@bitwarden/sdk-internal 0.2.0-main.7 → 0.2.0-main.700

package/bitwarden_wasm_internal.d.ts

@@ -1,5 +1,3740 @@
 /* tslint:disable */
 /* eslint-disable */
+
+import { Tagged } from "type-fest";
+
+/**
+ * A string that **MUST** be a valid UUID.
+ *
+ * Never create or cast to this type directly, use the `uuid<T>()` function instead.
+ */
+export type Uuid = unknown;
+
+/**
+ * RFC3339 compliant date-time string.
+ * @typeParam T - Not used in JavaScript.
+ */
+export type DateTime<T = unknown> = string;
+
+/**
+ * UTC date-time string. Not used in JavaScript.
+ */
+export type Utc = unknown;
+
+/**
+ * An integer that is known not to equal zero.
+ */
+export type NonZeroU32 = number;
+
+export interface AccountCryptographyInitializationError extends Error {
+  name: "AccountCryptographyInitializationError";
+  variant:
+    | "WrongUserKeyType"
+    | "WrongUserKey"
+    | "CorruptData"
+    | "TamperedData"
+    | "KeyStoreAlreadyInitialized"
+    | "GenericCrypto";
+}
+
+export function isAccountCryptographyInitializationError(
+  error: any,
+): error is AccountCryptographyInitializationError;
+
+export interface AcquireCookieError extends Error {
+  name: "AcquireCookieError";
+  variant:
+    | "Cancelled"
+    | "UnsupportedConfiguration"
+    | "CookieNameMismatch"
+    | "RepositoryGetError"
+    | "RepositorySaveError";
+}
+
+export function isAcquireCookieError(error: any): error is AcquireCookieError;
+
+export interface AlreadyRunningError extends Error {
+  name: "AlreadyRunningError";
+}
+
+export function isAlreadyRunningError(error: any): error is AlreadyRunningError;
+
+export interface CallError extends Error {
+  name: "CallError";
+}
+
+export function isCallError(error: any): error is CallError;
+
+export interface ChannelError extends Error {
+  name: "ChannelError";
+}
+
+export function isChannelError(error: any): error is ChannelError;
+
+export interface CipherDeleteAttachmentError extends Error {
+  name: "CipherDeleteAttachmentError";
+  variant: "Api" | "Repository" | "MissingField" | "VaultParse";
+}
+
+export function isCipherDeleteAttachmentError(error: any): error is CipherDeleteAttachmentError;
+
+export interface CipherError extends Error {
+  name: "CipherError";
+  variant:
+    | "MissingField"
+    | "Crypto"
+    | "Decrypt"
+    | "Encrypt"
+    | "AttachmentsWithoutKeys"
+    | "OrganizationAlreadySet"
+    | "Repository"
+    | "Chrono"
+    | "SerdeJson"
+    | "Api";
+}
+
+export function isCipherError(error: any): error is CipherError;
+
+export interface CipherRiskError extends Error {
+  name: "CipherRiskError";
+  variant: "Reqwest";
+}
+
+export function isCipherRiskError(error: any): error is CipherRiskError;
+
+export interface CollectionDecryptError extends Error {
+  name: "CollectionDecryptError";
+  variant: "Crypto";
+}
+
+export function isCollectionDecryptError(error: any): error is CollectionDecryptError;
+
+export interface CreateCipherAdminError extends Error {
+  name: "CreateCipherAdminError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated";
+}
+
+export function isCreateCipherAdminError(error: any): error is CreateCipherAdminError;
+
+export interface CreateCipherError extends Error {
+  name: "CreateCipherError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "NotAuthenticated" | "Repository";
+}
+
+export function isCreateCipherError(error: any): error is CreateCipherError;
+
+export interface CreateFolderError extends Error {
+  name: "CreateFolderError";
+  variant: "Crypto" | "Api" | "VaultParse" | "MissingField" | "Repository";
+}
+
+export function isCreateFolderError(error: any): error is CreateFolderError;
+
+export interface CreateSendError extends Error {
+  name: "CreateSendError";
+  variant: "Api" | "Crypto" | "EmptyEmailList" | "MissingField" | "Repository" | "SendParse";
+}
+
+export function isCreateSendError(error: any): error is CreateSendError;
+
+export interface CryptoClientError extends Error {
+  name: "CryptoClientError";
+  variant:
+    | "NotAuthenticated"
+    | "Crypto"
+    | "InvalidKdfSettings"
+    | "PasswordProtectedKeyEnvelope"
+    | "InvalidPrfInput"
+    | "InvalidUpgradeToken"
+    | "UpgradeTokenRequired"
+    | "InvalidKeyType";
+}
+
+export function isCryptoClientError(error: any): error is CryptoClientError;
+
+export interface CryptoError extends Error {
+  name: "CryptoError";
+  variant:
+    | "Decrypt"
+    | "InvalidKey"
+    | "KeyDecrypt"
+    | "InvalidKeyLen"
+    | "InvalidUtf8String"
+    | "MissingKey"
+    | "MissingField"
+    | "MissingKeyId"
+    | "KeyOperationNotSupported"
+    | "ReadOnlyKeyStore"
+    | "InvalidKeyStoreOperation"
+    | "InsufficientKdfParameters"
+    | "EncString"
+    | "Rsa"
+    | "Fingerprint"
+    | "Argon"
+    | "ZeroNumber"
+    | "OperationNotSupported"
+    | "WrongKeyType"
+    | "WrongCoseKeyId"
+    | "InvalidNonceLength"
+    | "InvalidPadding"
+    | "Signature"
+    | "Encoding";
+}
+
+export function isCryptoError(error: any): error is CryptoError;
+
+export interface DatabaseError extends Error {
+  name: "DatabaseError";
+  variant: "UnsupportedConfiguration" | "ThreadBoundRunner" | "Serialization" | "JS" | "Internal";
+}
+
+export function isDatabaseError(error: any): error is DatabaseError;
+
+export interface DecryptError extends Error {
+  name: "DecryptError";
+  variant: "Crypto";
+}
+
+export function isDecryptError(error: any): error is DecryptError;
+
+export interface DecryptFileError extends Error {
+  name: "DecryptFileError";
+  variant: "Decrypt" | "Io";
+}
+
+export function isDecryptFileError(error: any): error is DecryptFileError;
+
+export interface DeleteAttachmentAdminError extends Error {
+  name: "DeleteAttachmentAdminError";
+  variant: "Api";
+}
+
+export function isDeleteAttachmentAdminError(error: any): error is DeleteAttachmentAdminError;
+
+export interface DeleteCipherAdminError extends Error {
+  name: "DeleteCipherAdminError";
+  variant: "Api";
+}
+
+export function isDeleteCipherAdminError(error: any): error is DeleteCipherAdminError;
+
+export interface DeleteCipherError extends Error {
+  name: "DeleteCipherError";
+  variant: "Api" | "Repository";
+}
+
+export function isDeleteCipherError(error: any): error is DeleteCipherError;
+
+export interface DeriveKeyConnectorError extends Error {
+  name: "DeriveKeyConnectorError";
+  variant: "WrongPassword" | "Crypto";
+}
+
+export function isDeriveKeyConnectorError(error: any): error is DeriveKeyConnectorError;
+
+export interface DeserializeError extends Error {
+  name: "DeserializeError";
+}
+
+export function isDeserializeError(error: any): error is DeserializeError;
+
+export interface EditCipherAdminError extends Error {
+  name: "EditCipherAdminError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Repository"
+    | "Uuid"
+    | "Decrypt";
+}
+
+export function isEditCipherAdminError(error: any): error is EditCipherAdminError;
+
+export interface EditCipherError extends Error {
+  name: "EditCipherError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Repository"
+    | "Uuid";
+}
+
+export function isEditCipherError(error: any): error is EditCipherError;
+
+export interface EditFolderError extends Error {
+  name: "EditFolderError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "VaultParse"
+    | "MissingField"
+    | "Repository"
+    | "Uuid";
+}
+
+export function isEditFolderError(error: any): error is EditFolderError;
+
+export interface EditSendError extends Error {
+  name: "EditSendError";
+  variant:
+    | "ItemNotFound"
+    | "Crypto"
+    | "Api"
+    | "EmptyEmailList"
+    | "MissingField"
+    | "Repository"
+    | "Uuid"
+    | "SendParse"
+    | "IdMismatch";
+}
+
+export function isEditSendError(error: any): error is EditSendError;
+
+export interface EncryptError extends Error {
+  name: "EncryptError";
+  variant: "Crypto" | "MissingUserId";
+}
+
+export function isEncryptError(error: any): error is EncryptError;
+
+export interface EncryptFileError extends Error {
+  name: "EncryptFileError";
+  variant: "Encrypt" | "Io";
+}
+
+export function isEncryptFileError(error: any): error is EncryptFileError;
+
+export interface EncryptionSettingsError extends Error {
+  name: "EncryptionSettingsError";
+  variant:
+    | "Crypto"
+    | "CryptoInitialization"
+    | "MissingPrivateKey"
+    | "UserIdAlreadySet"
+    | "WrongPin"
+    | "UserKeyStateUpdateFailed"
+    | "UserKeyStateRetrievalFailed"
+    | "InvalidUpgradeToken"
+    | "KeyConnectorRetrievalFailed"
+    | "LocalUserDataKeyInitFailed"
+    | "LocalUserDataKeyLoadFailed";
+}
+
+export function isEncryptionSettingsError(error: any): error is EncryptionSettingsError;
+
+export interface EnrollAdminPasswordResetError extends Error {
+  name: "EnrollAdminPasswordResetError";
+  variant: "Crypto";
+}
+
+export function isEnrollAdminPasswordResetError(error: any): error is EnrollAdminPasswordResetError;
+
+export interface ExportError extends Error {
+  name: "ExportError";
+  variant:
+    | "MissingField"
+    | "NotAuthenticated"
+    | "Csv"
+    | "Cxf"
+    | "Json"
+    | "EncryptedJson"
+    | "BitwardenCrypto"
+    | "Cipher";
+}
+
+export function isExportError(error: any): error is ExportError;
+
+export interface GetCipherError extends Error {
+  name: "GetCipherError";
+  variant: "ItemNotFound" | "Crypto" | "Repository";
+}
+
+export function isGetCipherError(error: any): error is GetCipherError;
+
+export interface GetFolderError extends Error {
+  name: "GetFolderError";
+  variant: "ItemNotFound" | "Crypto" | "Repository";
+}
+
+export function isGetFolderError(error: any): error is GetFolderError;
+
+export interface GetOrganizationCiphersAdminError extends Error {
+  name: "GetOrganizationCiphersAdminError";
+  variant: "Crypto" | "VaultParse" | "Api";
+}
+
+export function isGetOrganizationCiphersAdminError(
+  error: any,
+): error is GetOrganizationCiphersAdminError;
+
+export interface GetSendError extends Error {
+  name: "GetSendError";
+  variant: "ItemNotFound" | "Crypto" | "MissingField" | "Repository";
+}
+
+export function isGetSendError(error: any): error is GetSendError;
+
+export interface KeyGenerationError extends Error {
+  name: "KeyGenerationError";
+  variant: "KeyGeneration" | "KeyConversion";
+}
+
+export function isKeyGenerationError(error: any): error is KeyGenerationError;
+
+export interface MakeKeysError extends Error {
+  name: "MakeKeysError";
+  variant:
+    | "AccountCryptographyInitialization"
+    | "MasterPasswordDerivation"
+    | "RequestModelCreation"
+    | "Crypto";
+}
+
+export function isMakeKeysError(error: any): error is MakeKeysError;
+
+export interface MasterPasswordError extends Error {
+  name: "MasterPasswordError";
+  variant:
+    | "EncryptionKeyMalformed"
+    | "KdfMalformed"
+    | "InvalidKdfConfiguration"
+    | "MissingField"
+    | "Crypto"
+    | "WrongPassword";
+}
+
+export function isMasterPasswordError(error: any): error is MasterPasswordError;
+
+export interface MigrateToKeyConnectorError extends Error {
+  name: "MigrateToKeyConnectorError";
+  variant: "UserKeyNotAvailable" | "CryptoError" | "ApiError" | "KeyConnectorApiError";
+}
+
+export function isMigrateToKeyConnectorError(error: any): error is MigrateToKeyConnectorError;
+
+export interface PasswordError extends Error {
