@bitwarden/sdk-internal 0.2.0-main.444 → 0.2.0-main.446

package/bitwarden_wasm_internal.d.ts

@@ -180,9 +180,8 @@ export interface TokenProvider {
   get_access_token(): Promise<string | undefined>;
 }
 
-export interface Repositories {
-  cipher: Repository<Cipher> | null;
-  folder: Repository<Folder> | null;
+export interface IndexedDbConfiguration {
+  db_name: string;
 }
 
 /**
@@ -190,8 +189,9 @@ export interface Repositories {
  */
 export interface FeatureFlags extends Map<string, boolean> {}
 
-export interface IndexedDbConfiguration {
-  db_name: string;
+export interface Repositories {
+  cipher: Repository<Cipher> | null;
+  folder: Repository<Folder> | null;
 }
 
 /**
@@ -206,27 +206,27 @@ export interface SendEmailCredentials {
 }
 
 /**
- * The credentials used for send access requests.
- */
-export type SendAccessCredentials =
-  | SendPasswordCredentials
-  | SendEmailOtpCredentials
-  | SendEmailCredentials;
-
-/**
- * A request structure for requesting a send access token from the API.
+ * Credentials for getting a send access token using an email and OTP.
  */
-export interface SendAccessTokenRequest {
+export interface SendEmailOtpCredentials {
   /**
-   * The id of the send for which the access token is requested.
+   * The email address to which the OTP will be sent.
    */
-  sendId: string;
+  email: string;
   /**
-   * The optional send access credentials.
+   * The one-time password (OTP) that the user has received via email.
    */
-  sendAccessCredentials?: SendAccessCredentials;
+  otp: string;
 }
 
+/**
+ * The credentials used for send access requests.
+ */
+export type SendAccessCredentials =
+  | SendPasswordCredentials
+  | SendEmailOtpCredentials
+  | SendEmailCredentials;
+
 /**
  * Credentials for sending password secured access requests.
  * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
@@ -240,29 +240,19 @@ export interface SendPasswordCredentials {
 }
 
 /**
- * Credentials for getting a send access token using an email and OTP.
+ * A request structure for requesting a send access token from the API.
  */
-export interface SendEmailOtpCredentials {
+export interface SendAccessTokenRequest {
   /**
-   * The email address to which the OTP will be sent.
+   * The id of the send for which the access token is requested.
    */
-  email: string;
+  sendId: string;
   /**
-   * The one-time password (OTP) that the user has received via email.
+   * The optional send access credentials.
    */
-  otp: string;
+  sendAccessCredentials?: SendAccessCredentials;
 }
 
-/**
- * Any unexpected error that occurs when making requests to identity. This could be
- * local/transport/decoding failure from the HTTP client (DNS/TLS/connect/read timeout,
- * connection reset, or JSON decode failure on a success response) or non-2xx response with an
- * unexpected body or status. Used when decoding the server\'s error payload into
- * `SendAccessTokenApiErrorResponse` fails, or for 5xx responses where no structured error is
- * available.
- */
-export type UnexpectedIdentityError = string;
-
 /**
  * A send access token which can be used to access a send.
  */
@@ -286,14 +276,14 @@ export type SendAccessTokenError =
   | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
 
 /**
- * Invalid request errors - typically due to missing parameters.
+ * Any unexpected error that occurs when making requests to identity. This could be
+ * local/transport/decoding failure from the HTTP client (DNS/TLS/connect/read timeout,
+ * connection reset, or JSON decode failure on a success response) or non-2xx response with an
+ * unexpected body or status. Used when decoding the server\'s error payload into
+ * `SendAccessTokenApiErrorResponse` fails, or for 5xx responses where no structured error is
+ * available.
  */
-export type SendAccessTokenInvalidRequestError =
-  | "send_id_required"
-  | "password_hash_b64_required"
-  | "email_required"
-  | "email_and_otp_required_otp_sent"
-  | "unknown";
+export type UnexpectedIdentityError = string;
 
 /**
  * Invalid grant errors - typically due to invalid credentials.
@@ -306,6 +296,16 @@ export type SendAccessTokenInvalidGrantError =
   | "otp_generation_failed"
   | "unknown";
 
+/**
+ * Invalid request errors - typically due to missing parameters.
+ */
+export type SendAccessTokenInvalidRequestError =
+  | "send_id_required"
+  | "password_hash_b64_required"
+  | "email_required"
+  | "email_and_otp_required_otp_sent"
+  | "unknown";
+
 /**
  * Represents the possible, expected errors that can occur when requesting a send access token.
  */
@@ -326,6 +326,31 @@ export type SendAccessTokenApiErrorResponse =
   | { error: "invalid_scope"; error_description?: string }
   | { error: "invalid_target"; error_description?: string };
 
