiKeyClientSecret: yield this.get(v1Keys.clientSecret),
-                    cryptoMasterKey: null,
-                    cryptoMasterKeyAuto: null,
-                    cryptoMasterKeyB64: null,
-                    cryptoMasterKeyBiometric: null,
-                    cryptoSymmetricKey: {
-                        encrypted: yield this.get(v1Keys.encKey),
-                        decrypted: null,
-                    },
-                    legacyEtmKey: null,
-                    organizationKeys: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1Keys.encOrgKeys),
-                    },
-                    privateKey: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1Keys.encPrivate),
-                    },
-                    providerKeys: {
-                        decrypted: null,
-                        encrypted: yield this.get(v1Keys.encProviderKeys),
-                    },
-                    publicKey: null,
-                },
-                profile: {
-                    apiKeyClientId: yield this.get(v1Keys.clientId),
-                    authenticationStatus: null,
-                    convertAccountToKeyConnector: yield this.get(v1Keys.convertAccountToKeyConnector),
-                    email: yield this.get(v1Keys.userEmail),
-                    emailVerified: yield this.get(v1Keys.emailVerified),
-                    entityId: null,
-                    entityType: null,
-                    everBeenUnlocked: null,
-                    forcePasswordReset: null,
-                    hasPremiumPersonally: null,
-                    kdfIterations: yield this.get(v1Keys.kdfIterations),
-                    kdfType: yield this.get(v1Keys.kdf),
-                    keyHash: yield this.get(v1Keys.keyHash),
-                    lastSync: null,
-                    userId: userId,
-                    usesKeyConnector: null,
-                },
-                settings: accountSettings,
-                tokens: {
-                    accessToken: yield this.get(v1Keys.accessToken),
-                    decodedToken: null,
-                    refreshToken: yield this.get(v1Keys.refreshToken),
-                    securityStamp: null,
-                },
-            });
-            yield this.set(keys.authenticatedAccounts, [userId]);
-            yield this.set(keys.activeUserId, userId);
-            const accountActivity = {
-                [userId]: yield this.get(v1Keys.lastActive),
-            };
-            accountActivity[userId] = yield this.get(v1Keys.lastActive);
-            yield this.set(keys.accountActivity, accountActivity);
-            yield clearV1Keys(userId);
-            if (yield this.secureStorageService.has(v1Keys.key, { keySuffix: "biometric" })) {
-                yield this.secureStorageService.save(`${userId}${partialKeys.biometricKey}`, yield this.secureStorageService.get(v1Keys.key, { keySuffix: "biometric" }), { keySuffix: "biometric" });
-                yield this.secureStorageService.remove(v1Keys.key, { keySuffix: "biometric" });
-            }
-            if (yield this.secureStorageService.has(v1Keys.key, { keySuffix: "auto" })) {
-                yield this.secureStorageService.save(`${userId}${partialKeys.autoKey}`, yield this.secureStorageService.get(v1Keys.key, { keySuffix: "auto" }), { keySuffix: "auto" });
-                yield this.secureStorageService.remove(v1Keys.key, { keySuffix: "auto" });
-            }
-            if (yield this.secureStorageService.has(v1Keys.key)) {
-                yield this.secureStorageService.save(`${userId}${partialKeys.masterKey}`, yield this.secureStorageService.get(v1Keys.key));
-                yield this.secureStorageService.remove(v1Keys.key);
+                });
             }
+            Promise.all(accounts.map(({ userId, account }) => removeEverBeenUnlocked(userId, account)));
         });
     }
-    migrateStateFrom2To3() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const authenticatedUserIds = yield this.get(keys.authenticatedAccounts);
-            yield Promise.all(authenticatedUserIds.map((userId) => state_migration_service_awaiter(this, void 0, void 0, function* () {
-                var _a, _b;
-                const account = yield this.get(userId);
-                if (((_a = account === null || account === void 0 ? void 0 : account.profile) === null || _a === void 0 ? void 0 : _a.hasPremiumPersonally) === null &&
-                    ((_b = account.tokens) === null || _b === void 0 ? void 0 : _b.accessToken) != null) {
-                    const decodedToken = yield TokenService.decodeToken(account.tokens.accessToken);
-                    account.profile.hasPremiumPersonally = decodedToken.premium;
-                    yield this.set(userId, account);
-                }
-            })));
-            const globals = yield this.getGlobals();
-            globals.stateVersion = StateVersion.Three;
-            yield this.set(keys.global, globals);
+    rollback(helper) {
+        throw IRREVERSIBLE;
+    }
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but for this version
+    // it is nested inside a global object.
+    updateVersion(helper, direction) {
+        return _4_remove_ever_been_unlocked_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            const global = (yield helper.get("global")) || {};
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
         });
     }
-    migrateStateFrom3To4() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const authenticatedUserIds = yield this.get(keys.authenticatedAccounts);
-            yield Promise.all(authenticatedUserIds.map((userId) => state_migration_service_awaiter(this, void 0, void 0, function* () {
-                var _a;
-                const account = yield this.get(userId);
-                if (((_a = account === null || account === void 0 ? void 0 : account.profile) === null || _a === void 0 ? void 0 : _a.everBeenUnlocked) != null) {
-                    delete account.profile.everBeenUnlocked;
-                    return this.set(userId, account);
-                }
-            })));
-            const globals = yield this.getGlobals();
-            globals.stateVersion = StateVersion.Four;
-            yield this.set(keys.global, globals);
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/5-add-key-type-to-org-keys.ts
+var _5_add_key_type_to_org_keys_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class AddKeyTypeToOrgKeysMigrator extends Migrator {
+    migrate(helper) {
+        return _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () {
+            const accounts = yield helper.getAccounts();
+            function updateOrgKey(userId, account) {
+                var _a, _b;
+                return _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () {
+                    const encryptedOrgKeys = (_b = (_a = account === null || account === void 0 ? void 0 : account.keys) === null || _a === void 0 ? void 0 : _a.organizationKeys) === null || _b === void 0 ? void 0 : _b.encrypted;
+                    if (encryptedOrgKeys == null) {
+                        return;
+                    }
+                    const newOrgKeys = {};
+                    Object.entries(encryptedOrgKeys).forEach(([orgId, encKey]) => {
+                        newOrgKeys[orgId] = {
+                            type: "organization",
+                            key: encKey,
+                        };
+                    });
+                    account.keys.organizationKeys.encrypted = newOrgKeys;
+                    yield helper.set(userId, account);
+                });
+            }
+            Promise.all(accounts.map(({ userId, account }) => updateOrgKey(userId, account)));
         });
     }
-    migrateAccountFrom4To5(account) {
-        var _a, _b;
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const encryptedOrgKeys = (_b = (_a = account.keys) === null || _a === void 0 ? void 0 : _a.organizationKeys) === null || _b === void 0 ? void 0 : _b.encrypted;
-            if (encryptedOrgKeys != null) {
-                for (const [orgId, encKey] of Object.entries(encryptedOrgKeys)) {
-                    encryptedOrgKeys[orgId] = {
-                        type: "organization",
-                        key: encKey, // Account v4 does not reflect the current account model so we have to cast
-                    };
-                }
+    rollback(helper) {
+        return _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () {
+            const accounts = yield helper.getAccounts();
+            function updateOrgKey(userId, account) {
+                var _a, _b;
+                return _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () {
+                    const encryptedOrgKeys = (_b = (_a = account === null || account === void 0 ? void 0 : account.keys) === null || _a === void 0 ? void 0 : _a.organizationKeys) === null || _b === void 0 ? void 0 : _b.encrypted;
+                    if (encryptedOrgKeys == null) {
+                        return;
+                    }
+                    const newOrgKeys = {};
+                    Object.entries(encryptedOrgKeys).forEach(([orgId, encKey]) => {
+                        newOrgKeys[orgId] = encKey.key;
+                    });
+                    account.keys.organizationKeys.encrypted = newOrgKeys;
+                    yield helper.set(userId, account);
+                });
             }
-            return account;
+            Promise.all(accounts.map(({ userId, account }) => _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () { return updateOrgKey(userId, account); })));
         });
     }
-    migrateAccountFrom5To6(account) {
-        var _a;
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            (_a = account.keys) === null || _a === void 0 ? true : delete _a.legacyEtmKey;
-            return account;
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but for this version
+    // it is nested inside a global object.
+    updateVersion(helper, direction) {
+        return _5_add_key_type_to_org_keys_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            const global = (yield helper.get("global")) || {};
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
         });
     }
-    migrateAccountFrom6To7(globalSetting, account) {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            if (globalSetting) {
-                account.settings = Object.assign({}, account.settings, { disableAutoBiometricsPrompt: true });
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/6-remove-legacy-etm-key.ts
+var _6_remove_legacy_etm_key_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class RemoveLegacyEtmKeyMigrator extends Migrator {
+    migrate(helper) {
+        return _6_remove_legacy_etm_key_awaiter(this, void 0, void 0, function* () {
+            const accounts = yield helper.getAccounts();
+            function updateAccount(userId, account) {
+                var _a;
+                return _6_remove_legacy_etm_key_awaiter(this, void 0, void 0, function* () {
+                    if ((_a = account === null || account === void 0 ? void 0 : account.keys) === null || _a === void 0 ? void 0 : _a.legacyEtmKey) {
+                        delete account.keys.legacyEtmKey;
+                        yield helper.set(userId, account);
+                    }
+                });
             }
-            return account;
+            yield Promise.all(accounts.map(({ userId, account }) => updateAccount(userId, account)));
         });
     }
-    get options() {
-        return { htmlStorageLocation: HtmlStorageLocation.Local };
+    rollback(helper) {
+        return _6_remove_legacy_etm_key_awaiter(this, void 0, void 0, function* () {
+            throw IRREVERSIBLE;
+        });
     }
-    get(key) {
-        return this.storageService.get(key, this.options);
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but for this version
+    // it is nested inside a global object.
+    updateVersion(helper, direction) {
+        return _6_remove_legacy_etm_key_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            const global = (yield helper.get("global")) || {};
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
+        });
     }
-    set(key, value) {
-        if (value == null) {
-            return this.storageService.remove(key, this.options);
-        }
-        return this.storageService.save(key, value, this.options);
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/7-move-biometric-auto-prompt-to-account.ts
+var _7_move_biometric_auto_prompt_to_account_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class MoveBiometricAutoPromptToAccount extends Migrator {
+    migrate(helper) {
+        var _a;
+        return _7_move_biometric_auto_prompt_to_account_awaiter(this, void 0, void 0, function* () {
+            const global = yield helper.get("global");
+            const noAutoPromptBiometrics = (_a = global === null || global === void 0 ? void 0 : global.noAutoPromptBiometrics) !== null && _a !== void 0 ? _a : false;
+            const accounts = yield helper.getAccounts();
+            function updateAccount(userId, account) {
+                var _a;
+                return _7_move_biometric_auto_prompt_to_account_awaiter(this, void 0, void 0, function* () {
+                    if (account == null) {
+                        return;
+                    }
+                    if (noAutoPromptBiometrics) {
+                        account.settings = Object.assign((_a = account === null || account === void 0 ? void 0 : account.settings) !== null && _a !== void 0 ? _a : {}, {
+                            disableAutoBiometricsPrompt: true,
+                        });
+                        yield helper.set(userId, account);
+                    }
+                });
+            }
+            delete global.noAutoPromptBiometrics;
+            yield Promise.all([
+                ...accounts.map(({ userId, account }) => updateAccount(userId, account)),
+                helper.set("global", global),
+            ]);
+        });
     }
-    getGlobals() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            return yield this.get(keys.global);
+    rollback(helper) {
+        return _7_move_biometric_auto_prompt_to_account_awaiter(this, void 0, void 0, function* () {
+            throw IRREVERSIBLE;
         });
     }
-    getCurrentStateVersion() {
-        var _a, _b;
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            return (_b = (_a = (yield this.getGlobals())) === null || _a === void 0 ? void 0 : _a.stateVersion) !== null && _b !== void 0 ? _b : StateVersion.One;
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but for this version
+    // it is nested inside a global object.
+    updateVersion(helper, direction) {
+        return _7_move_biometric_auto_prompt_to_account_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            const global = (yield helper.get("global")) || {};
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
         });
     }
-    setCurrentStateVersion(newVersion) {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const globals = yield this.getGlobals();
-            globals.stateVersion = newVersion;
-            yield this.set(keys.global, globals);
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/8-move-state-version.ts
+var _8_move_state_version_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class MoveStateVersionMigrator extends Migrator {
+    migrate(helper) {
+        return _8_move_state_version_awaiter(this, void 0, void 0, function* () {
+            const global = yield helper.get("global");
+            if (global.stateVersion) {
+                yield helper.set("stateVersion", global.stateVersion);
+                delete global.stateVersion;
+                yield helper.set("global", global);
+            }
+            else {
+                throw new Error("Migration failed, state version not found");
+            }
         });
     }
-    getAuthenticatedAccounts() {
-        return state_migration_service_awaiter(this, void 0, void 0, function* () {
-            const authenticatedUserIds = yield this.get(keys.authenticatedAccounts);
-            return Promise.all(authenticatedUserIds.map((id) => this.get(id)));
+    rollback(helper) {
+        return _8_move_state_version_awaiter(this, void 0, void 0, function* () {
+            const version = yield helper.get("stateVersion");
+            const global = yield helper.get("global");
+            yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: version }));
+            yield helper.set("stateVersion", undefined);
+        });
+    }
+    // Override is necessary because default implementation assumes `stateVersion` at the root, but this migration moves
+    // it from a `global` object to root.This makes for unique rollback versioning.
+    updateVersion(helper, direction) {
+        return _8_move_state_version_awaiter(this, void 0, void 0, function* () {
+            const endVersion = direction === "up" ? this.toVersion : this.fromVersion;
+            helper.currentVersion = endVersion;
+            if (direction === "up") {
+                yield helper.set("stateVersion", endVersion);
+            }
+            else {
+                const global = (yield helper.get("global")) || {};
+                yield helper.set("global", Object.assign(Object.assign({}, global), { stateVersion: endVersion }));
+            }
         });
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/data/provider.data.ts
-class ProviderData {
-    constructor(response) {
-        this.id = response.id;
-        this.name = response.name;
-        this.status = response.status;
-        this.type = response.type;
-        this.enabled = response.enabled;
-        this.userId = response.userId;
-        this.useEvents = response.useEvents;
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/min-version.ts
+var min_version_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+function minVersionError(current) {
+    return `Your local data is too old to be migrated. Your current state version is ${current}, but minimum version is ${MIN_VERSION}.`;
+}
+class MinVersionMigrator extends Migrator {
+    constructor() {
+        super(0, MIN_VERSION);
+    }
+    // Overrides the default implementation to catch any version that may be passed in.
+    shouldMigrate(helper) {
+        return Promise.resolve(helper.currentVersion < MIN_VERSION);
+    }
+    migrate(helper) {
+        return min_version_awaiter(this, void 0, void 0, function* () {
+            if (helper.currentVersion < MIN_VERSION) {
+                throw new Error(minVersionError(helper.currentVersion));
+            }
+        });
+    }
+    rollback(helper) {
+        return min_version_awaiter(this, void 0, void 0, function* () {
+            throw IRREVERSIBLE;
+        });
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/enums/vault-timeout-action.enum.ts
-var VaultTimeoutAction;
-(function (VaultTimeoutAction) {
-    VaultTimeoutAction["Lock"] = "lock";
-    VaultTimeoutAction["LogOut"] = "logOut";
-})(VaultTimeoutAction || (VaultTimeoutAction = {}));
-
-;// CONCATENATED MODULE: ../../libs/common/src/models/data/event.data.ts
-class EventData {
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrate.ts
+var migrate_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+
+
+
+
+
+
+const MIN_VERSION = 2;
+const CURRENT_VERSION = 8;
+function migrate(storageService, logService) {
+    return migrate_awaiter(this, void 0, void 0, function* () {
+        const migrationHelper = new MigrationHelper(yield currentVersion(storageService, logService), storageService, logService);
+        if (migrationHelper.currentVersion < 0) {
+            // Cannot determine state, assuming empty so we don't repeatedly apply a migration.
+            yield storageService.save("stateVersion", CURRENT_VERSION);
+            return;
+        }
+        MigrationBuilder.create()
+            .with(MinVersionMigrator)
+            .with(FixPremiumMigrator, 2, 3)
+            .with(RemoveEverBeenUnlockedMigrator, 3, 4)
+            .with(AddKeyTypeToOrgKeysMigrator, 4, 5)
+            .with(RemoveLegacyEtmKeyMigrator, 5, 6)
+            .with(MoveBiometricAutoPromptToAccount, 6, 7)
+            .with(MoveStateVersionMigrator, 7, CURRENT_VERSION)
+            .migrate(migrationHelper);
+    });
+}
+function currentVersion(storageService, logService) {
+    var _a;
+    return migrate_awaiter(this, void 0, void 0, function* () {
+        let state = yield storageService.get("stateVersion");
+        if (state == null) {
+            // Pre v8
+            state = (_a = (yield storageService.get("global"))) === null || _a === void 0 ? void 0 : _a.stateVersion;
+        }
+        if (state == null) {
+            logService.info("No state version found, assuming empty state.");
+            return -1;
+        }
+        logService.info(`State version: ${state}`);
+        return state;
+    });
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/index.ts
+
+
 ;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/domain/password-generator-policy-options.ts
 