+  name: "PasswordError";
+  variant: "NoCharacterSetEnabled" | "InvalidLength";
+}
+
+export function isPasswordError(error: any): error is PasswordError;
+
+export interface PasswordLoginError extends Error {
+  name: "PasswordLoginError";
+  variant: "InvalidUsernameOrPassword" | "PasswordAuthenticationDataDerivation" | "Unknown";
+}
+
+export function isPasswordLoginError(error: any): error is PasswordLoginError;
+
+export interface PasswordPreloginError extends Error {
+  name: "PasswordPreloginError";
+  variant: "Api" | "Unknown";
+}
+
+export function isPasswordPreloginError(error: any): error is PasswordPreloginError;
+
+export interface ReceiveError extends Error {
+  name: "ReceiveError";
+  variant: "Channel" | "Timeout" | "Cancelled";
+}
+
+export function isReceiveError(error: any): error is ReceiveError;
+
+export interface RegistrationError extends Error {
+  name: "RegistrationError";
+  variant: "KeyConnectorApi" | "Api" | "Crypto";
+}
+
+export function isRegistrationError(error: any): error is RegistrationError;
+
+export interface RequestError extends Error {
+  name: "RequestError";
+  variant: "Subscribe" | "Receive" | "Timeout" | "Send" | "Rpc";
+}
+
+export function isRequestError(error: any): error is RequestError;
+
+export interface RestoreCipherAdminError extends Error {
+  name: "RestoreCipherAdminError";
+  variant: "Api" | "VaultParse" | "Crypto";
+}
+
+export function isRestoreCipherAdminError(error: any): error is RestoreCipherAdminError;
+
+export interface RestoreCipherError extends Error {
+  name: "RestoreCipherError";
+  variant: "Api" | "VaultParse" | "Repository" | "Crypto";
+}
+
+export function isRestoreCipherError(error: any): error is RestoreCipherError;
+
+export interface RotateCryptographyStateError extends Error {
+  name: "RotateCryptographyStateError";
+  variant: "KeyMissing" | "InvalidData";
+}
+
+export function isRotateCryptographyStateError(error: any): error is RotateCryptographyStateError;
+
+export interface RotateUserKeysError extends Error {
+  name: "RotateUserKeysError";
+  variant:
+    | "ApiError"
+    | "CryptoError"
+    | "InvalidPublicKey"
+    | "UntrustedKeyError"
+    | "UnimplementedKeyRotationMethod";
+}
+
+export function isRotateUserKeysError(error: any): error is RotateUserKeysError;
+
+export interface ServerCommunicationConfigRepositoryError extends Error {
+  name: "ServerCommunicationConfigRepositoryError";
+  variant: "GetError" | "SaveError";
+}
+
+export function isServerCommunicationConfigRepositoryError(
+  error: any,
+): error is ServerCommunicationConfigRepositoryError;
+
+export interface SshKeyExportError extends Error {
+  name: "SshKeyExportError";
+  variant: "KeyConversion";
+}
+
+export function isSshKeyExportError(error: any): error is SshKeyExportError;
+
+export interface SshKeyImportError extends Error {
+  name: "SshKeyImportError";
+  variant: "Parsing" | "PasswordRequired" | "WrongPassword" | "UnsupportedKeyType";
+}
+
+export function isSshKeyImportError(error: any): error is SshKeyImportError;
+
+export interface StateRegistryError extends Error {
+  name: "StateRegistryError";
+  variant: "DatabaseAlreadyInitialized" | "DatabaseNotInitialized" | "Database";
+}
+
+export function isStateRegistryError(error: any): error is StateRegistryError;
+
+export interface StatefulCryptoError extends Error {
+  name: "StatefulCryptoError";
+  variant: "MissingSecurityState" | "WrongAccountCryptoVersion" | "Crypto";
+}
+
+export function isStatefulCryptoError(error: any): error is StatefulCryptoError;
+
+export interface SubscribeError extends Error {
+  name: "SubscribeError";
+  variant: "NotStarted";
+}
+
+export function isSubscribeError(error: any): error is SubscribeError;
+
+export interface SyncError extends Error {
+  name: "SyncError";
+  variant: "NetworkError" | "DataError";
+}
+
+export function isSyncError(error: any): error is SyncError;
+
+export interface TestError extends Error {
+  name: "TestError";
+}
+
+export function isTestError(error: any): error is TestError;
+
+export interface TotpError extends Error {
+  name: "TotpError";
+  variant: "InvalidOtpauth" | "MissingSecret" | "Crypto";
+}
+
+export function isTotpError(error: any): error is TotpError;
+
+export interface TypedReceiveError extends Error {
+  name: "TypedReceiveError";
+  variant: "Channel" | "Timeout" | "Cancelled" | "Typing";
+}
+
+export function isTypedReceiveError(error: any): error is TypedReceiveError;
+
+export interface UsernameError extends Error {
+  name: "UsernameError";
+  variant: "InvalidApiKey" | "Unknown" | "ResponseContent" | "Reqwest";
+}
+
+export function isUsernameError(error: any): error is UsernameError;
+
+export type UnsignedSharedKey = Tagged<string, "UnsignedSharedKey">;
+
+/**
+ * @deprecated Use PasswordManagerClient instead
+ */
+export type BitwardenClient = PasswordManagerClient;
+
+/**
+ * Platform API interface for acquiring SSO cookies.
+ *
+ * Platform clients implement this interface to handle cookie acquisition
+ * through browser redirects or other platform-specific mechanisms.
+ */
+export interface ServerCommunicationConfigPlatformApi {
+  /**
+   * Acquires cookies using the provided vault URL.
+   *
+   * This typically involves redirecting to an IdP login page and extracting
+   * cookies from the load balancer response. For sharded cookies, returns
+   * multiple entries with names like "CookieName-0", "CookieName-1", etc.
+   *
+   * @param vaultUrl The full vault URL (e.g., "https://vault.bitwarden.com" or "https://localhost:8000")
+   * @returns An array of AcquiredCookie objects, or undefined if acquisition failed or was cancelled
+   */
+  acquireCookies(vaultUrl: string): Promise<AcquiredCookie[] | undefined>;
+}
+
+/**
+ * Repository interface for storing server communication configuration.
+ *
+ * Implementations use StateProvider (or equivalent storage mechanism) to
+ * persist configuration across sessions. The hostname is typically the vault
+ * server's hostname (e.g., "vault.acme.com").
+ */
+export interface ServerCommunicationConfigRepository {
+  /**
+   * Retrieves the server communication configuration for a given hostname.
+   *
+   * @param hostname The server hostname (e.g., "vault.acme.com")
+   * @returns The configuration if it exists, undefined otherwise
+   */
+  get(hostname: string): Promise<ServerCommunicationConfig | undefined>;
+
+  /**
+   * Saves the server communication configuration for a given hostname.
+   *
+   * @param hostname The server hostname (e.g., "vault.acme.com")
+   * @param config The configuration to store
+   */
+  save(hostname: string, config: ServerCommunicationConfig): Promise<void>;
+}
+
+export interface IpcCommunicationBackendSender {
+  send(message: OutgoingMessage): Promise<void>;
+}
+
+export interface IpcSessionRepository {
+  get(endpoint: Endpoint): Promise<any | undefined>;
+  save(endpoint: Endpoint, session: any): Promise<void>;
+  remove(endpoint: Endpoint): Promise<void>;
+}
+
+export interface Repository<T> {
+  get(id: string): Promise<T | null>;
+  list(): Promise<T[]>;
+  set(id: string, value: T): Promise<void>;
+  setBulk(values: [string, T][]): Promise<void>;
+  remove(id: string): Promise<void>;
+  removeBulk(keys: string[]): Promise<void>;
+  removeAll(): Promise<void>;
+}
+
+export interface TokenProvider {
+  get_access_token(): Promise<string | undefined>;
+}
+
+export type DataEnvelope = Tagged<string, "DataEnvelope">;
+
+export type EncString = Tagged<string, "EncString">;
+
+export type PasswordProtectedKeyEnvelope = Tagged<string, "PasswordProtectedKeyEnvelope">;
+
+export type PublicKey = Tagged<string, "PublicKey">;
+
+export type SignedPublicKey = Tagged<string, "SignedPublicKey">;
+
+export type SignedSecurityState = string;
+
+export type SymmetricKeyEnvelope = Tagged<string, "SymmetricKeyEnvelope">;
+
+/**
+ * A cookie acquired from the platform
+ *
+ * Represents a single cookie name/value pair as received from the browser or HTTP client.
+ * For sharded cookies (AWS ALB pattern), each shard is a separate `AcquiredCookie` with
+ * its own name including the `-{N}` suffix (e.g., `AWSELBAuthSessionCookie-0`).
+ */
+export interface AcquiredCookie {
+  /**
+   * Cookie name
+   *
+   * For sharded cookies, this includes the shard suffix (e.g., `AWSELBAuthSessionCookie-0`)
+   * For unsharded cookies, this is the cookie name without any suffix.
+   */
+  name: string;
+  /**
+   * Cookie value
+   */
+  value: string;
+}
+
+/**
+ * A persisted organization encryption key.
+ *
+ * Stored in a Repository keyed by [`OrganizationId`].
+ * The `org_id` is included in the struct so it can be recovered from `Repository::list()`.
+ */
+export interface OrganizationSharedKey {
+  /**
+   * The organization this key belongs to.
+   */
+  org_id: OrganizationId;
+  /**
+   * The organization\'s shared encryption key.
+   */
+  key: UnsignedSharedKey;
+}
+
+/**
+ * A request structure for requesting a send access token from the API.
+ */
+export interface SendAccessTokenRequest {
+  /**
+   * The id of the send for which the access token is requested.
+   */
+  sendId: string;
+  /**
+   * The optional send access credentials.
+   */
+  sendAccessCredentials?: SendAccessCredentials;
+}
+
+/**
+ * A send access token which can be used to access a send.
+ */
+export interface SendAccessTokenResponse {
+  /**
+   * The actual token string.
+   */
+  token: string;
+  /**
+   * The timestamp in milliseconds when the token expires.
+   */
+  expiresAt: number;
+}
+
+/**
+ * A set of keys where a given `DownstreamKey` is protected by an encrypted public/private
+ * key-pair. The `DownstreamKey` is used to encrypt/decrypt data, while the public/private key-pair
+ * is used to rotate the `DownstreamKey`.
+ *
+ * The `PrivateKey` is protected by an `UpstreamKey`, such as a `DeviceKey`, or `PrfKey`,
+ * and the `PublicKey` is protected by the `DownstreamKey`. This setup allows:
+ *
+ *   - Access to `DownstreamKey` by knowing the `UpstreamKey`
+ *   - Rotation to a `NewDownstreamKey` by knowing the current `DownstreamKey`, without needing
+ *     access to the `UpstreamKey`
+ */
+export interface RotateableKeySet {
+  /**
+   * `DownstreamKey` protected by encapsulation key
+   */
+  encapsulatedDownstreamKey: UnsignedSharedKey;
+  /**
+   * Encapsulation key protected by `DownstreamKey`
+   */
+  encryptedEncapsulationKey: EncString;
+  /**
+   * Decapsulation key protected by `UpstreamKey`
+   */
+  encryptedDecapsulationKey: EncString;
+}
+
+/**
+ * A single log event captured by the Flight Recorder.
+ */
+export interface FlightRecorderEvent {
+  /**
+   * Unix timestamp in milliseconds.
+   */
+  timestamp: number;
+  /**
+   * Log level (e.g. \"DEBUG\", \"INFO\", \"WARN\", \"ERROR\").
+   */
+  level: string;
+  /**
+   * Target module path (e.g. \"bitwarden_core::client\").
+   */
+  target: string;
+  /**
+   * Primary log message.
+   */
+  message: string;
+  /**
+   * Structured fields from the tracing event.
+   */
+  fields: Record<string, string>;
+}
+
+/**
+ * Active feature flags for the SDK.
+ */
+export interface FeatureFlags extends Map<string, boolean> {}
+
+/**
+ * Any keys / cryptographic protection \"downstream\" from the account symmetric key (user key).
+ * Private keys are protected by the user key.