+/**
+ * Result of TDE registration process.
+ */
+export interface TdeRegistrationResponse {
+  /**
+   * The account cryptographic state of the user
+   */
+  account_cryptographic_state: WrappedAccountCryptographicState;
+  /**
+   * The device key
+   */
+  device_key: B64;
+  /**
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
+   */
+  user_key: B64;
+}
+
+export interface RegistrationError extends Error {
+  name: "RegistrationError";
+  variant: "Api" | "Crypto";
+}
+
+export function isRegistrationError(error: any): error is RegistrationError;
+
 /**
  * Request parameters for TDE (Trusted Device Encryption) registration.
  */
@@ -353,61 +378,36 @@ export interface TdeRegistrationRequest {
   trust_device: boolean;
 }
 
-export interface RegistrationError extends Error {
-  name: "RegistrationError";
-  variant: "Api" | "Crypto";
-}
-
-export function isRegistrationError(error: any): error is RegistrationError;
-
 /**
- * Result of TDE registration process.
+ * NewType wrapper for `CollectionId`
  */
-export interface TdeRegistrationResponse {
-  /**
-   * The account cryptographic state of the user
-   */
-  account_cryptographic_state: WrappedAccountCryptographicState;
-  /**
-   * The device key
-   */
-  device_key: B64;
-  /**
-   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
-   */
-  user_key: B64;
-}
+export type CollectionId = Tagged<Uuid, "CollectionId">;
 
 /**
- * NewType wrapper for `CollectionId`
+ * Type of collection
  */
-export type CollectionId = Tagged<Uuid, "CollectionId">;
+export type CollectionType = "SharedCollection" | "DefaultUserCollection";
 
-export interface Collection {
+export interface CollectionView {
   id: CollectionId | undefined;
   organizationId: OrganizationId;
-  name: EncString;
+  name: string;
   externalId: string | undefined;
   hidePasswords: boolean;
   readOnly: boolean;
   manage: boolean;
-  defaultUserCollectionEmail: string | undefined;
   type: CollectionType;
 }
 
-/**
- * Type of collection
- */
-export type CollectionType = "SharedCollection" | "DefaultUserCollection";
-
-export interface CollectionView {
+export interface Collection {
   id: CollectionId | undefined;
   organizationId: OrganizationId;
-  name: string;
+  name: EncString;
   externalId: string | undefined;
   hidePasswords: boolean;
   readOnly: boolean;
   manage: boolean;
+  defaultUserCollectionEmail: string | undefined;
   type: CollectionType;
 }
 
@@ -432,6 +432,15 @@ export interface MasterPasswordError extends Error {
 
 export function isMasterPasswordError(error: any): error is MasterPasswordError;
 
+/**
+ * Represents the data required to authenticate with the master password.
+ */
+export interface MasterPasswordAuthenticationData {
+  kdf: Kdf;
+  salt: string;
+  masterPasswordAuthenticationHash: B64;
+}
+
 /**
  * Represents the data required to unlock with the master password.
  */
@@ -450,15 +459,6 @@ export interface MasterPasswordUnlockData {
   salt: string;
 }
 
-/**
- * Represents the data required to authenticate with the master password.
- */
-export interface MasterPasswordAuthenticationData {
-  kdf: Kdf;
-  salt: string;
-  masterPasswordAuthenticationHash: B64;
-}
-
 /**
  * Any keys / cryptographic protection \"downstream\" from the account symmetric key (user key).
  * Private keys are protected by the user key.
@@ -490,43 +490,97 @@ export function isAccountCryptographyInitializationError(
 ): error is AccountCryptographyInitializationError;
 
 /**
- * Request for deriving a pin protected user key
+ * Response for the `make_keys_for_user_crypto_v2`, containing a set of keys for a user
  */
-export interface DerivePinKeyResponse {
+export interface UserCryptoV2KeysResponse {
   /**
-   * [UserKey] protected by PIN
+   * User key
    */
-  pinProtectedUserKey: EncString;
+  userKey: B64;
   /**
-   * PIN protected by [UserKey]
+   * Wrapped private key
    */
-  encryptedPin: EncString;
+  privateKey: EncString;
+  /**
+   * Public key
+   */
+  publicKey: B64;
+  /**
+   * The user\'s public key, signed by the signing key
+   */
+  signedPublicKey: SignedPublicKey;
+  /**
+   * Signing key, encrypted with the user\'s symmetric key
+   */
+  signingKey: EncString;
+  /**
+   * Base64 encoded verifying key
+   */
+  verifyingKey: B64;
+  /**
+   * The user\'s signed security state
+   */
+  securityState: SignedSecurityState;
+  /**
+   * The security state\'s version
+   */
+  securityVersion: number;
 }
 
 /**
- * Response from the `make_update_password` function
+ * Response from the `update_kdf` function
  */
-export interface UpdatePasswordResponse {
+export interface UpdateKdfResponse {
   /**
-   * Hash of the new password
+   * The authentication data for the new KDF setting
    */
-  passwordHash: B64;
+  masterPasswordAuthenticationData: MasterPasswordAuthenticationData;
   /**
-   * User key, encrypted with the new password
+   * The unlock data for the new KDF setting
    */
-  newKey: EncString;
+  masterPasswordUnlockData: MasterPasswordUnlockData;
+  /**
+   * The authentication data for the KDF setting prior to the change
+   */
+  oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData;
 }
 