 class PasswordGeneratorPolicyOptions extends Domain {
@@ -17244,6 +17428,7 @@ class CipherData {
         this.creationDate = response.creationDate;
         this.deletedDate = response.deletedDate;
         this.reprompt = response.reprompt;
+        this.key = response.key;
         switch (this.type) {
             case CipherType.Login:
                 this.login = new LoginData(response.login);
@@ -18301,15 +18486,17 @@ var state_service_awaiter = (undefined && undefined.__awaiter) || function (this
 
 
 
-const state_service_keys = {
+
+const keys = {
     state: "state",
+    stateVersion: "stateVersion",
     global: "global",
     authenticatedAccounts: "authenticatedAccounts",
     activeUserId: "activeUserId",
     tempAccountSettings: "tempAccountSettings",
     accountActivity: "accountActivity",
 };
-const state_service_partialKeys = {
+const partialKeys = {
     userAutoKey: "_user_auto",
     userBiometricKey: "_user_biometric",
     autoKey: "_masterkey_auto",
@@ -18318,12 +18505,11 @@ const state_service_partialKeys = {
 };
 const DDG_SHARED_KEY = "DuckDuckGoSharedKey";
 class StateService {
-    constructor(storageService, secureStorageService, memoryStorageService, logService, stateMigrationService, stateFactory, useAccountCache = true) {
+    constructor(storageService, secureStorageService, memoryStorageService, logService, stateFactory, useAccountCache = true) {
         this.storageService = storageService;
         this.secureStorageService = secureStorageService;
         this.memoryStorageService = memoryStorageService;
         this.logService = logService;
-        this.stateMigrationService = stateMigrationService;
         this.stateFactory = stateFactory;
         this.useAccountCache = useAccountCache;
         this.accountsSubject = new external_rxjs_namespaceObject.BehaviorSubject({});
@@ -18358,9 +18544,7 @@ class StateService {
             if (this.hasBeenInited) {
                 return;
             }
-            if (yield this.stateMigrationService.needsMigration()) {
-                yield this.stateMigrationService.migrate();
-            }
+            yield migrate(this.storageService, this.logService);
             yield this.state().then((state) => state_service_awaiter(this, void 0, void 0, function* () {
                 if (state == null) {
                     yield this.setState(new State(this.createGlobals()));
@@ -18381,13 +18565,13 @@ class StateService {
             yield this.updateState((state) => state_service_awaiter(this, void 0, void 0, function* () {
                 var _a;
                 state.authenticatedAccounts =
-                    (_a = (yield this.storageService.get(state_service_keys.authenticatedAccounts))) !== null && _a !== void 0 ? _a : [];
+                    (_a = (yield this.storageService.get(keys.authenticatedAccounts))) !== null && _a !== void 0 ? _a : [];
                 for (const i in state.authenticatedAccounts) {
                     if (i != null) {
                         yield this.syncAccountFromDisk(state.authenticatedAccounts[i]);
                     }
                 }
-                const storedActiveUser = yield this.storageService.get(state_service_keys.activeUserId);
+                const storedActiveUser = yield this.storageService.get(keys.activeUserId);
                 if (storedActiveUser != null) {
                     state.activeUserId = storedActiveUser;
                 }
@@ -18418,7 +18602,7 @@ class StateService {
             account = yield this.setAccountEnvironment(account);
             yield this.updateState((state) => state_service_awaiter(this, void 0, void 0, function* () {
                 state.authenticatedAccounts.push(account.profile.userId);
-                yield this.storageService.save(state_service_keys.authenticatedAccounts, state.authenticatedAccounts);
+                yield this.storageService.save(keys.authenticatedAccounts, state.authenticatedAccounts);
                 state.accounts[account.profile.userId] = account;
                 return state;
             }));
@@ -18433,7 +18617,7 @@ class StateService {
             this.clearDecryptedDataForActiveUser();
             yield this.updateState((state) => state_service_awaiter(this, void 0, void 0, function* () {
                 state.activeUserId = userId;
-                yield this.storageService.save(state_service_keys.activeUserId, userId);
+                yield this.storageService.save(keys.activeUserId, userId);
                 this.activeAccountSubject.next(state.activeUserId);
                 return state;
             }));
@@ -18797,7 +18981,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return null;
             }
-            return yield this.secureStorageService.get(`${options.userId}${state_service_partialKeys.userAutoKey}`, options);
+            return yield this.secureStorageService.get(`${options.userId}${partialKeys.userAutoKey}`, options);
         });
     }
     /**
@@ -18809,7 +18993,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return;
             }
-            yield this.saveSecureStorageKey(state_service_partialKeys.userAutoKey, value, options);
+            yield this.saveSecureStorageKey(partialKeys.userAutoKey, value, options);
         });
     }
     /**
@@ -18821,7 +19005,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return null;
             }
-            return yield this.secureStorageService.get(`${options.userId}${state_service_partialKeys.userBiometricKey}`, options);
+            return yield this.secureStorageService.get(`${options.userId}${partialKeys.userBiometricKey}`, options);
         });
     }
     hasUserKeyBiometric(options) {
@@ -18830,7 +19014,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return false;
             }
-            return yield this.secureStorageService.has(`${options.userId}${state_service_partialKeys.userBiometricKey}`, options);
+            return yield this.secureStorageService.has(`${options.userId}${partialKeys.userBiometricKey}`, options);
         });
     }
     setUserKeyBiometric(value, options) {
@@ -18839,7 +19023,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return;
             }
-            yield this.saveSecureStorageKey(state_service_partialKeys.userBiometricKey, value, options);
+            yield this.saveSecureStorageKey(partialKeys.userBiometricKey, value, options);
         });
     }
     getPinKeyEncryptedUserKey(options) {
@@ -18877,7 +19061,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return null;
             }
-            return yield this.secureStorageService.get(`${options.userId}${state_service_partialKeys.autoKey}`, options);
+            return yield this.secureStorageService.get(`${options.userId}${partialKeys.autoKey}`, options);
         });
     }
     /**
@@ -18889,7 +19073,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return;
             }
-            yield this.saveSecureStorageKey(state_service_partialKeys.autoKey, value, options);
+            yield this.saveSecureStorageKey(partialKeys.autoKey, value, options);
         });
     }
     /**
@@ -18901,7 +19085,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return null;
             }
-            return yield this.secureStorageService.get(`${options === null || options === void 0 ? void 0 : options.userId}${state_service_partialKeys.masterKey}`, options);
+            return yield this.secureStorageService.get(`${options === null || options === void 0 ? void 0 : options.userId}${partialKeys.masterKey}`, options);
         });
     }
     /**
@@ -18913,7 +19097,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return;
             }
-            yield this.saveSecureStorageKey(state_service_partialKeys.masterKey, value, options);
+            yield this.saveSecureStorageKey(partialKeys.masterKey, value, options);
         });
     }
     /**
@@ -18925,7 +19109,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return null;
             }
-            return yield this.secureStorageService.get(`${options.userId}${state_service_partialKeys.biometricKey}`, options);
+            return yield this.secureStorageService.get(`${options.userId}${partialKeys.biometricKey}`, options);
         });
     }
     /**
@@ -18937,7 +19121,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return false;
             }
-            return yield this.secureStorageService.has(`${options.userId}${state_service_partialKeys.biometricKey}`, options);
+            return yield this.secureStorageService.has(`${options.userId}${partialKeys.biometricKey}`, options);
         });
     }
     /**
@@ -18949,7 +19133,7 @@ class StateService {
             if ((options === null || options === void 0 ? void 0 : options.userId) == null) {
                 return;
             }
-            yield this.saveSecureStorageKey(state_service_partialKeys.biometricKey, value, options);
+            yield this.saveSecureStorageKey(partialKeys.biometricKey, value, options);
         });
     }
     getDecryptedCiphers(options) {
@@ -19875,7 +20059,7 @@ class StateService {
     getLastActive(options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
             options = this.reconcileOptions(options, yield this.defaultOnDiskOptions());
-            const accountActivity = yield this.storageService.get(state_service_keys.accountActivity, options);
+            const accountActivity = yield this.storageService.get(keys.accountActivity, options);
             if (accountActivity == null || Object.keys(accountActivity).length < 1) {
                 return null;
             }
@@ -19889,9 +20073,9 @@ class StateService {
             if (options.userId == null) {
                 return;
             }
-            const accountActivity = (_a = (yield this.storageService.get(state_service_keys.accountActivity, options))) !== null && _a !== void 0 ? _a : {};
+            const accountActivity = (_a = (yield this.storageService.get(keys.accountActivity, options))) !== null && _a !== void 0 ? _a : {};
             accountActivity[options.userId] = value;
-            yield this.storageService.save(state_service_keys.accountActivity, accountActivity, options);
+            yield this.storageService.save(keys.accountActivity, accountActivity, options);
         });
     }
     getLastSync(options) {
@@ -20316,19 +20500,6 @@ class StateService {
             yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskLocalOptions()));
         });
     }
-    getStateVersion() {
-        var _a;
-        return state_service_awaiter(this, void 0, void 0, function* () {
-            return (_a = (yield this.getGlobals(yield this.defaultOnDiskLocalOptions())).stateVersion) !== null && _a !== void 0 ? _a : 1;
-        });
-    }
-    setStateVersion(value) {
-        return state_service_awaiter(this, void 0, void 0, function* () {
-            const globals = yield this.getGlobals(yield this.defaultOnDiskOptions());
-            globals.stateVersion = value;
-            yield this.saveGlobals(globals, yield this.defaultOnDiskOptions());
-        });
-    }
     getWindow() {