+ */
+export type WrappedAccountCryptographicState =
+  | { V1: { private_key: EncString } }
+  | {
+      V2: {
+        private_key: EncString;
+        signed_public_key: SignedPublicKey | undefined;
+        signing_key: EncString;
+        security_state: SignedSecurityState;
+      };
+    };
+
+/**
+ * Any unexpected error that occurs when making requests to identity. This could be
+ * local/transport/decoding failure from the HTTP client (DNS/TLS/connect/read timeout,
+ * connection reset, or JSON decode failure on a success response) or non-2xx response with an
+ * unexpected body or status. Used when decoding the server\'s error payload into
+ * `SendAccessTokenApiErrorResponse` fails, or for 5xx responses where no structured error is
+ * available.
+ */
+export type UnexpectedIdentityError = string;
+
+/**
+ * Auth requests supports multiple initialization methods.
+ */
+export type AuthRequestMethod =
+  | { userKey: { protected_user_key: UnsignedSharedKey } }
+  | { masterKey: { protected_master_key: UnsignedSharedKey; auth_request_key: EncString } };
+
+/**
+ * Available fields on a cipher and can be copied from a the list view in the UI.
+ */
+export type CopyableCipherFields =
+  | "LoginUsername"
+  | "LoginPassword"
+  | "LoginTotp"
+  | "CardNumber"
+  | "CardSecurityCode"
+  | "IdentityUsername"
+  | "IdentityEmail"
+  | "IdentityPhone"
+  | "IdentityAddress"
+  | "SshKey"
+  | "SecureNotes";
+
+/**
+ * Base64 encoded data
+ *
+ * Is indifferent about padding when decoding, but always produces padding when encoding.
+ */
+export type B64 = string;
+
+/**
+ * Basic client behavior settings. These settings specify the various targets and behavior of the
+ * Bitwarden Client. They are optional and uneditable once the client is initialized.
+ *
+ * Defaults to
+ *
+ * ```
+ * # use bitwarden_core::{ClientSettings, DeviceType};
+ * let settings = ClientSettings {
+ *     identity_url: \"https://identity.bitwarden.com\".to_string(),
+ *     api_url: \"https://api.bitwarden.com\".to_string(),
+ *     user_agent: \"Bitwarden Rust-SDK\".to_string(),
+ *     device_type: DeviceType::SDK,
+ *     bitwarden_client_version: None,
+ *     bitwarden_package_type: None,
+ *     device_identifier: None,
+ * };
+ * let default = ClientSettings::default();
+ * ```
+ */
+export interface ClientSettings {
+  /**
+   * The identity url of the targeted Bitwarden instance. Defaults to `https://identity.bitwarden.com`
+   */
+  identityUrl?: string;
+  /**
+   * The api url of the targeted Bitwarden instance. Defaults to `https://api.bitwarden.com`
+   */
+  apiUrl?: string;
+  /**
+   * The user_agent to sent to Bitwarden. Defaults to `Bitwarden Rust-SDK`
+   */
+  userAgent?: string;
+  /**
+   * Device type to send to Bitwarden. Defaults to SDK
+   */
+  deviceType?: DeviceType;
+  /**
+   * Device identifier to send to Bitwarden. Optional for now in transition period.
+   */
+  deviceIdentifier?: string | undefined;
+  /**
+   * Bitwarden Client Version to send to Bitwarden. Optional for now in transition period.
+   */
+  bitwardenClientVersion?: string | undefined;
+  /**
+   * Bitwarden Package Type to send to Bitwarden. We should evaluate this field to see if it
+   * should be optional later.
+   */
+  bitwardenPackageType?: string | undefined;
+}
+
+/**
+ * Bootstrap configuration for server communication
+ */
+export type BootstrapConfig =
+  | { type: "direct" }
+  | ({ type: "ssoCookieVendor" } & SsoCookieVendorConfig);
+
+/**
+ * Bootstrap configuration variant for [`SetCommunicationTypeRequest`]
+ */
+export type BootstrapConfigRequest =
+  | { type: "direct" }
+  | ({ type: "ssoCookieVendor" } & SsoCookieVendorConfigRequest);
+
+/**
+ * Common login response model used across different login methods.
+ */
+export type LoginResponse = { Authenticated: LoginSuccessResponse };
+
+/**
+ * Configures the email forwarding service to use.
+ * For instructions on how to configure each service, see the documentation:
+ * <https://bitwarden.com/help/generator/#username-types>
+ */
+export type ForwarderServiceType =
+  | { addyIo: { api_token: string; domain: string; base_url: string } }
+  | { duckDuckGo: { token: string } }
+  | { firefox: { api_token: string } }
+  | { fastmail: { api_token: string } }
+  | { forwardEmail: { api_token: string; domain: string } }
+  | { simpleLogin: { api_key: string; base_url: string } };
+
+/**
+ * Credentials for getting a send access token using an email and OTP.
+ */
+export interface SendEmailOtpCredentials {
+  /**
+   * The email address to which the OTP will be sent.
+   */
+  email: string;
+  /**
+   * The one-time password (OTP) that the user has received via email.
+   */
+  otp: string;
+}
+
+/**
+ * Credentials for sending an OTP to the user\'s email address.
+ * This is used when the send requires email verification with an OTP.
+ */
+export interface SendEmailCredentials {
+  /**
+   * The email address to which the OTP will be sent.
+   */
+  email: string;
+}
+
+/**
+ * Credentials for sending password secured access requests.
+ * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
+ * struct.
+ */
+export interface SendPasswordCredentials {
+  /**
+   * A Base64-encoded hash of the password protecting the send.
+   */
+  passwordHashB64: string;
+}
+
+/**
+ * Describes the source of an incoming IPC message with per-variant metadata.
+ *
+ * `Source` mirrors [`Endpoint`] but carries additional context about the sender
+ * that the application layer needs for security decisions (e.g., checking `origin`
+ * for web sources). Use [`From<Source> for Endpoint`] to convert a source into an
+ * addressable endpoint (dropping the metadata).
+ */
+export type Source =
+  | { Web: { tab_id: number; document_id: string; origin: string } }
+  | { BrowserForeground: { id: number } }
+  | { BrowserBackground: { id: HostId } }
+  | "DesktopRenderer"
+  | "DesktopMain";
+
+/**
+ * Device information for login requests.
+ * This is common across all login mechanisms and describes the device
+ * making the authentication request.
+ */
+export interface LoginDeviceRequest {
+  /**
+   * The type of device making the login request
+   * Note: today, we already have the DeviceType on the ApiConfigurations
+   * but we do not have the other device fields so we will accept the device data at login time
+   * for now. In the future, we might refactor the unauthN client to instantiate with full
+   * device info which would deprecate this struct. However, using the device_type here
+   * allows us to avoid any timing issues in scenarios where the device type could change
+   * between client instantiation and login (unlikely but possible).
+   */
+  deviceType: DeviceType;
+  /**
+   * Unique identifier for the device
+   */
+  deviceIdentifier: string;
+  /**
+   * Human-readable name of the device
+   */
+  deviceName: string;
+  /**
+   * Push notification token for the device (only for mobile devices)
+   */
+  devicePushToken: string | undefined;
+}
+
+/**
+ * File-based send content
+ */
+export interface SendFile {
+  /**
+   * The file\'s ID
+   */
+  id: string | undefined;
+  /**
+   * The encrypted file name
+   */
+  fileName: EncString;
+  /**
+   * The file size in bytes as a string
+   */
+  size: string | undefined;
+  /**
+   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
+   */
+  sizeName: string | undefined;
+}
+
+/**
+ * Holds both V1 and V2 user keys, each wrapped by the other.
+ */
+export interface V2UpgradeToken {
+  /**
+   * V1 user key encrypted with V2 key (Cose_Encrypt0_B64 format)
+   */
+  wrapped_user_key_1: EncString;
+  /**
+   * V2 user key encrypted with V1 key (Aes256Cbc_HmacSha256_B64 format)
+   */
+  wrapped_user_key_2: EncString;
+}
+
+/**
+ * IPC destination/source endpoint for SDK clients.
+ *
+ * Endpoints are categorized by their role in the connection topology:
+ * - **Host endpoints** ([`HostId`]): Connection hubs that can be addressed relationally or
+ *   specifically. ([`BrowserBackground`](Endpoint::BrowserBackground))
+ * - **Leaf endpoints**: Addressed by transport-assigned IDs. ([`Web`](Endpoint::Web),
+ *   [`BrowserForeground`](Endpoint::BrowserForeground))
+ * - **Singleton endpoints**: Exactly one instance globally, no ID needed.
+ *   ([`DesktopMain`](Endpoint::DesktopMain), [`DesktopRenderer`](Endpoint::DesktopRenderer))
+ */
+export type Endpoint =
+  | { Web: { tab_id: number; document_id: string } }
+  | { BrowserForeground: { id: number } }
+  | { BrowserBackground: { id: HostId } }
+  | "DesktopRenderer"
+  | "DesktopMain";
+
+/**
+ * Identifies a host endpoint, one that manages connections for other endpoints.
+ *
+ * Host endpoints can be addressed relationally (when the sender has a direct connection
+ * and there is only one from their perspective) or by a specific transport-assigned ID
+ * (when distinguishing between multiple instances).
+ */
+export type HostId = "Own" | { Id: number };
+
+/**
+ * Indicates the authentication strategy to use when accessing a Send
+ */
+export type AuthType = "Email" | "Password" | "None";
+
+/**
+ * Invalid grant errors - typically due to invalid credentials.
+ */
+export type SendAccessTokenInvalidGrantError =
+  | "send_id_invalid"
+  | "password_hash_b64_invalid"
+  | "unknown";
+
+/**
+ * Invalid request errors - typically due to missing parameters.
+ */
+export type SendAccessTokenInvalidRequestError =
+  | "send_id_required"
+  | "password_hash_b64_required"
+  | "email_required"
+  | "email_and_otp_required"
+  | "unknown";
+
+/**
+ * Key Derivation Function for Bitwarden Account
+ *
+ * In Bitwarden accounts can use multiple KDFs to derive their master key from their password. This
+ * Enum represents all the possible KDFs.
+ */
+export type Kdf =
+  | { pBKDF2: { iterations: NonZeroU32 } }
+  | { argon2id: { iterations: NonZeroU32; memory: NonZeroU32; parallelism: NonZeroU32 } };
+
+/**
+ * Login cipher data needed for risk evaluation.
+ */
+export interface CipherLoginDetails {
+  /**
+   * Cipher ID to identify which cipher in results.
+   */
+  id: CipherId;
+  /**
+   * The decrypted password to evaluate.
+   */
+  password: string;
+  /**
+   * Username or email (login ciphers only have one field).
+   */
+  username: string | undefined;
+}
+
+/**
+ * Minimal CardView only including the needed details for list views
+ */
+export interface CardListView {
+  /**
+   * The brand of the card, e.g. Visa, Mastercard, etc.
+   */
+  brand: string | undefined;
+}
+
+/**
+ * Minimal field view for list/search operations.
+ * Contains only the fields needed for search indexing.
+ */
+export interface FieldListView {
+  /**
+   * Only populated if the field has a name.
+   */
+  name: string | undefined;
+  /**
+   * Only populated for [FieldType::Text] fields.
+   */
+  value: string | undefined;
+  /**
+   * The field type.
+   */
+  type: FieldType;
+}
+
+/**
+ * NewType wrapper for `CipherId`
+ */
+export type CipherId = Tagged<Uuid, "CipherId">;
+
+/**
+ * NewType wrapper for `CollectionId`
+ */
+export type CollectionId = Tagged<Uuid, "CollectionId">;
+
+/**
+ * NewType wrapper for `FolderId`
+ */
+export type FolderId = Tagged<Uuid, "FolderId">;
+
+/**
+ * NewType wrapper for `OrganizationId`
+ */
+export type OrganizationId = Tagged<Uuid, "OrganizationId">;
+
+/**
+ * NewType wrapper for `SendId`
+ */
+export type SendId = Tagged<Uuid, "SendId">;
+
+/**
+ * NewType wrapper for `UserId`
+ */
+export type UserId = Tagged<Uuid, "UserId">;
+
+/**
+ * Options for configuring risk computation.
+ */
+export interface CipherRiskOptions {
+  /**
+   * Pre-computed password reuse map (password → count).