 /**
- * Represents the request to initialize the user\'s organizational cryptographic state.
+ * Request for migrating an account from password to key connector.
  */
-export interface InitOrgCryptoRequest {
+export interface DeriveKeyConnectorRequest {
   /**
-   * The encryption keys for all the organizations the user is a part of
+   * Encrypted user key, used to validate the master key
    */
-  organizationKeys: Map<OrganizationId, UnsignedSharedKey>;
+  userKeyEncrypted: EncString;
+  /**
+   * The user\'s master password
+   */
+  password: string;
+  /**
+   * The KDF parameters used to derive the master key
+   */
+  kdf: Kdf;
+  /**
+   * The user\'s email address
+   */
+  email: string;
 }
 
+/**
+ * Auth requests supports multiple initialization methods.
+ */
+export type AuthRequestMethod =
+  | { userKey: { protected_user_key: UnsignedSharedKey } }
+  | { masterKey: { protected_master_key: UnsignedSharedKey; auth_request_key: EncString } };
+
+export interface DeriveKeyConnectorError extends Error {
+  name: "DeriveKeyConnectorError";
+  variant: "WrongPassword" | "Crypto";
+}
+
+export function isDeriveKeyConnectorError(error: any): error is DeriveKeyConnectorError;
+
 export interface MakeKeysError extends Error {
   name: "MakeKeysError";
   variant: "AccountCryptographyInitialization" | "RequestModelCreation" | "Crypto";
@@ -535,17 +589,17 @@ export interface MakeKeysError extends Error {
 export function isMakeKeysError(error: any): error is MakeKeysError;
 
 /**
- * Response from the `make_key_pair` function
+ * Request for deriving a pin protected user key
  */
-export interface MakeKeyPairResponse {
+export interface EnrollPinResponse {
   /**
-   * The user\'s public key
+   * [UserKey] protected by PIN
    */
-  userPublicKey: B64;
+  pinProtectedUserKeyEnvelope: PasswordProtectedKeyEnvelope;
   /**
-   * User\'s private key, encrypted with the user key
+   * PIN protected by [UserKey]
    */
-  userKeyEncryptedPrivateKey: EncString;
+  userKeyEncryptedPin: EncString;
 }
 
 /**
@@ -570,76 +624,17 @@ export type InitUserCryptoMethod =
 /**
  * Request for deriving a pin protected user key
  */
-export interface EnrollPinResponse {
+export interface DerivePinKeyResponse {
   /**
    * [UserKey] protected by PIN
    */
-  pinProtectedUserKeyEnvelope: PasswordProtectedKeyEnvelope;
+  pinProtectedUserKey: EncString;
   /**
    * PIN protected by [UserKey]
    */
-  userKeyEncryptedPin: EncString;
-}
-
-/**
- * Auth requests supports multiple initialization methods.
- */
-export type AuthRequestMethod =
-  | { userKey: { protected_user_key: UnsignedSharedKey } }
-  | { masterKey: { protected_master_key: UnsignedSharedKey; auth_request_key: EncString } };
-
-export interface EnrollAdminPasswordResetError extends Error {
-  name: "EnrollAdminPasswordResetError";
-  variant: "Crypto";
-}
-
-export function isEnrollAdminPasswordResetError(error: any): error is EnrollAdminPasswordResetError;
-
-/**
- * Response for the `make_keys_for_user_crypto_v2`, containing a set of keys for a user
- */
-export interface UserCryptoV2KeysResponse {
-  /**
-   * User key
-   */
-  userKey: B64;
-  /**
-   * Wrapped private key
-   */
-  privateKey: EncString;
-  /**
-   * Public key
-   */
-  publicKey: B64;
-  /**
-   * The user\'s public key, signed by the signing key
-   */
-  signedPublicKey: SignedPublicKey;
-  /**
-   * Signing key, encrypted with the user\'s symmetric key
-   */
-  signingKey: EncString;
-  /**
-   * Base64 encoded verifying key
-   */
-  verifyingKey: B64;
-  /**
-   * The user\'s signed security state
-   */
-  securityState: SignedSecurityState;
-  /**
-   * The security state\'s version
-   */
-  securityVersion: number;
-}
-
-export interface CryptoClientError extends Error {
-  name: "CryptoClientError";
-  variant: "NotAuthenticated" | "Crypto" | "InvalidKdfSettings" | "PasswordProtectedKeyEnvelope";
+  encryptedPin: EncString;
 }
 
-export function isCryptoClientError(error: any): error is CryptoClientError;
-
 /**
  * Response for `verify_asymmetric_keys`.
  */
@@ -654,53 +649,6 @@ export interface VerifyAsymmetricKeysResponse {
   validPrivateKey: boolean;
 }
 
