@bitwarden/commercial-sdk-internal 0.1.0 → 0.2.0-hotfix.20260302

package/bitwarden_wasm_internal.d.ts

@@ -1,7 +1,5 @@
 /* tslint:disable */
 /* eslint-disable */
-export function set_log_level(level: LogLevel): void;
-export function init_sdk(log_level?: LogLevel | null): void;
 /**
  * Generate a new SSH key pair
  *
@@ -29,13 +27,7 @@ export function generate_ssh_key(key_algorithm: KeyAlgorithm): SshKeyView;
  * - `Err(UnsupportedKeyType)` if the key type is not supported
  */
 export function import_ssh_key(imported_key: string, password?: string | null): SshKeyView;
-/**
- * Registers a DiscoverHandler so that the client can respond to DiscoverRequests.
- */
-export function ipcRegisterDiscoverHandler(
-  ipc_client: IpcClient,
-  response: DiscoverResponse,
-): Promise<void>;
+export function init_sdk(log_level?: LogLevel | null): void;
 /**
  * Sends a DiscoverRequest to the specified destination and returns the response.
  */
@@ -44,6 +36,13 @@ export function ipcRequestDiscover(
   destination: Endpoint,
   abort_signal?: AbortSignal | null,
 ): Promise<DiscoverResponse>;
+/**
+ * Registers a DiscoverHandler so that the client can respond to DiscoverRequests.
+ */
+export function ipcRegisterDiscoverHandler(
+  ipc_client: IpcClient,
+  response: DiscoverResponse,
+): Promise<void>;
 export enum CardLinkedIdType {
   CardholderName = 300,
   ExpMonth = 301,
@@ -116,6 +115,12 @@ export enum LoginLinkedIdType {
   Username = 100,
   Password = 101,
 }
+export enum RsaError {
+  Decryption = 0,
+  Encryption = 1,
+  KeyParse = 2,
+  KeySerialize = 3,
+}
 export enum SecureNoteType {
   Generic = 0,
 }
@@ -153,6 +158,17 @@ export type Utc = unknown;
  */
 export type NonZeroU32 = number;
 
+/**
+ * @deprecated Use PasswordManagerClient instead
+ */
+export type BitwardenClient = PasswordManagerClient;
+
+export interface TestError extends Error {
+  name: "TestError";
+}
+
+export function isTestError(error: any): error is TestError;
+
 export interface Repository<T> {
   get(id: string): Promise<T | null>;
   list(): Promise<T[]>;
@@ -169,20 +185,115 @@ export interface TokenProvider {
  */
 export interface FeatureFlags extends Map<string, boolean> {}
 
+export interface IndexedDbConfiguration {
+  db_name: string;
+}
+
 export interface Repositories {
   cipher: Repository<Cipher> | null;
   folder: Repository<Folder> | null;
 }
 
-export interface IndexedDbConfiguration {
-  db_name: string;
+/**
+ * Credentials for getting a send access token using an email and OTP.
+ */
+export interface SendEmailOtpCredentials {
+  /**
+   * The email address to which the OTP will be sent.
+   */
+  email: string;
+  /**
+   * The one-time password (OTP) that the user has received via email.
+   */
+  otp: string;
 }
 
-export interface TestError extends Error {
-  name: "TestError";
+/**
+ * Credentials for sending an OTP to the user\'s email address.
+ * This is used when the send requires email verification with an OTP.
+ */
+export interface SendEmailCredentials {
+  /**
+   * The email address to which the OTP will be sent.
+   */
+  email: string;
 }
 
-export function isTestError(error: any): error is TestError;
+/**
+ * Credentials for sending password secured access requests.
+ * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
+ * struct.
+ */
+export interface SendPasswordCredentials {
+  /**
+   * A Base64-encoded hash of the password protecting the send.
+   */
+  passwordHashB64: string;
+}
+
+/**
+ * A request structure for requesting a send access token from the API.
+ */
+export interface SendAccessTokenRequest {
+  /**
+   * The id of the send for which the access token is requested.
+   */
+  sendId: string;
+  /**
+   * The optional send access credentials.
+   */
+  sendAccessCredentials?: SendAccessCredentials;
+}
+
+/**
+ * The credentials used for send access requests.
+ */
+export type SendAccessCredentials =
+  | SendPasswordCredentials
+  | SendEmailOtpCredentials
+  | SendEmailCredentials;
+
+/**
+ * Any unexpected error that occurs when making requests to identity. This could be
+ * local/transport/decoding failure from the HTTP client (DNS/TLS/connect/read timeout,
+ * connection reset, or JSON decode failure on a success response) or non-2xx response with an
+ * unexpected body or status. Used when decoding the server\'s error payload into
+ * `SendAccessTokenApiErrorResponse` fails, or for 5xx responses where no structured error is
+ * available.
+ */
+export type UnexpectedIdentityError = string;
+
+/**
+ * A send access token which can be used to access a send.
+ */
+export interface SendAccessTokenResponse {
+  /**
+   * The actual token string.
+   */
+  token: string;
+  /**
+   * The timestamp in milliseconds when the token expires.
+   */
+  expiresAt: number;
+}
+
+/**
+ * Represents errors that can occur when requesting a send access token.
+ * It includes expected and unexpected API errors.
+ */
+export type SendAccessTokenError =
+  | { kind: "unexpected"; data: UnexpectedIdentityError }
+  | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
+
+/**
+ * Invalid request errors - typically due to missing parameters.
+ */
+export type SendAccessTokenInvalidRequestError =
+  | "send_id_required"
+  | "password_hash_b64_required"
+  | "email_required"
+  | "email_and_otp_required"
+  | "unknown";
 
 /**
  * Represents the possible, expected errors that can occur when requesting a send access token.
@@ -210,387 +321,439 @@ export type SendAccessTokenApiErrorResponse =
 export type SendAccessTokenInvalidGrantError =
   | "send_id_invalid"
   | "password_hash_b64_invalid"
-  | "email_invalid"
   | "otp_invalid"
   | "otp_generation_failed"
   | "unknown";
 
 /**
- * Invalid request errors - typically due to missing parameters.
+ * Request parameters for SSO JIT master password registration.
  */
-export type SendAccessTokenInvalidRequestError =
-  | "send_id_required"
-  | "password_hash_b64_required"
-  | "email_required"
-  | "email_and_otp_required_otp_sent"
-  | "unknown";
+export interface JitMasterPasswordRegistrationRequest {
+  /**
+   * Organization ID to enroll in
+   */
+  org_id: OrganizationId;
+  /**
+   * Organization\'s public key for encrypting the reset password key. This should be verified by
+   * the client and not verifying may compromise the security of the user\'s account.
+   */
+  org_public_key: B64;
+  /**
+   * Organization SSO identifier
+   */
+  organization_sso_identifier: string;
+  /**
+   * User ID for the account being initialized
+   */
+  user_id: UserId;
+  /**
+   * Salt for master password hashing, usually email
+   */
+  salt: string;
+  /**
+   * Master password for the account
+   */
+  master_password: string;
+  /**
+   * Optional hint for the master password
+   */
+  master_password_hint: string | undefined;
+  /**
+   * Should enroll user into admin password reset
+   */
+  reset_password_enroll: boolean;
+}
 
 /**
- * Any unexpected error that occurs when making requests to identity. This could be
- * local/transport/decoding failure from the HTTP client (DNS/TLS/connect/read timeout,
- * connection reset, or JSON decode failure on a success response) or non-2xx response with an
- * unexpected body or status. Used when decoding the server\'s error payload into
- * `SendAccessTokenApiErrorResponse` fails, or for 5xx responses where no structured error is
- * available.
+ * Request parameters for TDE (Trusted Device Encryption) registration.
  */
-export type UnexpectedIdentityError = string;
+export interface TdeRegistrationRequest {
+  /**
+   * Organization ID to enroll in
+   */
+  org_id: OrganizationId;
+  /**
+   * Organization\'s public key for encrypting the reset password key. This should be verified by
+   * the client and not verifying may compromise the security of the user\'s account.
+   */
+  org_public_key: B64;
+  /**
+   * User ID for the account being initialized
+   */
+  user_id: UserId;
+  /**
+   * Device identifier for TDE enrollment
+   */
+  device_identifier: string;
+  /**
+   * Whether to trust this device for TDE
+   */
+  trust_device: boolean;
+}
 
 /**
- * Represents errors that can occur when requesting a send access token.
- * It includes expected and unexpected API errors.
+ * Result of Key Connector registration process.
  */
-export type SendAccessTokenError =
-  | { kind: "unexpected"; data: UnexpectedIdentityError }
-  | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
+export interface KeyConnectorRegistrationResult {
+  /**
+   * The account cryptographic state of the user.
+   */
+  account_cryptographic_state: WrappedAccountCryptographicState;
+  /**
+   * The key connector key used for unlocking.
+   */
+  key_connector_key: B64;
+  /**
+   * The encrypted user key, wrapped with the key connector key.
+   */
+  key_connector_key_wrapped_user_key: EncString;
+  /**
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
+   */
+  user_key: B64;
+}
 
 /**
- * A send access token which can be used to access a send.
+ * Result of TDE registration process.
  */
-export interface SendAccessTokenResponse {
+export interface TdeRegistrationResponse {
   /**
-   * The actual token string.
+   * The account cryptographic state of the user
    */
-  token: string;
+  account_cryptographic_state: WrappedAccountCryptographicState;
   /**
-   * The timestamp in milliseconds when the token expires.
+   * The device key
    */
-  expiresAt: number;
+  device_key: B64;
+  /**
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
+   */
+  user_key: B64;
 }
 
 /**
- * A request structure for requesting a send access token from the API.
+ * Result of JIT master password registration process.
  */
-export interface SendAccessTokenRequest {
+export interface JitMasterPasswordRegistrationResponse {
   /**
-   * The id of the send for which the access token is requested.
+   * The account cryptographic state of the user
    */
-  sendId: string;
+  account_cryptographic_state: WrappedAccountCryptographicState;
   /**
-   * The optional send access credentials.
+   * The master password unlock data
    */
-  sendAccessCredentials?: SendAccessCredentials;
+  master_password_unlock: MasterPasswordUnlockData;
+  /**
+   * The decrypted user key.
+   */
+  user_key: B64;
 }
 
-/**
- * The credentials used for send access requests.
- */
-export type SendAccessCredentials =
-  | SendPasswordCredentials
-  | SendEmailCredentials
-  | SendEmailOtpCredentials;
+export interface RegistrationError extends Error {
+  name: "RegistrationError";
+  variant: "KeyConnectorApi" | "Api" | "Crypto";
+}
+
+export function isRegistrationError(error: any): error is RegistrationError;
+
+export interface PasswordPreloginError extends Error {
+  name: "PasswordPreloginError";
+  variant: "Api" | "Unknown";
+}
+
+export function isPasswordPreloginError(error: any): error is PasswordPreloginError;
+
+export interface PasswordLoginError extends Error {
+  name: "PasswordLoginError";
+  variant: "InvalidUsernameOrPassword" | "PasswordAuthenticationDataDerivation" | "Unknown";
+}
+
+export function isPasswordLoginError(error: any): error is PasswordLoginError;
 
 /**
- * Credentials for getting a send access token using an email and OTP.
+ * Public SDK request model for logging in via password
  */
-export interface SendEmailOtpCredentials {
+export interface PasswordLoginRequest {
   /**
-   * The email address to which the OTP will be sent.
+   * Common login request fields
+   */
+  loginRequest: LoginRequest;
+  /**
+   * User\'s email address
    */
   email: string;
   /**
-   * The one-time password (OTP) that the user has received via email.
+   * User\'s master password
    */
-  otp: string;
+  password: string;
+  /**
+   * Prelogin data required for password authentication
+   * (e.g., KDF configuration for deriving the master key)
+   */
+  preloginResponse: PasswordPreloginResponse;
 }
 
 /**
- * Credentials for sending an OTP to the user\'s email address.
- * This is used when the send requires email verification with an OTP.
+ * Response containing the data required before password-based authentication
  */
-export interface SendEmailCredentials {
+export interface PasswordPreloginResponse {
   /**
-   * The email address to which the OTP will be sent.
+   * The Key Derivation Function (KDF) configuration for the user
    */
-  email: string;
+  kdf: Kdf;
+  /**
+   * The salt used in the KDF process
+   */
+  salt: string;
 }
 
 /**
- * Credentials for sending password secured access requests.
- * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
- * struct.
+ * The common bucket of login fields to be re-used across all login mechanisms
+ * (e.g., password, SSO, etc.). This will include handling client_id and 2FA.
  */
-export interface SendPasswordCredentials {
+export interface LoginRequest {
   /**
-   * A Base64-encoded hash of the password protecting the send.
+   * OAuth client identifier
    */
-  passwordHashB64: string;
+  clientId: string;
+  /**
+   * Device information for this login request
+   */
+  device: LoginDeviceRequest;
 }
 
 /**
- * NewType wrapper for `CollectionId`
+ * Common login response model used across different login methods.
  */
-export type CollectionId = Tagged<Uuid, "CollectionId">;
-
-export interface Collection {
-  id: CollectionId | undefined;
-  organizationId: OrganizationId;
-  name: EncString;
-  externalId: string | undefined;
-  hidePasswords: boolean;
-  readOnly: boolean;
-  manage: boolean;
-  defaultUserCollectionEmail: string | undefined;
-  type: CollectionType;
-}
-
-export interface CollectionView {
-  id: CollectionId | undefined;
-  organizationId: OrganizationId;
-  name: string;
-  externalId: string | undefined;
-  hidePasswords: boolean;
-  readOnly: boolean;
-  manage: boolean;
-  type: CollectionType;
-}
-
-/**
- * Type of collection
- */
-export type CollectionType = "SharedCollection" | "DefaultUserCollection";
-
-export interface CollectionDecryptError extends Error {
-  name: "CollectionDecryptError";
-  variant: "Crypto";
-}
-
-export function isCollectionDecryptError(error: any): error is CollectionDecryptError;
+export type LoginResponse = { Authenticated: LoginSuccessResponse };
 
 /**
- * State used for initializing the user cryptographic state.
+ * Device information for login requests.
+ * This is common across all login mechanisms and describes the device
+ * making the authentication request.
  */
-export interface InitUserCryptoRequest {
-  /**
-   * The user\'s ID.
-   */
-  userId: UserId | undefined;
-  /**
-   * The user\'s KDF parameters, as received from the prelogin request
-   */
-  kdfParams: Kdf;
-  /**
-   * The user\'s email address
-   */
-  email: string;
+export interface LoginDeviceRequest {
   /**
-   * The user\'s encrypted private key
+   * The type of device making the login request
+   * Note: today, we already have the DeviceType on the ApiConfigurations
+   * but we do not have the other device fields so we will accept the device data at login time
+   * for now. In the future, we might refactor the unauthN client to instantiate with full
+   * device info which would deprecate this struct. However, using the device_type here
+   * allows us to avoid any timing issues in scenarios where the device type could change
+   * between client instantiation and login (unlikely but possible).
    */
-  privateKey: EncString;
+  deviceType: DeviceType;
   /**
-   * The user\'s signing key
+   * Unique identifier for the device
    */
-  signingKey: EncString | undefined;
+  deviceIdentifier: string;
   /**
-   * The user\'s security state
+   * Human-readable name of the device
    */
-  securityState: SignedSecurityState | undefined;
+  deviceName: string;
   /**
-   * The initialization method to use
+   * Push notification token for the device (only for mobile devices)
    */
-  method: InitUserCryptoMethod;
+  devicePushToken: string | undefined;
 }
 
 /**
- * The crypto method used to initialize the user cryptographic state.
- */
-export type InitUserCryptoMethod =
-  | { password: { password: string; user_key: EncString } }
-  | { decryptedKey: { decrypted_user_key: string } }
-  | { pin: { pin: string; pin_protected_user_key: EncString } }
-  | { pinEnvelope: { pin: string; pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope } }
-  | { authRequest: { request_private_key: B64; method: AuthRequestMethod } }
-  | {
-      deviceKey: {
-        device_key: string;
-        protected_device_private_key: EncString;
-        device_protected_user_key: UnsignedSharedKey;
-      };
-    }
-  | { keyConnector: { master_key: B64; user_key: EncString } };
-
-/**
- * Auth requests supports multiple initialization methods.
- */
-export type AuthRequestMethod =
-  | { userKey: { protected_user_key: UnsignedSharedKey } }
-  | { masterKey: { protected_master_key: UnsignedSharedKey; auth_request_key: EncString } };
-
-/**
- * Represents the request to initialize the user\'s organizational cryptographic state.
+ * SDK response model for a successful login.
+ * This is the model that will be exposed to consuming applications.
  */
-export interface InitOrgCryptoRequest {
+export interface LoginSuccessResponse {
   /**
-   * The encryption keys for all the organizations the user is a part of
+   * The access token string.
    */
-  organizationKeys: Map<OrganizationId, UnsignedSharedKey>;
-}
-
-/**
- * Response from the `update_kdf` function
- */
-export interface UpdateKdfResponse {
+  accessToken: string;
   /**
-   * The authentication data for the new KDF setting
+   * The duration in seconds until the token expires.
    */
-  masterPasswordAuthenticationData: MasterPasswordAuthenticationData;
+  expiresIn: number;
   /**
-   * The unlock data for the new KDF setting
+   * The timestamp in milliseconds when the token expires.
+   * We calculate this for more convenient token expiration handling.
    */
-  masterPasswordUnlockData: MasterPasswordUnlockData;
+  expiresAt: number;
   /**
-   * The authentication data for the KDF setting prior to the change
+   * The scope of the access token.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-3.3>
    */
-  oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData;
-}
-
-/**
- * Response from the `update_password` function
- */
-export interface UpdatePasswordResponse {
+  scope: string;
   /**
-   * Hash of the new password
+   * The type of the token.
+   * This will be \"Bearer\" for send access tokens.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-7.1>
    */
-  passwordHash: B64;
+  tokenType: string;
   /**
-   * User key, encrypted with the new password
+   * The optional refresh token string.
+   * This token can be used to obtain new access tokens when the current one expires.
    */
-  newKey: EncString;
-}
-
-/**
- * Request for deriving a pin protected user key
- */
-export interface EnrollPinResponse {
+  refreshToken: string | undefined;
   /**
-   * [UserKey] protected by PIN
+   * The user key wrapped user private key.
+   * Note: previously known as \"private_key\".
    */
-  pinProtectedUserKeyEnvelope: PasswordProtectedKeyEnvelope;
+  userKeyWrappedUserPrivateKey: string | undefined;
   /**
-   * PIN protected by [UserKey]
+   * Two-factor authentication token for future requests.
    */
-  userKeyEncryptedPin: EncString;
-}
-
-/**
- * Request for deriving a pin protected user key
- */
-export interface DerivePinKeyResponse {
+  twoFactorToken: string | undefined;
   /**
-   * [UserKey] protected by PIN
+   * Indicates whether an admin has reset the user\'s master password,
+   * requiring them to set a new password upon next login.
    */
-  pinProtectedUserKey: EncString;
+  forcePasswordReset: boolean | undefined;
   /**
-   * PIN protected by [UserKey]
+   * Indicates whether the user uses Key Connector and if the client should have a locally
+   * configured Key Connector URL in their environment.
+   * Note: This is currently only applicable for client_credential grant type logins and
+   * is only expected to be relevant for the CLI
    */
-  encryptedPin: EncString;
+  apiUseKeyConnector: boolean | undefined;
+  /**
+   * The user\'s decryption options for unlocking their vault.
+   */
+  userDecryptionOptions: UserDecryptionOptionsResponse;
+  /**
+   * If the user is subject to an organization master password policy,
+   * this field contains the requirements of that policy.
+   */
+  masterPasswordPolicy: MasterPasswordPolicyResponse | undefined;
 }
 