+   * If provided, enables reuse detection across ciphers.
+   */
+  passwordMap?: PasswordReuseMap | undefined;
+  /**
+   * Whether to check passwords against Have I Been Pwned API.
+   * When true, makes network requests to check for exposed passwords.
+   */
+  checkExposed?: boolean;
+  /**
+   * Optional HIBP API base URL override. When None, uses the production HIBP URL.
+   * Can be used for testing or alternative password breach checking services.
+   */
+  hibpBaseUrl?: string | undefined;
+}
+
+/**
+ * Passphrase generator request options.
+ */
+export interface PassphraseGeneratorRequest {
+  /**
+   * Number of words in the generated passphrase.
+   * This value must be between 3 and 20.
+   */
+  numWords: number;
+  /**
+   * Character separator between words in the generated passphrase. The value cannot be empty.
+   */
+  wordSeparator: string;
+  /**
+   * When set to true, capitalize the first letter of each word in the generated passphrase.
+   */
+  capitalize: boolean;
+  /**
+   * When set to true, include a number at the end of one of the words in the generated
+   * passphrase.
+   */
+  includeNumber: boolean;
+}
+
+/**
+ * Password generator request options.
+ */
+export interface PasswordGeneratorRequest {
+  /**
+   * Include lowercase characters (a-z).
+   */
+  lowercase: boolean;
+  /**
+   * Include uppercase characters (A-Z).
+   */
+  uppercase: boolean;
+  /**
+   * Include numbers (0-9).
+   */
+  numbers: boolean;
+  /**
+   * Include special characters: ! @ # $ % ^ & *
+   */
+  special: boolean;
+  /**
+   * The length of the generated password.
+   * Note that the password length must be greater than the sum of all the minimums.
+   */
+  length: number;
+  /**
+   * When set to true, the generated password will not contain ambiguous characters.
+   * The ambiguous characters are: I, O, l, 0, 1
+   */
+  avoidAmbiguous: boolean;
+  /**
+   * The minimum number of lowercase characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if lowercase is false.
+   */
+  minLowercase: number | undefined;
+  /**
+   * The minimum number of uppercase characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if uppercase is false.
+   */
+  minUppercase: number | undefined;
+  /**
+   * The minimum number of numbers in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if numbers is false.
+   */
+  minNumber: number | undefined;
+  /**
+   * The minimum number of special characters in the generated password.
+   * When set, the value must be between 1 and 9. This value is ignored if special is false.
+   */
+  minSpecial: number | undefined;
+}
+
+/**
+ * Password reuse map wrapper for WASM compatibility.
+ */
+export type PasswordReuseMap = Record<string, number>;
+
+/**
+ * Public SDK request model for logging in via password
+ */
+export interface PasswordLoginRequest {
+  /**
+   * Common login request fields
+   */
+  loginRequest: LoginRequest;
+  /**
+   * User\'s email address
+   */
+  email: string;
+  /**
+   * User\'s master password
+   */
+  password: string;
+  /**
+   * Prelogin data required for password authentication
+   * (e.g., KDF configuration for deriving the master key)
+   */
+  preloginResponse: PasswordPreloginResponse;
+}
+
+/**
+ * Represents errors that can occur when requesting a send access token.
+ * It includes expected and unexpected API errors.
+ */
+export type SendAccessTokenError =
+  | { kind: "unexpected"; data: UnexpectedIdentityError }
+  | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
+
+/**
+ * Represents the PIN envelope in memory, when ephemeral PIN unlock is used.
+ */
+export interface EphemeralPinEnvelopeState {
+  pin_envelope: PasswordProtectedKeyEnvelope;
+}
+
+/**
+ * Represents the data required to authenticate with the master password.
+ */
+export interface MasterPasswordAuthenticationData {
+  kdf: Kdf;
+  salt: string;
+  masterPasswordAuthenticationHash: B64;
+}
+
+/**
+ * Represents the data required to unlock with the master password.
+ */
+export interface MasterPasswordUnlockData {
+  /**
+   * The key derivation function used to derive the master key
+   */
+  kdf: Kdf;
+  /**
+   * The master key wrapped user key
+   */
+  masterKeyWrappedUserKey: EncString;
+  /**
+   * The salt used in the KDF, typically the user\'s email
+   */
+  salt: string;
+}
+
+/**
+ * Represents the decrypted symmetric user-key of a user. This is held in ephemeral state of the
+ * client.
+ */
+export interface UserKeyState {
+  decrypted_user_key: B64;
+}
+
+/**
+ * Represents the inner data of a cipher view.
+ */
+export type CipherViewType =
+  | { login: LoginView }
+  | { card: CardView }
+  | { identity: IdentityView }
+  | { secureNote: SecureNoteView }
+  | { sshKey: SshKeyView };
+
+/**
+ * Represents the local user data key, wrapped by user key.
+ * This key is used to encrypt local user data (e.g., password generator history).
+ */
+export interface LocalUserDataKeyState {
+  wrapped_key: EncString;
+}
+
+/**
+ * Represents the possible, expected errors that can occur when requesting a send access token.
+ */
+export type SendAccessTokenApiErrorResponse =
+  | {
+      error: "invalid_request";
+      error_description?: string;
+      send_access_error_type?: SendAccessTokenInvalidRequestError;
+    }
+  | {
+      error: "invalid_grant";
+      error_description?: string;
+      send_access_error_type?: SendAccessTokenInvalidGrantError;
+    }
+  | { error: "invalid_client"; error_description?: string }
+  | { error: "unauthorized_client"; error_description?: string }
+  | { error: "unsupported_grant_type"; error_description?: string }
+  | { error: "invalid_scope"; error_description?: string }
+  | { error: "invalid_target"; error_description?: string };
+
+/**
+ * Represents the request to initialize the user\'s organizational cryptographic state.
+ */
+export interface InitOrgCryptoRequest {
+  /**
+   * The encryption keys for all the organizations the user is a part of
+   */
+  organizationKeys: Map<OrganizationId, UnsignedSharedKey>;
+}
+
+/**
+ * Represents the result of decrypting a list of ciphers.
+ *
+ * This struct contains two vectors: `successes` and `failures`.
+ * `successes` contains the decrypted `CipherListView` objects,
+ * while `failures` contains the original `Cipher` objects that failed to decrypt.
+ */
+export interface DecryptCipherListResult {
+  /**
+   * The decrypted `CipherListView` objects.
+   */
+  successes: CipherListView[];
+  /**
+   * The original `Cipher` objects that failed to decrypt.
+   */
+  failures: Cipher[];
+}
+
+/**
+ * Represents the result of decrypting a list of ciphers.
+ *
+ * This struct contains two vectors: `successes` and `failures`.
+ * `successes` contains the decrypted `CipherView` objects,
+ * while `failures` contains the original `Cipher` objects that failed to decrypt.
+ */
+export interface DecryptCipherResult {
+  /**
+   * The decrypted `CipherView` objects.
+   */
+  successes: CipherView[];
+  /**
+   * The original `Cipher` objects that failed to decrypt.
+   */
+  failures: Cipher[];
+}
+
+/**
+ * Represents the result of fetching and decrypting all ciphers for an organization.
+ *
+ * Contains the encrypted ciphers from the API alongside their decrypted list views.
+ */
+export interface ListOrganizationCiphersResult {
+  /**
+   * All encrypted ciphers returned from the API.
+   */
+  ciphers: Cipher[];
+  /**
+   * Successfully decrypted `CipherListView` objects.
+   */
+  listViews: CipherListView[];
+}
+
+/**
+ * Request for `verify_asymmetric_keys`.
+ */
+export interface VerifyAsymmetricKeysRequest {
+  /**
+   * The user\'s user key
+   */
+  userKey: B64;
+  /**
+   * The user\'s public key
+   */
+  userPublicKey: B64;
+  /**
+   * User\'s private key, encrypted with the user key
+   */
+  userKeyEncryptedPrivateKey: EncString;
+}
+
+/**
+ * Request for deriving a pin protected user key
+ */
+export interface DerivePinKeyResponse {
+  /**
+   * [UserKey] protected by PIN
+   */
+  pinProtectedUserKey: EncString;
+  /**
+   * PIN protected by [UserKey]
+   */
+  encryptedPin: EncString;
+}
+
+/**
+ * Request for deriving a pin protected user key
+ */
+export interface EnrollPinResponse {
+  /**
+   * [UserKey] protected by PIN
+   */
+  pinProtectedUserKeyEnvelope: PasswordProtectedKeyEnvelope;
+  /**
+   * PIN protected by [UserKey]
+   */
+  userKeyEncryptedPin: EncString;
+}
+
+/**
+ * Request for migrating an account from password to key connector.
+ */
+export interface DeriveKeyConnectorRequest {
+  /**
+   * Encrypted user key, used to validate the master key
+   */
+  userKeyEncrypted: EncString;
+  /**
+   * The user\'s master password
+   */
+  password: string;
+  /**
+   * The KDF parameters used to derive the master key
+   */
+  kdf: Kdf;
+  /**
+   * The user\'s email address
+   */
+  email: string;
+}
+
+/**
+ * Request model for creating a new Send.
+ */
+export interface SendAddRequest {
+  /**
+   * The name of the Send.
+   */
+  name: string;
+  /**
+   * Optional notes visible to the sender.
+   */
+  notes: string | undefined;
+  /**
+   * The type and content of the Send.
+   */
+  viewType: SendViewType;
+  /**
+   * Maximum number of times the Send can be accessed.
+   */
+  maxAccessCount: number | undefined;
+  /**
+   * Whether the Send is disabled and cannot be accessed.
+   */
+  disabled: boolean;
+  /**
+   * Whether to hide the sender\'s email from recipients.
+   */
+  hideEmail: boolean;
+  /**
+   * Date and time when the Send will be permanently deleted.
+   */
+  deletionDate: DateTime<Utc>;
+  /**
+   * Optional date and time when the Send expires and can no longer be accessed.
+   */
+  expirationDate: DateTime<Utc> | undefined;
+  /**
+   * Authentication method for accessing this Send.
+   */
+  auth: SendAuthType;
+}
+
+/**
+ * Request model for editing an existing Send.
+ */
+export interface SendEditRequest {
+  /**
+   * The name of the Send.
+   */
+  name: string;
+  /**
+   * Optional notes visible to the sender.
+   */
+  notes: string | undefined;
+  /**
+   * The type and content of the Send.
+   */
+  viewType: SendViewType;
+  /**
+   * Maximum number of times the Send can be accessed.
+   */
+  maxAccessCount: number | undefined;
+  /**
+   * Whether the Send is disabled and cannot be accessed.
+   */
+  disabled: boolean;
+  /**
+   * Whether to hide the sender\'s email from recipients.
+   */
+  hideEmail: boolean;
+  /**
+   * Date and time when the Send will be permanently deleted.
+   */
+  deletionDate: DateTime<Utc>;
+  /**
+   * Optional date and time when the Send expires and can no longer be accessed.
+   */
+  expirationDate: DateTime<Utc> | undefined;
+  /**
+   * Authentication method for accessing this Send.
+   */
+  auth: SendAuthType;
+}
+
+/**
+ * Request parameters for SSO JIT master password registration.
+ */
+export interface JitMasterPasswordRegistrationRequest {
+  /**
+   * Organization ID to enroll in
+   */
+  org_id: OrganizationId;
+  /**
+   * Organization\'s public key for encrypting the reset password key. This should be verified by
+   * the client and not verifying may compromise the security of the user\'s account.
+   */
+  org_public_key: B64;
+  /**
+   * Organization SSO identifier
+   */
+  organization_sso_identifier: string;
+  /**
+   * User ID for the account being initialized
+   */
+  user_id: UserId;
+  /**
+   * Salt for master password hashing, usually email
+   */
+  salt: string;
+  /**
+   * Master password for the account
+   */
+  master_password: string;
+  /**
+   * Optional hint for the master password
+   */
+  master_password_hint: string | undefined;
+  /**
+   * Should enroll user into admin password reset
+   */
+  reset_password_enroll: boolean;
+}
+
+/**
+ * Request parameters for TDE (Trusted Device Encryption) registration.