-/**
- * Response from the `update_kdf` function
- */
-export interface UpdateKdfResponse {
-  /**
-   * The authentication data for the new KDF setting
-   */
-  masterPasswordAuthenticationData: MasterPasswordAuthenticationData;
-  /**
-   * The unlock data for the new KDF setting
-   */
-  masterPasswordUnlockData: MasterPasswordUnlockData;
-  /**
-   * The authentication data for the KDF setting prior to the change
-   */
-  oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData;
-}
-
-export interface DeriveKeyConnectorError extends Error {
-  name: "DeriveKeyConnectorError";
-  variant: "WrongPassword" | "Crypto";
-}
-
-export function isDeriveKeyConnectorError(error: any): error is DeriveKeyConnectorError;
-
-/**
- * Request for migrating an account from password to key connector.
- */
-export interface DeriveKeyConnectorRequest {
-  /**
-   * Encrypted user key, used to validate the master key
-   */
-  userKeyEncrypted: EncString;
-  /**
-   * The user\'s master password
-   */
-  password: string;
-  /**
-   * The KDF parameters used to derive the master key
-   */
-  kdf: Kdf;
-  /**
-   * The user\'s email address
-   */
-  email: string;
-}
-
 /**
  * Request for `verify_asymmetric_keys`.
  */
@@ -719,6 +667,13 @@ export interface VerifyAsymmetricKeysRequest {
   userKeyEncryptedPrivateKey: EncString;
 }
 
+export interface EnrollAdminPasswordResetError extends Error {
+  name: "EnrollAdminPasswordResetError";
+  variant: "Crypto";
+}
+
+export function isEnrollAdminPasswordResetError(error: any): error is EnrollAdminPasswordResetError;
+
 /**
  * State used for initializing the user cryptographic state.
  */
@@ -747,15 +702,60 @@ export interface InitUserCryptoRequest {
 }
 
 /**
- * NewType wrapper for `UserId`
+ * Represents the request to initialize the user\'s organizational cryptographic state.
  */
-export type UserId = Tagged<Uuid, "UserId">;
+export interface InitOrgCryptoRequest {
+  /**
+   * The encryption keys for all the organizations the user is a part of
+   */
+  organizationKeys: Map<OrganizationId, UnsignedSharedKey>;
+}
+
+/**
+ * Response from the `make_update_password` function
+ */
+export interface UpdatePasswordResponse {
+  /**
+   * Hash of the new password
+   */
+  passwordHash: B64;
+  /**
+   * User key, encrypted with the new password
+   */
+  newKey: EncString;
+}
+
+/**
+ * Response from the `make_key_pair` function
+ */
+export interface MakeKeyPairResponse {
+  /**
+   * The user\'s public key
+   */
+  userPublicKey: B64;
+  /**
+   * User\'s private key, encrypted with the user key
+   */
+  userKeyEncryptedPrivateKey: EncString;
+}
+
+export interface CryptoClientError extends Error {
+  name: "CryptoClientError";
+  variant: "NotAuthenticated" | "Crypto" | "InvalidKdfSettings" | "PasswordProtectedKeyEnvelope";
+}
+
+export function isCryptoClientError(error: any): error is CryptoClientError;
 
 /**
  * NewType wrapper for `OrganizationId`
  */
 export type OrganizationId = Tagged<Uuid, "OrganizationId">;
 
+/**
+ * NewType wrapper for `UserId`
+ */
+export type UserId = Tagged<Uuid, "UserId">;
+
 export interface StatefulCryptoError extends Error {
   name: "StatefulCryptoError";
   variant: "MissingSecurityState" | "WrongAccountCryptoVersion" | "Crypto";
@@ -763,6 +763,35 @@ export interface StatefulCryptoError extends Error {
 
 export function isStatefulCryptoError(error: any): error is StatefulCryptoError;
 
+export type DeviceType =
+  | "Android"
+  | "iOS"
+  | "ChromeExtension"
+  | "FirefoxExtension"
+  | "OperaExtension"
+  | "EdgeExtension"
+  | "WindowsDesktop"
+  | "MacOsDesktop"
+  | "LinuxDesktop"
+  | "ChromeBrowser"
+  | "FirefoxBrowser"
+  | "OperaBrowser"
+  | "EdgeBrowser"
+  | "IEBrowser"
+  | "UnknownBrowser"
+  | "AndroidAmazon"
+  | "UWP"
+  | "SafariBrowser"
+  | "VivaldiBrowser"
+  | "VivaldiExtension"
+  | "SafariExtension"
+  | "SDK"
+  | "Server"
+  | "WindowsCLI"
+  | "MacOsCLI"
+  | "LinuxCLI"
+  | "DuckDuckGoBrowser";
+
 /**
  * Basic client behavior settings. These settings specify the various targets and behavior of the
  * Bitwarden Client. They are optional and uneditable once the client is initialized.
@@ -815,35 +844,6 @@ export interface ClientSettings {
   bitwardenPackageType?: string | undefined;
 }
 
-export type DeviceType =
-  | "Android"
-  | "iOS"
-  | "ChromeExtension"
-  | "FirefoxExtension"
-  | "OperaExtension"
-  | "EdgeExtension"
-  | "WindowsDesktop"
-  | "MacOsDesktop"
-  | "LinuxDesktop"
-  | "ChromeBrowser"
-  | "FirefoxBrowser"
-  | "OperaBrowser"
-  | "EdgeBrowser"
-  | "IEBrowser"
-  | "UnknownBrowser"
-  | "AndroidAmazon"
-  | "UWP"
-  | "SafariBrowser"
-  | "VivaldiBrowser"
-  | "VivaldiExtension"
-  | "SafariExtension"
-  | "SDK"
-  | "Server"
-  | "WindowsCLI"
-  | "MacOsCLI"
-  | "LinuxCLI"
-  | "DuckDuckGoBrowser";
-
 export interface EncryptionSettingsError extends Error {
   name: "EncryptionSettingsError";
   variant:
@@ -1079,14 +1079,6 @@ export interface PasswordError extends Error {
 
 export function isPasswordError(error: any): error is PasswordError;
 