 /**
- * Request for migrating an account from password to key connector.
+ * SDK domain model for user decryption options.
+ * Provides the various methods available to unlock a user\'s vault.
  */
-export interface DeriveKeyConnectorRequest {
+export interface UserDecryptionOptionsResponse {
   /**
-   * Encrypted user key, used to validate the master key
+   * Master password unlock option. None if user doesn\'t have a master password.
    */
-  userKeyEncrypted: EncString;
+  masterPasswordUnlock?: MasterPasswordUnlockData;
   /**
-   * The user\'s master password
+   * Trusted Device decryption option.
    */
-  password: string;
+  trustedDeviceOption?: TrustedDeviceUserDecryptionOption;
   /**
-   * The KDF parameters used to derive the master key
+   * Key Connector decryption option.
+   * Mutually exclusive with Trusted Device option.
    */
-  kdf: Kdf;
+  keyConnectorOption?: KeyConnectorUserDecryptionOption;
   /**
-   * The user\'s email address
+   * WebAuthn PRF decryption option.
    */
-  email: string;
+  webauthnPrfOption?: WebAuthnPrfUserDecryptionOption;
 }
 
 /**
- * Response from the `make_key_pair` function
+ * SDK domain model for WebAuthn PRF user decryption option.
  */
-export interface MakeKeyPairResponse {
-  /**
-   * The user\'s public key
-   */
-  userPublicKey: B64;
+export interface WebAuthnPrfUserDecryptionOption {
   /**
-   * User\'s private key, encrypted with the user key
+   * PRF key encrypted private key
    */
-  userKeyEncryptedPrivateKey: EncString;
-}
-
-/**
- * Request for `verify_asymmetric_keys`.
- */
-export interface VerifyAsymmetricKeysRequest {
+  encryptedPrivateKey: EncString;
   /**
-   * The user\'s user key
+   * Public Key encrypted user key
    */
-  userKey: B64;
+  encryptedUserKey: UnsignedSharedKey;
   /**
-   * The user\'s public key
+   * Credential ID for this WebAuthn PRF credential.
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
    */
-  userPublicKey: B64;
+  credentialId: string | undefined;
   /**
-   * User\'s private key, encrypted with the user key
+   * Transport methods available for this credential (e.g., \"usb\", \"nfc\", \"ble\", \"internal\",
+   * \"hybrid\").
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
    */
-  userKeyEncryptedPrivateKey: EncString;
+  transports: string[] | undefined;
 }
 
 /**
- * Response for `verify_asymmetric_keys`.
+ * SDK domain model for Key Connector user decryption option.
  */
-export interface VerifyAsymmetricKeysResponse {
+export interface KeyConnectorUserDecryptionOption {
   /**
-   * Whether the user\'s private key was decryptable by the user key.
-   */
-  privateKeyDecryptable: boolean;
-  /**
-   * Whether the user\'s private key was a valid RSA key and matched the public key provided.
+   * URL of the Key Connector server to use for decryption.
    */
-  validPrivateKey: boolean;
+  keyConnectorUrl: string;
 }
 
 /**
- * Response for the `make_keys_for_user_crypto_v2`, containing a set of keys for a user
+ * SDK domain model for Trusted Device user decryption option.
  */
-export interface UserCryptoV2KeysResponse {
-  /**
-   * User key
-   */
-  userKey: B64;
-  /**
-   * Wrapped private key
-   */
-  privateKey: EncString;
+export interface TrustedDeviceUserDecryptionOption {
   /**
-   * Public key
+   * Whether the user has admin approval for device login.
    */
-  publicKey: B64;
+  hasAdminApproval: boolean;
   /**
-   * The user\'s public key, signed by the signing key
+   * Whether the user has a device that can approve logins.
    */
-  signedPublicKey: SignedPublicKey;
+  hasLoginApprovingDevice: boolean;
   /**
-   * Signing key, encrypted with the user\'s symmetric key
+   * Whether the user has permission to manage password reset for other users.
    */
-  signingKey: EncString;
+  hasManageResetPasswordPermission: boolean;
   /**
-   * Base64 encoded verifying key
+   * Whether the user is in TDE offboarding.
    */
-  verifyingKey: B64;
+  isTdeOffboarding: boolean;
   /**
-   * The user\'s signed security state
+   * The device key encrypted device private key. Only present if the device is trusted.
    */
-  securityState: SignedSecurityState;
+  encryptedPrivateKey?: EncString;
   /**
-   * The security state\'s version
+   * The device private key encrypted user key. Only present if the device is trusted.
    */
-  securityVersion: number;
+  encryptedUserKey?: UnsignedSharedKey;
+}
+
+export interface Collection {
+  id: CollectionId | undefined;
+  organizationId: OrganizationId;
+  name: EncString;
+  externalId: string | undefined;
+  hidePasswords: boolean;
+  readOnly: boolean;
+  manage: boolean;
+  defaultUserCollectionEmail: string | undefined;
+  type: CollectionType;
+}
+
+/**
+ * Type of collection
+ */
+export type CollectionType = "SharedCollection" | "DefaultUserCollection";
+
+export interface CollectionView {
+  id: CollectionId | undefined;
+  organizationId: OrganizationId;
+  name: string;
+  externalId: string | undefined;
+  hidePasswords: boolean;
+  readOnly: boolean;
+  manage: boolean;
+  type: CollectionType;
+}
+
+/**
+ * NewType wrapper for `CollectionId`
+ */
+export type CollectionId = Tagged<Uuid, "CollectionId">;
+
+export interface CollectionDecryptError extends Error {
+  name: "CollectionDecryptError";
+  variant: "Crypto";
 }
 
+export function isCollectionDecryptError(error: any): error is CollectionDecryptError;
+
+export type SignedSecurityState = string;
+
 /**
  * Represents the data required to unlock with the master password.
  */
@@ -609,6 +772,19 @@ export interface MasterPasswordUnlockData {
   salt: string;
 }
 
+export interface MasterPasswordError extends Error {
+  name: "MasterPasswordError";
+  variant:
+    | "EncryptionKeyMalformed"
+    | "KdfMalformed"
+    | "InvalidKdfConfiguration"
+    | "MissingField"
+    | "Crypto"
+    | "WrongPassword";
+}
+
+export function isMasterPasswordError(error: any): error is MasterPasswordError;
+
 /**
  * Represents the data required to authenticate with the master password.
  */
@@ -618,595 +794,1359 @@ export interface MasterPasswordAuthenticationData {
   masterPasswordAuthenticationHash: B64;
 }
 
-export type SignedSecurityState = string;
-
-/**
- * NewType wrapper for `UserId`
- */
-export type UserId = Tagged<Uuid, "UserId">;
-
-/**
- * NewType wrapper for `OrganizationId`
- */
-export type OrganizationId = Tagged<Uuid, "OrganizationId">;
-
 /**
- * A non-generic wrapper around `bitwarden-crypto`\'s `PasswordProtectedKeyEnvelope`.
+ * Any keys / cryptographic protection \"downstream\" from the account symmetric key (user key).
+ * Private keys are protected by the user key.
  */
-export type PasswordProtectedKeyEnvelope = Tagged<string, "PasswordProtectedKeyEnvelope">;
+export type WrappedAccountCryptographicState =
+  | { V1: { private_key: EncString } }
+  | {
+      V2: {
+        private_key: EncString;
+        signed_public_key: SignedPublicKey | undefined;
+        signing_key: EncString;
+        security_state: SignedSecurityState;
+      };
+    };
 
-export interface MasterPasswordError extends Error {
-  name: "MasterPasswordError";
+export interface AccountCryptographyInitializationError extends Error {
+  name: "AccountCryptographyInitializationError";
   variant:
-    | "EncryptionKeyMalformed"
-    | "KdfMalformed"
-    | "InvalidKdfConfiguration"
-    | "MissingField"
-    | "Crypto";
+    | "WrongUserKeyType"
+    | "WrongUserKey"
+    | "CorruptData"
+    | "TamperedData"
+    | "KeyStoreAlreadyInitialized"
+    | "GenericCrypto";
 }
 
-export function isMasterPasswordError(error: any): error is MasterPasswordError;
+export function isAccountCryptographyInitializationError(
+  error: any,
+): error is AccountCryptographyInitializationError;
 
-export interface DeriveKeyConnectorError extends Error {
-  name: "DeriveKeyConnectorError";
-  variant: "WrongPassword" | "Crypto";
+export interface RotateCryptographyStateError extends Error {
+  name: "RotateCryptographyStateError";
+  variant: "KeyMissing" | "InvalidData";
 }
 
-export function isDeriveKeyConnectorError(error: any): error is DeriveKeyConnectorError;
+export function isRotateCryptographyStateError(error: any): error is RotateCryptographyStateError;
 