+ */
+export interface TdeRegistrationRequest {
+  /**
+   * Organization ID to enroll in
+   */
+  org_id: OrganizationId;
+  /**
+   * Organization\'s public key for encrypting the reset password key. This should be verified by
+   * the client and not verifying may compromise the security of the user\'s account.
+   */
+  org_public_key: B64;
+  /**
+   * User ID for the account being initialized
+   */
+  user_id: UserId;
+  /**
+   * Device identifier for TDE enrollment
+   */
+  device_identifier: string;
+  /**
+   * Whether to trust this device for TDE
+   */
+  trust_device: boolean;
+}
+
+/**
+ * Request to add a cipher.
+ */
+export interface CipherCreateRequest {
+  organizationId: OrganizationId | undefined;
+  collectionIds: CollectionId[];
+  folderId: FolderId | undefined;
+  name: string;
+  notes: string | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  type: CipherViewType;
+  fields: FieldView[];
+}
+
+/**
+ * Request to add or edit a folder.
+ */
+export interface FolderAddEditRequest {
+  /**
+   * The new name of the folder.
+   */
+  name: string;
+}
+
+/**
+ * Request to edit a cipher.
+ */
+export interface CipherEditRequest {
+  id: CipherId;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  name: string;
+  notes: string | undefined;
+  fields: FieldView[];
+  type: CipherViewType;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  attachments: AttachmentView[];
+  key: EncString | undefined;
+}
+
+/**
+ * Request to set server communication configuration for a hostname
+ *
+ * This is the input type for
+ * [`ServerCommunicationConfigClient::set_communication_type`](crate::ServerCommunicationConfigClient::set_communication_type).
+ * Unlike [`ServerCommunicationConfig`], this type does not include acquired cookies,
+ * since cookies are managed separately via
+ * [`ServerCommunicationConfigClient::acquire_cookie`](crate::ServerCommunicationConfigClient::acquire_cookie).
+ */
+export interface SetCommunicationTypeRequest {
+  /**
+   * Bootstrap configuration determining how to establish server communication
+   */
+  bootstrap: BootstrapConfigRequest;
+}
+
+/**
+ * Response containing the data required before password-based authentication
+ */
+export interface PasswordPreloginResponse {
+  /**
+   * The Key Derivation Function (KDF) configuration for the user
+   */
+  kdf: Kdf;
+  /**
+   * The salt used in the KDF process
+   */
+  salt: string;
+}
+
+/**
+ * Response for `verify_asymmetric_keys`.
+ */
+export interface VerifyAsymmetricKeysResponse {
+  /**
+   * Whether the user\'s private key was decryptable by the user key.
+   */
+  privateKeyDecryptable: boolean;
+  /**
+   * Whether the user\'s private key was a valid RSA key and matched the public key provided.
+   */
+  validPrivateKey: boolean;
+}
+
+/**
+ * Response for the `make_keys_for_user_crypto_v2`, containing a set of keys for a user
+ */
+export interface UserCryptoV2KeysResponse {
+  /**
+   * User key
+   */
+  userKey: B64;
+  /**
+   * Wrapped private key
+   */
+  privateKey: EncString;
+  /**
+   * Public key
+   */
+  publicKey: B64;
+  /**
+   * The user\'s public key, signed by the signing key
+   */
+  signedPublicKey: SignedPublicKey;
+  /**
+   * Signing key, encrypted with the user\'s symmetric key
+   */
+  signingKey: EncString;
+  /**
+   * Base64 encoded verifying key
+   */
+  verifyingKey: B64;
+  /**
+   * The user\'s signed security state
+   */
+  securityState: SignedSecurityState;
+  /**
+   * The security state\'s version
+   */
+  securityVersion: number;
+}
+
+/**
+ * Response from the `make_key_pair` function
+ */
+export interface MakeKeyPairResponse {
+  /**
+   * The user\'s public key
+   */
+  userPublicKey: B64;
+  /**
+   * User\'s private key, encrypted with the user key
+   */
+  userKeyEncryptedPrivateKey: EncString;
+}
+
+/**
+ * Response from the `make_update_password` function
+ */
+export interface UpdatePasswordResponse {
+  /**
+   * Hash of the new password
+   */
+  passwordHash: B64;
+  /**
+   * User key, encrypted with the new password
+   */
+  newKey: EncString;
+}
+
+/**
+ * Response from the `update_kdf` function
+ */
+export interface UpdateKdfResponse {
+  /**
+   * The authentication data for the new KDF setting
+   */
+  masterPasswordAuthenticationData: MasterPasswordAuthenticationData;
+  /**
+   * The unlock data for the new KDF setting
+   */
+  masterPasswordUnlockData: MasterPasswordUnlockData;
+  /**
+   * The authentication data for the KDF setting prior to the change
+   */
+  oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData;
+}
+
+/**
+ * Result of JIT master password registration process.
+ */
+export interface JitMasterPasswordRegistrationResponse {
+  /**
+   * The account cryptographic state of the user
+   */
+  account_cryptographic_state: WrappedAccountCryptographicState;
+  /**
+   * The master password unlock data
+   */
+  master_password_unlock: MasterPasswordUnlockData;
+  /**
+   * The decrypted user key.
+   */
+  user_key: B64;
+}
+
+/**
+ * Result of Key Connector registration process.
+ */
+export interface KeyConnectorRegistrationResult {
+  /**
+   * The account cryptographic state of the user.
+   */
+  account_cryptographic_state: WrappedAccountCryptographicState;
+  /**
+   * The key connector key used for unlocking.
+   */
+  key_connector_key: B64;
+  /**
+   * The encrypted user key, wrapped with the key connector key.
+   */
+  key_connector_key_wrapped_user_key: EncString;
+  /**
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
+   */
+  user_key: B64;
+}
+
+/**
+ * Result of TDE registration process.
+ */
+export interface TdeRegistrationResponse {
+  /**
+   * The account cryptographic state of the user
+   */
+  account_cryptographic_state: WrappedAccountCryptographicState;
+  /**
+   * The device key
+   */
+  device_key: B64;
+  /**
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
+   */
+  user_key: B64;
+}
+
+/**
+ * Result of checking password exposure via HIBP API.
+ */
+export type ExposedPasswordResult =
+  | { type: "NotChecked" }
+  | { type: "Found"; value: number }
+  | { type: "Error"; value: string };
+
+/**
+ * Risk evaluation result for a single cipher.
+ */
+export interface CipherRiskResult {
+  /**
+   * Cipher ID matching the input CipherLoginDetails.
+   */
+  id: CipherId;
+  /**
+   * Password strength score from 0 (weakest) to 4 (strongest).
+   * Calculated using zxcvbn with cipher-specific context.
+   */
+  password_strength: number;
+  /**
+   * Result of checking password exposure via HIBP API.
+   * - `NotChecked`: check_exposed was false, or password was empty
+   * - `Found(n)`: Successfully checked, found in n breaches
+   * - `Error(msg)`: HIBP API request failed for this cipher with the given error message
+   */
+  exposed_result: ExposedPasswordResult;
+  /**
+   * Number of times this password appears in the provided password_map.
+   * None if not found or if no password_map was provided.
+   */
+  reuse_count: number | undefined;
+}
+
+/**
+ * SDK domain model for Key Connector user decryption option.
+ */
+export interface KeyConnectorUserDecryptionOption {
+  /**
+   * URL of the Key Connector server to use for decryption.
+   */
+  keyConnectorUrl: string;
+}
+
+/**
+ * SDK domain model for Trusted Device user decryption option.
+ */
+export interface TrustedDeviceUserDecryptionOption {
+  /**
+   * Whether the user has admin approval for device login.
+   */
+  hasAdminApproval: boolean;
+  /**
+   * Whether the user has a device that can approve logins.
+   */
+  hasLoginApprovingDevice: boolean;
+  /**
+   * Whether the user has permission to manage password reset for other users.
+   */
+  hasManageResetPasswordPermission: boolean;
+  /**
+   * Whether the user is in TDE offboarding.
+   */
+  isTdeOffboarding: boolean;
+  /**
+   * The device key encrypted device private key. Only present if the device is trusted.
+   */
+  encryptedPrivateKey?: EncString;
+  /**
+   * The device private key encrypted user key. Only present if the device is trusted.
+   */
+  encryptedUserKey?: UnsignedSharedKey;
+}
+
+/**
+ * SDK domain model for WebAuthn PRF user decryption option.
+ */
+export interface WebAuthnPrfUserDecryptionOption {
+  /**
+   * PRF key encrypted private key
+   */
+  encryptedPrivateKey: EncString;
+  /**
+   * Public Key encrypted user key
+   */
+  encryptedUserKey: UnsignedSharedKey;
+  /**
+   * Credential ID for this WebAuthn PRF credential.
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
+   */
+  credentialId: string | undefined;
+  /**
+   * Transport methods available for this credential (e.g., \"usb\", \"nfc\", \"ble\", \"internal\",
+   * \"hybrid\").
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
+   */
+  transports: string[] | undefined;
+}
+
+/**
+ * SDK domain model for master password policy requirements.
+ * Defines the complexity requirements for a user\'s master password
+ * when enforced by an organization policy.
+ */
+export interface MasterPasswordPolicyResponse {
+  /**
+   * The minimum complexity score required for the master password.
+   * Complexity is calculated based on password strength metrics.
+   */
+  minComplexity?: number;
+  /**
+   * The minimum length required for the master password.
+   */
+  minLength?: number;
+  /**
+   * Whether the master password must contain at least one lowercase letter.
+   */
+  requireLower?: boolean;
+  /**
+   * Whether the master password must contain at least one uppercase letter.
+   */
+  requireUpper?: boolean;
+  /**
+   * Whether the master password must contain at least one numeric digit.
+   */
+  requireNumbers?: boolean;
+  /**
+   * Whether the master password must contain at least one special character.
+   */
+  requireSpecial?: boolean;
+  /**
+   * Whether this policy should be enforced when the user logs in.
+   * If true, the user will be required to update their master password
+   * if it doesn\'t meet the policy requirements.
+   */
+  enforceOnLogin?: boolean;
+}
+
+/**
+ * SDK domain model for user decryption options.
+ * Provides the various methods available to unlock a user\'s vault.
+ */
+export interface UserDecryptionOptionsResponse {
+  /**
+   * Master password unlock option. None if user doesn\'t have a master password.
+   */
+  masterPasswordUnlock?: MasterPasswordUnlockData;
+  /**
+   * Trusted Device decryption option.
+   */
+  trustedDeviceOption?: TrustedDeviceUserDecryptionOption;
+  /**
+   * Key Connector decryption option.
+   * Mutually exclusive with Trusted Device option.
+   */
+  keyConnectorOption?: KeyConnectorUserDecryptionOption;
+  /**
+   * WebAuthn PRF decryption option.
+   */
+  webauthnPrfOption?: WebAuthnPrfUserDecryptionOption;
+}
+
+/**
+ * SDK response model for a successful login.
+ * This is the model that will be exposed to consuming applications.
+ */
+export interface LoginSuccessResponse {
+  /**
+   * The access token string.
+   */
+  accessToken: string;
+  /**
+   * The duration in seconds until the token expires.
+   */
+  expiresIn: number;
+  /**
+   * The timestamp in milliseconds when the token expires.
+   * We calculate this for more convenient token expiration handling.
+   */
+  expiresAt: number;
+  /**
+   * The scope of the access token.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-3.3>
+   */
+  scope: string;
+  /**
+   * The type of the token.
+   * This will be \"Bearer\" for send access tokens.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-7.1>
+   */
+  tokenType: string;
+  /**
+   * The optional refresh token string.
+   * This token can be used to obtain new access tokens when the current one expires.
+   */
+  refreshToken: string | undefined;
+  /**
+   * The user key wrapped user private key.
+   * Note: previously known as \"private_key\".
+   */
+  userKeyWrappedUserPrivateKey: string | undefined;
+  /**
+   * Two-factor authentication token for future requests.
+   */
+  twoFactorToken: string | undefined;
+  /**
+   * Indicates whether an admin has reset the user\'s master password,
+   * requiring them to set a new password upon next login.
+   */
+  forcePasswordReset: boolean | undefined;
+  /**
+   * Indicates whether the user uses Key Connector and if the client should have a locally
+   * configured Key Connector URL in their environment.