-export type UsernameGeneratorRequest =
-  | { word: { capitalize: boolean; include_number: boolean } }
-  | { subaddress: { type: AppendType; email: string } }
-  | { catchall: { type: AppendType; domain: string } }
-  | { forwarded: { service: ForwarderServiceType; website: string | undefined } };
-
-export type AppendType = "random" | { websiteName: { website: string } };
-
 export interface UsernameError extends Error {
   name: "UsernameError";
   variant: "InvalidApiKey" | "Unknown" | "ResponseContent" | "Reqwest";
@@ -1094,6 +1086,8 @@ export interface UsernameError extends Error {
 
 export function isUsernameError(error: any): error is UsernameError;
 
+export type AppendType = "random" | { websiteName: { website: string } };
+
 /**
  * Configures the email forwarding service to use.
  * For instructions on how to configure each service, see the documentation:
@@ -1107,6 +1101,12 @@ export type ForwarderServiceType =
   | { forwardEmail: { api_token: string; domain: string } }
   | { simpleLogin: { api_key: string; base_url: string } };
 
+export type UsernameGeneratorRequest =
+  | { word: { capitalize: boolean; include_number: boolean } }
+  | { subaddress: { type: AppendType; email: string } }
+  | { catchall: { type: AppendType; domain: string } }
+  | { forwarded: { service: ForwarderServiceType; website: string | undefined } };
+
 export interface ReceiveError extends Error {
   name: "ReceiveError";
   variant: "Channel" | "Timeout" | "Cancelled";
@@ -1168,13 +1168,6 @@ export type Endpoint =
   | "DesktopRenderer"
   | "DesktopMain";
 
-export interface SshKeyImportError extends Error {
-  name: "SshKeyImportError";
-  variant: "Parsing" | "PasswordRequired" | "WrongPassword" | "UnsupportedKeyType";
-}
-
-export function isSshKeyImportError(error: any): error is SshKeyImportError;
-
 export interface KeyGenerationError extends Error {
   name: "KeyGenerationError";
   variant: "KeyGeneration" | "KeyConversion";
@@ -1182,6 +1175,13 @@ export interface KeyGenerationError extends Error {
 
 export function isKeyGenerationError(error: any): error is KeyGenerationError;
 
+export interface SshKeyImportError extends Error {
+  name: "SshKeyImportError";
+  variant: "Parsing" | "PasswordRequired" | "WrongPassword" | "UnsupportedKeyType";
+}
+
+export function isSshKeyImportError(error: any): error is SshKeyImportError;
+
 export interface SshKeyExportError extends Error {
   name: "SshKeyExportError";
   variant: "KeyConversion";
@@ -1218,35 +1218,6 @@ export interface CipherRiskError extends Error {
 
 export function isCipherRiskError(error: any): error is CipherRiskError;
 
-/**
- * Options for configuring risk computation.
- */
-export interface CipherRiskOptions {
-  /**
-   * Pre-computed password reuse map (password → count).
-   * If provided, enables reuse detection across ciphers.
-   */
-  passwordMap?: PasswordReuseMap | undefined;
-  /**
-   * Whether to check passwords against Have I Been Pwned API.
-   * When true, makes network requests to check for exposed passwords.
-   */
-  checkExposed?: boolean;
-  /**
-   * Optional HIBP API base URL override. When None, uses the production HIBP URL.
-   * Can be used for testing or alternative password breach checking services.
-   */
-  hibpBaseUrl?: string | undefined;
-}
-
-/**
- * Result of checking password exposure via HIBP API.
- */
-export type ExposedPasswordResult =
-  | { type: "NotChecked" }
-  | { type: "Found"; value: number }
-  | { type: "Error"; value: string };
-
 /**
  * Risk evaluation result for a single cipher.
  */
@@ -1297,6 +1268,35 @@ export interface CipherLoginDetails {
  */
 export type PasswordReuseMap = Record<string, number>;
 
+/**
+ * Options for configuring risk computation.
+ */
+export interface CipherRiskOptions {
+  /**
+   * Pre-computed password reuse map (password → count).
+   * If provided, enables reuse detection across ciphers.
+   */
+  passwordMap?: PasswordReuseMap | undefined;
+  /**
+   * Whether to check passwords against Have I Been Pwned API.
+   * When true, makes network requests to check for exposed passwords.
+   */
+  checkExposed?: boolean;
+  /**
+   * Optional HIBP API base URL override. When None, uses the production HIBP URL.
+   * Can be used for testing or alternative password breach checking services.
+   */
+  hibpBaseUrl?: string | undefined;
+}
+
+/**
+ * Result of checking password exposure via HIBP API.
+ */
+export type ExposedPasswordResult =
+  | { type: "NotChecked" }
+  | { type: "Found"; value: number }
+  | { type: "Error"; value: string };
+
 export interface PasswordHistory {
   password: EncString;
   lastUsedDate: DateTime<Utc>;
@@ -1329,6 +1329,13 @@ export interface TotpResponse {
   period: number;
 }
 