-export interface EnrollAdminPasswordResetError extends Error {
-  name: "EnrollAdminPasswordResetError";
-  variant: "Crypto";
+/**
+ * Response for `verify_asymmetric_keys`.
+ */
+export interface VerifyAsymmetricKeysResponse {
+  /**
+   * Whether the user\'s private key was decryptable by the user key.
+   */
+  privateKeyDecryptable: boolean;
+  /**
+   * Whether the user\'s private key was a valid RSA key and matched the public key provided.
+   */
+  validPrivateKey: boolean;
+}
+
+/**
+ * Represents the request to initialize the user\'s organizational cryptographic state.
+ */
+export interface InitOrgCryptoRequest {
+  /**
+   * The encryption keys for all the organizations the user is a part of
+   */
+  organizationKeys: Map<OrganizationId, UnsignedSharedKey>;
+}
+
+/**
+ * Response from the `make_key_pair` function
+ */
+export interface MakeKeyPairResponse {
+  /**
+   * The user\'s public key
+   */
+  userPublicKey: B64;
+  /**
+   * User\'s private key, encrypted with the user key
+   */
+  userKeyEncryptedPrivateKey: EncString;
+}
+
+/**
+ * Response from the `make_update_password` function
+ */
+export interface UpdatePasswordResponse {
+  /**
+   * Hash of the new password
+   */
+  passwordHash: B64;
+  /**
+   * User key, encrypted with the new password
+   */
+  newKey: EncString;
+}
+
+/**
+ * Request for deriving a pin protected user key
+ */
+export interface DerivePinKeyResponse {
+  /**
+   * [UserKey] protected by PIN
+   */
+  pinProtectedUserKey: EncString;
+  /**
+   * PIN protected by [UserKey]
+   */
+  encryptedPin: EncString;
+}
+
+/**
+ * Auth requests supports multiple initialization methods.
+ */
+export type AuthRequestMethod =
+  | { userKey: { protected_user_key: UnsignedSharedKey } }
+  | { masterKey: { protected_master_key: UnsignedSharedKey; auth_request_key: EncString } };
+
+/**
+ * State used for initializing the user cryptographic state.
+ */
+export interface InitUserCryptoRequest {
+  /**
+   * The user\'s ID.
+   */
+  userId: UserId | undefined;
+  /**
+   * The user\'s KDF parameters, as received from the prelogin request
+   */
+  kdfParams: Kdf;
+  /**
+   * The user\'s email address
+   */
+  email: string;
+  /**
+   * The user\'s account cryptographic state, containing their signature and
+   * public-key-encryption keys, along with the signed security state, protected by the user key
+   */
+  accountCryptographicState: WrappedAccountCryptographicState;
+  /**
+   * The method to decrypt the user\'s account symmetric key (user key)
+   */
+  method: InitUserCryptoMethod;
+}
+
+/**
+ * The crypto method used to initialize the user cryptographic state.
+ */
+export type InitUserCryptoMethod =
+  | { masterPasswordUnlock: { password: string; master_password_unlock: MasterPasswordUnlockData } }
+  | { decryptedKey: { decrypted_user_key: string } }
+  | { pin: { pin: string; pin_protected_user_key: EncString } }
+  | { pinEnvelope: { pin: string; pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope } }
+  | { authRequest: { request_private_key: B64; method: AuthRequestMethod } }
+  | {
+      deviceKey: {
+        device_key: string;
+        protected_device_private_key: EncString;
+        device_protected_user_key: UnsignedSharedKey;
+      };
+    }
+  | { keyConnector: { master_key: B64; user_key: EncString } };
+
+/**
+ * Response for the `make_keys_for_user_crypto_v2`, containing a set of keys for a user
+ */
+export interface UserCryptoV2KeysResponse {
+  /**
+   * User key
+   */
+  userKey: B64;
+  /**
+   * Wrapped private key
+   */
+  privateKey: EncString;
+  /**
+   * Public key
+   */
+  publicKey: B64;
+  /**
+   * The user\'s public key, signed by the signing key
+   */
+  signedPublicKey: SignedPublicKey;
+  /**
+   * Signing key, encrypted with the user\'s symmetric key
+   */
+  signingKey: EncString;
+  /**
+   * Base64 encoded verifying key
+   */
+  verifyingKey: B64;
+  /**
+   * The user\'s signed security state
+   */
+  securityState: SignedSecurityState;
+  /**
+   * The security state\'s version
+   */
+  securityVersion: number;
+}
+
+/**
+ * Request for deriving a pin protected user key
+ */
+export interface EnrollPinResponse {
+  /**
+   * [UserKey] protected by PIN
+   */
+  pinProtectedUserKeyEnvelope: PasswordProtectedKeyEnvelope;
+  /**
+   * PIN protected by [UserKey]
+   */
+  userKeyEncryptedPin: EncString;
+}
+
+export interface EnrollAdminPasswordResetError extends Error {
+  name: "EnrollAdminPasswordResetError";
+  variant: "Crypto";
+}
+
+export function isEnrollAdminPasswordResetError(error: any): error is EnrollAdminPasswordResetError;
+
+export interface MakeKeysError extends Error {
+  name: "MakeKeysError";
+  variant:
+    | "AccountCryptographyInitialization"
+    | "MasterPasswordDerivation"
+    | "RequestModelCreation"
+    | "Crypto";
+}
+
+export function isMakeKeysError(error: any): error is MakeKeysError;
+
+/**
+ * Request for migrating an account from password to key connector.
+ */
+export interface DeriveKeyConnectorRequest {
+  /**
+   * Encrypted user key, used to validate the master key
+   */
+  userKeyEncrypted: EncString;
+  /**
+   * The user\'s master password
+   */
+  password: string;
+  /**
+   * The KDF parameters used to derive the master key
+   */
+  kdf: Kdf;
+  /**
+   * The user\'s email address
+   */
+  email: string;
+}
+
+export interface DeriveKeyConnectorError extends Error {
+  name: "DeriveKeyConnectorError";
+  variant: "WrongPassword" | "Crypto";
+}
+
+export function isDeriveKeyConnectorError(error: any): error is DeriveKeyConnectorError;
+
+/**
+ * Request for `verify_asymmetric_keys`.
+ */
+export interface VerifyAsymmetricKeysRequest {
+  /**
+   * The user\'s user key
+   */
+  userKey: B64;
+  /**
+   * The user\'s public key
+   */
+  userPublicKey: B64;
+  /**
+   * User\'s private key, encrypted with the user key
+   */
+  userKeyEncryptedPrivateKey: EncString;
+}
+
+export interface CryptoClientError extends Error {
+  name: "CryptoClientError";
+  variant:
+    | "NotAuthenticated"
+    | "Crypto"
+    | "InvalidKdfSettings"
+    | "PasswordProtectedKeyEnvelope"
+    | "InvalidPrfInput";
+}
+
+export function isCryptoClientError(error: any): error is CryptoClientError;
+
+/**
+ * Response from the `update_kdf` function
+ */
+export interface UpdateKdfResponse {
+  /**
+   * The authentication data for the new KDF setting
+   */
+  masterPasswordAuthenticationData: MasterPasswordAuthenticationData;
+  /**
+   * The unlock data for the new KDF setting
+   */
+  masterPasswordUnlockData: MasterPasswordUnlockData;
+  /**
+   * The authentication data for the KDF setting prior to the change
+   */
+  oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData;
+}
+
+/**
+ * NewType wrapper for `UserId`
+ */
+export type UserId = Tagged<Uuid, "UserId">;
+
+/**
+ * NewType wrapper for `OrganizationId`
+ */
+export type OrganizationId = Tagged<Uuid, "OrganizationId">;
+
+export interface StatefulCryptoError extends Error {
+  name: "StatefulCryptoError";
+  variant: "MissingSecurityState" | "WrongAccountCryptoVersion" | "Crypto";
+}
+
+export function isStatefulCryptoError(error: any): error is StatefulCryptoError;
+
+/**
+ * Basic client behavior settings. These settings specify the various targets and behavior of the
+ * Bitwarden Client. They are optional and uneditable once the client is initialized.
+ *
+ * Defaults to
+ *
+ * ```
+ * # use bitwarden_core::{ClientSettings, DeviceType};
+ * let settings = ClientSettings {
+ *     identity_url: \"https://identity.bitwarden.com\".to_string(),
+ *     api_url: \"https://api.bitwarden.com\".to_string(),
+ *     user_agent: \"Bitwarden Rust-SDK\".to_string(),
+ *     device_type: DeviceType::SDK,
+ *     bitwarden_client_version: None,
+ *     bitwarden_package_type: None,
+ *     device_identifier: None,
+ * };
+ * let default = ClientSettings::default();
+ * ```
+ */
+export interface ClientSettings {
+  /**
+   * The identity url of the targeted Bitwarden instance. Defaults to `https://identity.bitwarden.com`
+   */
+  identityUrl?: string;
+  /**
+   * The api url of the targeted Bitwarden instance. Defaults to `https://api.bitwarden.com`
+   */
+  apiUrl?: string;
+  /**
+   * The user_agent to sent to Bitwarden. Defaults to `Bitwarden Rust-SDK`
+   */
+  userAgent?: string;
+  /**
+   * Device type to send to Bitwarden. Defaults to SDK
+   */
+  deviceType?: DeviceType;
+  /**
+   * Device identifier to send to Bitwarden. Optional for now in transition period.
+   */
+  deviceIdentifier?: string | undefined;
+  /**
+   * Bitwarden Client Version to send to Bitwarden. Optional for now in transition period.
+   */
+  bitwardenClientVersion?: string | undefined;
+  /**
+   * Bitwarden Package Type to send to Bitwarden. We should evaluate this field to see if it
+   * should be optional later.
+   */
+  bitwardenPackageType?: string | undefined;
+}
+
+export type DeviceType =
+  | "Android"
+  | "iOS"
+  | "ChromeExtension"
+  | "FirefoxExtension"
+  | "OperaExtension"
+  | "EdgeExtension"
+  | "WindowsDesktop"
+  | "MacOsDesktop"
+  | "LinuxDesktop"
+  | "ChromeBrowser"
+  | "FirefoxBrowser"
+  | "OperaBrowser"
+  | "EdgeBrowser"
+  | "IEBrowser"
+  | "UnknownBrowser"
+  | "AndroidAmazon"
+  | "UWP"
+  | "SafariBrowser"
+  | "VivaldiBrowser"
+  | "VivaldiExtension"
+  | "SafariExtension"
+  | "SDK"
+  | "Server"
+  | "WindowsCLI"
+  | "MacOsCLI"
+  | "LinuxCLI"
+  | "DuckDuckGoBrowser";
+
+export interface EncryptionSettingsError extends Error {
+  name: "EncryptionSettingsError";
+  variant:
+    | "Crypto"
+    | "CryptoInitialization"
+    | "MissingPrivateKey"
+    | "UserIdAlreadySet"
+    | "WrongPin";
+}
+
+export function isEncryptionSettingsError(error: any): error is EncryptionSettingsError;
+
+export type UnsignedSharedKey = Tagged<string, "UnsignedSharedKey">;
+
+export type EncString = Tagged<string, "EncString">;
+
+export interface TrustDeviceResponse {
+  /**
+   * Base64 encoded device key
+   */
+  device_key: B64;
+  /**
+   * UserKey encrypted with DevicePublicKey
+   */
+  protected_user_key: UnsignedSharedKey;
+  /**
+   * DevicePrivateKey encrypted with [DeviceKey]
+   */
+  protected_device_private_key: EncString;
+  /**
+   * DevicePublicKey encrypted with [UserKey](super::UserKey)
+   */
+  protected_device_public_key: EncString;
+}
+
+export type SignedPublicKey = Tagged<string, "SignedPublicKey">;
+
+/**
+ * A set of keys where a given `DownstreamKey` is protected by an encrypted public/private
+ * key-pair. The `DownstreamKey` is used to encrypt/decrypt data, while the public/private key-pair
+ * is used to rotate the `DownstreamKey`.
+ *
+ * The `PrivateKey` is protected by an `UpstreamKey`, such as a `DeviceKey`, or `PrfKey`,
+ * and the `PublicKey` is protected by the `DownstreamKey`. This setup allows:
+ *
+ *   - Access to `DownstreamKey` by knowing the `UpstreamKey`
+ *   - Rotation to a `NewDownstreamKey` by knowing the current `DownstreamKey`, without needing
+ *     access to the `UpstreamKey`
+ */
+export interface RotateableKeySet {
+  /**
+   * `DownstreamKey` protected by encapsulation key
+   */
+  encapsulatedDownstreamKey: UnsignedSharedKey;
+  /**
+   * Encapsulation key protected by `DownstreamKey`
+   */
+  encryptedEncapsulationKey: EncString;
+  /**
+   * Decapsulation key protected by `UpstreamKey`
+   */
+  encryptedDecapsulationKey: EncString;
+}
+
+export type PublicKey = Tagged<string, "PublicKey">;
+
+/**
+ * Key Derivation Function for Bitwarden Account
+ *
+ * In Bitwarden accounts can use multiple KDFs to derive their master key from their password. This
+ * Enum represents all the possible KDFs.
+ */
+export type Kdf =
+  | { pBKDF2: { iterations: NonZeroU32 } }
+  | { argon2id: { iterations: NonZeroU32; memory: NonZeroU32; parallelism: NonZeroU32 } };
+
+export type DataEnvelope = Tagged<string, "DataEnvelope">;
+
+export type PasswordProtectedKeyEnvelope = Tagged<string, "PasswordProtectedKeyEnvelope">;
+
+export interface CryptoError extends Error {
+  name: "CryptoError";
+  variant:
+    | "Decrypt"
+    | "InvalidKey"
+    | "KeyDecrypt"
+    | "InvalidKeyLen"
+    | "InvalidUtf8String"
+    | "MissingKey"
+    | "MissingField"
+    | "MissingKeyId"
+    | "KeyOperationNotSupported"
+    | "ReadOnlyKeyStore"
+    | "InvalidKeyStoreOperation"
+    | "InsufficientKdfParameters"
+    | "EncString"
+    | "Rsa"
+    | "Fingerprint"
+    | "Argon"
+    | "ZeroNumber"
+    | "OperationNotSupported"
+    | "WrongKeyType"
+    | "WrongCoseKeyId"
+    | "InvalidNonceLength"
+    | "InvalidPadding"
+    | "Signature"
+    | "Encoding";
+}
+
+export function isCryptoError(error: any): error is CryptoError;
+
+/**
+ * The type of key / signature scheme used for signing and verifying.
+ */
+export type SignatureAlgorithm = "ed25519";
+
+/**
+ * Base64 encoded data
+ *
+ * Is indifferent about padding when decoding, but always produces padding when encoding.
+ */
+export type B64 = string;
+
+export type ExportFormat = "Csv" | "Json" | { EncryptedJson: { password: string } };
+
+/**
+ * Temporary struct to hold metadata related to current account
+ *
+ * Eventually the SDK itself should have this state and we get rid of this struct.
+ */
+export interface Account {
+  id: Uuid;
+  email: string;
+  name: string | undefined;
+}
+
+export interface ExportError extends Error {
+  name: "ExportError";
+  variant:
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Csv"
+    | "Cxf"
+    | "Json"
+    | "EncryptedJson"
+    | "BitwardenCrypto"
+    | "Cipher";
+}
+
+export function isExportError(error: any): error is ExportError;
+
+export type PassphraseError = { InvalidNumWords: { minimum: number; maximum: number } };
+
+/**
+ * Passphrase generator request options.
+ */
+export interface PassphraseGeneratorRequest {
+  /**
+   * Number of words in the generated passphrase.
+   * This value must be between 3 and 20.
+   */
+  numWords: number;
+  /**
+   * Character separator between words in the generated passphrase. The value cannot be empty.
+   */
+  wordSeparator: string;
+  /**
+   * When set to true, capitalize the first letter of each word in the generated passphrase.
+   */
+  capitalize: boolean;
+  /**
+   * When set to true, include a number at the end of one of the words in the generated
+   * passphrase.
+   */
+  includeNumber: boolean;
+}
+
+export interface PasswordError extends Error {
+  name: "PasswordError";
+  variant: "NoCharacterSetEnabled" | "InvalidLength";
+}
+
+export function isPasswordError(error: any): error is PasswordError;
+
+/**
+ * Password generator request options.
+ */
+export interface PasswordGeneratorRequest {
+  /**
+   * Include lowercase characters (a-z).
+   */
+  lowercase: boolean;
+  /**
+   * Include uppercase characters (A-Z).
+   */
+  uppercase: boolean;
+  /**
+   * Include numbers (0-9).
+   */
+  numbers: boolean;
+  /**
+   * Include special characters: ! @ # $ % ^ & *
+   */
+  special: boolean;
+  /**
+   * The length of the generated password.
+   * Note that the password length must be greater than the sum of all the minimums.
+   */
+  length: number;
+  /**
+   * When set to true, the generated password will not contain ambiguous characters.
+   * The ambiguous characters are: I, O, l, 0, 1
+   */
+  avoidAmbiguous: boolean;
+  /**
+   * The minimum number of lowercase characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if lowercase is false.
+   */
+  minLowercase: number | undefined;
+  /**
+   * The minimum number of uppercase characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if uppercase is false.
+   */
+  minUppercase: number | undefined;
+  /**
+   * The minimum number of numbers in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if numbers is false.
+   */
+  minNumber: number | undefined;
+  /**
+   * The minimum number of special characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if special is false.
+   */
+  minSpecial: number | undefined;
 }
 
-export function isEnrollAdminPasswordResetError(error: any): error is EnrollAdminPasswordResetError;
+export interface UsernameError extends Error {
+  name: "UsernameError";
+  variant: "InvalidApiKey" | "Unknown" | "ResponseContent" | "Reqwest";
+}
 
-export interface CryptoClientError extends Error {
-  name: "CryptoClientError";
-  variant: "NotAuthenticated" | "Crypto" | "InvalidKdfSettings" | "PasswordProtectedKeyEnvelope";
+export function isUsernameError(error: any): error is UsernameError;
+
+export type AppendType = "random" | { websiteName: { website: string } };
+
+/**
+ * Configures the email forwarding service to use.
+ * For instructions on how to configure each service, see the documentation:
+ * <https://bitwarden.com/help/generator/#username-types>
+ */
+export type ForwarderServiceType =
+  | { addyIo: { api_token: string; domain: string; base_url: string } }
+  | { duckDuckGo: { token: string } }
+  | { firefox: { api_token: string } }
+  | { fastmail: { api_token: string } }
+  | { forwardEmail: { api_token: string; domain: string } }
+  | { simpleLogin: { api_key: string; base_url: string } };
+
+export type UsernameGeneratorRequest =
+  | { word: { capitalize: boolean; include_number: boolean } }
+  | { subaddress: { type: AppendType; email: string } }
+  | { catchall: { type: AppendType; domain: string } }
+  | { forwarded: { service: ForwarderServiceType; website: string | undefined } };
+
+export interface TypedReceiveError extends Error {
+  name: "TypedReceiveError";
+  variant: "Channel" | "Timeout" | "Cancelled" | "Typing";
 }
 
-export function isCryptoClientError(error: any): error is CryptoClientError;
+export function isTypedReceiveError(error: any): error is TypedReceiveError;
 
-export interface StatefulCryptoError extends Error {
-  name: "StatefulCryptoError";
-  variant: "MissingSecurityState" | "WrongAccountCryptoVersion" | "Crypto";
+export interface ReceiveError extends Error {
+  name: "ReceiveError";
+  variant: "Channel" | "Timeout" | "Cancelled";
 }
 
-export function isStatefulCryptoError(error: any): error is StatefulCryptoError;
+export function isReceiveError(error: any): error is ReceiveError;
 
-export interface EncryptionSettingsError extends Error {
-  name: "EncryptionSettingsError";
+export interface RequestError extends Error {
+  name: "RequestError";
+  variant: "Subscribe" | "Receive" | "Timeout" | "Send" | "Rpc";
+}
+
+export function isRequestError(error: any): error is RequestError;
+
+export interface SubscribeError extends Error {
+  name: "SubscribeError";
+  variant: "NotStarted";
+}
+
+export function isSubscribeError(error: any): error is SubscribeError;
+
+export interface IpcCommunicationBackendSender {
+  send(message: OutgoingMessage): Promise<void>;
+}
+
+export interface ChannelError extends Error {
+  name: "ChannelError";
+}
+
+export function isChannelError(error: any): error is ChannelError;
+
+export interface DeserializeError extends Error {
+  name: "DeserializeError";
+}
+
+export function isDeserializeError(error: any): error is DeserializeError;
+
+export interface IpcSessionRepository {
+  get(endpoint: Endpoint): Promise<any | undefined>;
+  save(endpoint: Endpoint, session: any): Promise<void>;
+  remove(endpoint: Endpoint): Promise<void>;
+}
+
+export interface DiscoverResponse {
+  version: string;
+}
+
+export type Endpoint =
+  | { Web: { id: number } }
+  | "BrowserForeground"
+  | "BrowserBackground"
+  | "DesktopRenderer"
+  | "DesktopMain";
+
+/**
+ * SDK domain model for master password policy requirements.
+ * Defines the complexity requirements for a user\'s master password
+ * when enforced by an organization policy.
+ */
+export interface MasterPasswordPolicyResponse {
+  /**
+   * The minimum complexity score required for the master password.
+   * Complexity is calculated based on password strength metrics.
+   */
+  minComplexity?: number;
+  /**
+   * The minimum length required for the master password.
+   */
+  minLength?: number;
+  /**
+   * Whether the master password must contain at least one lowercase letter.
+   */
+  requireLower?: boolean;
+  /**
+   * Whether the master password must contain at least one uppercase letter.
+   */
+  requireUpper?: boolean;
+  /**
+   * Whether the master password must contain at least one numeric digit.
+   */
+  requireNumbers?: boolean;
+  /**
+   * Whether the master password must contain at least one special character.
+   */
+  requireSpecial?: boolean;
+  /**
+   * Whether this policy should be enforced when the user logs in.
+   * If true, the user will be required to update their master password
+   * if it doesn\'t meet the policy requirements.
+   */
+  enforceOnLogin?: boolean;
+}
+
+export interface ServerCommunicationConfigRepositoryError extends Error {
+  name: "ServerCommunicationConfigRepositoryError";
+  variant: "GetError" | "SaveError";
+}
+
+export function isServerCommunicationConfigRepositoryError(
+  error: any,
+): error is ServerCommunicationConfigRepositoryError;
+
+/**
+ * A cookie acquired from the platform
+ *
+ * Represents a single cookie name/value pair as received from the browser or HTTP client.
+ * For sharded cookies (AWS ALB pattern), each shard is a separate `AcquiredCookie` with
+ * its own name including the `-{N}` suffix (e.g., `AWSELBAuthSessionCookie-0`).
+ */
+export interface AcquiredCookie {
+  /**
+   * Cookie name
+   *
+   * For sharded cookies, this includes the shard suffix (e.g., `AWSELBAuthSessionCookie-0`)
+   * For unsharded cookies, this is the cookie name without any suffix.
+   */
+  name: string;
+  /**
+   * Cookie value
+   */
+  value: string;
+}
+
+export interface AcquireCookieError extends Error {
+  name: "AcquireCookieError";
   variant:
-    | "Crypto"
-    | "InvalidPrivateKey"
-    | "InvalidSigningKey"
-    | "InvalidSecurityState"
-    | "MissingPrivateKey"
-    | "UserIdAlreadySet"
-    | "WrongPin";
+    | "Cancelled"
+    | "UnsupportedConfiguration"
+    | "CookieNameMismatch"
+    | "RepositoryGetError"
+    | "RepositorySaveError";
 }
 
-export function isEncryptionSettingsError(error: any): error is EncryptionSettingsError;
+export function isAcquireCookieError(error: any): error is AcquireCookieError;
 
-export type DeviceType =
-  | "Android"
-  | "iOS"
-  | "ChromeExtension"
-  | "FirefoxExtension"
-  | "OperaExtension"
-  | "EdgeExtension"
-  | "WindowsDesktop"
-  | "MacOsDesktop"
-  | "LinuxDesktop"
-  | "ChromeBrowser"
-  | "FirefoxBrowser"
-  | "OperaBrowser"
-  | "EdgeBrowser"
-  | "IEBrowser"
-  | "UnknownBrowser"
-  | "AndroidAmazon"
-  | "UWP"
-  | "SafariBrowser"
-  | "VivaldiBrowser"
-  | "VivaldiExtension"
-  | "SafariExtension"
-  | "SDK"
-  | "Server"
-  | "WindowsCLI"
-  | "MacOsCLI"
-  | "LinuxCLI";
+/**
+ * Repository interface for storing server communication configuration.
+ *
+ * Implementations use StateProvider (or equivalent storage mechanism) to
+ * persist configuration across sessions. The hostname is typically the vault
+ * server's hostname (e.g., "vault.acme.com").
+ */
+export interface ServerCommunicationConfigRepository {
+  /**
+   * Retrieves the server communication configuration for a given hostname.
+   *
+   * @param hostname The server hostname (e.g., "vault.acme.com")
+   * @returns The configuration if it exists, undefined otherwise
+   */
+  get(hostname: string): Promise<ServerCommunicationConfig | undefined>;
+
+  /**
+   * Saves the server communication configuration for a given hostname.
+   *
+   * @param hostname The server hostname (e.g., "vault.acme.com")
+   * @param config The configuration to store
+   */
+  save(hostname: string, config: ServerCommunicationConfig): Promise<void>;
+}
 