         return state_service_awaiter(this, void 0, void 0, function* () {
             const globals = yield this.getGlobals(yield this.defaultOnDiskOptions());
@@ -20405,7 +20576,10 @@ class StateService {
             if (this.useDisk && globals == null) {
                 globals = yield this.getGlobalsFromDisk(options);
             }
-            return globals !== null && globals !== void 0 ? globals : this.createGlobals();
+            if (globals == null) {
+                globals = this.createGlobals();
+            }
+            return globals;
         });
     }
     saveGlobals(globals, options) {
@@ -20422,7 +20596,7 @@ class StateService {
     }
     getGlobalsFromDisk(options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return yield this.storageService.get(state_service_keys.global, options);
+            return yield this.storageService.get(keys.global, options);
         });
     }
     saveGlobalsToMemory(globals) {
@@ -20436,10 +20610,10 @@ class StateService {
     saveGlobalsToDisk(globals, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
             if (options.useSecureStorage) {
-                yield this.secureStorageService.save(state_service_keys.global, globals, options);
+                yield this.secureStorageService.save(keys.global, globals, options);
             }
             else {
-                yield this.storageService.save(state_service_keys.global, globals, options);
+                yield this.storageService.save(keys.global, globals, options);
             }
         });
     }
@@ -20557,9 +20731,9 @@ class StateService {
             if ((storedAccount === null || storedAccount === void 0 ? void 0 : storedAccount.settings) != null) {
                 account.settings = storedAccount.settings;
             }
-            else if (yield this.storageService.has(state_service_keys.tempAccountSettings)) {
-                account.settings = yield this.storageService.get(state_service_keys.tempAccountSettings);
-                yield this.storageService.remove(state_service_keys.tempAccountSettings);
+            else if (yield this.storageService.has(keys.tempAccountSettings)) {
+                account.settings = yield this.storageService.get(keys.tempAccountSettings);
+                yield this.storageService.remove(keys.tempAccountSettings);
             }
             account.settings.environmentUrls = environmentUrls;
             account.settings.region = region;
@@ -20678,7 +20852,7 @@ class StateService {
     }
     getActiveUserIdFromStorage() {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return yield this.storageService.get(state_service_keys.activeUserId);
+            return yield this.storageService.get(keys.activeUserId);
         });
     }
     removeAccountFromLocalStorage(userId = null) {
@@ -20784,7 +20958,7 @@ class StateService {
             yield this.setLastActive(null, { userId: userId });
             yield this.updateState((state) => state_service_awaiter(this, void 0, void 0, function* () {
                 state.authenticatedAccounts = state.authenticatedAccounts.filter((id) => id !== userId);
-                yield this.storageService.save(state_service_keys.authenticatedAccounts, state.authenticatedAccounts);
+                yield this.storageService.save(keys.authenticatedAccounts, state.authenticatedAccounts);
                 return state;
             }));
         });
@@ -20835,7 +21009,7 @@ class StateService {
     }
     state() {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            const state = yield this.memoryStorageService.get(state_service_keys.state, {
+            const state = yield this.memoryStorageService.get(keys.state, {
                 deserializer: (s) => State.fromJSON(s, this.accountDeserializer),
             });
             return state;
@@ -20843,7 +21017,7 @@ class StateService {
     }
     setState(state) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            yield this.memoryStorageService.save(state_service_keys.state, state);
+            yield this.memoryStorageService.save(keys.state, state);
         });
     }
     updateState(stateUpdater) {
@@ -22821,7 +22995,7 @@ class SendService {
             send.hideEmail = model.hideEmail;
             send.maxAccessCount = model.maxAccessCount;
             if (model.key == null) {
-                model.key = yield this.cryptoFunctionService.randomBytes(16);
+                model.key = yield this.cryptoFunctionService.aesGenerateKey(128);
                 model.cryptoKey = yield this.cryptoService.makeSendKey(model.key);
             }
             if (password != null) {
@@ -23000,6 +23174,57 @@ class SendService {
     }
 }
 
+;// CONCATENATED MODULE: external "semver"
+const external_semver_namespaceObject = require("semver");
+;// CONCATENATED MODULE: ../../libs/common/src/platform/misc/flags.ts
+function getFlags(envFlags) {
+    if (typeof envFlags === "string") {
+        return JSON.parse(envFlags);
+    }
+    else {
+        return envFlags;
+    }
+}
+/**
+ * Gets the value of a feature flag from environment.
+ * All flags default to "on" (true).
+ * Only use for shared code in `libs`, otherwise use the client-specific function.
+ * @param flag The name of the feature flag to check
+ * @returns The value of the flag
+ */
+function flagEnabled(flag) {
+    const flags = getFlags({"enableCipherKeyEncryption":false});
+    return flags[flag] == null || !!flags[flag];
+}
+/**
+ * Gets the value of a dev flag from environment.
+ * Will always return false unless in development.
+ * Only use for shared code in `libs`, otherwise use the client-specific function.
+ * @param flag The name of the dev flag to check
+ * @returns The value of the flag
+ */
+function devFlagEnabled(flag) {
+    if (process.env.ENV !== "development") {
+        return false;
+    }
+    const devFlags = getFlags(process.env.DEV_FLAGS);
+    return devFlags[flag] == null || !!devFlags[flag];
+}
+/**
+ * Gets the value of a dev flag from environment.
+ * Will always return false unless in development.
+ * @param flag The name of the dev flag to check
+ * @returns The value of the flag
+ * @throws Error if the flag is not enabled
+ */
+function devFlagValue(flag) {
+    if (!devFlagEnabled(flag)) {
+        throw new Error(`This method should not be called, it is protected by a disabled dev flag.`);
+    }
+    const devFlags = getFlags(process.env.DEV_FLAGS);
+    return devFlags[flag];
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/vault/models/domain/attachment.ts
 var attachment_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@@ -23547,6 +23772,8 @@ var cipher_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _a
 
 
 
+
+
 class Cipher extends Domain {
     constructor(obj, localData = null) {
         super();
@@ -23560,6 +23787,7 @@ class Cipher extends Domain {
             folderId: null,
             name: null,
             notes: null,
+            key: null,
         }, ["id", "organizationId", "folderId"]);
         this.type = obj.type;
         this.favorite = obj.favorite;
@@ -23612,9 +23840,16 @@ class Cipher extends Domain {
             this.passwordHistory = null;
         }
     }
+    // We are passing the organizationId into the EncString.decrypt() method here, but because the encKey will always be
+    // present and so the organizationId will not be used.
+    // We will refactor the EncString.decrypt() in https://bitwarden.atlassian.net/browse/PM-3762 to remove the dependency on the organizationId.
     decrypt(encKey) {
         return cipher_awaiter(this, void 0, void 0, function* () {
             const model = new CipherView(this);
+            if (this.key != null) {
+                const encryptService = utils_Utils.getContainerService().getEncryptService();
+                encKey = new SymmetricCryptoKey(yield encryptService.decryptToBytes(this.key, encKey));
+            }
             yield this.decryptObj(model, {
                 name: null,
                 notes: null,
@@ -23635,13 +23870,12 @@ class Cipher extends Domain {
                 default:
                     break;
             }
-            const orgId = this.organizationId;
             if (this.attachments != null && this.attachments.length > 0) {
                 const attachments = [];
                 yield this.attachments.reduce((promise, attachment) => {
                     return promise
                         .then(() => {
-                        return attachment.decrypt(orgId, encKey);
+                        return attachment.decrypt(this.organizationId, encKey);
                     })
                         .then((decAttachment) => {
                         attachments.push(decAttachment);
@@ -23654,7 +23888,7 @@ class Cipher extends Domain {
                 yield this.fields.reduce((promise, field) => {
                     return promise
                         .then(() => {
-                        return field.decrypt(orgId, encKey);
+                        return field.decrypt(this.organizationId, encKey);
                     })
                         .then((decField) => {
                         fields.push(decField);
@@ -23667,7 +23901,7 @@ class Cipher extends Domain {
                 yield this.passwordHistory.reduce((promise, ph) => {
                     return promise
                         .then(() => {
-                        return ph.decrypt(orgId, encKey);
+                        return ph.decrypt(this.organizationId, encKey);
                     })
                         .then((decPh) => {
                         passwordHistory.push(decPh);
@@ -23679,6 +23913,7 @@ class Cipher extends Domain {
         });
     }
     toCipherData() {
+        var _a;
         const c = new CipherData();
         c.id = this.id;
         c.organizationId = this.organizationId;
@@ -23693,6 +23928,7 @@ class Cipher extends Domain {
         c.creationDate = this.creationDate != null ? this.creationDate.toISOString() : null;
         c.deletedDate = this.deletedDate != null ? this.deletedDate.toISOString() : null;
         c.reprompt = this.reprompt;
+        c.key = (_a = this.key) === null || _a === void 0 ? void 0 : _a.encryptedString;
         this.buildDataModel(this, c, {
             name: null,
             notes: null,
@@ -23737,6 +23973,7 @@ class Cipher extends Domain {
         const attachments = (_a = obj.attachments) === null || _a === void 0 ? void 0 : _a.map((a) => Attachment.fromJSON(a));
         const fields = (_b = obj.fields) === null || _b === void 0 ? void 0 : _b.map((f) => Field.fromJSON(f));
         const passwordHistory = (_c = obj.passwordHistory) === null || _c === void 0 ? void 0 : _c.map((ph) => Password.fromJSON(ph));
+        const key = EncString.fromJSON(obj.key);
         Object.assign(domain, obj, {
             name,
             notes,
@@ -23745,6 +23982,7 @@ class Cipher extends Domain {
             attachments,
             fields,
             passwordHistory,
+            key,
         });
         switch (obj.type) {
             case CipherType.Card:
@@ -23983,6 +24221,7 @@ class AttachmentRequest {
 