+export interface DecryptError extends Error {
+  name: "DecryptError";
+  variant: "Crypto";
+}
+
+export function isDecryptError(error: any): error is DecryptError;
+
 export interface EncryptError extends Error {
   name: "EncryptError";
   variant: "Crypto" | "MissingUserId";
@@ -1336,13 +1343,18 @@ export interface EncryptError extends Error {
 
 export function isEncryptError(error: any): error is EncryptError;
 
-export interface DecryptError extends Error {
-  name: "DecryptError";
-  variant: "Crypto";
+export interface Attachment {
+  id: string | undefined;
+  url: string | undefined;
+  size: string | undefined;
+  /**
+   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
+   */
+  sizeName: string | undefined;
+  fileName: EncString | undefined;
+  key: EncString | undefined;
 }
 
-export function isDecryptError(error: any): error is DecryptError;
-
 export interface AttachmentView {
   id: string | undefined;
   url: string | undefined;
@@ -1365,18 +1377,6 @@ export interface AttachmentView {
   decryptedKey: string | undefined;
 }
 
-export interface Attachment {
-  id: string | undefined;
-  url: string | undefined;
-  size: string | undefined;
-  /**
-   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
-   */
-  sizeName: string | undefined;
-  fileName: EncString | undefined;
-  key: EncString | undefined;
-}
-
 export interface LocalDataView {
   lastUsedDate: DateTime<Utc> | undefined;
   lastLaunched: DateTime<Utc> | undefined;
@@ -1402,21 +1402,6 @@ export interface GetCipherError extends Error {
 
 export function isGetCipherError(error: any): error is GetCipherError;
 
-export interface EditCipherError extends Error {
-  name: "EditCipherError";
-  variant:
-    | "ItemNotFound"
-    | "Crypto"
-    | "Api"
-    | "VaultParse"
-    | "MissingField"
-    | "NotAuthenticated"
-    | "Repository"
-    | "Uuid";
-}
-
-export function isEditCipherError(error: any): error is EditCipherError;
-
 /**
  * Request to edit a cipher.
  */
@@ -1436,12 +1421,20 @@ export interface CipherEditRequest {
   key: EncString | undefined;
 }
 
-export interface CreateCipherError extends Error {
-  name: "CreateCipherError";
-  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated" | "Repository";
+export interface EditCipherError extends Error {
+  name: "EditCipherError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Repository"
+    | "Uuid";
 }
 
-export function isCreateCipherError(error: any): error is CreateCipherError;
+export function isEditCipherError(error: any): error is EditCipherError;
 
 /**
  * Request to add a cipher.
@@ -1457,6 +1450,13 @@ export interface CipherCreateRequest {
   fields: FieldView[];
 }
 
+export interface CreateCipherError extends Error {
+  name: "CreateCipherError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated" | "Repository";
+}
+
+export function isCreateCipherError(error: any): error is CreateCipherError;
+
 /**
  * Represents the inner data of a cipher view.
  */
@@ -1514,104 +1514,42 @@ export interface CardListView {
   brand: string | undefined;
 }
 
-export interface Field {
-  name: EncString | undefined;
-  value: EncString | undefined;
-  type: FieldType;
-  linkedId: LinkedIdType | undefined;
-}
-
-export interface FieldView {
-  name: string | undefined;
-  value: string | undefined;
-  type: FieldType;
-  linkedId: LinkedIdType | undefined;
-}
-
-export interface Fido2Credential {
-  credentialId: EncString;
-  keyType: EncString;
-  keyAlgorithm: EncString;
-  keyCurve: EncString;
-  keyValue: EncString;
-  rpId: EncString;
-  userHandle: EncString | undefined;
-  userName: EncString | undefined;
-  counter: EncString;
-  rpName: EncString | undefined;
-  userDisplayName: EncString | undefined;
-  discoverable: EncString;
-  creationDate: DateTime<Utc>;
-}
-
-export interface Login {
-  username: EncString | undefined;
-  password: EncString | undefined;
-  passwordRevisionDate: DateTime<Utc> | undefined;
-  uris: LoginUri[] | undefined;
-  totp: EncString | undefined;
-  autofillOnPageLoad: boolean | undefined;
-  fido2Credentials: Fido2Credential[] | undefined;
-}
-
-export interface LoginView {
-  username: string | undefined;
-  password: string | undefined;
-  passwordRevisionDate: DateTime<Utc> | undefined;
-  uris: LoginUriView[] | undefined;
-  totp: string | undefined;
-  autofillOnPageLoad: boolean | undefined;
-  fido2Credentials: Fido2Credential[] | undefined;
-}
-
-export interface LoginUri {
-  uri: EncString | undefined;
-  match: UriMatchType | undefined;
-  uriChecksum: EncString | undefined;
-}
-
-export interface Fido2CredentialFullView {
-  credentialId: string;
-  keyType: string;
-  keyAlgorithm: string;
-  keyCurve: string;
-  keyValue: string;
-  rpId: string;
-  userHandle: string | undefined;
-  userName: string | undefined;
-  counter: string;
-  rpName: string | undefined;
-  userDisplayName: string | undefined;
-  discoverable: string;
-  creationDate: DateTime<Utc>;
+export interface FieldView {
+  name: string | undefined;
+  value: string | undefined;
+  type: FieldType;
+  linkedId: LinkedIdType | undefined;
 }
 