 /**
- * Basic client behavior settings. These settings specify the various targets and behavior of the
- * Bitwarden Client. They are optional and uneditable once the client is initialized.
+ * Platform API interface for acquiring SSO cookies.
  *
- * Defaults to
+ * Platform clients implement this interface to handle cookie acquisition
+ * through browser redirects or other platform-specific mechanisms.
+ */
+export interface ServerCommunicationConfigPlatformApi {
+  /**
+   * Acquires cookies for the given hostname.
+   *
+   * This typically involves redirecting to an IdP login page and extracting
+   * cookies from the load balancer response. For sharded cookies, returns
+   * multiple entries with names like "CookieName-0", "CookieName-1", etc.
+   *
+   * @param hostname The server hostname (e.g., "vault.acme.com")
+   * @returns An array of AcquiredCookie objects, or undefined if acquisition failed or was cancelled
+   */
+  acquireCookies(hostname: string): Promise<AcquiredCookie[] | undefined>;
+}
+
+/**
+ * SSO cookie vendor configuration
  *
- * ```
- * # use bitwarden_core::{ClientSettings, DeviceType};
- * let settings = ClientSettings {
- *     identity_url: \"https://identity.bitwarden.com\".to_string(),
- *     api_url: \"https://api.bitwarden.com\".to_string(),
- *     user_agent: \"Bitwarden Rust-SDK\".to_string(),
- *     device_type: DeviceType::SDK,
- * };
- * let default = ClientSettings::default();
- * ```
+ * This configuration is provided by the server.
  */
-export interface ClientSettings {
+export interface SsoCookieVendorConfig {
   /**
-   * The identity url of the targeted Bitwarden instance. Defaults to `https://identity.bitwarden.com`
+   * Identity provider login URL for browser redirect during bootstrap
    */
-  identityUrl?: string;
+  idpLoginUrl: string | undefined;
   /**
-   * The api url of the targeted Bitwarden instance. Defaults to `https://api.bitwarden.com`
+   * Cookie name (base name, without shard suffix)
    */
-  apiUrl?: string;
+  cookieName: string | undefined;
   /**
-   * The user_agent to sent to Bitwarden. Defaults to `Bitwarden Rust-SDK`
+   * Cookie domain for validation
    */
-  userAgent?: string;
+  cookieDomain: string | undefined;
   /**
-   * Device type to send to Bitwarden. Defaults to SDK
+   * Acquired cookies
+   *
+   * For sharded cookies, this contains multiple entries with names like
+   * `AWSELBAuthSessionCookie-0`, `AWSELBAuthSessionCookie-1`, etc.
+   * For unsharded cookies, this contains a single entry with the base name.
    */
-  deviceType?: DeviceType;
+  cookieValue: AcquiredCookie[] | undefined;
+}
+
+/**
+ * Server communication configuration
+ */
+export interface ServerCommunicationConfig {
+  /**
+   * Bootstrap configuration determining how to establish server communication
+   */
+  bootstrap: BootstrapConfig;
+}
+
+/**
+ * Bootstrap configuration for server communication
+ */
+export type BootstrapConfig =
+  | { type: "direct" }
+  | ({ type: "ssoCookieVendor" } & SsoCookieVendorConfig);
+
+export interface KeyGenerationError extends Error {
+  name: "KeyGenerationError";
+  variant: "KeyGeneration" | "KeyConversion";
+}
+
+export function isKeyGenerationError(error: any): error is KeyGenerationError;
+
+export interface SshKeyImportError extends Error {
+  name: "SshKeyImportError";
+  variant: "Parsing" | "PasswordRequired" | "WrongPassword" | "UnsupportedKeyType";
+}
+
+export function isSshKeyImportError(error: any): error is SshKeyImportError;
+
+export interface SshKeyExportError extends Error {
+  name: "SshKeyExportError";
+  variant: "KeyConversion";
+}
+
+export function isSshKeyExportError(error: any): error is SshKeyExportError;
+
+export type KeyAlgorithm = "Ed25519" | "Rsa3072" | "Rsa4096";
+
+export interface DatabaseError extends Error {
+  name: "DatabaseError";
+  variant: "UnsupportedConfiguration" | "ThreadBoundRunner" | "Serialization" | "JS" | "Internal";
 }
 
-export type UnsignedSharedKey = Tagged<string, "UnsignedSharedKey">;
+export function isDatabaseError(error: any): error is DatabaseError;
 
-export type EncString = Tagged<string, "EncString">;
+export interface StateRegistryError extends Error {
+  name: "StateRegistryError";
+  variant: "DatabaseAlreadyInitialized" | "DatabaseNotInitialized" | "Database";
+}
 
-export type SignedPublicKey = Tagged<string, "SignedPublicKey">;
+export function isStateRegistryError(error: any): error is StateRegistryError;
 
-/**
- * The type of key / signature scheme used for signing and verifying.
- */
-export type SignatureAlgorithm = "ed25519";
+export interface CallError extends Error {
+  name: "CallError";
+}
 
-/**
- * Key Derivation Function for Bitwarden Account
- *
- * In Bitwarden accounts can use multiple KDFs to derive their master key from their password. This
- * Enum represents all the possible KDFs.
- */
-export type Kdf =
-  | { pBKDF2: { iterations: NonZeroU32 } }
-  | { argon2id: { iterations: NonZeroU32; memory: NonZeroU32; parallelism: NonZeroU32 } };
+export function isCallError(error: any): error is CallError;
 
-export interface CryptoError extends Error {
-  name: "CryptoError";
-  variant:
-    | "InvalidKey"
-    | "InvalidMac"
-    | "MacNotProvided"
-    | "KeyDecrypt"
-    | "InvalidKeyLen"
-    | "InvalidUtf8String"
-    | "MissingKey"
-    | "MissingField"
-    | "MissingKeyId"
-    | "ReadOnlyKeyStore"
-    | "InsufficientKdfParameters"
-    | "EncString"
-    | "Rsa"
-    | "Fingerprint"
-    | "Argon"
-    | "ZeroNumber"
-    | "OperationNotSupported"
-    | "WrongKeyType"
-    | "WrongCoseKeyId"
-    | "InvalidNonceLength"
-    | "InvalidPadding"
-    | "Signature"
-    | "Encoding";
+export interface RotateUserKeysRequest {
+  master_key_unlock_method: MasterkeyUnlockMethod;
+  trusted_emergency_access_public_keys: PublicKey[];
+  trusted_organization_public_keys: PublicKey[];
 }
 
-export function isCryptoError(error: any): error is CryptoError;
-
-/**
- * Base64 encoded data
- *
- * Is indifferent about padding when decoding, but always produces padding when encoding.
- */
-export type B64 = string;
+export type MasterkeyUnlockMethod =
+  | { Password: { old_password: string; password: string; hint: string | undefined } }
+  | "KeyConnector"
+  | "None";
 
-/**
- * Temporary struct to hold metadata related to current account
- *
- * Eventually the SDK itself should have this state and we get rid of this struct.
- */
-export interface Account {
-  id: Uuid;
-  email: string;
-  name: string | undefined;
+export interface RotateUserKeysError extends Error {
+  name: "RotateUserKeysError";
+  variant: "ApiError" | "CryptoError" | "InvalidPublicKey" | "UntrustedKeyError";
 }
 
-export type ExportFormat = "Csv" | "Json" | { EncryptedJson: { password: string } };
+export function isRotateUserKeysError(error: any): error is RotateUserKeysError;
 
-export interface ExportError extends Error {
-  name: "ExportError";
-  variant:
-    | "MissingField"
-    | "NotAuthenticated"
-    | "Csv"
-    | "Cxf"
-    | "Json"
-    | "EncryptedJson"
-    | "BitwardenCrypto"
-    | "Cipher";
+export interface SyncError extends Error {
+  name: "SyncError";
+  variant: "NetworkError" | "DataError";
 }
 
-export function isExportError(error: any): error is ExportError;
+export function isSyncError(error: any): error is SyncError;
 
-export type UsernameGeneratorRequest =
-  | { word: { capitalize: boolean; include_number: boolean } }
-  | { subaddress: { type: AppendType; email: string } }
-  | { catchall: { type: AppendType; domain: string } }
-  | { forwarded: { service: ForwarderServiceType; website: string | undefined } };
+export interface PrivateKeysParsingError extends Error {
+  name: "PrivateKeysParsingError";
+  variant: "MissingField" | "InvalidFormat";
+}
+
+export function isPrivateKeysParsingError(error: any): error is PrivateKeysParsingError;
 
 /**
- * Configures the email forwarding service to use.
- * For instructions on how to configure each service, see the documentation:
- * <https://bitwarden.com/help/generator/#username-types>
+ * The data necessary to re-share the user-key to a V1 emergency access membership. Note: The
+ * Public-key must be verified/trusted. Further, there is no sender authentication possible here.
  */
-export type ForwarderServiceType =
-  | { addyIo: { api_token: string; domain: string; base_url: string } }
-  | { duckDuckGo: { token: string } }
-  | { firefox: { api_token: string } }
-  | { fastmail: { api_token: string } }
-  | { forwardEmail: { api_token: string; domain: string } }
-  | { simpleLogin: { api_key: string; base_url: string } };
+export interface V1EmergencyAccessMembership {
+  id: Uuid;
+  name: string;
+  public_key: PublicKey;
+}
 
-export type AppendType = "random" | { websiteName: { website: string } };
+/**
+ * The data necessary to re-share the user-key to a V1 organization membership. Note: The
+ * Public-key must be verified/trusted. Further, there is no sender authentication possible here.
+ */
+export interface V1OrganizationMembership {
+  organization_id: Uuid;
+  name: string;
+  public_key: PublicKey;
+}
 
-export interface UsernameError extends Error {
-  name: "UsernameError";
-  variant: "InvalidApiKey" | "Unknown" | "ResponseContent" | "Reqwest";
+export interface CipherRiskError extends Error {
+  name: "CipherRiskError";
+  variant: "Reqwest";
 }
 
-export function isUsernameError(error: any): error is UsernameError;
+export function isCipherRiskError(error: any): error is CipherRiskError;
 
 /**
- * Password generator request options.
+ * Password reuse map wrapper for WASM compatibility.
  */
-export interface PasswordGeneratorRequest {
+export type PasswordReuseMap = Record<string, number>;
+
+/**
+ * Options for configuring risk computation.
+ */
+export interface CipherRiskOptions {
   /**
-   * Include lowercase characters (a-z).
+   * Pre-computed password reuse map (password → count).
+   * If provided, enables reuse detection across ciphers.
    */
-  lowercase: boolean;
+  passwordMap?: PasswordReuseMap | undefined;
   /**
-   * Include uppercase characters (A-Z).
+   * Whether to check passwords against Have I Been Pwned API.
+   * When true, makes network requests to check for exposed passwords.
    */
-  uppercase: boolean;
+  checkExposed?: boolean;
   /**
-   * Include numbers (0-9).
+   * Optional HIBP API base URL override. When None, uses the production HIBP URL.
+   * Can be used for testing or alternative password breach checking services.
    */
-  numbers: boolean;
+  hibpBaseUrl?: string | undefined;
+}
+
+/**
+ * Risk evaluation result for a single cipher.
+ */
+export interface CipherRiskResult {
   /**
-   * Include special characters: ! @ # $ % ^ & *
+   * Cipher ID matching the input CipherLoginDetails.
    */
-  special: boolean;
+  id: CipherId;
   /**
-   * The length of the generated password.
-   * Note that the password length must be greater than the sum of all the minimums.
+   * Password strength score from 0 (weakest) to 4 (strongest).
+   * Calculated using zxcvbn with cipher-specific context.
    */
-  length: number;
+  password_strength: number;
   /**
-   * When set to true, the generated password will not contain ambiguous characters.
-   * The ambiguous characters are: I, O, l, 0, 1
+   * Result of checking password exposure via HIBP API.
+   * - `NotChecked`: check_exposed was false, or password was empty
+   * - `Found(n)`: Successfully checked, found in n breaches
+   * - `Error(msg)`: HIBP API request failed for this cipher with the given error message
    */
-  avoidAmbiguous: boolean;
+  exposed_result: ExposedPasswordResult;
   /**
-   * The minimum number of lowercase characters in the generated password.
-   * When set, the value must be between 1 and 9. This value is ignored if lowercase is false.
+   * Number of times this password appears in the provided password_map.
+   * None if not found or if no password_map was provided.
    */
-  minLowercase: number | undefined;
+  reuse_count: number | undefined;
+}
+
+/**
+ * Result of checking password exposure via HIBP API.
+ */
+export type ExposedPasswordResult =
+  | { type: "NotChecked" }
+  | { type: "Found"; value: number }
+  | { type: "Error"; value: string };
+
+/**
+ * Login cipher data needed for risk evaluation.
+ */
+export interface CipherLoginDetails {
   /**
-   * The minimum number of uppercase characters in the generated password.
-   * When set, the value must be between 1 and 9. This value is ignored if uppercase is false.
+   * Cipher ID to identify which cipher in results.
    */
-  minUppercase: number | undefined;
+  id: CipherId;
   /**
-   * The minimum number of numbers in the generated password.
-   * When set, the value must be between 1 and 9. This value is ignored if numbers is false.
+   * The decrypted password to evaluate.
    */
-  minNumber: number | undefined;
+  password: string;
   /**
-   * The minimum number of special characters in the generated password.
-   * When set, the value must be between 1 and 9. This value is ignored if special is false.
+   * Username or email (login ciphers only have one field).
    */
-  minSpecial: number | undefined;
+  username: string | undefined;
 }
 
-export interface PasswordError extends Error {
-  name: "PasswordError";
-  variant: "NoCharacterSetEnabled" | "InvalidLength";
+export interface PasswordHistoryView {
+  password: string;
+  lastUsedDate: DateTime<Utc>;
 }
 
-export function isPasswordError(error: any): error is PasswordError;
+export interface PasswordHistory {
+  password: EncString;
+  lastUsedDate: DateTime<Utc>;
+}
 
-/**
- * Passphrase generator request options.
- */
-export interface PassphraseGeneratorRequest {
+export interface AncestorMap {
+  ancestors: Map<CollectionId, string>;
+}
+
+export interface TotpError extends Error {
+  name: "TotpError";
+  variant: "InvalidOtpauth" | "MissingSecret" | "Crypto";
+}
+
+export function isTotpError(error: any): error is TotpError;
+
+export interface TotpResponse {
   /**
-   * Number of words in the generated passphrase.
-   * This value must be between 3 and 20.
+   * Generated TOTP code
    */
-  numWords: number;
+  code: string;
   /**
-   * Character separator between words in the generated passphrase. The value cannot be empty.
+   * Time period
    */
-  wordSeparator: string;
+  period: number;
+}
+
+export interface DecryptError extends Error {
+  name: "DecryptError";
+  variant: "Crypto";
+}
+
+export function isDecryptError(error: any): error is DecryptError;
+
+export interface EncryptError extends Error {
+  name: "EncryptError";
+  variant: "Crypto" | "MissingUserId";
+}
+
+export function isEncryptError(error: any): error is EncryptError;
+
+export interface Attachment {
+  id: string | undefined;
+  url: string | undefined;
+  size: string | undefined;
   /**
-   * When set to true, capitalize the first letter of each word in the generated passphrase.
+   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
    */
-  capitalize: boolean;
+  sizeName: string | undefined;
+  fileName: EncString | undefined;
+  key: EncString | undefined;
+}
+
+export interface AttachmentView {
+  id: string | undefined;
+  url: string | undefined;
+  size: string | undefined;
+  sizeName: string | undefined;
+  fileName: string | undefined;
+  key: EncString | undefined;
   /**
-   * When set to true, include a number at the end of one of the words in the generated
-   * passphrase.
+   * The decrypted attachmentkey in base64 format.
+   *
+   * **TEMPORARY FIELD**: This field is a temporary workaround to provide
+   * decrypted attachment keys to the TypeScript client during the migration
+   * process. It will be removed once the encryption/decryption logic is
+   * fully migrated to the SDK.
+   *
+   * **Ticket**: <https://bitwarden.atlassian.net/browse/PM-23005>
+   *
+   * Do not rely on this field for long-term use.
    */
-  includeNumber: boolean;
+  decryptedKey: string | undefined;
 }
 
-export type PassphraseError = { InvalidNumWords: { minimum: number; maximum: number } };
-
-export interface DiscoverResponse {
-  version: string;
+export interface LocalDataView {
+  lastUsedDate: DateTime<Utc> | undefined;
+  lastLaunched: DateTime<Utc> | undefined;
 }
 
-export type Endpoint =
-  | { Web: { id: number } }
-  | "BrowserForeground"
-  | "BrowserBackground"
-  | "DesktopRenderer"
-  | "DesktopMain";
-
-export interface IpcCommunicationBackendSender {
-  send(message: OutgoingMessage): Promise<void>;
+export interface LocalData {
+  lastUsedDate: DateTime<Utc> | undefined;
+  lastLaunched: DateTime<Utc> | undefined;
 }
 
-export interface ChannelError extends Error {
-  name: "ChannelError";
+export interface SecureNoteView {
+  type: SecureNoteType;
 }
 