 class CipherRequest {
     constructor(cipher) {
+        var _a;
         this.type = cipher.type;
         this.folderId = cipher.folderId;
         this.organizationId = cipher.organizationId;
@@ -23991,6 +24230,7 @@ class CipherRequest {
         this.favorite = cipher.favorite;
         this.lastKnownRevisionDate = cipher.revisionDate;
         this.reprompt = cipher.reprompt;
+        this.key = (_a = cipher.key) === null || _a === void 0 ? void 0 : _a.encryptedString;
         switch (this.type) {
             case CipherType.Login:
                 this.login = new LoginApi();
@@ -24211,8 +24451,13 @@ var cipher_service_awaiter = (undefined && undefined.__awaiter) || function (thi
 
 
 
+
+
+
+
+const CIPHER_KEY_ENC_MIN_SERVER_VER = new external_semver_namespaceObject.SemVer("2023.9.1");
 class CipherService {
-    constructor(cryptoService, settingsService, apiService, i18nService, searchService, stateService, encryptService, cipherFileUploadService) {
+    constructor(cryptoService, settingsService, apiService, i18nService, searchService, stateService, encryptService, cipherFileUploadService, configService) {
         this.cryptoService = cryptoService;
         this.settingsService = settingsService;
         this.apiService = apiService;
@@ -24221,6 +24466,7 @@ class CipherService {
         this.stateService = stateService;
         this.encryptService = encryptService;
         this.cipherFileUploadService = cipherFileUploadService;
+        this.configService = configService;
         this.sortedCiphersCache = new SortedCiphersCache(this.sortCiphersByLastUsed);
     }
     getDecryptedCipherCache() {
@@ -24247,56 +24493,17 @@ class CipherService {
             yield this.clearDecryptedCiphersState(userId);
         });
     }
-    encrypt(model, key, originalCipher = null) {
+    encrypt(model, keyForEncryption, keyForCipherKeyDecryption, originalCipher = null) {
+        var _a;
         return cipher_service_awaiter(this, void 0, void 0, function* () {
-            // Adjust password history
             if (model.id != null) {
                 if (originalCipher == null) {
                     originalCipher = yield this.get(model.id);
                 }
                 if (originalCipher != null) {
-                    const existingCipher = yield originalCipher.decrypt();
-                    model.passwordHistory = existingCipher.passwordHistory || [];
-                    if (model.type === CipherType.Login && existingCipher.type === CipherType.Login) {
-                        if (existingCipher.login.password != null &&
-                            existingCipher.login.password !== "" &&
-                            existingCipher.login.password !== model.login.password) {
-                            const ph = new PasswordHistoryView();
-                            ph.password = existingCipher.login.password;
-                            ph.lastUsedDate = model.login.passwordRevisionDate = new Date();
-                            model.passwordHistory.splice(0, 0, ph);
-                        }
-                        else {
-                            model.login.passwordRevisionDate = existingCipher.login.passwordRevisionDate;
-                        }
-                    }
-                    if (existingCipher.hasFields) {
-                        const existingHiddenFields = existingCipher.fields.filter((f) => f.type === FieldType.Hidden &&
-                            f.name != null &&
-                            f.name !== "" &&
-                            f.value != null &&
-                            f.value !== "");
-                        const hiddenFields = model.fields == null
-                            ? []
-                            : model.fields.filter((f) => f.type === FieldType.Hidden && f.name != null && f.name !== "");
-                        existingHiddenFields.forEach((ef) => {
-                            const matchedField = hiddenFields.find((f) => f.name === ef.name);
-                            if (matchedField == null || matchedField.value !== ef.value) {
-                                const ph = new PasswordHistoryView();
-                                ph.password = ef.name + ": " + ef.value;
-                                ph.lastUsedDate = new Date();
-                                model.passwordHistory.splice(0, 0, ph);
-                            }
-                        });
-                    }
-                }
-                if (model.passwordHistory != null && model.passwordHistory.length === 0) {
-                    model.passwordHistory = null;
-                }
-                else if (model.passwordHistory != null && model.passwordHistory.length > 5) {
-                    // only save last 5 history
-                    model.passwordHistory = model.passwordHistory.slice(0, 5);
+                    yield this.updateModelfromExistingCipher(model, originalCipher);
                 }
+                this.adjustPasswordHistoryLength(model);
             }
             const cipher = new Cipher();
             cipher.id = model.id;
@@ -24308,29 +24515,28 @@ class CipherService {
             cipher.revisionDate = model.revisionDate;
             cipher.reprompt = model.reprompt;
             cipher.edit = model.edit;
-            if (key == null && cipher.organizationId != null) {
-                key = yield this.cryptoService.getOrgKey(cipher.organizationId);
-                if (key == null) {
-                    throw new Error("Cannot encrypt cipher for organization. No key.");
+            if (yield this.getCipherKeyEncryptionEnabled()) {
+                cipher.key = (_a = originalCipher === null || originalCipher === void 0 ? void 0 : originalCipher.key) !== null && _a !== void 0 ? _a : null;
+                const userOrOrgKey = yield this.getKeyForCipherKeyDecryption(cipher);
+                // The keyForEncryption is only used for encrypting the cipher key, not the cipher itself, since cipher key encryption is enabled.
+                // If the caller has provided a key for cipher key encryption, use it. Otherwise, use the user or org key.
+                keyForEncryption || (keyForEncryption = userOrOrgKey);
+                // If the caller has provided a key for cipher key decryption, use it. Otherwise, use the user or org key.
+                keyForCipherKeyDecryption || (keyForCipherKeyDecryption = userOrOrgKey);
+                return this.encryptCipherWithCipherKey(model, cipher, keyForEncryption, keyForCipherKeyDecryption);
+            }
+            else {
+                if (keyForEncryption == null && cipher.organizationId != null) {
+                    keyForEncryption = yield this.cryptoService.getOrgKey(cipher.organizationId);
+                    if (keyForEncryption == null) {
+                        throw new Error("Cannot encrypt cipher for organization. No key.");
+                    }
                 }
+                // We want to ensure that the cipher key is null if cipher key encryption is disabled
+                // so that decryption uses the proper key.
+                cipher.key = null;
+                return this.encryptCipher(model, cipher, keyForEncryption);
             }
-            yield Promise.all([
-                this.encryptObjProperty(model, cipher, {
-                    name: null,
-                    notes: null,
-                }, key),
-                this.encryptCipherData(cipher, model, key),
-                this.encryptFields(model.fields, key).then((fields) => {
-                    cipher.fields = fields;
-                }),
-                this.encryptPasswordHistories(model.passwordHistory, key).then((ph) => {
-                    cipher.passwordHistory = ph;
-                }),
-                this.encryptAttachments(model.attachments, key).then((attachments) => {
-                    cipher.attachments = attachments;
-                }),
-            ]);
-            return cipher;
         });
     }
     encryptAttachments(attachmentsModel, key) {
@@ -24625,7 +24831,7 @@ class CipherService {
     createWithServer(cipher, orgAdmin) {
         return cipher_service_awaiter(this, void 0, void 0, function* () {
             let response;
-            if (orgAdmin) {
+            if (orgAdmin && cipher.organizationId != null) {
                 const request = new CipherCreateRequest(cipher);
                 response = yield this.apiService.postCipherAdmin(request);
             }
@@ -24674,7 +24880,7 @@ class CipherService {
             yield Promise.all(attachmentPromises);
             cipher.organizationId = organizationId;
             cipher.collectionIds = collectionIds;
-            const encCipher = yield this.encrypt(cipher);
+            const encCipher = yield this.encryptSharedCipher(cipher);
             const request = new CipherShareRequest(encCipher);
             const response = yield this.apiService.putShareCipher(cipher.id, request);
             const data = new CipherData(response, collectionIds);
@@ -24688,7 +24894,7 @@ class CipherService {
             for (const cipher of ciphers) {
                 cipher.organizationId = organizationId;
                 cipher.collectionIds = collectionIds;
-                promises.push(this.encrypt(cipher).then((c) => {
+                promises.push(this.encryptSharedCipher(cipher).then((c) => {
                     encCiphers.push(c);
                 }));
             }
@@ -24727,12 +24933,22 @@ class CipherService {
     }
     saveAttachmentRawWithServer(cipher, filename, data, admin = false) {
         return cipher_service_awaiter(this, void 0, void 0, function* () {
-            let encKey;
-            encKey = yield this.cryptoService.getOrgKey(cipher.organizationId);
-            encKey || (encKey = yield this.cryptoService.getUserKeyWithLegacySupport());
-            const dataEncKey = yield this.cryptoService.makeDataEncKey(encKey);
-            const encFileName = yield this.encryptService.encrypt(filename, encKey);
-            const encData = yield this.encryptService.encryptToBytes(data, dataEncKey[0]);
+            const encKey = yield this.getKeyForCipherKeyDecryption(cipher);
+            const cipherKeyEncryptionEnabled = yield this.getCipherKeyEncryptionEnabled();
+            const cipherEncKey = cipherKeyEncryptionEnabled && cipher.key != null
+                ? new SymmetricCryptoKey(yield this.encryptService.decryptToBytes(cipher.key, encKey))
+                : encKey;
+            //if cipher key encryption is disabled but the item has an individual key,
+            //then we rollback to using the user key as the main key of encryption of the item
+            //in order to keep item and it's attachments with the same encryption level
+            if (cipher.key != null && !cipherKeyEncryptionEnabled) {
+                const model = yield cipher.decrypt(yield this.getKeyForCipherKeyDecryption(cipher));
+                cipher = yield this.encrypt(model);
+                yield this.updateWithServer(cipher);
+            }
+            const encFileName = yield this.encryptService.encrypt(filename, cipherEncKey);
+            const dataEncKey = yield this.cryptoService.makeDataEncKey(cipherEncKey);
+            const encData = yield this.encryptService.encryptToBytes(new Uint8Array(data), dataEncKey[0]);
             const response = yield this.cipherFileUploadService.upload(cipher, encFileName, encData, admin, dataEncKey);
             const cData = new CipherData(response, cipher.collectionIds);
             if (!admin) {
@@ -25020,7 +25236,68 @@ class CipherService {
             yield this.restore(restores);
         });
     }
+    getKeyForCipherKeyDecryption(cipher) {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            return ((yield this.cryptoService.getOrgKey(cipher.organizationId)) ||
+                (yield this.cryptoService.getUserKeyWithLegacySupport()));
+        });
+    }
     // Helpers
+    // In the case of a cipher that is being shared with an organization, we want to decrypt the
+    // cipher key with the user's key and then re-encrypt it with the organization's key.
+    encryptSharedCipher(model) {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            const keyForCipherKeyDecryption = yield this.cryptoService.getUserKeyWithLegacySupport();
+            return yield this.encrypt(model, null, keyForCipherKeyDecryption);
+        });
+    }
+    updateModelfromExistingCipher(model, originalCipher) {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            const existingCipher = yield originalCipher.decrypt(yield this.getKeyForCipherKeyDecryption(originalCipher));
+            model.passwordHistory = existingCipher.passwordHistory || [];
+            if (model.type === CipherType.Login && existingCipher.type === CipherType.Login) {
+                if (existingCipher.login.password != null &&
+                    existingCipher.login.password !== "" &&
+                    existingCipher.login.password !== model.login.password) {
+                    const ph = new PasswordHistoryView();
+                    ph.password = existingCipher.login.password;
+                    ph.lastUsedDate = model.login.passwordRevisionDate = new Date();
+                    model.passwordHistory.splice(0, 0, ph);
+                }
+                else {
+                    model.login.passwordRevisionDate = existingCipher.login.passwordRevisionDate;
+                }
+            }
+            if (existingCipher.hasFields) {
+                const existingHiddenFields = existingCipher.fields.filter((f) => f.type === FieldType.Hidden &&
+                    f.name != null &&
+                    f.name !== "" &&
+                    f.value != null &&
+                    f.value !== "");
+                const hiddenFields = model.fields == null
+                    ? []
+                    : model.fields.filter((f) => f.type === FieldType.Hidden && f.name != null && f.name !== "");
+                existingHiddenFields.forEach((ef) => {
+                    const matchedField = hiddenFields.find((f) => f.name === ef.name);
+                    if (matchedField == null || matchedField.value !== ef.value) {
+                        const ph = new PasswordHistoryView();
+                        ph.password = ef.name + ": " + ef.value;
+                        ph.lastUsedDate = new Date();
+                        model.passwordHistory.splice(0, 0, ph);
+                    }
+                });
+            }
+        });
+    }
+    adjustPasswordHistoryLength(model) {
+        if (model.passwordHistory != null && model.passwordHistory.length === 0) {
+            model.passwordHistory = null;
+        }
+        else if (model.passwordHistory != null && model.passwordHistory.length > 5) {
+            // only save last 5 history
+            model.passwordHistory = model.passwordHistory.slice(0, 5);
+        }
+    }
     shareAttachmentWithServer(attachmentView, cipherId, organizationId) {
         return cipher_service_awaiter(this, void 0, void 0, function* () {
             const attachmentResponse = yield this.apiService.nativeFetch(new Request(attachmentView.url, { cache: "no-store" }));
@@ -25198,6 +25475,49 @@ class CipherService {
     clearSortedCiphers() {
         this.sortedCiphersCache.clear();
     }
+    encryptCipher(model, cipher, key) {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            yield Promise.all([
+                this.encryptObjProperty(model, cipher, {
+                    name: null,
+                    notes: null,
+                }, key),
+                this.encryptCipherData(cipher, model, key),
+                this.encryptFields(model.fields, key).then((fields) => {
+                    cipher.fields = fields;
+                }),
+                this.encryptPasswordHistories(model.passwordHistory, key).then((ph) => {
+                    cipher.passwordHistory = ph;
+                }),
+                this.encryptAttachments(model.attachments, key).then((attachments) => {
+                    cipher.attachments = attachments;
+                }),
+            ]);
+            return cipher;
+        });
+    }
+    encryptCipherWithCipherKey(model, cipher, keyForCipherKeyEncryption, keyForCipherKeyDecryption) {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            // First, we get the key for cipher key encryption, in its decrypted form
+            let decryptedCipherKey;
+            if (cipher.key == null) {
+                decryptedCipherKey = yield this.cryptoService.makeCipherKey();
+            }
+            else {
+                decryptedCipherKey = new SymmetricCryptoKey(yield this.encryptService.decryptToBytes(cipher.key, keyForCipherKeyDecryption));
+            }
+            // Then, we have to encrypt the cipher key with the proper key.
+            cipher.key = yield this.encryptService.encrypt(decryptedCipherKey.key, keyForCipherKeyEncryption);
+            // Finally, we can encrypt the cipher with the decrypted cipher key.
+            return this.encryptCipher(model, cipher, decryptedCipherKey);
+        });
+    }
+    getCipherKeyEncryptionEnabled() {
+        return cipher_service_awaiter(this, void 0, void 0, function* () {
+            return (flagEnabled("enableCipherKeyEncryption") &&
+                (yield (0,external_rxjs_namespaceObject.firstValueFrom)(this.configService.checkServerMeetsVersionRequirement$(CIPHER_KEY_ENC_MIN_SERVER_VER))));
+        });
+    }
 }
 cipher_service_decorate([
     sequentialize(() => "getAllDecrypted"),
@@ -26707,6 +27027,43 @@ class LoginExport {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/models/export/password-history.export.ts
+
+
+
+class PasswordHistoryExport {
+    static template() {
+        const req = new PasswordHistoryExport();
+        req.password = null;
+        req.lastUsedDate = null;
+        return req;
+    }
+    static toView(req, view = new PasswordHistoryView()) {
+        view.password = req.password;
+        view.lastUsedDate = req.lastUsedDate;
+        return view;
+    }
+    static toDomain(req, domain = new Password()) {
+        domain.password = req.password != null ? new EncString(req.password) : null;
+        domain.lastUsedDate = req.lastUsedDate;
+        return domain;
+    }
+    constructor(o) {
+        var _a;
+        this.lastUsedDate = null;
+        if (o == null) {
+            return;
+        }
+        if (o instanceof PasswordHistoryView) {
+            this.password = o.password;
+        }
+        else {
+            this.password = (_a = o.password) === null || _a === void 0 ? void 0 : _a.encryptedString;
+        }
+        this.lastUsedDate = o.lastUsedDate;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/models/export/secure-note.export.ts
 