-export interface LoginUriView {
-  uri: string | undefined;
-  match: UriMatchType | undefined;
-  uriChecksum: string | undefined;
+export interface Field {
+  name: EncString | undefined;
+  value: EncString | undefined;
+  type: FieldType;
+  linkedId: LinkedIdType | undefined;
 }
 
-export interface Fido2CredentialNewView {
+export interface Fido2CredentialView {
   credentialId: string;
   keyType: string;
   keyAlgorithm: string;
   keyCurve: string;
+  keyValue: EncString;
   rpId: string;
   userHandle: string | undefined;
   userName: string | undefined;
   counter: string;
   rpName: string | undefined;
   userDisplayName: string | undefined;
+  discoverable: string;
   creationDate: DateTime<Utc>;
 }
 
-export interface Fido2CredentialView {
+export interface Fido2CredentialFullView {
   credentialId: string;
   keyType: string;
   keyAlgorithm: string;
   keyCurve: string;
-  keyValue: EncString;
+  keyValue: string;
   rpId: string;
   userHandle: string | undefined;
   userName: string | undefined;
@@ -1642,6 +1580,68 @@ export interface Fido2CredentialListView {
   counter: string;
 }
 
+export interface LoginUriView {
+  uri: string | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: string | undefined;
+}
+
+export interface Fido2Credential {
+  credentialId: EncString;
+  keyType: EncString;
+  keyAlgorithm: EncString;
+  keyCurve: EncString;
+  keyValue: EncString;
+  rpId: EncString;
+  userHandle: EncString | undefined;
+  userName: EncString | undefined;
+  counter: EncString;
+  rpName: EncString | undefined;
+  userDisplayName: EncString | undefined;
+  discoverable: EncString;
+  creationDate: DateTime<Utc>;
+}
+
+export interface LoginUri {
+  uri: EncString | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: EncString | undefined;
+}
+
+export interface Fido2CredentialNewView {
+  credentialId: string;
+  keyType: string;
+  keyAlgorithm: string;
+  keyCurve: string;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  counter: string;
+  rpName: string | undefined;
+  userDisplayName: string | undefined;
+  creationDate: DateTime<Utc>;
+}
+
+export interface LoginView {
+  username: string | undefined;
+  password: string | undefined;
+  passwordRevisionDate: DateTime<Utc> | undefined;
+  uris: LoginUriView[] | undefined;
+  totp: string | undefined;
+  autofillOnPageLoad: boolean | undefined;
+  fido2Credentials: Fido2Credential[] | undefined;
+}
+
+export interface Login {
+  username: EncString | undefined;
+  password: EncString | undefined;
+  passwordRevisionDate: DateTime<Utc> | undefined;
+  uris: LoginUri[] | undefined;
+  totp: EncString | undefined;
+  autofillOnPageLoad: boolean | undefined;
+  fido2Credentials: Fido2Credential[] | undefined;
+}
+
 export interface CipherView {
   id: CipherId | undefined;
   organizationId: OrganizationId | undefined;
@@ -1684,41 +1684,6 @@ export interface EncryptionContext {
   cipher: Cipher;
 }
 
-export interface Cipher {
-  id: CipherId | undefined;
-  organizationId: OrganizationId | undefined;
-  folderId: FolderId | undefined;
-  collectionIds: CollectionId[];
-  /**
-   * More recent ciphers uses individual encryption keys to encrypt the other fields of the
-   * Cipher.
-   */
-  key: EncString | undefined;
-  name: EncString;
-  notes: EncString | undefined;
-  type: CipherType;
-  login: Login | undefined;
-  identity: Identity | undefined;
-  card: Card | undefined;
-  secureNote: SecureNote | undefined;
-  sshKey: SshKey | undefined;
-  favorite: boolean;
-  reprompt: CipherRepromptType;
-  organizationUseTotp: boolean;
-  edit: boolean;
-  permissions: CipherPermissions | undefined;
-  viewPassword: boolean;
-  localData: LocalData | undefined;
-  attachments: Attachment[] | undefined;
-  fields: Field[] | undefined;
-  passwordHistory: PasswordHistory[] | undefined;
-  creationDate: DateTime<Utc>;
-  deletedDate: DateTime<Utc> | undefined;
-  revisionDate: DateTime<Utc>;
-  archivedDate: DateTime<Utc> | undefined;
-  data: string | undefined;
-}
-
 export interface CipherError extends Error {
   name: "CipherError";
   variant:
@@ -1737,6 +1702,11 @@ export interface CipherError extends Error {
 
 export function isCipherError(error: any): error is CipherError;
 