-export function isChannelError(error: any): error is ChannelError;
+export interface SecureNote {
+  type: SecureNoteType;
+}
 
-export interface DeserializeError extends Error {
-  name: "DeserializeError";
+export interface GetCipherError extends Error {
+  name: "GetCipherError";
+  variant: "ItemNotFound" | "Crypto" | "Repository";
 }
 
-export function isDeserializeError(error: any): error is DeserializeError;
+export function isGetCipherError(error: any): error is GetCipherError;
 
-export interface RequestError extends Error {
-  name: "RequestError";
-  variant: "Subscribe" | "Receive" | "Timeout" | "Send" | "Rpc";
+export interface EditCipherError extends Error {
+  name: "EditCipherError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Repository"
+    | "Uuid";
 }
 
-export function isRequestError(error: any): error is RequestError;
+export function isEditCipherError(error: any): error is EditCipherError;
 
-export interface TypedReceiveError extends Error {
-  name: "TypedReceiveError";
-  variant: "Channel" | "Timeout" | "Cancelled" | "Typing";
+/**
+ * Request to edit a cipher.
+ */
+export interface CipherEditRequest {
+  id: CipherId;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  name: string;
+  notes: string | undefined;
+  fields: FieldView[];
+  type: CipherViewType;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  attachments: AttachmentView[];
+  key: EncString | undefined;
 }
 
-export function isTypedReceiveError(error: any): error is TypedReceiveError;
-
-export interface ReceiveError extends Error {
-  name: "ReceiveError";
-  variant: "Channel" | "Timeout" | "Cancelled";
+export interface GetOrganizationCiphersAdminError extends Error {
+  name: "GetOrganizationCiphersAdminError";
+  variant: "Crypto" | "VaultParse" | "Api";
 }
 
-export function isReceiveError(error: any): error is ReceiveError;
+export function isGetOrganizationCiphersAdminError(
+  error: any,
+): error is GetOrganizationCiphersAdminError;
 
-export interface SubscribeError extends Error {
-  name: "SubscribeError";
-  variant: "NotStarted";
+export interface EditCipherAdminError extends Error {
+  name: "EditCipherAdminError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Repository"
+    | "Uuid"
+    | "Decrypt";
 }
 
-export function isSubscribeError(error: any): error is SubscribeError;
-
-export type KeyAlgorithm = "Ed25519" | "Rsa3072" | "Rsa4096";
+export function isEditCipherAdminError(error: any): error is EditCipherAdminError;
 
-export interface SshKeyExportError extends Error {
-  name: "SshKeyExportError";
-  variant: "KeyConversion";
+export interface CreateCipherAdminError extends Error {
+  name: "CreateCipherAdminError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated";
 }
 
-export function isSshKeyExportError(error: any): error is SshKeyExportError;
+export function isCreateCipherAdminError(error: any): error is CreateCipherAdminError;
 
-export interface SshKeyImportError extends Error {
-  name: "SshKeyImportError";
-  variant: "Parsing" | "PasswordRequired" | "WrongPassword" | "UnsupportedKeyType";
+export interface DeleteCipherAdminError extends Error {
+  name: "DeleteCipherAdminError";
+  variant: "Api";
 }
 
-export function isSshKeyImportError(error: any): error is SshKeyImportError;
+export function isDeleteCipherAdminError(error: any): error is DeleteCipherAdminError;
 
-export interface KeyGenerationError extends Error {
-  name: "KeyGenerationError";
-  variant: "KeyGeneration" | "KeyConversion";
+export interface RestoreCipherAdminError extends Error {
+  name: "RestoreCipherAdminError";
+  variant: "Api" | "VaultParse" | "Crypto";
 }
 
-export function isKeyGenerationError(error: any): error is KeyGenerationError;
+export function isRestoreCipherAdminError(error: any): error is RestoreCipherAdminError;
 
-export interface DatabaseError extends Error {
-  name: "DatabaseError";
-  variant: "UnsupportedConfiguration" | "ThreadBoundRunner" | "Serialization" | "JS" | "Internal";
+/**
+ * Request to add a cipher.
+ */
+export interface CipherCreateRequest {
+  organizationId: OrganizationId | undefined;
+  collectionIds: CollectionId[];
+  folderId: FolderId | undefined;
+  name: string;
+  notes: string | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  type: CipherViewType;
+  fields: FieldView[];
 }
 
-export function isDatabaseError(error: any): error is DatabaseError;
+export interface CreateCipherError extends Error {
+  name: "CreateCipherError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated" | "Repository";
+}
 
-export interface StateRegistryError extends Error {
-  name: "StateRegistryError";
-  variant: "DatabaseAlreadyInitialized" | "DatabaseNotInitialized" | "Database";
+export function isCreateCipherError(error: any): error is CreateCipherError;
+
+export interface DeleteCipherError extends Error {
+  name: "DeleteCipherError";
+  variant: "Api" | "Repository";
 }
 
-export function isStateRegistryError(error: any): error is StateRegistryError;
+export function isDeleteCipherError(error: any): error is DeleteCipherError;
 
-export interface CallError extends Error {
-  name: "CallError";
+export interface RestoreCipherError extends Error {
+  name: "RestoreCipherError";
+  variant: "Api" | "VaultParse" | "Repository" | "Crypto";
 }
 
-export function isCallError(error: any): error is CallError;
+export function isRestoreCipherError(error: any): error is RestoreCipherError;
 
 /**
- * NewType wrapper for `CipherId`
+ * Represents the inner data of a cipher view.
  */
-export type CipherId = Tagged<Uuid, "CipherId">;
+export type CipherViewType =
+  | { login: LoginView }
+  | { card: CardView }
+  | { identity: IdentityView }
+  | { secureNote: SecureNoteView }
+  | { sshKey: SshKeyView };
 
-export interface EncryptionContext {
-  /**
-   * The Id of the user that encrypted the cipher. It should always represent a UserId, even for
-   * Organization-owned ciphers
-   */
-  encryptedFor: UserId;
-  cipher: Cipher;
+export interface EncryptFileError extends Error {
+  name: "EncryptFileError";
+  variant: "Encrypt" | "Io";
 }
 
-export interface Cipher {
-  id: CipherId | undefined;
-  organizationId: OrganizationId | undefined;
-  folderId: FolderId | undefined;
-  collectionIds: CollectionId[];
-  /**
-   * More recent ciphers uses individual encryption keys to encrypt the other fields of the
-   * Cipher.
-   */
-  key: EncString | undefined;
-  name: EncString;
-  notes: EncString | undefined;
-  type: CipherType;
-  login: Login | undefined;
-  identity: Identity | undefined;
-  card: Card | undefined;
-  secureNote: SecureNote | undefined;
-  sshKey: SshKey | undefined;
-  favorite: boolean;
-  reprompt: CipherRepromptType;
-  organizationUseTotp: boolean;
-  edit: boolean;
-  permissions: CipherPermissions | undefined;
-  viewPassword: boolean;
-  localData: LocalData | undefined;
-  attachments: Attachment[] | undefined;
-  fields: Field[] | undefined;
-  passwordHistory: PasswordHistory[] | undefined;
-  creationDate: DateTime<Utc>;
-  deletedDate: DateTime<Utc> | undefined;
-  revisionDate: DateTime<Utc>;
-  archivedDate: DateTime<Utc> | undefined;
-}
+export function isEncryptFileError(error: any): error is EncryptFileError;
 
-export interface CipherView {
-  id: CipherId | undefined;
-  organizationId: OrganizationId | undefined;
-  folderId: FolderId | undefined;
-  collectionIds: CollectionId[];
-  /**
-   * Temporary, required to support re-encrypting existing items.
-   */
-  key: EncString | undefined;
-  name: string;
-  notes: string | undefined;
-  type: CipherType;
-  login: LoginView | undefined;
-  identity: IdentityView | undefined;
-  card: CardView | undefined;
-  secureNote: SecureNoteView | undefined;
-  sshKey: SshKeyView | undefined;
-  favorite: boolean;
-  reprompt: CipherRepromptType;
-  organizationUseTotp: boolean;
-  edit: boolean;
-  permissions: CipherPermissions | undefined;
-  viewPassword: boolean;
-  localData: LocalDataView | undefined;
-  attachments: AttachmentView[] | undefined;
-  fields: FieldView[] | undefined;
-  passwordHistory: PasswordHistoryView[] | undefined;
-  creationDate: DateTime<Utc>;
-  deletedDate: DateTime<Utc> | undefined;
-  revisionDate: DateTime<Utc>;
-  archivedDate: DateTime<Utc> | undefined;
+export interface DecryptFileError extends Error {
+  name: "DecryptFileError";
+  variant: "Decrypt" | "Io";
 }
 
-export type CipherListViewType =
-  | { login: LoginListView }
-  | "secureNote"
-  | { card: CardListView }
-  | "identity"
-  | "sshKey";
+export function isDecryptFileError(error: any): error is DecryptFileError;
 
-/**
- * Available fields on a cipher and can be copied from a the list view in the UI.
- */
-export type CopyableCipherFields =
-  | "LoginUsername"
-  | "LoginPassword"
-  | "LoginTotp"
-  | "CardNumber"
-  | "CardSecurityCode"
-  | "IdentityUsername"
-  | "IdentityEmail"
-  | "IdentityPhone"
-  | "IdentityAddress"
-  | "SshKey"
-  | "SecureNotes";
+export interface CipherPermissions {
+  delete: boolean;
+  restore: boolean;
+}
 
-export interface CipherListView {
-  id: CipherId | undefined;
-  organizationId: OrganizationId | undefined;
-  folderId: FolderId | undefined;
-  collectionIds: CollectionId[];
-  /**
-   * Temporary, required to support calculating TOTP from CipherListView.
-   */
-  key: EncString | undefined;
-  name: string;
-  subtitle: string;
-  type: CipherListViewType;
-  favorite: boolean;
-  reprompt: CipherRepromptType;
-  organizationUseTotp: boolean;
-  edit: boolean;
-  permissions: CipherPermissions | undefined;
-  viewPassword: boolean;
-  /**
-   * The number of attachments
-   */
-  attachments: number;
-  /**
-   * Indicates if the cipher has old attachments that need to be re-uploaded
-   */
-  hasOldAttachments: boolean;
-  creationDate: DateTime<Utc>;
-  deletedDate: DateTime<Utc> | undefined;
-  revisionDate: DateTime<Utc>;
-  archivedDate: DateTime<Utc> | undefined;
-  /**
-   * Hints for the presentation layer for which fields can be copied.
-   */
-  copyableFields: CopyableCipherFields[];
-  localData: LocalDataView | undefined;
+export interface Card {
+  cardholderName: EncString | undefined;
+  expMonth: EncString | undefined;
+  expYear: EncString | undefined;
+  code: EncString | undefined;
+  brand: EncString | undefined;
+  number: EncString | undefined;
 }
 
 /**
- * Represents the result of decrypting a list of ciphers.
- *
- * This struct contains two vectors: `successes` and `failures`.
- * `successes` contains the decrypted `CipherListView` objects,
- * while `failures` contains the original `Cipher` objects that failed to decrypt.
+ * Minimal CardView only including the needed details for list views
  */
-export interface DecryptCipherListResult {
-  /**
-   * The decrypted `CipherListView` objects.
-   */
-  successes: CipherListView[];
+export interface CardListView {
   /**
-   * The original `Cipher` objects that failed to decrypt.
+   * The brand of the card, e.g. Visa, Mastercard, etc.
    */
-  failures: Cipher[];
+  brand: string | undefined;
+}
+
+export interface CardView {
+  cardholderName: string | undefined;
+  expMonth: string | undefined;
+  expYear: string | undefined;
+  code: string | undefined;
+  brand: string | undefined;
+  number: string | undefined;
 }
 
 export interface Field {
@@ -1223,58 +2163,36 @@ export interface FieldView {
   linkedId: LinkedIdType | undefined;
 }
 
-export type LinkedIdType = LoginLinkedIdType | CardLinkedIdType | IdentityLinkedIdType;
-
-export interface LoginUri {
-  uri: EncString | undefined;
-  match: UriMatchType | undefined;
-  uriChecksum: EncString | undefined;
-}
-
-export interface LoginUriView {
-  uri: string | undefined;
-  match: UriMatchType | undefined;
-  uriChecksum: string | undefined;
-}
-
-export interface Fido2Credential {
-  credentialId: EncString;
-  keyType: EncString;
-  keyAlgorithm: EncString;
-  keyCurve: EncString;
-  keyValue: EncString;
-  rpId: EncString;
-  userHandle: EncString | undefined;
-  userName: EncString | undefined;
-  counter: EncString;
-  rpName: EncString | undefined;
-  userDisplayName: EncString | undefined;
-  discoverable: EncString;
-  creationDate: DateTime<Utc>;
-}
-
-export interface Fido2CredentialListView {
-  credentialId: string;
-  rpId: string;
-  userHandle: string | undefined;
-  userName: string | undefined;
-  userDisplayName: string | undefined;
-  counter: string;
+/**
+ * Minimal field view for list/search operations.
+ * Contains only the fields needed for search indexing.
+ */
+export interface FieldListView {
+  /**
+   * Only populated if the field has a name.
+   */
+  name: string | undefined;
+  /**
+   * Only populated for [FieldType::Text] fields.
+   */
+  value: string | undefined;
+  /**
+   * The field type.
+   */
+  type: FieldType;
 }
 
-export interface Fido2CredentialView {
+export interface Fido2CredentialNewView {
   credentialId: string;
   keyType: string;
   keyAlgorithm: string;
   keyCurve: string;
-  keyValue: EncString;
   rpId: string;
   userHandle: string | undefined;
   userName: string | undefined;
   counter: string;
   rpName: string | undefined;
   userDisplayName: string | undefined;
-  discoverable: string;
   creationDate: DateTime<Utc>;
 }
 
@@ -1294,17 +2212,58 @@ export interface Fido2CredentialFullView {
   creationDate: DateTime<Utc>;
 }
 
-export interface Fido2CredentialNewView {
+export interface LoginUri {
+  uri: EncString | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: EncString | undefined;
+}
+
+export interface Fido2CredentialView {
   credentialId: string;
   keyType: string;
   keyAlgorithm: string;
   keyCurve: string;
+  keyValue: EncString;
   rpId: string;
   userHandle: string | undefined;
   userName: string | undefined;
   counter: string;
   rpName: string | undefined;
   userDisplayName: string | undefined;
+  discoverable: string;
+  creationDate: DateTime<Utc>;
+}
+
+export interface LoginListView {
+  fido2Credentials: Fido2CredentialListView[] | undefined;
+  hasFido2: boolean;
+  username: string | undefined;
+  /**
+   * The TOTP key is not decrypted. Useable as is with [`crate::generate_totp_cipher_view`].
+   */
+  totp: EncString | undefined;
+  uris: LoginUriView[] | undefined;
+}
+
+export interface LoginUriView {
+  uri: string | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: string | undefined;
+}
+
+export interface Fido2Credential {
+  credentialId: EncString;
+  keyType: EncString;
+  keyAlgorithm: EncString;
+  keyCurve: EncString;
+  keyValue: EncString;
+  rpId: EncString;
+  userHandle: EncString | undefined;
+  userName: EncString | undefined;
+  counter: EncString;
+  rpName: EncString | undefined;
+  userDisplayName: EncString | undefined;
+  discoverable: EncString;
   creationDate: DateTime<Utc>;
 }
 
@@ -1318,6 +2277,15 @@ export interface Login {
   fido2Credentials: Fido2Credential[] | undefined;
 }
 
+export interface Fido2CredentialListView {
+  credentialId: string;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  userDisplayName: string | undefined;
+  counter: string;
+}
+
 export interface LoginView {
   username: string | undefined;
   password: string | undefined;
@@ -1328,139 +2296,216 @@ export interface LoginView {
   fido2Credentials: Fido2Credential[] | undefined;
 }
 
-export interface LoginListView {
-  fido2Credentials: Fido2CredentialListView[] | undefined;
-  hasFido2: boolean;
-  username: string | undefined;
+export interface CipherView {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
   /**
-   * The TOTP key is not decrypted. Useable as is with [`crate::generate_totp_cipher_view`].
+   * Temporary, required to support re-encrypting existing items.
    */
-  totp: EncString | undefined;
-  uris: LoginUriView[] | undefined;
-}
-
-export interface SecureNote {
-  type: SecureNoteType;
-}
-
-export interface SecureNoteView {
-  type: SecureNoteType;
+  key: EncString | undefined;
+  name: string;
+  notes: string | undefined;
+  type: CipherType;
+  login: LoginView | undefined;
+  identity: IdentityView | undefined;
+  card: CardView | undefined;
+  secureNote: SecureNoteView | undefined;
+  sshKey: SshKeyView | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  localData: LocalDataView | undefined;
+  attachments: AttachmentView[] | undefined;
+  /**
+   * Attachments that failed to decrypt. Only present when there are decryption failures.
+   */
+  attachmentDecryptionFailures?: AttachmentView[];
+  fields: FieldView[] | undefined;
+  passwordHistory: PasswordHistoryView[] | undefined;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
 }
 
 /**
- * Request to add or edit a folder.
+ * Represents the result of decrypting a list of ciphers.
+ *
+ * This struct contains two vectors: `successes` and `failures`.
+ * `successes` contains the decrypted `CipherView` objects,
+ * while `failures` contains the original `Cipher` objects that failed to decrypt.
  */
-export interface FolderAddEditRequest {
+export interface DecryptCipherResult {
   /**
-   * The new name of the folder.
+   * The decrypted `CipherView` objects.
    */
-  name: string;
+  successes: CipherView[];
+  /**
+   * The original `Cipher` objects that failed to decrypt.
+   */
+  failures: Cipher[];
 }
 