 
@@ -26744,7 +27101,14 @@ class SecureNoteExport {
 
 
 
+
 class CipherExport {
+    constructor() {
+        this.passwordHistory = null;
+        this.revisionDate = null;
+        this.creationDate = null;
+        this.deletedDate = null;
+    }
     static template() {
         const req = new CipherExport();
         req.organizationId = null;
@@ -26760,6 +27124,10 @@ class CipherExport {
         req.card = null;
         req.identity = null;
         req.reprompt = CipherRepromptType.None;
+        req.passwordHistory = [];
+        req.creationDate = null;
+        req.revisionDate = null;
+        req.deletedDate = null;
         return req;
     }
     static toView(req, view = new CipherView()) {
@@ -26794,6 +27162,12 @@ class CipherExport {
                 view.identity = IdentityExport.toView(req.identity);
                 break;
         }
+        if (req.passwordHistory != null) {
+            view.passwordHistory = req.passwordHistory.map((ph) => PasswordHistoryExport.toView(ph));
+        }
+        view.creationDate = req.creationDate;
+        view.revisionDate = req.revisionDate;
+        view.deletedDate = req.deletedDate;
         return view;
     }
     static toDomain(req, domain = new Cipher()) {
@@ -26807,6 +27181,7 @@ class CipherExport {
         domain.notes = req.notes != null ? new EncString(req.notes) : null;
         domain.favorite = req.favorite;
         domain.reprompt = (_a = req.reprompt) !== null && _a !== void 0 ? _a : CipherRepromptType.None;
+        domain.key = req.key != null ? new EncString(req.key) : null;
         if (req.fields != null) {
             domain.fields = req.fields.map((f) => FieldExport.toDomain(f));
         }
@@ -26824,11 +27199,17 @@ class CipherExport {
                 domain.identity = IdentityExport.toDomain(req.identity);
                 break;
         }
+        if (req.passwordHistory != null) {
+            domain.passwordHistory = req.passwordHistory.map((ph) => PasswordHistoryExport.toDomain(ph));
+        }
+        domain.creationDate = req.creationDate;
+        domain.revisionDate = req.revisionDate;
+        domain.deletedDate = req.deletedDate;
         return domain;
     }
     // Use build method instead of ctor so that we can control order of JSON stringify for pretty print
     build(o) {
-        var _a, _b;
+        var _a, _b, _c;
         this.organizationId = o.organizationId;
         this.folderId = o.folderId;
         this.type = o.type;
@@ -26840,6 +27221,7 @@ class CipherExport {
         else {
             this.name = (_a = o.name) === null || _a === void 0 ? void 0 : _a.encryptedString;
             this.notes = (_b = o.notes) === null || _b === void 0 ? void 0 : _b.encryptedString;
+            this.key = (_c = o.key) === null || _c === void 0 ? void 0 : _c.encryptedString;
         }
         this.favorite = o.favorite;
         if (o.fields != null) {
@@ -26864,6 +27246,17 @@ class CipherExport {
                 this.identity = new IdentityExport(o.identity);
                 break;
         }
+        if (o.passwordHistory != null) {
+            if (o instanceof CipherView) {
+                this.passwordHistory = o.passwordHistory.map((ph) => new PasswordHistoryExport(ph));
+            }
+            else {
+                this.passwordHistory = o.passwordHistory.map((ph) => new PasswordHistoryExport(ph));
+            }
+        }
+        this.creationDate = o.creationDate;
+        this.revisionDate = o.revisionDate;
+        this.deletedDate = o.deletedDate;
     }
 }
 