+/**
+ * NewType wrapper for `CipherId`
+ */
+export type CipherId = Tagged<Uuid, "CipherId">;
+
 export interface CipherListView {
   id: CipherId | undefined;
   organizationId: OrganizationId | undefined;
@@ -1774,26 +1744,40 @@ export interface CipherListView {
   localData: LocalDataView | undefined;
 }
 
-/**
- * Available fields on a cipher and can be copied from a the list view in the UI.
- */
-export type CopyableCipherFields =
-  | "LoginUsername"
-  | "LoginPassword"
-  | "LoginTotp"
-  | "CardNumber"
-  | "CardSecurityCode"
-  | "IdentityUsername"
-  | "IdentityEmail"
-  | "IdentityPhone"
-  | "IdentityAddress"
-  | "SshKey"
-  | "SecureNotes";
-
-/**
- * NewType wrapper for `CipherId`
- */
-export type CipherId = Tagged<Uuid, "CipherId">;
+export interface Cipher {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
+  /**
+   * More recent ciphers uses individual encryption keys to encrypt the other fields of the
+   * Cipher.
+   */
+  key: EncString | undefined;
+  name: EncString;
+  notes: EncString | undefined;
+  type: CipherType;
+  login: Login | undefined;
+  identity: Identity | undefined;
+  card: Card | undefined;
+  secureNote: SecureNote | undefined;
+  sshKey: SshKey | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  localData: LocalData | undefined;
+  attachments: Attachment[] | undefined;
+  fields: Field[] | undefined;
+  passwordHistory: PasswordHistory[] | undefined;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  data: string | undefined;
+}
 
 /**
  * Represents the result of decrypting a list of ciphers.
@@ -1813,6 +1797,22 @@ export interface DecryptCipherListResult {
   failures: Cipher[];
 }
 
+/**
+ * Available fields on a cipher and can be copied from a the list view in the UI.
+ */
+export type CopyableCipherFields =
+  | "LoginUsername"
+  | "LoginPassword"
+  | "LoginTotp"
+  | "CardNumber"
+  | "CardSecurityCode"
+  | "IdentityUsername"
+  | "IdentityEmail"
+  | "IdentityPhone"
+  | "IdentityAddress"
+  | "SshKey"
+  | "SecureNotes";
+
 export type CipherListViewType =
   | { login: LoginListView }
   | "secureNote"
@@ -1820,34 +1820,34 @@ export type CipherListViewType =
   | "identity"
   | "sshKey";
 
-export interface SshKey {
+export interface SshKeyView {
   /**
    * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
    */
-  privateKey: EncString;
+  privateKey: string;
   /**
    * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
    */
-  publicKey: EncString;
+  publicKey: string;
   /**
    * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
    */
-  fingerprint: EncString;
+  fingerprint: string;
 }
 
-export interface SshKeyView {
+export interface SshKey {
   /**
    * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
    */
-  privateKey: string;
+  privateKey: EncString;
   /**
    * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
    */
-  publicKey: string;
+  publicKey: EncString;
   /**
    * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
    */
-  fingerprint: string;
+  fingerprint: EncString;
 }
 
 export interface Identity {
@@ -1894,11 +1894,10 @@ export interface IdentityView {
 
 export type LinkedIdType = LoginLinkedIdType | CardLinkedIdType | IdentityLinkedIdType;
 
-export interface FolderView {
-  id: FolderId | undefined;
-  name: string;
-  revisionDate: DateTime<Utc>;
-}
+/**
+ * NewType wrapper for `FolderId`
+ */
+export type FolderId = Tagged<Uuid, "FolderId">;
 
 export interface Folder {
   id: FolderId | undefined;
@@ -1906,10 +1905,11 @@ export interface Folder {
   revisionDate: DateTime<Utc>;
 }
 
-/**
- * NewType wrapper for `FolderId`
- */
-export type FolderId = Tagged<Uuid, "FolderId">;
+export interface FolderView {
+  id: FolderId | undefined;
+  name: string;
+  revisionDate: DateTime<Utc>;
+}
 
 export interface EditFolderError extends Error {
   name: "EditFolderError";
@@ -1925,13 +1925,6 @@ export interface EditFolderError extends Error {
 
 export function isEditFolderError(error: any): error is EditFolderError;
 
-export interface CreateFolderError extends Error {
-  name: "CreateFolderError";
-  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "Repository";
-}
-
-export function isCreateFolderError(error: any): error is CreateFolderError;
-
 /**
  * Request to add or edit a folder.
  */
@@ -1942,6 +1935,13 @@ export interface FolderAddEditRequest {
   name: string;
 }
 
+export interface CreateFolderError extends Error {
+  name: "CreateFolderError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "Repository";
+}
+
+export function isCreateFolderError(error: any): error is CreateFolderError;
+
 export interface GetFolderError extends Error {
   name: "GetFolderError";
   variant: "ItemNotFound" | "Crypto" | "Repository";