 /**
- * NewType wrapper for `FolderId`
+ * Represents the result of decrypting a list of ciphers.
+ *
+ * This struct contains two vectors: `successes` and `failures`.
+ * `successes` contains the decrypted `CipherListView` objects,
+ * while `failures` contains the original `Cipher` objects that failed to decrypt.
  */
-export type FolderId = Tagged<Uuid, "FolderId">;
-
-export interface Folder {
-  id: FolderId | undefined;
-  name: EncString;
-  revisionDate: DateTime<Utc>;
-}
-
-export interface FolderView {
-  id: FolderId | undefined;
-  name: string;
-  revisionDate: DateTime<Utc>;
-}
-
-export interface AncestorMap {
-  ancestors: Map<CollectionId, string>;
-}
-
-export interface DecryptError extends Error {
-  name: "DecryptError";
-  variant: "Crypto";
-}
-
-export function isDecryptError(error: any): error is DecryptError;
-
-export interface EncryptError extends Error {
-  name: "EncryptError";
-  variant: "Crypto" | "MissingUserId";
-}
-
-export function isEncryptError(error: any): error is EncryptError;
-
-export interface TotpResponse {
+export interface DecryptCipherListResult {
   /**
-   * Generated TOTP code
+   * The decrypted `CipherListView` objects.
    */
-  code: string;
+  successes: CipherListView[];
   /**
-   * Time period
+   * The original `Cipher` objects that failed to decrypt.
    */
-  period: number;
-}
-
-export interface TotpError extends Error {
-  name: "TotpError";
-  variant: "InvalidOtpauth" | "MissingSecret" | "Crypto";
+  failures: Cipher[];
 }
 
-export function isTotpError(error: any): error is TotpError;
-
-export interface PasswordHistoryView {
-  password: string;
-  lastUsedDate: DateTime<Utc>;
-}
+export type CipherListViewType =
+  | { login: LoginListView }
+  | "secureNote"
+  | { card: CardListView }
+  | "identity"
+  | "sshKey";
 
-export interface PasswordHistory {
-  password: EncString;
-  lastUsedDate: DateTime<Utc>;
+export interface Cipher {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
+  /**
+   * More recent ciphers uses individual encryption keys to encrypt the other fields of the
+   * Cipher.
+   */
+  key: EncString | undefined;
+  name: EncString;
+  notes: EncString | undefined;
+  type: CipherType;
+  login: Login | undefined;
+  identity: Identity | undefined;
+  card: Card | undefined;
+  secureNote: SecureNote | undefined;
+  sshKey: SshKey | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  localData: LocalData | undefined;
+  attachments: Attachment[] | undefined;
+  fields: Field[] | undefined;
+  passwordHistory: PasswordHistory[] | undefined;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  data: string | undefined;
 }
 
-export interface GetFolderError extends Error {
-  name: "GetFolderError";
-  variant: "ItemNotFound" | "Crypto" | "Repository";
+export interface EncryptionContext {
+  /**
+   * The Id of the user that encrypted the cipher. It should always represent a UserId, even for
+   * Organization-owned ciphers
+   */
+  encryptedFor: UserId;
+  cipher: Cipher;
 }
 
-export function isGetFolderError(error: any): error is GetFolderError;
-
-export interface EditFolderError extends Error {
-  name: "EditFolderError";
+export interface CipherError extends Error {
+  name: "CipherError";
   variant:
-    | "ItemNotFound"
-    | "Crypto"
-    | "Api"
-    | "VaultParse"
     | "MissingField"
+    | "Crypto"
+    | "Decrypt"
+    | "Encrypt"
+    | "AttachmentsWithoutKeys"
+    | "OrganizationAlreadySet"
     | "Repository"
-    | "Uuid";
+    | "Chrono"
+    | "SerdeJson"
+    | "Api";
 }
 
-export function isEditFolderError(error: any): error is EditFolderError;
+export function isCipherError(error: any): error is CipherError;
 
-export interface CreateFolderError extends Error {
-  name: "CreateFolderError";
-  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "Repository";
-}
+/**
+ * NewType wrapper for `CipherId`
+ */
+export type CipherId = Tagged<Uuid, "CipherId">;
 
-export function isCreateFolderError(error: any): error is CreateFolderError;
+/**
+ * Available fields on a cipher and can be copied from a the list view in the UI.
+ */
+export type CopyableCipherFields =
+  | "LoginUsername"
+  | "LoginPassword"
+  | "LoginTotp"
+  | "CardNumber"
+  | "CardSecurityCode"
+  | "IdentityUsername"
+  | "IdentityEmail"
+  | "IdentityPhone"
+  | "IdentityAddress"
+  | "SshKey"
+  | "SecureNotes";
 
-export interface SshKeyView {
+export interface CipherListView {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
   /**
-   * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
+   * Temporary, required to support calculating TOTP from CipherListView.
    */
-  privateKey: string;
+  key: EncString | undefined;
+  name: string;
+  subtitle: string;
+  type: CipherListViewType;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
   /**
-   * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
+   * The number of attachments
    */
-  publicKey: string;
+  attachments: number;
   /**
-   * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
+   * Indicates if the cipher has old attachments that need to be re-uploaded
    */
-  fingerprint: string;
+  hasOldAttachments: boolean;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  /**
+   * Hints for the presentation layer for which fields can be copied.
+   */
+  copyableFields: CopyableCipherFields[];
+  localData: LocalDataView | undefined;
+  /**
+   * Decrypted cipher notes for search indexing.
+   */
+  notes: string | undefined;
+  /**
+   * Decrypted cipher fields for search indexing.
+   * Only includes name and value (for text fields only).
+   */
+  fields: FieldListView[] | undefined;
+  /**
+   * Decrypted attachment filenames for search indexing.
+   */
+  attachmentNames: string[] | undefined;
 }
 
 export interface SshKey {
@@ -1478,14 +2523,19 @@ export interface SshKey {
   fingerprint: EncString;
 }
 
-export interface LocalDataView {
-  lastUsedDate: DateTime<Utc> | undefined;
-  lastLaunched: DateTime<Utc> | undefined;
-}
-
-export interface LocalData {
-  lastUsedDate: DateTime<Utc> | undefined;
-  lastLaunched: DateTime<Utc> | undefined;
+export interface SshKeyView {
+  /**
+   * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
+   */
+  privateKey: string;
+  /**
+   * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
+   */
+  publicKey: string;
+  /**
+   * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
+   */
+  fingerprint: string;
 }
 
 export interface IdentityView {
@@ -1530,97 +2580,67 @@ export interface Identity {
   licenseNumber: EncString | undefined;
 }
 
-export interface CipherPermissions {
-  delete: boolean;
-  restore: boolean;
-}
-
-export interface CipherError extends Error {
-  name: "CipherError";
-  variant: "MissingField" | "Crypto" | "Encrypt" | "AttachmentsWithoutKeys";
-}
-
-export function isCipherError(error: any): error is CipherError;
+export type LinkedIdType = LoginLinkedIdType | CardLinkedIdType | IdentityLinkedIdType;
 
 /**
- * Minimal CardView only including the needed details for list views
+ * NewType wrapper for `FolderId`
  */
-export interface CardListView {
-  /**
-   * The brand of the card, e.g. Visa, Mastercard, etc.
-   */
-  brand: string | undefined;
-}
-
-export interface CardView {
-  cardholderName: string | undefined;
-  expMonth: string | undefined;
-  expYear: string | undefined;
-  code: string | undefined;
-  brand: string | undefined;
-  number: string | undefined;
-}
+export type FolderId = Tagged<Uuid, "FolderId">;
 
-export interface Card {
-  cardholderName: EncString | undefined;
-  expMonth: EncString | undefined;
-  expYear: EncString | undefined;
-  code: EncString | undefined;
-  brand: EncString | undefined;
-  number: EncString | undefined;
+export interface Folder {
+  id: FolderId | undefined;
+  name: EncString;
+  revisionDate: DateTime<Utc>;
 }
 
-export interface DecryptFileError extends Error {
-  name: "DecryptFileError";
-  variant: "Decrypt" | "Io";
+export interface FolderView {
+  id: FolderId | undefined;
+  name: string;
+  revisionDate: DateTime<Utc>;
 }
 
-export function isDecryptFileError(error: any): error is DecryptFileError;
-
-export interface EncryptFileError extends Error {
-  name: "EncryptFileError";
-  variant: "Encrypt" | "Io";
+export interface EditFolderError extends Error {
+  name: "EditFolderError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "Repository"
+    | "Uuid";
 }
 
-export function isEncryptFileError(error: any): error is EncryptFileError;
+export function isEditFolderError(error: any): error is EditFolderError;
 
-export interface AttachmentView {
-  id: string | undefined;
-  url: string | undefined;
-  size: string | undefined;
-  sizeName: string | undefined;
-  fileName: string | undefined;
-  key: EncString | undefined;
+/**
+ * Request to add or edit a folder.
+ */
+export interface FolderAddEditRequest {
   /**
-   * The decrypted attachmentkey in base64 format.
-   *
-   * **TEMPORARY FIELD**: This field is a temporary workaround to provide
-   * decrypted attachment keys to the TypeScript client during the migration
-   * process. It will be removed once the encryption/decryption logic is
-   * fully migrated to the SDK.
-   *
-   * **Ticket**: <https://bitwarden.atlassian.net/browse/PM-23005>
-   *
-   * Do not rely on this field for long-term use.
+   * The new name of the folder.
    */
-  decryptedKey: string | undefined;
+  name: string;
 }
 
-export interface Attachment {
-  id: string | undefined;
-  url: string | undefined;
-  size: string | undefined;
-  /**
-   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
-   */
-  sizeName: string | undefined;
-  fileName: EncString | undefined;
-  key: EncString | undefined;
+export interface CreateFolderError extends Error {
+  name: "CreateFolderError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "Repository";
+}
+
+export function isCreateFolderError(error: any): error is CreateFolderError;
+
+export interface GetFolderError extends Error {
+  name: "GetFolderError";
+  variant: "ItemNotFound" | "Crypto" | "Repository";
 }
 