+   * Note: This is currently only applicable for client_credential grant type logins and
+   * is only expected to be relevant for the CLI
+   */
+  apiUseKeyConnector: boolean | undefined;
+  /**
+   * The user\'s decryption options for unlocking their vault.
+   */
+  userDecryptionOptions: UserDecryptionOptionsResponse;
+  /**
+   * If the user is subject to an organization master password policy,
+   * this field contains the requirements of that policy.
+   */
+  masterPasswordPolicy: MasterPasswordPolicyResponse | undefined;
+}
+
+/**
+ * SSO cookie vendor configuration
+ *
+ * This configuration is provided by the server.
+ */
+export interface SsoCookieVendorConfig {
+  /**
+   * Identity provider login URL for browser redirect during bootstrap
+   */
+  idpLoginUrl: string | undefined;
+  /**
+   * Cookie name (base name, without shard suffix)
+   */
+  cookieName: string | undefined;
+  /**
+   * Cookie domain for validation
+   */
+  cookieDomain: string | undefined;
+  /**
+   * Vault URL for cookie acquisition redirect
+   *
+   * This is the full vault URL (scheme + host + port) where the browser
+   * should be redirected for SSO cookie acquisition.
+   */
+  vaultUrl: string | undefined;
+  /**
+   * Acquired cookies
+   *
+   * For sharded cookies, this contains multiple entries with names like
+   * `AWSELBAuthSessionCookie-0`, `AWSELBAuthSessionCookie-1`, etc.
+   * For unsharded cookies, this contains a single entry with the base name.
+   */
+  cookieValue: AcquiredCookie[] | undefined;
+}
+
+/**
+ * SSO cookie vendor configuration for [`SetCommunicationTypeRequest`]
+ *
+ * Contains the server-provided configuration fields without acquired cookies.
+ */
+export interface SsoCookieVendorConfigRequest {
+  /**
+   * Identity provider login URL for browser redirect during bootstrap
+   */
+  idpLoginUrl: string | undefined;
+  /**
+   * Cookie name (base name, without shard suffix)
+   */
+  cookieName: string | undefined;
+  /**
+   * Cookie domain for validation
+   */
+  cookieDomain: string | undefined;
+  /**
+   * Vault URL for cookie acquisition redirect
+   *
+   * This is the full vault URL (scheme + host + port) where the browser
+   * should be redirected for SSO cookie acquisition.
+   */
+  vaultUrl: string | undefined;
+}
+
+/**
+ * Server communication configuration
+ */
+export interface ServerCommunicationConfig {
+  /**
+   * Bootstrap configuration determining how to establish server communication
+   */
+  bootstrap: BootstrapConfig;
+}
+
+/**
+ * State used for initializing the user cryptographic state.
+ */
+export interface InitUserCryptoRequest {
+  /**
+   * The user\'s ID.
+   */
+  userId: UserId | undefined;
+  /**
+   * The user\'s KDF parameters, as received from the prelogin request
+   */
+  kdfParams: Kdf;
+  /**
+   * The user\'s email address
+   */
+  email: string;
+  /**
+   * The user\'s account cryptographic state, containing their signature and
+   * public-key-encryption keys, along with the signed security state, protected by the user key
+   */
+  accountCryptographicState: WrappedAccountCryptographicState;
+  /**
+   * The method to decrypt the user\'s account symmetric key (user key)
+   */
+  method: InitUserCryptoMethod;
+  /**
+   * Optional V2 upgrade token for automatic key rotation from V1 to V2
+   */
+  upgradeToken?: V2UpgradeToken;
+}
+
+/**
+ * Temporary struct to hold metadata related to current account
+ *
+ * Eventually the SDK itself should have this state and we get rid of this struct.
+ */
+export interface Account {
+  id: Uuid;
+  email: string;
+  name: string | undefined;
+}
+
+/**
+ * Text-based send content
+ */
+export interface SendText {
+  text: EncString | undefined;
+  hidden: boolean;
+}
+
+/**
+ * The common bucket of login fields to be re-used across all login mechanisms
+ * (e.g., password, SSO, etc.). This will include handling client_id and 2FA.
+ */
+export interface LoginRequest {
+  /**
+   * OAuth client identifier
+   */
+  clientId: string;
+  /**
+   * Device information for this login request
+   */
+  device: LoginDeviceRequest;
+}
+
+/**
+ * The credentials used for send access requests.
+ */
+export type SendAccessCredentials =
+  | SendPasswordCredentials
+  | SendEmailOtpCredentials
+  | SendEmailCredentials;
+
+/**
+ * The crypto method used to initialize the user cryptographic state.
+ */
+export type InitUserCryptoMethod =
+  | { masterPasswordUnlock: { password: string; master_password_unlock: MasterPasswordUnlockData } }
+  | { clientManagedState: {} }
+  | { decryptedKey: { decrypted_user_key: string } }
+  | { pin: { pin: string; pin_protected_user_key: EncString } }
+  | { pinEnvelope: { pin: string; pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope } }
+  | { authRequest: { request_private_key: B64; method: AuthRequestMethod } }
+  | {
+      deviceKey: {
+        device_key: string;
+        protected_device_private_key: EncString;
+        device_protected_user_key: UnsignedSharedKey;
+      };
+    }
+  | { keyConnector: { master_key: B64; user_key: EncString } }
+  | { keyConnectorUrl: { url: string; key_connector_key_wrapped_user_key: EncString } };
+
+/**
+ * The data necessary to re-share the user-key to a V1 emergency access membership. Note: The
+ * Public-key must be verified/trusted. Further, there is no sender authentication possible here.
+ */
+export interface V1EmergencyAccessMembership {
+  id: Uuid;
+  grantee_id: Uuid;
+  name: string;
+  public_key: PublicKey;
+}
+
+/**
+ * The data necessary to re-share the user-key to a V1 organization membership. Note: The
+ * Public-key must be verified/trusted. Further, there is no sender authentication possible here.
+ */
+export interface V1OrganizationMembership {
+  organization_id: Uuid;
+  name: string;
+  public_key: PublicKey;
+}
+
+/**
+ * The response to a discover/ping request.
+ */
+export interface DiscoverResponse {
+  /**
+   * The version of the client that responded to the discover request.
+   */
+  version: string;
+}
+
+/**
+ * The type of Send, either text or file
+ */
+export type SendType = "Text" | "File";
+
+/**
+ * The type of key / signature scheme used for signing and verifying.
+ */
+export type SignatureAlgorithm = "ed25519" | "mlDsa44";
+
+/**
+ * Type of collection
+ */
+export type CollectionType = "SharedCollection" | "DefaultUserCollection";
+
+/**
+ * Type-safe authentication method for a Send, including the authentication data.
+ * This ensures that password and email authentication are mutually exclusive.
+ */
+export type SendAuthType =
+  | { type: "none" }
+  | { type: "password"; password: string }
+  | { type: "emails"; emails: string[] };
+
+/**
+ * View model for decrypted Send type
+ */
+export type SendViewType = { File: SendFileView } | { Text: SendTextView };
+
+/**
+ * View model for decrypted SendFile
+ */
+export interface SendFileView {
+  /**
+   * The file\'s ID
+   */
+  id: string | undefined;
+  /**
+   * The file name
+   */
+  fileName: string;
+  /**
+   * The file size in bytes as a string
+   */
+  size: string | undefined;
+  /**
+   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
+   */
+  sizeName: string | undefined;
+}
+
+/**
+ * View model for decrypted SendText
+ */
+export interface SendTextView {
+  /**
+   * The text content of the send
+   */
+  text: string | undefined;
+  /**
+   * Whether the text is hidden-by-default (masked as ********).
+   */
+  hidden: boolean;
+}
+
+export interface AncestorMap {
+  ancestors: Map<CollectionId, string>;
+}
+
+export interface Attachment {
+  id: string | undefined;
+  url: string | undefined;
+  size: string | undefined;
+  /**
+   * Readable size, ex: \"4.2 KB\" or \"1.43 GB\
+   */
+  sizeName: string | undefined;
+  fileName: EncString | undefined;
+  key: EncString | undefined;
+}
+
+export interface AttachmentView {
+  id: string | undefined;
+  url: string | undefined;
+  size: string | undefined;
+  sizeName: string | undefined;
+  fileName: string | undefined;
+  key: EncString | undefined;
+  /**
+   * The decrypted attachmentkey in base64 format.
+   *
+   * **TEMPORARY FIELD**: This field is a temporary workaround to provide
+   * decrypted attachment keys to the TypeScript client during the migration
+   * process. It will be removed once the encryption/decryption logic is
+   * fully migrated to the SDK.
+   *
+   * **Ticket**: <https://bitwarden.atlassian.net/browse/PM-23005>
+   *
+   * Do not rely on this field for long-term use.
+   */
+  decryptedKey: string | undefined;
+}
+
+export interface Card {
+  cardholderName: EncString | undefined;
+  expMonth: EncString | undefined;
+  expYear: EncString | undefined;
+  code: EncString | undefined;
+  brand: EncString | undefined;
+  number: EncString | undefined;
+}
+
+export interface CardView {
+  cardholderName: string | undefined;
+  expMonth: string | undefined;
+  expYear: string | undefined;
+  code: string | undefined;
+  brand: string | undefined;
+  number: string | undefined;
+}
+
+export interface Cipher {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
+  /**
+   * More recent ciphers uses individual encryption keys to encrypt the other fields of the
+   * Cipher.
+   */
+  key: EncString | undefined;
+  name: EncString;
+  notes: EncString | undefined;
+  type: CipherType;
+  login: Login | undefined;
+  identity: Identity | undefined;
+  card: Card | undefined;
+  secureNote: SecureNote | undefined;
+  sshKey: SshKey | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  localData: LocalData | undefined;
+  attachments: Attachment[] | undefined;
+  fields: Field[] | undefined;
+  passwordHistory: PasswordHistory[] | undefined;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  data: string | undefined;
+}
+
+export interface CipherListView {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
+  /**
+   * Temporary, required to support calculating TOTP from CipherListView.
+   */
+  key: EncString | undefined;
+  name: string;
+  subtitle: string;
+  type: CipherListViewType;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  /**
+   * The number of attachments
+   */
+  attachments: number;
+  /**
+   * Indicates if the cipher has old attachments that need to be re-uploaded
+   */
+  hasOldAttachments: boolean;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+  /**
+   * Hints for the presentation layer for which fields can be copied.
+   */
+  copyableFields: CopyableCipherFields[];
+  localData: LocalDataView | undefined;
+  /**
+   * Decrypted cipher notes for search indexing.
+   */
+  notes: string | undefined;
+  /**
+   * Decrypted cipher fields for search indexing.
+   * Only includes name and value (for text fields only).
+   */
+  fields: FieldListView[] | undefined;
+  /**
+   * Decrypted attachment filenames for search indexing.
+   */
+  attachmentNames: string[] | undefined;
+}
+
+export interface CipherPermissions {
+  delete: boolean;
+  restore: boolean;
+}
+
+export interface CipherView {
+  id: CipherId | undefined;
+  organizationId: OrganizationId | undefined;
+  folderId: FolderId | undefined;
+  collectionIds: CollectionId[];
+  /**
+   * Temporary, required to support re-encrypting existing items.
+   */
+  key: EncString | undefined;
+  name: string;
+  notes: string | undefined;
+  type: CipherType;
+  login: LoginView | undefined;
+  identity: IdentityView | undefined;
+  card: CardView | undefined;
+  secureNote: SecureNoteView | undefined;
+  sshKey: SshKeyView | undefined;
+  favorite: boolean;
+  reprompt: CipherRepromptType;
+  organizationUseTotp: boolean;
+  edit: boolean;
+  permissions: CipherPermissions | undefined;
+  viewPassword: boolean;
+  localData: LocalDataView | undefined;
+  attachments: AttachmentView[] | undefined;
+  /**
+   * Attachments that failed to decrypt. Only present when there are decryption failures.