@@ -27227,12 +27620,15 @@ class VaultExportService {
                     if (exportData.ciphers != null && exportData.ciphers.length > 0) {
                         exportData.ciphers
                             .filter((c) => c.deletedDate === null)
-                            .forEach((c) => {
+                            .forEach((c) => vault_export_service_awaiter(this, void 0, void 0, function* () {
                             const cipher = new Cipher(new CipherData(c));
-                            exportPromises.push(cipher.decrypt().then((decCipher) => {
+                            exportPromises.push(this.cipherService
+                                .getKeyForCipherKeyDecryption(cipher)
+                                .then((key) => cipher.decrypt(key))
+                                .then((decCipher) => {
                                 decCiphers.push(decCipher);
                             }));
-                        });
+                        }));
                     }
                 }
                 return Promise.all(exportPromises);
@@ -27287,17 +27683,14 @@ class VaultExportService {
             const ciphers = [];
             const promises = [];
             promises.push(this.apiService.getCollections(organizationId).then((c) => {
-                const collectionPromises = [];
                 if (c != null && c.data != null && c.data.length > 0) {
                     c.data.forEach((r) => {
                         const collection = new Collection(new CollectionData(r));
                         collections.push(collection);
                     });
                 }
-                return Promise.all(collectionPromises);
             }));
             promises.push(this.apiService.getCiphersOrganization(organizationId).then((c) => {
-                const cipherPromises = [];
                 if (c != null && c.data != null && c.data.length > 0) {
                     c.data
                         .filter((item) => item.deletedDate === null)
@@ -27306,7 +27699,6 @@ class VaultExportService {
                         ciphers.push(cipher);
                     });
                 }
-                return Promise.all(cipherPromises);
             }));
             yield Promise.all(promises);
             const orgKey = yield this.cryptoService.getOrgKey(organizationId);
@@ -27802,6 +28194,9 @@ class base_importer_BaseImporter {
         if (cipher.fields != null && cipher.fields.length === 0) {
             cipher.fields = null;
         }
+        if (cipher.passwordHistory != null && cipher.passwordHistory.length === 0) {
+            cipher.passwordHistory = null;
+        }
     }
     processKvp(cipher, key, value, type = FieldType.Text) {
         if (this.isNullOrWhitespace(value)) {
@@ -28239,33 +28634,34 @@ var bitwarden_json_importer_awaiter = (undefined && undefined.__awaiter) || func
 
 
 class BitwardenJsonImporter extends base_importer_BaseImporter {
-    constructor(cryptoService, i18nService) {
+    constructor(cryptoService, i18nService, cipherService) {
         super();
         this.cryptoService = cryptoService;
         this.i18nService = i18nService;
+        this.cipherService = cipherService;
     }
     parse(data) {
         return bitwarden_json_importer_awaiter(this, void 0, void 0, function* () {
             this.result = new import_result_ImportResult();
-            this.results = JSON.parse(data);
-            if (this.results == null || this.results.items == null) {
+            const results = JSON.parse(data);
+            if (results == null || results.items == null) {
                 this.result.success = false;
                 return this.result;
             }
-            if (this.results.encrypted) {
-                yield this.parseEncrypted();
+            if (results.encrypted) {
+                yield this.parseEncrypted(results);
             }
             else {
-                this.parseDecrypted();
+                yield this.parseDecrypted(results);
             }
             return this.result;
         });
     }
-    parseEncrypted() {
+    parseEncrypted(results) {
         return bitwarden_json_importer_awaiter(this, void 0, void 0, function* () {
-            if (this.results.encKeyValidation_DO_NOT_EDIT != null) {
+            if (results.encKeyValidation_DO_NOT_EDIT != null) {
                 const orgKey = yield this.cryptoService.getOrgKey(this.organizationId);
-                const encKeyValidation = new EncString(this.results.encKeyValidation_DO_NOT_EDIT);
+                const encKeyValidation = new EncString(results.encKeyValidation_DO_NOT_EDIT);
                 const encKeyValidationDecrypt = yield this.cryptoService.decryptToUtf8(encKeyValidation, orgKey);
                 if (encKeyValidationDecrypt === null) {
                     this.result.success = false;
@@ -28273,29 +28669,10 @@ class BitwardenJsonImporter extends base_importer_BaseImporter {
                     return;
                 }
             }
-            const groupingsMap = new Map();
-            if (this.organization && this.results.collections != null) {
-                for (const c of this.results.collections) {
-                    const collection = CollectionWithIdExport.toDomain(c);
-                    if (collection != null) {
-                        collection.organizationId = this.organizationId;
-                        const view = yield collection.decrypt();
-                        groupingsMap.set(c.id, this.result.collections.length);
-                        this.result.collections.push(view);
-                    }
-                }
-            }
-            else if (!this.organization && this.results.folders != null) {
-                for (const f of this.results.folders) {
-                    const folder = FolderWithIdExport.toDomain(f);
-                    if (folder != null) {
-                        const view = yield folder.decrypt();
-                        groupingsMap.set(f.id, this.result.folders.length);
-                        this.result.folders.push(view);
-                    }
-                }
-            }
-            for (const c of this.results.items) {
+            const groupingsMap = this.organization
+                ? yield this.parseCollections(results)
+                : yield this.parseFolders(results);
+            for (const c of results.items) {
                 const cipher = CipherWithIdExport.toDomain(c);
                 // reset ids incase they were set for some reason
                 cipher.id = null;
@@ -28321,64 +28698,99 @@ class BitwardenJsonImporter extends base_importer_BaseImporter {
                         }
                     });
                 }
-                const view = yield cipher.decrypt();
+                const view = yield cipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(cipher));
                 this.cleanupCipher(view);
                 this.result.ciphers.push(view);
             }
             this.result.success = true;
         });
     }
-    parseDecrypted() {
-        const groupingsMap = new Map();
-        if (this.organization && this.results.collections != null) {
-            this.results.collections.forEach((c) => {
-                const collection = CollectionWithIdExport.toView(c);
-                if (collection != null) {
-                    collection.organizationId = null;
-                    groupingsMap.set(c.id, this.result.collections.length);
-                    this.result.collections.push(collection);
+    parseDecrypted(results) {
+        return bitwarden_json_importer_awaiter(this, void 0, void 0, function* () {
+            const groupingsMap = this.organization
+                ? yield this.parseCollections(results)
+                : yield this.parseFolders(results);
+            results.items.forEach((c) => {
+                const cipher = CipherWithIdExport.toView(c);
+                // reset ids incase they were set for some reason
+                cipher.id = null;
+                cipher.organizationId = null;
+                cipher.collectionIds = null;
+                // make sure password history is limited
+                if (cipher.passwordHistory != null && cipher.passwordHistory.length > 5) {
+                    cipher.passwordHistory = cipher.passwordHistory.slice(0, 5);
                 }
-            });
-        }
-        else if (!this.organization && this.results.folders != null) {
-            this.results.folders.forEach((f) => {
-                const folder = FolderWithIdExport.toView(f);
-                if (folder != null) {
-                    groupingsMap.set(f.id, this.result.folders.length);
-                    this.result.folders.push(folder);
+                if (!this.organization && c.folderId != null && groupingsMap.has(c.folderId)) {
+                    this.result.folderRelationships.push([
+                        this.result.ciphers.length,
+                        groupingsMap.get(c.folderId),
+                    ]);
                 }
+                else if (this.organization && c.collectionIds != null) {
+                    c.collectionIds.forEach((cId) => {
+                        if (groupingsMap.has(cId)) {
+                            this.result.collectionRelationships.push([
+                                this.result.ciphers.length,
+                                groupingsMap.get(cId),
+                            ]);
+                        }
+                    });
+                }
+                this.cleanupCipher(cipher);
+                this.result.ciphers.push(cipher);
             });
-        }
-        this.results.items.forEach((c) => {
-            const cipher = CipherWithIdExport.toView(c);
-            // reset ids incase they were set for some reason
-            cipher.id = null;
-            cipher.organizationId = null;
-            cipher.collectionIds = null;
-            // make sure password history is limited
-            if (cipher.passwordHistory != null && cipher.passwordHistory.length > 5) {
-                cipher.passwordHistory = cipher.passwordHistory.slice(0, 5);
-            }
-            if (!this.organization && c.folderId != null && groupingsMap.has(c.folderId)) {
-                this.result.folderRelationships.push([
-                    this.result.ciphers.length,
-                    groupingsMap.get(c.folderId),
-                ]);
+            this.result.success = true;
+        });
+    }
+    parseFolders(data) {
+        return bitwarden_json_importer_awaiter(this, void 0, void 0, function* () {
+            if (data.folders == null) {
+                return null;
             }
-            else if (this.organization && c.collectionIds != null) {
-                c.collectionIds.forEach((cId) => {
-                    if (groupingsMap.has(cId)) {
-                        this.result.collectionRelationships.push([
-                            this.result.ciphers.length,
-                            groupingsMap.get(cId),
-                        ]);
+            const groupingsMap = new Map();
+            for (const f of data.folders) {
+                let folderView;
+                if (data.encrypted) {
+                    const folder = FolderWithIdExport.toDomain(f);
+                    if (folder != null) {
+                        folderView = yield folder.decrypt();
                     }
-                });
+                }
+                else {
+                    folderView = FolderWithIdExport.toView(f);
+                }
+                if (folderView != null) {
+                    groupingsMap.set(f.id, this.result.folders.length);
+                    this.result.folders.push(folderView);
+                }
             }
-            this.cleanupCipher(cipher);
-            this.result.ciphers.push(cipher);
+            return groupingsMap;
+        });
+    }
+    parseCollections(data) {
+        return bitwarden_json_importer_awaiter(this, void 0, void 0, function* () {
+            if (data.collections == null) {
+                return null;
+            }
+            const groupingsMap = new Map();
+            for (const c of data.collections) {
+                let collectionView;
+                if (data.encrypted) {
+                    const collection = CollectionWithIdExport.toDomain(c);
+                    collection.organizationId = this.organizationId;
+                    collectionView = yield collection.decrypt();
+                }
+                else {
+                    collectionView = CollectionWithIdExport.toView(c);
+                    collectionView.organizationId = null;
+                }
+                if (collectionView != null) {
+                    groupingsMap.set(c.id, this.result.collections.length);
+                    this.result.collections.push(collectionView);
+                }
+            }
+            return groupingsMap;
         });
-        this.result.success = true;
     }
 }
 
@@ -28398,8 +28810,8 @@ var bitwarden_password_protected_importer_awaiter = (undefined && undefined.__aw
 
 
 class BitwardenPasswordProtectedImporter extends BitwardenJsonImporter {
-    constructor(cryptoService, i18nService, promptForPassword_callback) {
-        super(cryptoService, i18nService);
+    constructor(cryptoService, i18nService, cipherService, promptForPassword_callback) {
+        super(cryptoService, i18nService, cipherService);
         this.promptForPassword_callback = promptForPassword_callback;
     }
     parse(data) {
@@ -32366,6 +32778,97 @@ class PasswordWalletTxtImporter extends base_importer_BaseImporter {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/importer/src/importers/protonpass/types/protonpass-json-type.ts
+var ProtonPassItemState;
+(function (ProtonPassItemState) {
+    ProtonPassItemState[ProtonPassItemState["ACTIVE"] = 1] = "ACTIVE";
+    ProtonPassItemState[ProtonPassItemState["TRASHED"] = 2] = "TRASHED";
+})(ProtonPassItemState || (ProtonPassItemState = {}));
+
+;// CONCATENATED MODULE: ../../libs/importer/src/importers/protonpass/protonpass-json-importer.ts
+
+
+
+
+
+
+
+class ProtonPassJsonImporter extends base_importer_BaseImporter {
+    constructor(i18nService) {
+        super();
+        this.i18nService = i18nService;
+    }
+    parse(data) {
+        const result = new import_result_ImportResult();
+        const results = JSON.parse(data);
+        if (results == null || results.vaults == null) {
+            result.success = false;
+            return Promise.resolve(result);
+        }
+        if (results.encrypted) {
+            result.success = false;
+            result.errorMessage = this.i18nService.t("unsupportedEncryptedImport");
+            return Promise.resolve(result);
+        }
+        for (const [, vault] of Object.entries(results.vaults)) {
+            for (const item of vault.items) {
+                if (item.state == ProtonPassItemState.TRASHED) {
+                    continue;
+                }
+                this.processFolder(result, vault.name);
+                const cipher = this.initLoginCipher();
+                cipher.name = item.data.metadata.name;
+                cipher.notes = item.data.metadata.note;
+                switch (item.data.type) {
+                    case "login": {
+                        const loginContent = item.data.content;
+                        cipher.login.uris = this.makeUriArray(loginContent.urls);
+                        cipher.login.username = loginContent.username;
+                        cipher.login.password = loginContent.password;
+                        if (loginContent.totpUri != "") {
+                            cipher.login.totp = new URL(loginContent.totpUri).searchParams.get("secret");
+                        }
+                        for (const extraField of item.data.extraFields) {
+                            this.processKvp(cipher, extraField.fieldName, extraField.type == "totp" ? extraField.data.totpUri : extraField.data.content, extraField.type == "text" ? FieldType.Text : FieldType.Hidden);
+                        }
+                        break;
+                    }
+                    case "note":
+                        cipher.type = CipherType.SecureNote;
+                        cipher.secureNote = new SecureNoteView();
+                        cipher.secureNote.type = SecureNoteType.Generic;
+                        break;
+                    case "creditCard": {
+                        const creditCardContent = item.data.content;
+                        cipher.type = CipherType.Card;
+                        cipher.card = new CardView();
+                        cipher.card.cardholderName = creditCardContent.cardholderName;
+                        cipher.card.number = creditCardContent.number;
+                        cipher.card.brand = CardView.getCardBrandByPatterns(creditCardContent.number);
+                        cipher.card.code = creditCardContent.verificationNumber;
+                        if (!this.isNullOrWhitespace(creditCardContent.expirationDate)) {
+                            cipher.card.expMonth = creditCardContent.expirationDate.substring(0, 2);
+                            cipher.card.expMonth = cipher.card.expMonth.replace(/^0+/, "");
+                            cipher.card.expYear = creditCardContent.expirationDate.substring(2, 6);
+                        }
+                        if (!this.isNullOrWhitespace(creditCardContent.pin)) {
+                            this.processKvp(cipher, "PIN", creditCardContent.pin, FieldType.Hidden);
+                        }
+                        break;
+                    }
+                }
+                this.cleanupCipher(cipher);
+                result.ciphers.push(cipher);
+            }
+        }
+        if (this.organization) {
+            this.moveFoldersToCollections(result);
+        }
+        result.success = true;
+        return Promise.resolve(result);
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/importer/src/importers/psono/psono-json-importer.ts
 