+export function isGetFolderError(error: any): error is GetFolderError;
+
 export class AttachmentsClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   decrypt_buffer(
     cipher: Cipher,
     attachment: AttachmentView,
@@ -1633,69 +2653,167 @@ export class AttachmentsClient {
 export class AuthClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Client for send access functionality
    */
   send_access(): SendAccessClient;
+  /**
+   * Client for initializing user account cryptography and unlock methods after JIT provisioning
+   */
+  registration(): RegistrationClient;
+  /**
+   * Client for login functionality
+   */
+  login(client_settings: ClientSettings): LoginClient;
 }
 /**
- * The main entry point for the Bitwarden SDK in WebAssembly environments
+ * Client for performing admin operations on ciphers. Unlike the regular CiphersClient,
+ * this client uses the admin server API endpoints, and does not modify local state.
  */
-export class BitwardenClient {
+export class CipherAdminClient {
+  private constructor();
   free(): void;
+  [Symbol.dispose](): void;
+  list_org_ciphers(
+    org_id: OrganizationId,
+    include_member_items: boolean,
+  ): Promise<DecryptCipherListResult>;
   /**
-   * Initialize a new instance of the SDK client
-   */
-  constructor(token_provider: any, settings?: ClientSettings | null);
-  /**
-   * Test method, echoes back the input
+   * Adds the cipher matched by [CipherId] to any number of collections on the server.
    */
-  echo(msg: string): string;
+  update_collection(cipher_id: CipherId, collection_ids: CollectionId[]): Promise<CipherView>;
   /**
-   * Returns the current SDK version
+   * Edit an existing [Cipher] and save it to the server.
    */
-  version(): string;
+  edit(request: CipherEditRequest, original_cipher_view: CipherView): Promise<CipherView>;
   /**
-   * Test method, always throws an error
+   * Creates a new [Cipher] for an organization, using the admin server endpoints.
+   * Creates the Cipher on the server only, does not store it to local state.
    */
-  throw(msg: string): void;
+  create(request: CipherCreateRequest): Promise<CipherView>;
   /**
-   * Test method, calls http endpoint
+   * Deletes all Cipher objects with a matching CipherId from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
    */
-  http_get(url: string): Promise<string>;
+  delete_many(cipher_ids: CipherId[], organization_id: OrganizationId): Promise<void>;
   /**
-   * Auth related operations.
+   * Soft-deletes the Cipher with the matching CipherId from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
    */
-  auth(): AuthClient;
+  soft_delete(cipher_id: CipherId): Promise<void>;
   /**
-   * Bitwarden licensed operations.
+   * Soft-deletes all Cipher objects for the given CipherIds from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
    */
-  commercial(): CommercialPasswordManagerClient;
+  soft_delete_many(cipher_ids: CipherId[], organization_id: OrganizationId): Promise<void>;
   /**
-   * Crypto related operations.
+   * Deletes the Cipher with the matching CipherId from the server, using the admin endpoint.
+   * Affects server data only, does not modify local state.
    */
-  crypto(): CryptoClient;
+  delete(cipher_id: CipherId): Promise<void>;
   /**
-   * Vault item related operations.
+   * Restores multiple soft-deleted ciphers on the server.
    */
-  vault(): VaultClient;
+  restore_many(cipher_ids: CipherId[], org_id: OrganizationId): Promise<DecryptCipherListResult>;
   /**
-   * Constructs a specific client for platform-specific functionality
+   * Restores a soft-deleted cipher on the server, using the admin endpoint.
    */
-  platform(): PlatformClient;
+  restore(cipher_id: CipherId): Promise<CipherView>;
+}
+/**
+ * Client for evaluating credential risk for login ciphers.
+ */
+export class CipherRiskClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
   /**
-   * Constructs a specific client for generating passwords and passphrases
+   * Evaluate security risks for multiple login ciphers concurrently.
+   *
+   * For each cipher:
+   * 1. Calculates password strength (0-4) using zxcvbn with cipher-specific context
+   * 2. Optionally checks if the password has been exposed via Have I Been Pwned API
+   * 3. Counts how many times the password is reused in the provided `password_map`
+   *
+   * Returns a vector of `CipherRisk` results, one for each input cipher.
+   *
+   * ## HIBP Check Results (`exposed_result` field)
+   *
+   * The `exposed_result` field uses the `ExposedPasswordResult` enum with three possible states:
+   * - `NotChecked`: Password exposure check was not performed because:
+   *   - `check_exposed` option was `false`, or
+   *   - Password was empty
+   * - `Found(n)`: Successfully checked via HIBP API, password appears in `n` data breaches
+   * - `Error(msg)`: HIBP API request failed with error message `msg`
+   *
+   * # Errors
+   *
+   * This method only returns `Err` for internal logic failures. HIBP API errors are
+   * captured per-cipher in the `exposed_result` field as `ExposedPasswordResult::Error(msg)`.
    */
-  generator(): GeneratorClient;
+  compute_risk(
+    login_details: CipherLoginDetails[],
+    options: CipherRiskOptions,
+  ): Promise<CipherRiskResult[]>;
   /**
-   * Exporter related operations.
+   * Build password reuse map for a list of login ciphers.
+   *
+   * Returns a map where keys are passwords and values are the number of times
+   * each password appears in the provided list. This map can be passed to `compute_risk()`
+   * to enable password reuse detection.
    */
-  exporters(): ExporterClient;
+  password_reuse_map(login_details: CipherLoginDetails[]): PasswordReuseMap;
 }
 export class CiphersClient {
   private constructor();
   free(): void;
-  encrypt(cipher_view: CipherView): EncryptionContext;
+  [Symbol.dispose](): void;
+  /**
+   * Moves a cipher into an organization, adds it to collections, and calls the share_cipher API.
+   */
+  share_cipher(
+    cipher_view: CipherView,
+    organization_id: OrganizationId,
+    collection_ids: CollectionId[],
+    original_cipher?: Cipher | null,
+  ): Promise<Cipher>;
+  /**
+   * Moves a group of ciphers into an organization, adds them to collections, and calls the
+   * share_ciphers API.
+   */
+  share_ciphers_bulk(
+    cipher_views: CipherView[],
+    organization_id: OrganizationId,
+    collection_ids: CollectionId[],
+  ): Promise<Cipher[]>;
+  decrypt_list(ciphers: Cipher[]): CipherListView[];
+  /**
+   * Encrypt a list of cipher views.
+   *
+   * This method attempts to encrypt all ciphers in the list. If any cipher
+   * fails to encrypt, the entire operation fails and an error is returned.
+   */
+  encrypt_list(cipher_views: CipherView[]): EncryptionContext[];
+  move_to_organization(cipher_view: CipherView, organization_id: OrganizationId): CipherView;
+  /**
+   * Temporary method used to re-encrypt FIDO2 credentials for a cipher view.
+   * Necessary until the TS clients utilize the SDK entirely for FIDO2 credentials management.
+   * TS clients create decrypted FIDO2 credentials that need to be encrypted manually when
+   * encrypting the rest of the CipherView.
+   * TODO: Remove once TS passkey provider implementation uses SDK - PM-8313
+   */
+  set_fido2_credentials(
+    cipher_view: CipherView,
+    fido2_credentials: Fido2CredentialFullView[],
+  ): CipherView;
+  decrypt_fido2_credentials(cipher_view: CipherView): Fido2CredentialView[];
+  decrypt_fido2_private_key(cipher_view: CipherView): string;
+  /**
+   * Decrypt cipher list with failures
+   * Returns both successfully decrypted ciphers and any that failed to decrypt
+   */
+  decrypt_list_with_failures(ciphers: Cipher[]): DecryptCipherListResult;
   /**
    * Encrypt a cipher with the provided key. This should only be used when rotating encryption
    * keys in the Web client.
@@ -1709,47 +2827,90 @@ export class CiphersClient {
    * key directly.
    */
   encrypt_cipher_for_rotation(cipher_view: CipherView, new_key: B64): EncryptionContext;
+  /**
+   * Decrypt full cipher list
+   * Returns both successfully fully decrypted ciphers and any that failed to decrypt
+   */
+  decrypt_list_full_with_failures(ciphers: Cipher[]): DecryptCipherResult;
+  /**
+   * Returns a new client for performing admin operations.
+   * Uses the admin server API endpoints and does not modify local state.
+   */
+  admin(): CipherAdminClient;
   decrypt(cipher: Cipher): CipherView;
-  decrypt_list(ciphers: Cipher[]): CipherListView[];
+  encrypt(cipher_view: CipherView): EncryptionContext;
   /**
-   * Decrypt cipher list with failures
-   * Returns both successfully decrypted ciphers and any that failed to decrypt
+   * Get [Cipher] by ID from state and decrypt it to a [CipherView].
    */
-  decrypt_list_with_failures(ciphers: Cipher[]): DecryptCipherListResult;
-  decrypt_fido2_credentials(cipher_view: CipherView): Fido2CredentialView[];
+  get(cipher_id: string): Promise<CipherView>;
   /**
-   * Temporary method used to re-encrypt FIDO2 credentials for a cipher view.
-   * Necessary until the TS clients utilize the SDK entirely for FIDO2 credentials management.
-   * TS clients create decrypted FIDO2 credentials that need to be encrypted manually when
-   * encrypting the rest of the CipherView.
-   * TODO: Remove once TS passkey provider implementation uses SDK - PM-8313
+   * Get all ciphers from state and decrypt them, returning both successes and failures.
+   * This method will not fail when some ciphers fail to decrypt, allowing for graceful
+   * handling of corrupted or problematic cipher data.
    */
-  set_fido2_credentials(
-    cipher_view: CipherView,
-    fido2_credentials: Fido2CredentialFullView[],
-  ): CipherView;
-  move_to_organization(cipher_view: CipherView, organization_id: OrganizationId): CipherView;
-  decrypt_fido2_private_key(cipher_view: CipherView): string;
+  list(): Promise<DecryptCipherListResult>;
+  /**
+   * Adds the cipher matched by [CipherId] to any number of collections on the server.
+   */
+  update_collection(
+    cipher_id: CipherId,
+    collection_ids: CollectionId[],
+    is_admin: boolean,
+  ): Promise<CipherView>;
+  /**
+   * Edit an existing [Cipher] and save it to the server.
+   */
+  edit(request: CipherEditRequest): Promise<CipherView>;
+  /**
+   * Creates a new [Cipher] and saves it to the server.
+   */
+  create(request: CipherCreateRequest): Promise<CipherView>;
+  /**
+   * Deletes all [Cipher] objects with a matching [CipherId] from the server.
+   */
+  delete_many(cipher_ids: CipherId[], organization_id?: OrganizationId | null): Promise<void>;
+  /**
+   * Soft-deletes the [Cipher] with the matching [CipherId] from the server.
+   */
+  soft_delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Soft-deletes all [Cipher] objects for the given [CipherId]s from the server.
+   */
+  soft_delete_many(cipher_ids: CipherId[], organization_id?: OrganizationId | null): Promise<void>;
+  /**
+   * Deletes the [Cipher] with the matching [CipherId] from the server.
+   */
+  delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Restores multiple soft-deleted ciphers on the server.
+   */
+  restore_many(cipher_ids: CipherId[]): Promise<DecryptCipherListResult>;
+  /**
+   * Restores a soft-deleted cipher on the server.
+   */
+  restore(cipher_id: CipherId): Promise<CipherView>;
 }
 export class CollectionViewNodeItem {
   private constructor();
   free(): void;
-  get_item(): CollectionView;
+  [Symbol.dispose](): void;
   get_parent(): CollectionView | undefined;
   get_children(): CollectionView[];
   get_ancestors(): AncestorMap;
+  get_item(): CollectionView;
 }
 export class CollectionViewTree {
   private constructor();
   free(): void;
-  get_item_for_view(collection_view: CollectionView): CollectionViewNodeItem | undefined;
-  get_root_items(): CollectionViewNodeItem[];
+  [Symbol.dispose](): void;
   get_flat_items(): CollectionViewNodeItem[];
+  get_root_items(): CollectionViewNodeItem[];
+  get_item_for_view(collection_view: CollectionView): CollectionViewNodeItem | undefined;
 }
 export class CollectionsClient {
   private constructor();
   free(): void;
-  decrypt(collection: Collection): CollectionView;
+  [Symbol.dispose](): void;
   decrypt_list(collections: Collection[]): CollectionView[];
   /**
    *
@@ -1757,6 +2918,7 @@ export class CollectionsClient {
    * path().
    */
   get_collection_tree(collections: CollectionView[]): CollectionViewTree;
+  decrypt(collection: Collection): CollectionView;
 }
 /**
  * Client for bitwarden licensed operations
@@ -1764,6 +2926,7 @@ export class CollectionsClient {
 export class CommercialPasswordManagerClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Vault item operations
    */
@@ -1772,6 +2935,7 @@ export class CommercialPasswordManagerClient {
 export class CommercialVaultClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
 }
 /**
  * A client for the crypto operations.
@@ -1779,47 +2943,48 @@ export class CommercialVaultClient {
 export class CryptoClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * Initialization method for the user crypto. Needs to be called before any other crypto
-   * operations.
+   * Protects the current user key with the provided PIN. The result can be stored and later
+   * used to initialize another client instance by using the PIN and the PIN key with
+   * `initialize_user_crypto`.
    */
-  initialize_user_crypto(req: InitUserCryptoRequest): Promise<void>;
+  enroll_pin(pin: string): EnrollPinResponse;
+  /**
+   * Generates a new key pair and encrypts the private key with the provided user key.
+   * Crypto initialization not required.
+   */
+  make_key_pair(user_key: B64): MakeKeyPairResponse;
+  /**
+   * Create the data necessary to update the user's kdf settings. The user's encryption key is
+   * re-encrypted for the password under the new kdf settings. This returns the re-encrypted
+   * user key and the new password hash but does not update sdk state.
+   */
+  make_update_kdf(password: string, kdf: Kdf): UpdateKdfResponse;
   /**
    * Initialization method for the organization crypto. Needs to be called after
    * `initialize_user_crypto` but before any other crypto operations.
    */
   initialize_org_crypto(req: InitOrgCryptoRequest): Promise<void>;
   /**
-   * Generates a new key pair and encrypts the private key with the provided user key.
-   * Crypto initialization not required.
+   * Initialization method for the user crypto. Needs to be called before any other crypto
+   * operations.
    */
-  make_key_pair(user_key: B64): MakeKeyPairResponse;
+  initialize_user_crypto(req: InitUserCryptoRequest): Promise<void>;
   /**
    * Verifies a user's asymmetric keys by decrypting the private key with the provided user
    * key. Returns if the private key is decryptable and if it is a valid matching key.
    * Crypto initialization not required.
    */
   verify_asymmetric_keys(request: VerifyAsymmetricKeysRequest): VerifyAsymmetricKeysResponse;
-  /**
-   * Makes a new signing key pair and signs the public key for the user
-   */
-  make_keys_for_user_crypto_v2(): UserCryptoV2KeysResponse;
   /**
    * Creates a rotated set of account keys for the current state
    */
   get_v2_rotated_account_keys(): UserCryptoV2KeysResponse;
   /**
-   * Create the data necessary to update the user's kdf settings. The user's encryption key is
-   * re-encrypted for the password under the new kdf settings. This returns the re-encrypted
-   * user key and the new password hash but does not update sdk state.
-   */
-  make_update_kdf(password: string, kdf: Kdf): UpdateKdfResponse;
-  /**
-   * Protects the current user key with the provided PIN. The result can be stored and later
-   * used to initialize another client instance by using the PIN and the PIN key with
-   * `initialize_user_crypto`.
+   * Makes a new signing key pair and signs the public key for the user
    */
-  enroll_pin(pin: string): EnrollPinResponse;
+  make_keys_for_user_crypto_v2(): UserCryptoV2KeysResponse;
   /**
    * Protects the current user key with the provided PIN. The result can be stored and later
    * used to initialize another client instance by using the PIN and the PIN key with
@@ -1830,20 +2995,12 @@ export class CryptoClient {
    * Decrypts a `PasswordProtectedKeyEnvelope`, returning the user key, if successful.
    * This is a stop-gap solution, until initialization of the SDK is used.
    */
-  unseal_password_protected_key_envelope(
-    pin: string,
-    envelope: PasswordProtectedKeyEnvelope,
-  ): Uint8Array;
+  unseal_password_protected_key_envelope(pin: string, envelope: string): Uint8Array;
 }
 export class ExporterClient {
   private constructor();
   free(): void;
-  export_vault(folders: Folder[], ciphers: Cipher[], format: ExportFormat): string;
-  export_organization_vault(
-    collections: Collection[],
-    ciphers: Cipher[],
-    format: ExportFormat,
-  ): string;
+  [Symbol.dispose](): void;
   /**
    * Credential Exchange Format (CXF)
    *
@@ -1862,6 +3019,12 @@ export class ExporterClient {
    * Ideally, the input should be immediately serialized from [ASImportableAccount](https://developer.apple.com/documentation/authenticationservices/asimportableaccount).
    */
   import_cxf(payload: string): Cipher[];
+  export_vault(folders: Folder[], ciphers: Cipher[], format: ExportFormat): string;
+  export_organization_vault(
+    collections: Collection[],
+    ciphers: Cipher[],
+    format: ExportFormat,
+  ): string;
 }
 /**
  * Wrapper for folder specific functionality.
@@ -1869,99 +3032,102 @@ export class ExporterClient {
 export class FoldersClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * Encrypt a [FolderView] to a [Folder].
+   * Decrypt a list of [Folder]s to a list of [FolderView]s.
    */
-  encrypt(folder_view: FolderView): Folder;
+  decrypt_list(folders: Folder[]): FolderView[];
   /**
-   * Encrypt a [Folder] to [FolderView].
+   * Get a specific [Folder] by its ID from state and decrypt it to a [FolderView].
    */
-  decrypt(folder: Folder): FolderView;
+  get(folder_id: FolderId): Promise<FolderView>;
   /**
-   * Decrypt a list of [Folder]s to a list of [FolderView]s.
+   * Edit the [Folder] and save it to the server.
    */
-  decrypt_list(folders: Folder[]): FolderView[];
+  edit(folder_id: FolderId, request: FolderAddEditRequest): Promise<FolderView>;
   /**
    * Get all folders from state and decrypt them to a list of [FolderView].
    */
   list(): Promise<FolderView[]>;
-  /**
-   * Get a specific [Folder] by its ID from state and decrypt it to a [FolderView].
-   */
-  get(folder_id: FolderId): Promise<FolderView>;
   /**
    * Create a new [Folder] and save it to the server.
    */
   create(request: FolderAddEditRequest): Promise<FolderView>;
   /**
-   * Edit the [Folder] and save it to the server.
+   * Encrypt a [Folder] to [FolderView].
    */
-  edit(folder_id: FolderId, request: FolderAddEditRequest): Promise<FolderView>;
+  decrypt(folder: Folder): FolderView;
+  /**
+   * Encrypt a [FolderView] to a [Folder].
+   */
+  encrypt(folder_view: FolderView): Folder;
 }
 export class GeneratorClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * Generates a random password.
+   * Generates a random passphrase.
+   * A passphrase is a combination of random words separated by a character.
+   * An example of passphrase is `correct horse battery staple`.
    *
-   * The character sets and password length can be customized using the `input` parameter.
+   * The number of words and their case, the word separator, and the inclusion of
+   * a number in the passphrase can be customized using the `input` parameter.
    *
    * # Examples
    *
    * ```
    * use bitwarden_core::Client;
-   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PasswordGeneratorRequest};
+   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PassphraseGeneratorRequest};
    *
    * async fn test() -> Result<(), PassphraseError> {
-   *     let input = PasswordGeneratorRequest {
-   *         lowercase: true,
-   *         uppercase: true,
-   *         numbers: true,
-   *         length: 20,
+   *     let input = PassphraseGeneratorRequest {
+   *         num_words: 4,
    *         ..Default::default()
    *     };
-   *     let password = Client::new(None).generator().password(input).unwrap();
-   *     println!("{}", password);
+   *     let passphrase = Client::new(None).generator().passphrase(input).unwrap();
+   *     println!("{}", passphrase);
    *     Ok(())
    * }
    * ```
    */
-  password(input: PasswordGeneratorRequest): string;
+  passphrase(input: PassphraseGeneratorRequest): string;
   /**
-   * Generates a random passphrase.
-   * A passphrase is a combination of random words separated by a character.
-   * An example of passphrase is `correct horse battery staple`.
+   * Generates a random password.
    *
-   * The number of words and their case, the word separator, and the inclusion of
-   * a number in the passphrase can be customized using the `input` parameter.
+   * The character sets and password length can be customized using the `input` parameter.
    *
    * # Examples
    *
    * ```
    * use bitwarden_core::Client;
-   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PassphraseGeneratorRequest};
+   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PasswordGeneratorRequest};
    *
    * async fn test() -> Result<(), PassphraseError> {
-   *     let input = PassphraseGeneratorRequest {
-   *         num_words: 4,
+   *     let input = PasswordGeneratorRequest {
+   *         lowercase: true,
+   *         uppercase: true,
+   *         numbers: true,
+   *         length: 20,
    *         ..Default::default()
    *     };
-   *     let passphrase = Client::new(None).generator().passphrase(input).unwrap();
-   *     println!("{}", passphrase);
+   *     let password = Client::new(None).generator().password(input).unwrap();
+   *     println!("{}", password);
    *     Ok(())
    * }
    * ```
    */
-  passphrase(input: PassphraseGeneratorRequest): string;
+  password(input: PasswordGeneratorRequest): string;
 }
 export class IncomingMessage {
   free(): void;
-  constructor(payload: Uint8Array, destination: Endpoint, source: Endpoint, topic?: string | null);
+  [Symbol.dispose](): void;
   /**
    * Try to parse the payload as JSON.
    * @returns The parsed JSON value, or undefined if the payload is not valid JSON.
    */
   parse_payload_as_json(): any;