+   */
+  attachmentDecryptionFailures?: AttachmentView[];
+  fields: FieldView[] | undefined;
+  passwordHistory: PasswordHistoryView[] | undefined;
+  creationDate: DateTime<Utc>;
+  deletedDate: DateTime<Utc> | undefined;
+  revisionDate: DateTime<Utc>;
+  archivedDate: DateTime<Utc> | undefined;
+}
+
+export interface Collection {
+  id: CollectionId | undefined;
+  organizationId: OrganizationId;
+  name: EncString;
+  externalId: string | undefined;
+  hidePasswords: boolean;
+  readOnly: boolean;
+  manage: boolean;
+  defaultUserCollectionEmail: string | undefined;
+  type: CollectionType;
+}
+
+export interface CollectionView {
+  id: CollectionId | undefined;
+  organizationId: OrganizationId;
+  name: string;
+  externalId: string | undefined;
+  hidePasswords: boolean;
+  readOnly: boolean;
+  manage: boolean;
+  type: CollectionType;
+}
+
+export interface EncryptionContext {
+  /**
+   * The Id of the user that encrypted the cipher. It should always represent a UserId, even for
+   * Organization-owned ciphers
+   */
+  encryptedFor: UserId;
+  cipher: Cipher;
+}
+
+export interface Fido2Credential {
+  credentialId: EncString;
+  keyType: EncString;
+  keyAlgorithm: EncString;
+  keyCurve: EncString;
+  keyValue: EncString;
+  rpId: EncString;
+  userHandle: EncString | undefined;
+  userName: EncString | undefined;
+  counter: EncString;
+  rpName: EncString | undefined;
+  userDisplayName: EncString | undefined;
+  discoverable: EncString;
+  creationDate: DateTime<Utc>;
+}
+
+export interface Fido2CredentialFullView {
+  credentialId: string;
+  keyType: string;
+  keyAlgorithm: string;
+  keyCurve: string;
+  keyValue: string;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  counter: string;
+  rpName: string | undefined;
+  userDisplayName: string | undefined;
+  discoverable: string;
+  creationDate: DateTime<Utc>;
+}
+
+export interface Fido2CredentialListView {
+  credentialId: string;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  userDisplayName: string | undefined;
+  counter: string;
+}
+
+export interface Fido2CredentialNewView {
+  credentialId: string;
+  keyType: string;
+  keyAlgorithm: string;
+  keyCurve: string;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  counter: string;
+  rpName: string | undefined;
+  userDisplayName: string | undefined;
+  creationDate: DateTime<Utc>;
+}
+
+export interface Fido2CredentialView {
+  credentialId: string;
+  keyType: string;
+  keyAlgorithm: string;
+  keyCurve: string;
+  keyValue: EncString;
+  rpId: string;
+  userHandle: string | undefined;
+  userName: string | undefined;
+  counter: string;
+  rpName: string | undefined;
+  userDisplayName: string | undefined;
+  discoverable: string;
+  creationDate: DateTime<Utc>;
+}
+
+export interface Field {
+  name: EncString | undefined;
+  value: EncString | undefined;
+  type: FieldType;
+  linkedId: LinkedIdType | undefined;
+}
+
+export interface FieldView {
+  name: string | undefined;
+  value: string | undefined;
+  type: FieldType;
+  linkedId: LinkedIdType | undefined;
+}
+
+export interface Folder {
+  id: FolderId | undefined;
+  name: EncString;
+  revisionDate: DateTime<Utc>;
+}
+
+export interface FolderView {
+  id: FolderId | undefined;
+  name: string;
+  revisionDate: DateTime<Utc>;
+}
+
+export interface Identity {
+  title: EncString | undefined;
+  firstName: EncString | undefined;
+  middleName: EncString | undefined;
+  lastName: EncString | undefined;
+  address1: EncString | undefined;
+  address2: EncString | undefined;
+  address3: EncString | undefined;
+  city: EncString | undefined;
+  state: EncString | undefined;
+  postalCode: EncString | undefined;
+  country: EncString | undefined;
+  company: EncString | undefined;
+  email: EncString | undefined;
+  phone: EncString | undefined;
+  ssn: EncString | undefined;
+  username: EncString | undefined;
+  passportNumber: EncString | undefined;
+  licenseNumber: EncString | undefined;
+}
+
+export interface IdentityView {
+  title: string | undefined;
+  firstName: string | undefined;
+  middleName: string | undefined;
+  lastName: string | undefined;
+  address1: string | undefined;
+  address2: string | undefined;
+  address3: string | undefined;
+  city: string | undefined;
+  state: string | undefined;
+  postalCode: string | undefined;
+  country: string | undefined;
+  company: string | undefined;
+  email: string | undefined;
+  phone: string | undefined;
+  ssn: string | undefined;
+  username: string | undefined;
+  passportNumber: string | undefined;
+  licenseNumber: string | undefined;
+}
+
+export interface LocalData {
+  lastUsedDate: DateTime<Utc> | undefined;
+  lastLaunched: DateTime<Utc> | undefined;
+}
+
+export interface LocalDataView {
+  lastUsedDate: DateTime<Utc> | undefined;
+  lastLaunched: DateTime<Utc> | undefined;
+}
+
+export interface Login {
+  username: EncString | undefined;
+  password: EncString | undefined;
+  passwordRevisionDate: DateTime<Utc> | undefined;
+  uris: LoginUri[] | undefined;
+  totp: EncString | undefined;
+  autofillOnPageLoad: boolean | undefined;
+  fido2Credentials: Fido2Credential[] | undefined;
+}
+
+export interface LoginListView {
+  fido2Credentials: Fido2CredentialListView[] | undefined;
+  hasFido2: boolean;
+  username: string | undefined;
+  /**
+   * The TOTP key is not decrypted. Useable as is with [`crate::generate_totp_cipher_view`].
+   */
+  totp: EncString | undefined;
+  uris: LoginUriView[] | undefined;
+}
+
+export interface LoginUri {
+  uri: EncString | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: EncString | undefined;
+}
+
+export interface LoginUriView {
+  uri: string | undefined;
+  match: UriMatchType | undefined;
+  uriChecksum: string | undefined;
+}
+
+export interface LoginView {
+  username: string | undefined;
+  password: string | undefined;
+  passwordRevisionDate: DateTime<Utc> | undefined;
+  uris: LoginUriView[] | undefined;
+  totp: string | undefined;
+  autofillOnPageLoad: boolean | undefined;
+  fido2Credentials: Fido2Credential[] | undefined;
+}
+
+export interface PasswordChangeAndRotateUserKeysRequest {
+  old_password: string;
+  password: string;
+  hint: string | undefined;
+  trusted_emergency_access_public_keys: PublicKey[];
+  trusted_organization_public_keys: PublicKey[];
+}
+
+export interface PasswordHistory {
+  password: EncString;
+  lastUsedDate: DateTime<Utc>;
+}
+
+export interface PasswordHistoryView {
+  password: string;
+  lastUsedDate: DateTime<Utc>;
+}
+
+export interface Repositories {
+  cipher: Repository<Cipher> | null;
+  folder: Repository<Folder> | null;
+  user_key_state: Repository<UserKeyState> | null;
+  local_user_data_key_state: Repository<LocalUserDataKeyState> | null;
+  ephemeral_pin_envelope_state: Repository<EphemeralPinEnvelopeState> | null;
+  organization_shared_key: Repository<OrganizationSharedKey> | null;
+}
+
+export interface RotateUserKeysRequest {
+  key_rotation_method: KeyRotationMethod;
+  trusted_emergency_access_public_keys: PublicKey[];
+  trusted_organization_public_keys: PublicKey[];
+}
+
+export interface SecureNote {
+  type: SecureNoteType;
+}
+
+export interface SecureNoteView {
+  type: SecureNoteType;
+}
+
+export interface Send {
+  id: SendId | undefined;
+  accessId: string | undefined;
+  name: EncString;
+  notes: EncString | undefined;
+  key: EncString;
+  password: string | undefined;
+  type: SendType;
+  file: SendFile | undefined;
+  text: SendText | undefined;
+  maxAccessCount: number | undefined;
+  accessCount: number;
+  disabled: boolean;
+  hideEmail: boolean;
+  revisionDate: DateTime<Utc>;
+  deletionDate: DateTime<Utc>;
+  expirationDate: DateTime<Utc> | undefined;
+  /**
+   * Email addresses for OTP authentication (comma-separated).
+   *
+   * **Note**: Mutually exclusive with `password`. If both `password` and `emails` are
+   * set, password authentication takes precedence and email OTP is ignored.
+   */
+  emails: string | undefined;
+  authType: AuthType;
+}
+
+export interface SendListView {
+  id: SendId | undefined;
+  accessId: string | undefined;
+  name: string;
+  type: SendType;
+  disabled: boolean;
+  revisionDate: DateTime<Utc>;
+  deletionDate: DateTime<Utc>;
+  expirationDate: DateTime<Utc> | undefined;
+  authType: AuthType;
+}
+
+export interface SendView {
+  id: SendId | undefined;
+  accessId: string | undefined;
+  name: string;
+  notes: string | undefined;
+  /**
+   * Base64 encoded key
+   */
+  key: string | undefined;
+  /**
+   * Replace or add a password to an existing send. The SDK will always return None when
+   * decrypting a [Send]
+   * TODO: We should revisit this, one variant is to have `[Create, Update]SendView` DTOs.
+   */
+  newPassword: string | undefined;
+  /**
+   * Denote if an existing send has a password. The SDK will ignore this value when creating or
+   * updating sends.
+   */
+  hasPassword: boolean;
+  type: SendType;
+  file: SendFileView | undefined;
+  text: SendTextView | undefined;
+  maxAccessCount: number | undefined;
+  accessCount: number;
+  disabled: boolean;
+  hideEmail: boolean;
+  revisionDate: DateTime<Utc>;
+  deletionDate: DateTime<Utc>;
+  expirationDate: DateTime<Utc> | undefined;
+  /**
+   * Email addresses for OTP authentication.
+   * **Note**: Mutually exclusive with `new_password`. If both are set, only password
+   * authentication will be used. When creating or editing sends, use [crate::SendAuthType]
+   * to ensure mutual exclusivity at the type level.
+   */
+  emails: string[];
+  authType: AuthType;
+}
+
+export interface SshKey {
+  /**
+   * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
+   */
+  privateKey: EncString;
+  /**
+   * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
+   */
+  publicKey: EncString;
+  /**
+   * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
+   */
+  fingerprint: EncString;
+}
+
+export interface SshKeyView {
+  /**
+   * SSH private key (ed25519/rsa) in unencrypted openssh private key format [OpenSSH private key](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key)
+   */
+  privateKey: string;
+  /**
+   * SSH public key (ed25519/rsa) according to [RFC4253](https://datatracker.ietf.org/doc/html/rfc4253#section-6.6)
+   */
+  publicKey: string;
+  /**
+   * SSH fingerprint using SHA256 in the format: `SHA256:BASE64_ENCODED_FINGERPRINT`
+   */
+  fingerprint: string;
+}
+
+export interface TotpResponse {
+  /**
+   * Generated TOTP code
+   */
+  code: string;
+  /**
+   * Time period
+   */
+  period: number;
+}
+
+export interface TrustDeviceResponse {
+  /**
+   * Base64 encoded device key
+   */
+  device_key: B64;
+  /**
+   * UserKey encrypted with DevicePublicKey
+   */
+  protected_user_key: UnsignedSharedKey;
+  /**
+   * DevicePrivateKey encrypted with [DeviceKey]
+   */
+  protected_device_private_key: EncString;
+  /**
+   * DevicePublicKey encrypted with [UserKey](super::UserKey)
+   */
+  protected_device_public_key: EncString;
+}
+
+export type AppendType = "random" | { websiteName: { website: string } };
+
+export type CipherListViewType =
+  | { login: LoginListView }
+  | "secureNote"
+  | { card: CardListView }
+  | "identity"
+  | "sshKey";
+
+export type DeviceType =
+  | "Android"
+  | "iOS"
+  | "ChromeExtension"
+  | "FirefoxExtension"
+  | "OperaExtension"
+  | "EdgeExtension"
+  | "WindowsDesktop"
+  | "MacOsDesktop"
+  | "LinuxDesktop"
+  | "ChromeBrowser"
+  | "FirefoxBrowser"
+  | "OperaBrowser"
+  | "EdgeBrowser"
+  | "IEBrowser"
+  | "UnknownBrowser"
+  | "AndroidAmazon"
+  | "UWP"
+  | "SafariBrowser"
+  | "VivaldiBrowser"
+  | "VivaldiExtension"
+  | "SafariExtension"
+  | "SDK"
+  | "Server"
+  | "WindowsCLI"
+  | "MacOsCLI"
+  | "LinuxCLI"
+  | "DuckDuckGoBrowser";
+
+export type ExportFormat = "Csv" | "Json" | { EncryptedJson: { password: string } };
+
+export type KeyAlgorithm = "Ed25519" | "Rsa3072" | "Rsa4096";
+
+export type KeyRotationMethod = { Password: { password: string } } | "KeyConnector" | "Tde";
+
+export type LinkedIdType = LoginLinkedIdType | CardLinkedIdType | IdentityLinkedIdType;
+
+export type PassphraseError = { InvalidNumWords: { minimum: number; maximum: number } };
+
+export type UsernameGeneratorRequest =
+  | { word: { capitalize: boolean; include_number: boolean } }
+  | { subaddress: { type: AppendType; email: string } }
+  | { catchall: { type: AppendType; domain: string } }
+  | { forwarded: { service: ForwarderServiceType; website: string | undefined } };
+
+export class AttachmentsClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  decrypt_buffer(
+    cipher: Cipher,
+    attachment: AttachmentView,
+    encrypted_buffer: Uint8Array,
+  ): Uint8Array;
+}
+
+/**
+ * Subclient containing auth functionality.