 
@@ -32490,6 +32993,7 @@ class PsonoJsonImporter extends base_importer_BaseImporter {
         return cipher;
     }
     parseWebsiteLogins(entry, cipher) {
+        var _a;
         if (entry == null || entry.type != "website_password") {
             return;
         }
@@ -32498,7 +33002,7 @@ class PsonoJsonImporter extends base_importer_BaseImporter {
         cipher.login.username = entry.website_password_username;
         cipher.login.password = entry.website_password_password;
         cipher.login.uris = this.makeUriArray(entry.website_password_url);
-        this.processKvp(cipher, "website_password_auto_submit", entry.website_password_auto_submit.toString(), FieldType.Boolean);
+        this.processKvp(cipher, "website_password_auto_submit", (_a = entry.website_password_auto_submit) === null || _a === void 0 ? void 0 : _a.toString(), FieldType.Boolean);
         this.processKvp(cipher, "website_password_url_filter", entry.website_password_url_filter);
         this.importUnmappedFields(cipher, entry, this.WEBSITE_mappedValues);
     }
@@ -33276,6 +33780,7 @@ class ZohoVaultCsvImporter extends base_importer_BaseImporter {
 
 
 
+
 
 
 
@@ -33303,6 +33808,7 @@ const regularImportOptions = [
     // { id: "keeperjson", name: "Keeper (json)" },
     { id: "enpasscsv", name: "Enpass (csv)" },
     { id: "enpassjson", name: "Enpass (json)" },
+    { id: "protonpass", name: "ProtonPass (zip/json)" },
     { id: "safeincloudxml", name: "SafeInCloud (xml)" },
     { id: "pwsafexml", name: "Password Safe (xml)" },
     { id: "stickypasswordxml", name: "Sticky Password (xml)" },
@@ -33456,7 +33962,7 @@ class ImportService {
                 return new BitwardenCsvImporter();
             case "bitwardenjson":
             case "bitwardenpasswordprotected":
-                return new BitwardenPasswordProtectedImporter(this.cryptoService, this.i18nService, promptForPassword_callback);
+                return new BitwardenPasswordProtectedImporter(this.cryptoService, this.i18nService, this.cipherService, promptForPassword_callback);
             case "lastpasscsv":
             case "passboltcsv":
                 return new LastPassCsvImporter();
@@ -33572,6 +34078,8 @@ class ImportService {
                 return new PsonoJsonImporter();
             case "passkyjson":
                 return new PasskyJsonImporter();
+            case "protonpass":
+                return new ProtonPassJsonImporter(this.i18nService);
             default:
                 return null;
         }
@@ -33942,6 +34450,9 @@ class NodeCryptoFunctionService {
             });
         });
     }
+    aesGenerateKey(bitLength) {
+        return this.randomBytes(bitLength / 8);
+    }
     randomBytes(length) {
         return new Promise((resolve, reject) => {
             external_crypto_namespaceObject.randomBytes(length, (error, bytes) => {
@@ -33993,6 +34504,147 @@ class NodeCryptoFunctionService {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/platform/abstractions/config/server-config.ts
+const dayInMilliseconds = 24 * 3600 * 1000;
+const eighteenHoursInMilliseconds = 18 * 3600 * 1000;
+class ServerConfig {
+    constructor(serverConfigData) {
+        var _a, _b;
+        this.featureStates = {};
+        this.version = serverConfigData.version;
+        this.gitHash = serverConfigData.gitHash;
+        this.server = serverConfigData.server;
+        this.utcDate = new Date(serverConfigData.utcDate);
+        this.environment = serverConfigData.environment;
+        this.featureStates = serverConfigData.featureStates;
+        if (((_a = this.server) === null || _a === void 0 ? void 0 : _a.name) == null && ((_b = this.server) === null || _b === void 0 ? void 0 : _b.url) == null) {
+            this.server = null;
+        }
+    }
+    getAgeInMilliseconds() {
+        var _a;
+        return new Date().getTime() - ((_a = this.utcDate) === null || _a === void 0 ? void 0 : _a.getTime());
+    }
+    isValid() {
+        return this.getAgeInMilliseconds() <= dayInMilliseconds;
+    }
+    expiresSoon() {
+        return this.getAgeInMilliseconds() >= eighteenHoursInMilliseconds;
+    }
+    static fromJSON(obj) {
+        if (obj == null) {
+            return null;
+        }
+        return new ServerConfig(obj);
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/services/config/config.service.ts
+var config_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+
+
+
+const ONE_HOUR_IN_MILLISECONDS = 1000 * 3600;
+class ConfigService {
+    constructor(stateService, configApiService, authService, environmentService, logService, 
+    // Used to avoid duplicate subscriptions, e.g. in browser between the background and popup
+    subscribe = true) {
+        this.stateService = stateService;
+        this.configApiService = configApiService;
+        this.authService = authService;
+        this.environmentService = environmentService;
+        this.logService = logService;
+        this.subscribe = subscribe;
+        this.inited = false;
+        this._serverConfig = new external_rxjs_namespaceObject.ReplaySubject(1);
+        this.serverConfig$ = this._serverConfig.asObservable();
+        this._forceFetchConfig = new external_rxjs_namespaceObject.Subject();
+        this.refreshTimer$ = (0,external_rxjs_namespaceObject.timer)(ONE_HOUR_IN_MILLISECONDS, ONE_HOUR_IN_MILLISECONDS); // after 1 hour, then every hour
+        this.cloudRegion$ = this.serverConfig$.pipe((0,external_rxjs_namespaceObject.map)((config) => { var _a, _b; return (_b = (_a = config === null || config === void 0 ? void 0 : config.environment) === null || _a === void 0 ? void 0 : _a.cloudRegion) !== null && _b !== void 0 ? _b : Region.US; }));
+    }
+    init() {
+        if (!this.subscribe || this.inited) {
+            return;
+        }
+        const latestServerConfig$ = (0,external_rxjs_namespaceObject.defer)(() => this.configApiService.get()).pipe((0,external_rxjs_namespaceObject.map)((response) => new ServerConfigData(response)), (0,external_rxjs_namespaceObject.delayWhen)((data) => this.saveConfig(data)), (0,external_rxjs_namespaceObject.catchError)((e) => {
+            // fall back to stored ServerConfig (if any)
+            this.logService.error("Unable to fetch ServerConfig: " + (e === null || e === void 0 ? void 0 : e.message));
+            return this.stateService.getServerConfig();
+        }));
+        // If you need to fetch a new config when an event occurs, add an observable that emits on that event here
+        (0,external_rxjs_namespaceObject.merge)(this.refreshTimer$, // an overridable interval
+        this.environmentService.urls, // when environment URLs change (including when app is started)
+        this._forceFetchConfig // manual
+        )
+            .pipe((0,external_rxjs_namespaceObject.concatMap)(() => latestServerConfig$), (0,external_rxjs_namespaceObject.map)((data) => (data == null ? null : new ServerConfig(data))))
+            .subscribe((config) => this._serverConfig.next(config));
+        this.inited = true;
+    }
+    getFeatureFlag$(key, defaultValue) {
+        return this.serverConfig$.pipe((0,external_rxjs_namespaceObject.map)((serverConfig) => {
+            if ((serverConfig === null || serverConfig === void 0 ? void 0 : serverConfig.featureStates) == null || serverConfig.featureStates[key] == null) {
+                return defaultValue;
+            }
+            return serverConfig.featureStates[key];
+        }));
+    }
+    getFeatureFlag(key, defaultValue) {
+        return config_service_awaiter(this, void 0, void 0, function* () {
+            return yield (0,external_rxjs_namespaceObject.firstValueFrom)(this.getFeatureFlag$(key, defaultValue));
+        });
+    }
+    triggerServerConfigFetch() {
+        this._forceFetchConfig.next();
+    }
+    saveConfig(data) {
+        var _a;
+        return config_service_awaiter(this, void 0, void 0, function* () {
+            if ((yield this.authService.getAuthStatus()) === AuthenticationStatus.LoggedOut) {
+                return;
+            }
+            yield this.stateService.setServerConfig(data);
+            this.environmentService.setCloudWebVaultUrl((_a = data.environment) === null || _a === void 0 ? void 0 : _a.cloudRegion);
+        });
+    }
+    /**
+     * Verifies whether the server version meets the minimum required version
+     * @param minimumRequiredServerVersion The minimum version required
+     * @returns True if the server version is greater than or equal to the minimum required version
+     */
+    checkServerMeetsVersionRequirement$(minimumRequiredServerVersion) {
+        return this.serverConfig$.pipe((0,external_rxjs_namespaceObject.map)((serverConfig) => {
+            if (serverConfig == null) {
+                return false;
+            }
+            const serverVersion = new external_semver_namespaceObject.SemVer(serverConfig.version);
+            return serverVersion.compare(minimumRequiredServerVersion) >= 0;
+        }));
+    }
+}
+
+;// CONCATENATED MODULE: ./src/platform/services/cli-config.service.ts
+
+
+class CliConfigService extends ConfigService {
+    constructor() {
+        super(...arguments);
+        // The rxjs timer uses setTimeout/setInterval under the hood, which prevents the node process from exiting
+        // when the command is finished. Cli should never be alive long enough to use the timer, so we disable it.
+        this.refreshTimer$ = external_rxjs_namespaceObject.NEVER;
+    }
+}
+
 ;// CONCATENATED MODULE: external "child_process"
 const external_child_process_namespaceObject = require("child_process");
 ;// CONCATENATED MODULE: ./src/platform/services/cli-platform-utils.service.ts
@@ -34673,6 +35325,7 @@ class CipherResponse extends BaseResponse {
             this.passwordHistory = passwordHistory.map((h) => new PasswordHistoryResponse(h));
         }
         this.reprompt = this.getResponseProperty("Reprompt") || CipherRepromptType.None;
+        this.key = this.getResponseProperty("Key") || null;
     }
 }
 