+  constructor(payload: Uint8Array, destination: Endpoint, source: Endpoint, topic?: string | null);
   payload: Uint8Array;
   destination: Endpoint;
   source: Endpoint;
@@ -1973,11 +3139,25 @@ export class IncomingMessage {
  * [IpcClient] documentation.
  */
 export class IpcClient {
+  private constructor();
   free(): void;
-  constructor(communication_provider: IpcCommunicationBackend);
-  start(): Promise<void>;
+  [Symbol.dispose](): void;
   isRunning(): Promise<boolean>;
+  /**
+   * Create a new `IpcClient` instance with an in-memory session repository for saving
+   * sessions within the SDK.
+   */
+  static newWithSdkInMemorySessions(communication_provider: IpcCommunicationBackend): IpcClient;
+  /**
+   * Create a new `IpcClient` instance with a client-managed session repository for saving
+   * sessions using State Provider.
+   */
+  static newWithClientManagedSessions(
+    communication_provider: IpcCommunicationBackend,
+    session_repository: IpcSessionRepository,
+  ): IpcClient;
   send(message: OutgoingMessage): Promise<void>;
+  start(): Promise<void>;
   subscribe(): Promise<IpcClientSubscription>;
 }
 /**
@@ -1987,6 +3167,7 @@ export class IpcClient {
 export class IpcClientSubscription {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   receive(abort_signal?: AbortSignal | null): Promise<IncomingMessage>;
 }
 /**
@@ -1994,6 +3175,7 @@ export class IpcClientSubscription {
  */
 export class IpcCommunicationBackend {
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Creates a new instance of the JavaScript communication backend.
    */
@@ -2003,9 +3185,91 @@ export class IpcCommunicationBackend {
    */
   receive(message: IncomingMessage): void;
 }
+/**
+ * Client for authenticating Bitwarden users.
+ *
+ * Handles unauthenticated operations to obtain access tokens from the Identity API.
+ * After successful authentication, use the returned tokens to create an authenticated core client.
+ *
+ * # Lifecycle
+ *
+ * 1. Create `LoginClient` via `AuthClient`
+ * 2. Call login method
+ * 3. Use returned tokens with authenticated core client
+ *
+ * # Password Login Example
+ *
+ * ```rust,no_run
+ * # use bitwarden_auth::{AuthClient, login::login_via_password::PasswordLoginRequest};
+ * # use bitwarden_auth::login::models::{LoginRequest, LoginDeviceRequest, LoginResponse};
+ * # use bitwarden_core::{Client, ClientSettings, DeviceType};
+ * # async fn example(email: String, password: String) -> Result<(), Box<dyn std::error::Error>> {
+ * // Create auth client
+ * let client = Client::new(None);
+ * let auth_client = AuthClient::new(client);
+ *
+ * // Configure client settings and create login client
+ * let settings = ClientSettings {
+ *     identity_url: "https://identity.bitwarden.com".to_string(),
+ *     api_url: "https://api.bitwarden.com".to_string(),
+ *     user_agent: "MyApp/1.0".to_string(),
+ *     device_type: DeviceType::SDK,
+ *     device_identifier: None,
+ *     bitwarden_client_version: None,
+ *     bitwarden_package_type: None,
+ * };
+ * let login_client = auth_client.login(settings);
+ *
+ * // Get user's KDF config
+ * let prelogin = login_client.get_password_prelogin(email.clone()).await?;
+ *
+ * // Login with credentials
+ * let response = login_client.login_via_password(PasswordLoginRequest {
+ *     login_request: LoginRequest {
+ *         client_id: "connector".to_string(),
+ *         device: LoginDeviceRequest {
+ *             device_type: DeviceType::SDK,
+ *             device_identifier: "device-id".to_string(),
+ *             device_name: "My Device".to_string(),
+ *             device_push_token: None,
+ *         },
+ *     },
+ *     email,
+ *     password,
+ *     prelogin_response: prelogin,
+ * }).await?;
+ *
+ * // Use tokens from response for authenticated requests
+ * match response {
+ *     LoginResponse::Authenticated(success) => {
+ *         let access_token = success.access_token;
+ *         // Use access_token for authenticated requests
+ *     }
+ * }
+ * # Ok(())
+ * # }
+ * ```
+ */
+export class LoginClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Retrieves the data required before authenticating with a password.
+   * This includes the user's KDF configuration needed to properly derive the master key.
+   */
+  get_password_prelogin(email: string): Promise<PasswordPreloginResponse>;
+  /**
+   * Authenticates a user via email and master password.
+   *
+   * Derives the master password hash using KDF settings from prelogin, then sends
+   * the authentication request to obtain access tokens and vault keys.
+   */
+  login_via_password(request: PasswordLoginRequest): Promise<LoginResponse>;
+}
 export class OutgoingMessage {
   free(): void;
-  constructor(payload: Uint8Array, destination: Endpoint, topic?: string | null);
+  [Symbol.dispose](): void;
   /**
    * Create a new message and encode the payload as JSON.
    */
@@ -2014,19 +3278,80 @@ export class OutgoingMessage {
     destination: Endpoint,
     topic?: string | null,
   ): OutgoingMessage;
+  constructor(payload: Uint8Array, destination: Endpoint, topic?: string | null);
   payload: Uint8Array;
   destination: Endpoint;
   get topic(): string | undefined;
   set topic(value: string | null | undefined);
 }
+/**
+ * The main entry point for the Bitwarden SDK in WebAssembly environments
+ */
+export class PasswordManagerClient {
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Bitwarden licensed operations.
+   */
+  commercial(): CommercialPasswordManagerClient;
+  /**
+   * User crypto management related operations.
+   */
+  user_crypto_management(): UserCryptoManagementClient;
+  /**
+   * Initialize a new instance of the SDK client
+   */
+  constructor(token_provider: any, settings?: ClientSettings | null);
+  /**
+   * Auth related operations.
+   */
+  auth(): AuthClient;
+  /**
+   * Test method, echoes back the input
+   */
+  echo(msg: string): string;
+  /**
+   * Test method, always throws an error
+   */
+  throw(msg: string): void;
+  /**
+   * Vault item related operations.
+   */
+  vault(): VaultClient;
+  /**
+   * Crypto related operations.
+   */
+  crypto(): CryptoClient;
+  /**
+   * Returns the current SDK version
+   */
+  version(): string;
+  /**
+   * Test method, calls http endpoint
+   */
+  http_get(url: string): Promise<string>;
+  /**
+   * Constructs a specific client for platform-specific functionality
+   */
+  platform(): PlatformClient;
+  /**
+   * Exporter related operations.
+   */
+  exporters(): ExporterClient;
+  /**
+   * Constructs a specific client for generating passwords and passphrases
+   */
+  generator(): GeneratorClient;
+}
 export class PlatformClient {
   private constructor();
   free(): void;
-  state(): StateClient;
+  [Symbol.dispose](): void;
   /**
    * Load feature flags into the client
    */
   load_flags(flags: FeatureFlags): void;
+  state(): StateClient;
 }
 /**
  * This module represents a stopgap solution to provide access to primitive crypto functions for JS
@@ -2037,80 +3362,72 @@ export class PlatformClient {
 export class PureCrypto {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * DEPRECATED: Use `symmetric_decrypt_string` instead.
-   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   * Generates a cryptographically secure random number between the given min and max
+   * (inclusive).
    */
-  static symmetric_decrypt(enc_string: string, key: Uint8Array): string;
-  static symmetric_decrypt_string(enc_string: string, key: Uint8Array): string;
-  static symmetric_decrypt_bytes(enc_string: string, key: Uint8Array): Uint8Array;
+  static random_number(min: number, max: number): number;
   /**
-   * DEPRECATED: Use `symmetric_decrypt_filedata` instead.
-   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   * Decrypts data using RSAES-OAEP with SHA-1
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
    */
-  static symmetric_decrypt_array_buffer(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
-  static symmetric_decrypt_filedata(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
-  static symmetric_encrypt_string(plain: string, key: Uint8Array): string;
+  static rsa_decrypt_data(encrypted_data: Uint8Array, private_key: Uint8Array): Uint8Array;
   /**
-   * DEPRECATED: Only used by send keys
+   * Encrypts data using RSAES-OAEP with SHA-1
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
    */
-  static symmetric_encrypt_bytes(plain: Uint8Array, key: Uint8Array): string;
-  static symmetric_encrypt_filedata(plain: Uint8Array, key: Uint8Array): Uint8Array;
-  static decrypt_user_key_with_master_password(
-    encrypted_user_key: string,
-    master_password: string,
-    email: string,
-    kdf: Kdf,
-  ): Uint8Array;
-  static encrypt_user_key_with_master_password(
-    user_key: Uint8Array,
-    master_password: string,
-    email: string,
-    kdf: Kdf,
-  ): string;
-  static make_user_key_aes256_cbc_hmac(): Uint8Array;
-  static make_user_key_xchacha20_poly1305(): Uint8Array;
+  static rsa_encrypt_data(plain_data: Uint8Array, public_key: Uint8Array): Uint8Array;
+  /**
+   * DEPRECATED: Use `symmetric_decrypt_string` instead.
+   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   */
+  static symmetric_decrypt(enc_string: string, key: Uint8Array): string;
   /**
    * Wraps (encrypts) a symmetric key using a symmetric wrapping key, returning the wrapped key
    * as an EncString.
    */
   static wrap_symmetric_key(key_to_be_wrapped: Uint8Array, wrapping_key: Uint8Array): string;
+  /**
+   * Derive output of the KDF for a [bitwarden_crypto::Kdf] configuration.
+   */
+  static derive_kdf_material(password: Uint8Array, salt: Uint8Array, kdf: Kdf): Uint8Array;
+  /**
+   * Generates a new RSA key pair and returns the private key
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
+   */
+  static rsa_generate_keypair(): Uint8Array;
   /**
    * Unwraps (decrypts) a wrapped symmetric key using a symmetric wrapping key, returning the
    * unwrapped key as a serialized byte array.
    */
   static unwrap_symmetric_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
   /**
-   * Wraps (encrypts) an SPKI DER encoded encapsulation (public) key using a symmetric wrapping
-   * key. Note: Usually, a public key is - by definition - public, so this should not be
-   * used. The specific use-case for this function is to enable rotateable key sets, where
-   * the "public key" is not public, with the intent of preventing the server from being able
-   * to overwrite the user key unlocked by the rotateable keyset.
-   */
-  static wrap_encapsulation_key(encapsulation_key: Uint8Array, wrapping_key: Uint8Array): string;
-  /**
-   * Unwraps (decrypts) a wrapped SPKI DER encoded encapsulation (public) key using a symmetric
-   * wrapping key.
+   * Given a decrypted private RSA key PKCS8 DER this
+   * returns the corresponding public RSA key in DER format.
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
    */
-  static unwrap_encapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  static rsa_extract_public_key(private_key: Uint8Array): Uint8Array;
   /**
    * Wraps (encrypts) a PKCS8 DER encoded decapsulation (private) key using a symmetric wrapping
    * key,
    */
   static wrap_decapsulation_key(decapsulation_key: Uint8Array, wrapping_key: Uint8Array): string;
   /**
-   * Unwraps (decrypts) a wrapped PKCS8 DER encoded decapsulation (private) key using a symmetric
-   * wrapping key.
+   * Wraps (encrypts) an SPKI DER encoded encapsulation (public) key using a symmetric wrapping
+   * key. Note: Usually, a public key is - by definition - public, so this should not be
+   * used. The specific use-case for this function is to enable rotateable key sets, where
+   * the "public key" is not public, with the intent of preventing the server from being able
+   * to overwrite the user key unlocked by the rotateable keyset.
    */
-  static unwrap_decapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  static wrap_encapsulation_key(encapsulation_key: Uint8Array, wrapping_key: Uint8Array): string;
+  static symmetric_decrypt_bytes(enc_string: string, key: Uint8Array): Uint8Array;
   /**
-   * Encapsulates (encrypts) a symmetric key using an asymmetric encapsulation key (public key)
-   * in SPKI format, returning the encapsulated key as a string. Note: This is unsigned, so
-   * the sender's authenticity cannot be verified by the recipient.
+   * DEPRECATED: Only used by send keys
    */
-  static encapsulate_key_unsigned(shared_key: Uint8Array, encapsulation_key: Uint8Array): string;
+  static symmetric_encrypt_bytes(plain: Uint8Array, key: Uint8Array): string;
   /**
-   * Decapsulates (decrypts) a symmetric key using an decapsulation key (private key) in PKCS8
+   * Decapsulates (decrypts) a symmetric key using an decapsulation-key/private-key in PKCS8
    * DER format. Note: This is unsigned, so the sender's authenticity cannot be verified by the
    * recipient.
    */
@@ -2118,15 +3435,46 @@ export class PureCrypto {
     encapsulated_key: string,
     decapsulation_key: Uint8Array,
   ): Uint8Array;
+  /**
+   * Encapsulates (encrypts) a symmetric key using an public-key/encapsulation-key
+   * in SPKI format, returning the encapsulated key as a string. Note: This is unsigned, so
+   * the sender's authenticity cannot be verified by the recipient.
+   */
+  static encapsulate_key_unsigned(shared_key: Uint8Array, encapsulation_key: Uint8Array): string;
+  static symmetric_decrypt_string(enc_string: string, key: Uint8Array): string;
+  static symmetric_encrypt_string(plain: string, key: Uint8Array): string;
+  /**
+   * Unwraps (decrypts) a wrapped PKCS8 DER encoded decapsulation (private) key using a symmetric
+   * wrapping key.
+   */
+  static unwrap_decapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * Unwraps (decrypts) a wrapped SPKI DER encoded encapsulation (public) key using a symmetric
+   * wrapping key.
+   */
+  static unwrap_encapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  static symmetric_decrypt_filedata(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
+  static symmetric_encrypt_filedata(plain: Uint8Array, key: Uint8Array): Uint8Array;
+  static make_user_key_aes256_cbc_hmac(): Uint8Array;
   /**
    * Given a wrapped signing key and the symmetric key it is wrapped with, this returns
    * the corresponding verifying key.
    */
   static verifying_key_for_signing_key(signing_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * DEPRECATED: Use `symmetric_decrypt_filedata` instead.
+   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   */
+  static symmetric_decrypt_array_buffer(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
   /**
    * Returns the algorithm used for the given verifying key.
    */
   static key_algorithm_for_verifying_key(verifying_key: Uint8Array): SignatureAlgorithm;
+  static decrypt_user_key_with_master_key(
+    encrypted_user_key: string,
+    master_key: Uint8Array,
+  ): Uint8Array;
+  static make_user_key_xchacha20_poly1305(): Uint8Array;
   /**
    * For a given signing identity (verifying key), this function verifies that the signing
    * identity claimed ownership of the public key. This is a one-sided claim and merely shows
@@ -2137,14 +3485,47 @@ export class PureCrypto {
     signed_public_key: Uint8Array,
     verifying_key: Uint8Array,
   ): Uint8Array;
-  /**
-   * Derive output of the KDF for a [bitwarden_crypto::Kdf] configuration.
-   */
-  static derive_kdf_material(password: Uint8Array, salt: Uint8Array, kdf: Kdf): Uint8Array;
-  static decrypt_user_key_with_master_key(
+  static decrypt_user_key_with_master_password(
     encrypted_user_key: string,
-    master_key: Uint8Array,
+    master_password: string,
+    email: string,
+    kdf: Kdf,
   ): Uint8Array;
+  static encrypt_user_key_with_master_password(
+    user_key: Uint8Array,
+    master_password: string,
+    email: string,
+    kdf: Kdf,
+  ): string;
+}
+/**
+ * Client for initializing a user account.
+ */
+export class RegistrationClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server; enrolls in
+   * admin password reset and finally enrolls the user to TDE unlock.
+   */
+  post_keys_for_tde_registration(request: TdeRegistrationRequest): Promise<TdeRegistrationResponse>;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server;
+   * enrolls the user to master password unlock.
+   */
+  post_keys_for_jit_password_registration(
+    request: JitMasterPasswordRegistrationRequest,
+  ): Promise<JitMasterPasswordRegistrationResponse>;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server; enrolls the
+   * user to key connector unlock.
+   */
+  post_keys_for_key_connector_registration(
+    key_connector_url: string,
+    sso_org_identifier: string,
+    user_id: UserId,
+  ): Promise<KeyConnectorRegistrationResult>;
 }
 /**
  * The `SendAccessClient` is used to interact with the Bitwarden API to get send access tokens.
@@ -2152,25 +3533,120 @@ export class PureCrypto {
 export class SendAccessClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Requests a new send access token.
    */
   request_send_access_token(request: SendAccessTokenRequest): Promise<SendAccessTokenResponse>;
 }
+/**
+ * JavaScript wrapper for ServerCommunicationConfigClient
+ *
+ * This provides TypeScript access to the server communication configuration client,
+ * allowing clients to check bootstrap requirements and retrieve cookies for HTTP requests.
+ */
+export class ServerCommunicationConfigClient {
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Retrieves the server communication configuration for a hostname
+   *
+   * If no configuration exists, returns a default Direct bootstrap configuration.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   *
+   * # Errors
+   *
+   * Returns an error if the repository fails to retrieve the configuration.
+   */
+  getConfig(hostname: string): Promise<ServerCommunicationConfig>;
+  /**
+   * Acquires a cookie from the platform and saves it to the repository
+   *
+   * This method calls the platform API to trigger cookie acquisition (e.g., browser
+   * redirect to IdP), then validates and stores the acquired cookie in the repository.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   *
+   * # Errors
+   *
+   * Returns an error if:
+   * - Cookie acquisition was cancelled by the user
+   * - Server configuration doesn't support SSO cookies (Direct bootstrap)
+   * - Acquired cookie name doesn't match expected name
+   * - Repository operations fail
+   */
+  acquireCookie(hostname: string): Promise<void>;
+  /**
+   * Determines if cookie bootstrapping is needed for this hostname
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   */
+  needsBootstrap(hostname: string): Promise<boolean>;
+  /**
+   * Sets the server communication configuration for a hostname
+   *
+   * This method saves the provided communication configuration to the repository.
+   * Typically called when receiving the `/api/config` response from the server.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   * * `config` - The server communication configuration to store
+   *
+   * # Errors
+   *
+   * Returns an error if the repository save operation fails
+   */
+  setCommunicationType(hostname: string, config: ServerCommunicationConfig): Promise<void>;
+  /**
+   * Creates a new ServerCommunicationConfigClient with a JavaScript repository and platform API
+   *
+   * The repository should be backed by StateProvider (or equivalent
+   * storage mechanism) for persistence.
+   *
+   * # Arguments
+   *
+   * * `repository` - JavaScript implementation of the repository interface
+   * * `platform_api` - JavaScript implementation of the platform API interface
+   */
+  constructor(
+    repository: ServerCommunicationConfigRepository,
+    platform_api: ServerCommunicationConfigPlatformApi,
+  );
+  /**
+   * Returns all cookies that should be included in requests to this server
+   *
+   * Returns an array of [cookie_name, cookie_value] pairs.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   */
+  cookies(hostname: string): Promise<any>;
+}
 export class StateClient {
   private constructor();
   free(): void;
-  register_cipher_repository(cipher_repository: any): void;
-  register_folder_repository(store: any): void;
-  register_client_managed_repositories(repositories: Repositories): void;
+  [Symbol.dispose](): void;
   /**
    * Initialize the database for SDK managed repositories.
    */
   initialize_state(configuration: IndexedDbConfiguration): Promise<void>;
+  register_cipher_repository(cipher_repository: any): void;
+  register_folder_repository(store: any): void;
+  register_client_managed_repositories(repositories: Repositories): void;
 }
 export class TotpClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Generates a TOTP code from a provided key
    *
@@ -2183,27 +3659,54 @@ export class TotpClient {
    */
   generate_totp(key: string, time_ms?: number | null): TotpResponse;
 }
+/**
+ * Client for managing the cryptographic machinery of a user account, including key-rotation.
+ */
+export class UserCryptoManagementClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Rotates the user's encryption keys. The user must have a master-password.
+   */
+  rotate_user_keys(request: RotateUserKeysRequest): Promise<void>;
+  /**
+   * Fetches the organization public keys for V1 organization memberships for the user.
+   * These have to be trusted manually be the user before rotating.
+   */
+  get_untrusted_organization_public_keys(): Promise<V1OrganizationMembership[]>;
+  /**
+   * Fetches the emergency access public keys for V1 emergency access memberships for the user.
+   * These have to be trusted manually be the user before rotating.
+   */
+  get_untrusted_emergency_access_public_keys(): Promise<V1EmergencyAccessMembership[]>;
+}
 export class VaultClient {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Attachment related operations.
    */
   attachments(): AttachmentsClient;
   /**
-   * Cipher related operations.
+   * Cipher risk evaluation operations.
    */
-  ciphers(): CiphersClient;
+  cipher_risk(): CipherRiskClient;
   /**
-   * Folder related operations.
+   * Collection related operations.
    */
-  folders(): FoldersClient;
+  collections(): CollectionsClient;
   /**
    * TOTP related operations.
    */
   totp(): TotpClient;
   /**
-   * Collection related operations.
+   * Cipher related operations.
    */
-  collections(): CollectionsClient;
+  ciphers(): CiphersClient;
+  /**
+   * Folder related operations.
+   */
+  folders(): FoldersClient;
 }