@@ -37729,7 +38382,7 @@ class CliUtils {
             });
         });
     }
-    static extract1PuxContent(input) {
+    static extractZipContent(input, filepath) {
         return new Promise((resolve, reject) => {
             let p = null;
             if (input != null && input !== "") {
@@ -37749,7 +38402,7 @@ class CliUtils {
                     reject(err);
                 }
                 external_jszip_namespaceObject.loadAsync(data).then((zip) => {
-                    resolve(zip.file("export.data").async("string"));
+                    resolve(zip.file(filepath).async("string"));
                 }, (reason) => {
                     reject(reason);
                 });
@@ -37923,6 +38576,21 @@ class CliUtils {
     static convertBooleanOption(optionValue) {
         return optionValue || optionValue === "" ? true : false;
     }
+    static convertNumberOption(optionValue, defaultValue) {
+        try {
+            if (optionValue != null) {
+                const numVal = parseInt(optionValue);
+                return !Number.isNaN(numVal) ? numVal : defaultValue;
+            }
+            return defaultValue;
+        }
+        catch (_a) {
+            return defaultValue;
+        }
+    }
+    static convertStringOption(optionValue, defaultValue) {
+        return optionValue != null ? String(optionValue) : defaultValue;
+    }
 }
 
 ;// CONCATENATED MODULE: ./src/auth/commands/unlock.command.ts
@@ -38424,11 +39092,11 @@ class ShareCommand {
             if (cipher.organizationId != null) {
                 return Response.badRequest("This item already belongs to an organization.");
             }
-            const cipherView = yield cipher.decrypt();
+            const cipherView = yield cipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(cipher));
             try {
                 yield this.cipherService.shareWithServer(cipherView, organizationId, req);
                 const updatedCipher = yield this.cipherService.get(cipher.id);
-                const decCipher = yield updatedCipher.decrypt();
+                const decCipher = yield updatedCipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(updatedCipher));
                 const res = new cipher_response_CipherResponse(decCipher);
                 return Response.success(res);
             }
@@ -38480,6 +39148,9 @@ class GenerateCommand {
                 numWords: normalizedOptions.words,
                 capitalize: normalizedOptions.capitalize,
                 includeNumber: normalizedOptions.includeNumber,
+                minNumber: normalizedOptions.minNumber,
+                minSpecial: normalizedOptions.minSpecial,
+                ambiguous: normalizedOptions.ambiguous,
             };
             const enforcedOptions = (yield this.stateService.getIsAuthenticated())
                 ? (yield this.passwordGenerationService.enforcePasswordGeneratorPoliciesOnOptions(options))[0]
@@ -38498,10 +39169,13 @@ class generate_command_Options {
         this.special = CliUtils.convertBooleanOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.special);
         this.capitalize = CliUtils.convertBooleanOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.capitalize);
         this.includeNumber = CliUtils.convertBooleanOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.includeNumber);
-        this.length = (passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.length) != null ? parseInt(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.length, null) : 14;
+        this.ambiguous = CliUtils.convertBooleanOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.ambiguous);
+        this.length = CliUtils.convertNumberOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.length, 14);
         this.type = (passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.passphrase) ? "passphrase" : "password";
-        this.separator = (passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.separator) == null ? "-" : passedOptions.separator + "";
-        this.words = (passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.words) != null ? parseInt(passedOptions.words, null) : 3;
+        this.separator = CliUtils.convertStringOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.separator, "-");
+        this.words = CliUtils.convertNumberOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.words, 3);
+        this.minNumber = CliUtils.convertNumberOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.minNumber, 1);
+        this.minSpecial = CliUtils.convertNumberOption(passedOptions === null || passedOptions === void 0 ? void 0 : passedOptions.minSpecial, 1);
         if (!this.uppercase && !this.lowercase && !this.special && !this.number) {
             this.lowercase = true;
             this.uppercase = true;
@@ -39518,7 +40192,7 @@ class CreateCommand {
             try {
                 yield this.cipherService.createWithServer(cipher);
                 const newCipher = yield this.cipherService.get(cipher.id);
-                const decCipher = yield newCipher.decrypt();
+                const decCipher = yield newCipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(newCipher));
                 const res = new cipher_response_CipherResponse(decCipher);
                 return Response.success(res);
             }
@@ -39571,7 +40245,7 @@ class CreateCommand {
             try {
                 yield this.cipherService.saveAttachmentRawWithServer(cipher, fileName, new Uint8Array(fileBuf).buffer);
                 const updatedCipher = yield this.cipherService.get(cipher.id);
-                const decCipher = yield updatedCipher.decrypt();
+                const decCipher = yield updatedCipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(updatedCipher));
                 return Response.success(new cipher_response_CipherResponse(decCipher));
             }
             catch (e) {
@@ -39894,7 +40568,7 @@ class EditCommand {
             if (cipher == null) {
                 return Response.notFound();
             }
-            let cipherView = yield cipher.decrypt();
+            let cipherView = yield cipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(cipher));
             if (cipherView.isDeleted) {
                 return Response.badRequest("You may not edit a deleted item. Use the restore command first.");
             }
@@ -39903,7 +40577,7 @@ class EditCommand {
             try {
                 yield this.cipherService.updateWithServer(encCipher);
                 const updatedCipher = yield this.cipherService.get(cipher.id);
-                const decCipher = yield updatedCipher.decrypt();
+                const decCipher = yield updatedCipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(updatedCipher));
                 const res = new cipher_response_CipherResponse(decCipher);
                 return Response.success(res);
             }
@@ -39925,7 +40599,7 @@ class EditCommand {
             try {
                 yield this.cipherService.saveCollectionsWithServer(cipher);
                 const updatedCipher = yield this.cipherService.get(cipher.id);
-                const decCipher = yield updatedCipher.decrypt();
+                const decCipher = yield updatedCipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(updatedCipher));
                 const res = new cipher_response_CipherResponse(decCipher);
                 return Response.success(res);
             }
@@ -40142,7 +40816,7 @@ class GetCommand extends DownloadCommand {
             if (utils_Utils.isGuid(id)) {
                 const cipher = yield this.cipherService.get(id);
                 if (cipher != null) {
-                    decCipher = yield cipher.decrypt();
+                    decCipher = yield cipher.decrypt(yield this.cipherService.getKeyForCipherKeyDecryption(cipher));
                 }
             }
             else if (id.trim() !== "") {
@@ -41490,9 +42164,12 @@ class Program {
                 .option("-p, --passphrase", "Generate a passphrase.")
                 .option("--length <length>", "Length of the password.")
                 .option("--words <words>", "Number of words.")
+                .option("--minNumber <count>", "Minimum number of numeric characters.")
+                .option("--minSpecial <count>", "Minimum number of special characters.")
                 .option("--separator <separator>", "Word separator.")
                 .option("-c, --capitalize", "Title case passphrase.")
                 .option("--includeNumber", "Passphrase includes number.")
+                .option("--ambiguous", "Avoid ambiguous characters.")
                 .on("--help", () => {
                 writeLn("\n  Notes:");
                 writeLn("");
@@ -42206,7 +42883,10 @@ class ImportCommand {
             try {
                 let contents;
                 if (format === "1password1pux") {
-                    contents = yield CliUtils.extract1PuxContent(filepath);
+                    contents = yield CliUtils.extractZipContent(filepath, "export.data");
+                }
+                else if (format === "protonpass" && filepath.endsWith(".zip")) {
+                    contents = yield CliUtils.extractZipContent(filepath, "Proton Pass/data.json");
                 }
                 else {
                     contents = yield CliUtils.readFile(filepath);
@@ -42721,6 +43401,7 @@ var bw_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argum
 
 
 
+
 
 
 // Polyfills
@@ -42757,8 +43438,7 @@ class Main {
         this.storageService = new LowdbStorageService(this.logService, null, p, false, true);
         this.secureStorageService = new NodeEnvSecureStorageService(this.storageService, this.logService, () => this.cryptoService);
         this.memoryStorageService = new MemoryStorageService();
-        this.stateMigrationService = new StateMigrationService(this.storageService, this.secureStorageService, new StateFactory(GlobalState, Account));
-        this.stateService = new StateService(this.storageService, this.secureStorageService, this.memoryStorageService, this.logService, this.stateMigrationService, new StateFactory(GlobalState, Account));
+        this.stateService = new StateService(this.storageService, this.secureStorageService, this.memoryStorageService, this.logService, new StateFactory(GlobalState, Account));
         this.cryptoService = new CryptoService(this.cryptoFunctionService, this.encryptService, this.platformUtilsService, this.logService, this.stateService);
         this.appIdService = new AppIdService(this.storageService);
         this.tokenService = new TokenService(this.stateService);
@@ -42779,10 +43459,7 @@ class Main {
         this.cipherFileUploadService = new CipherFileUploadService(this.apiService, this.fileUploadService);
         this.sendApiService = this.sendApiService = new SendApiService(this.apiService, this.fileUploadService, this.sendService);
         this.searchService = new SearchService(this.logService, this.i18nService);
-        this.cipherService = new CipherService(this.cryptoService, this.settingsService, this.apiService, this.i18nService, this.searchService, this.stateService, this.encryptService, this.cipherFileUploadService);
         this.broadcasterService = new BroadcasterService();
-        this.folderService = new FolderService(this.cryptoService, this.i18nService, this.cipherService, this.stateService);
-        this.folderApiService = new FolderApiService(this.folderService, this.apiService);
         this.collectionService = new CollectionService(this.cryptoService, this.i18nService, this.stateService);
         this.providerService = new ProviderService(this.stateService);
         this.organizationService = new organization_service_OrganizationService(this.stateService);
@@ -42797,6 +43474,11 @@ class Main {
         this.deviceTrustCryptoService = new DeviceTrustCryptoService(this.cryptoFunctionService, this.cryptoService, this.encryptService, this.stateService, this.appIdService, this.devicesApiService, this.i18nService, this.platformUtilsService);
         this.authRequestCryptoService = new AuthRequestCryptoServiceImplementation(this.cryptoService);
         this.authService = new AuthService(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.keyConnectorService, this.environmentService, this.stateService, this.twoFactorService, this.i18nService, this.encryptService, this.passwordStrengthService, this.policyService, this.deviceTrustCryptoService, this.authRequestCryptoService);
+        this.configApiService = new ConfigApiService(this.apiService, this.authService);
+        this.configService = new CliConfigService(this.stateService, this.configApiService, this.authService, this.environmentService, this.logService, true);
+        this.cipherService = new CipherService(this.cryptoService, this.settingsService, this.apiService, this.i18nService, this.searchService, this.stateService, this.encryptService, this.cipherFileUploadService, this.configService);
+        this.folderService = new FolderService(this.cryptoService, this.i18nService, this.cipherService, this.stateService);
+        this.folderApiService = new FolderApiService(this.folderService, this.apiService);
         const lockedCallback = (userId) => bw_awaiter(this, void 0, void 0, function* () { return yield this.cryptoService.clearStoredUserKey(KeySuffixOptions.Auto); });
         this.userVerificationService = new UserVerificationService(this.stateService, this.cryptoService, this.i18nService, this.userVerificationApiService);
         this.vaultTimeoutSettingsService = new VaultTimeoutSettingsService(this.cryptoService, this.tokenService, this.policyService, this.stateService, this.userVerificationService);
@@ -42853,6 +43535,7 @@ class Main {
             const locale = yield this.stateService.getLocale();
             yield this.i18nService.init(locale);
             this.twoFactorService.init();
+            this.configService.init();
             const installedVersion = yield this.stateService.getInstalledVersion();
             const currentVersion = yield this.platformUtilsService.getApplicationVersion();
             if (installedVersion == null || installedVersion !== currentVersion) {