+ */
+export class AuthClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Client for login functionality
+   */
+  login(client_settings: ClientSettings): LoginClient;
+  /**
+   * Client for initializing user account cryptography and unlock methods after JIT provisioning
+   */
+  registration(): RegistrationClient;
+  /**
+   * Client for send access functionality
+   */
+  send_access(): SendAccessClient;
+}
+
+export enum CardLinkedIdType {
+  CardholderName = 300,
+  ExpMonth = 301,
+  ExpYear = 302,
+  Code = 303,
+  Brand = 304,
+  Number = 305,
+}
+
+/**
+ * Client for performing admin operations on ciphers. Unlike the regular CiphersClient,
+ * this client uses the admin server API endpoints, and does not modify local state.
+ */
+export class CipherAdminClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Creates a new [Cipher] for an organization, using the admin server endpoints.
+   * Creates the Cipher on the server only, does not store it to local state.
+   */
+  create(request: CipherCreateRequest): Promise<CipherView>;
+  /**
+   * Deletes the Cipher with the matching CipherId from the server, using the admin endpoint.
+   * Affects server data only, does not modify local state.
+   */
+  delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Deletes an attachment from a cipher using the admin endpoint.
+   * Affects server data only, does not modify local state.
+   */
+  delete_attachment(cipher_id: CipherId, attachment_id: string): Promise<void>;
+  /**
+   * Deletes all Cipher objects with a matching CipherId from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
+   */
+  delete_many(cipher_ids: CipherId[], organization_id: OrganizationId): Promise<void>;
+  /**
+   * Edit an existing [Cipher] and save it to the server.
+   */
+  edit(request: CipherEditRequest, original_cipher_view: CipherView): Promise<CipherView>;
+  list_org_ciphers(
+    org_id: OrganizationId,
+    include_member_items: boolean,
+  ): Promise<ListOrganizationCiphersResult>;
+  /**
+   * Restores a soft-deleted cipher on the server, using the admin endpoint.
+   */
+  restore(cipher_id: CipherId): Promise<CipherView>;
+  /**
+   * Restores multiple soft-deleted ciphers on the server.
+   */
+  restore_many(cipher_ids: CipherId[], org_id: OrganizationId): Promise<DecryptCipherListResult>;
+  /**
+   * Soft-deletes the Cipher with the matching CipherId from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
+   */
+  soft_delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Soft-deletes all Cipher objects for the given CipherIds from the server, using the admin
+   * endpoint. Affects server data only, does not modify local state.
+   */
+  soft_delete_many(cipher_ids: CipherId[], organization_id: OrganizationId): Promise<void>;
+  /**
+   * Adds the cipher matched by [CipherId] to any number of collections on the server.
+   */
+  update_collection(cipher_id: CipherId, collection_ids: CollectionId[]): Promise<CipherView>;
+}
+
+export enum CipherRepromptType {
+  None = 0,
+  Password = 1,
+}
+
+/**
+ * Client for evaluating credential risk for login ciphers.
+ */
+export class CipherRiskClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Evaluate security risks for multiple login ciphers concurrently.
+   *
+   * For each cipher:
+   * 1. Calculates password strength (0-4) using zxcvbn with cipher-specific context
+   * 2. Optionally checks if the password has been exposed via Have I Been Pwned API
+   * 3. Counts how many times the password is reused in the provided `password_map`
+   *
+   * Returns a vector of `CipherRisk` results, one for each input cipher.
+   *
+   * ## HIBP Check Results (`exposed_result` field)
+   *
+   * The `exposed_result` field uses the `ExposedPasswordResult` enum with three possible states:
+   * - `NotChecked`: Password exposure check was not performed because:
+   *   - `check_exposed` option was `false`, or
+   *   - Password was empty
+   * - `Found(n)`: Successfully checked via HIBP API, password appears in `n` data breaches
+   * - `Error(msg)`: HIBP API request failed with error message `msg`
+   *
+   * # Errors
+   *
+   * This method only returns `Err` for internal logic failures. HIBP API errors are
+   * captured per-cipher in the `exposed_result` field as `ExposedPasswordResult::Error(msg)`.
+   */
+  compute_risk(
+    login_details: CipherLoginDetails[],
+    options: CipherRiskOptions,
+  ): Promise<CipherRiskResult[]>;
+  /**
+   * Build password reuse map for a list of login ciphers.
+   *
+   * Returns a map where keys are passwords and values are the number of times
+   * each password appears in the provided list. This map can be passed to `compute_risk()`
+   * to enable password reuse detection.
+   */
+  password_reuse_map(login_details: CipherLoginDetails[]): PasswordReuseMap;
+}
+
+export enum CipherType {
+  Login = 1,
+  SecureNote = 2,
+  Card = 3,
+  Identity = 4,
+  SshKey = 5,
+}
+
+export class CiphersClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Returns a new client for performing admin operations.
+   * Uses the admin server API endpoints and does not modify local state.
+   */
+  admin(): CipherAdminClient;
+  /**
+   * Creates a new [Cipher] and saves it to the server.
+   */
+  create(request: CipherCreateRequest): Promise<CipherView>;
+  decrypt(cipher: Cipher): Promise<CipherView>;
+  decrypt_fido2_credentials(cipher_view: CipherView): Fido2CredentialView[];
+  decrypt_fido2_private_key(cipher_view: CipherView): string;
+  decrypt_list(ciphers: Cipher[]): Promise<CipherListView[]>;
+  /**
+   * Decrypt full cipher list
+   * Returns both successfully fully decrypted ciphers and any that failed to decrypt
+   */
+  decrypt_list_full_with_failures(ciphers: Cipher[]): Promise<DecryptCipherResult>;
+  /**
+   * Decrypt cipher list with failures
+   * Returns both successfully decrypted ciphers and any that failed to decrypt
+   */
+  decrypt_list_with_failures(ciphers: Cipher[]): Promise<DecryptCipherListResult>;
+  /**
+   * Deletes the [Cipher] with the matching [CipherId] from the server.
+   */
+  delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Deletes an attachment from a cipher, and updates the local repository with the new cipher
+   * data returned from the API.
+   */
+  delete_attachment(cipher_id: CipherId, attachment_id: string): Promise<Cipher>;
+  /**
+   * Deletes all [Cipher] objects with a matching [CipherId] from the server.
+   */
+  delete_many(cipher_ids: CipherId[], organization_id?: OrganizationId | null): Promise<void>;
+  /**
+   * Edit an existing [Cipher] and save it to the server.
+   */
+  edit(request: CipherEditRequest): Promise<CipherView>;
+  encrypt(cipher_view: CipherView): Promise<EncryptionContext>;
+  /**
+   * Encrypt a cipher with the provided key. This should only be used when rotating encryption
+   * keys in the Web client.
+   *
+   * Until key rotation is fully implemented in the SDK, this method must be provided the new
+   * symmetric key in base64 format. See PM-23084
+   *
+   * If the cipher has a CipherKey, it will be re-encrypted with the new key.
+   * If the cipher does not have a CipherKey and CipherKeyEncryption is enabled, one will be
+   * generated using the new key. Otherwise, the cipher's data will be encrypted with the new
+   * key directly.
+   */
+  encrypt_cipher_for_rotation(cipher_view: CipherView, new_key: B64): Promise<EncryptionContext>;
+  /**
+   * Encrypt a list of cipher views.
+   *
+   * This method attempts to encrypt all ciphers in the list. If any cipher
+   * fails to encrypt, the entire operation fails and an error is returned.
+   */
+  encrypt_list(cipher_views: CipherView[]): Promise<EncryptionContext[]>;
+  /**
+   * Get [Cipher] by ID from state and decrypt it to a [CipherView].
+   */
+  get(cipher_id: string): Promise<CipherView>;
+  /**
+   * Get all ciphers from state and decrypt them to full [CipherView], returning both
+   * successes and failures. This method will not fail when some ciphers fail to decrypt,
+   * allowing for graceful handling of corrupted or problematic cipher data.
+   */
+  get_all(): Promise<DecryptCipherResult>;
+  /**
+   * Get all ciphers from state and decrypt them to [crate::CipherListView], returning both
+   * successes and failures. This method will not fail when some ciphers fail to decrypt,
+   * allowing for graceful handling of corrupted or problematic cipher data.
+   */
+  list(): Promise<DecryptCipherListResult>;
+  move_to_organization(cipher_view: CipherView, organization_id: OrganizationId): CipherView;
+  /**
+   * Restores a soft-deleted cipher on the server.
+   */
+  restore(cipher_id: CipherId): Promise<CipherView>;
+  /**
+   * Restores multiple soft-deleted ciphers on the server.
+   */
+  restore_many(cipher_ids: CipherId[]): Promise<DecryptCipherListResult>;
+  /**
+   * Temporary method used to re-encrypt FIDO2 credentials for a cipher view.
+   * Necessary until the TS clients utilize the SDK entirely for FIDO2 credentials management.
+   * TS clients create decrypted FIDO2 credentials that need to be encrypted manually when
+   * encrypting the rest of the CipherView.
+   * TODO: Remove once TS passkey provider implementation uses SDK - PM-8313
+   */
+  set_fido2_credentials(
+    cipher_view: CipherView,
+    fido2_credentials: Fido2CredentialFullView[],
+  ): CipherView;
+  /**
+   * Moves a cipher into an organization, adds it to collections, and calls the share_cipher API.
+   */
+  share_cipher(
+    cipher_view: CipherView,
+    organization_id: OrganizationId,
+    collection_ids: CollectionId[],
+    original_cipher_view?: CipherView | null,
+  ): Promise<CipherView>;
+  /**
+   * Moves a group of ciphers into an organization, adds them to collections, and calls the
+   * share_ciphers API.
+   */
+  share_ciphers_bulk(
+    cipher_views: CipherView[],
+    organization_id: OrganizationId,
+    collection_ids: CollectionId[],
+  ): Promise<CipherView[]>;
+  /**
+   * Soft-deletes the [Cipher] with the matching [CipherId] from the server.
+   */
+  soft_delete(cipher_id: CipherId): Promise<void>;
+  /**
+   * Soft-deletes all [Cipher] objects for the given [CipherId]s from the server.
+   */
+  soft_delete_many(cipher_ids: CipherId[], organization_id?: OrganizationId | null): Promise<void>;
+  /**
+   * Adds the cipher matched by [CipherId] to any number of collections on the server.
+   */
+  update_collection(
+    cipher_id: CipherId,
+    collection_ids: CollectionId[],
+    is_admin: boolean,
+  ): Promise<CipherView>;
+}
+
+export class CollectionViewNodeItem {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  get_ancestors(): AncestorMap;
+  get_children(): CollectionView[];
+  get_item(): CollectionView;
+  get_parent(): CollectionView | undefined;
+}
+
+export class CollectionViewTree {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  get_flat_items(): CollectionViewNodeItem[];
+  get_item_for_view(collection_view: CollectionView): CollectionViewNodeItem | undefined;
+  get_root_items(): CollectionViewNodeItem[];
+}
+
+export class CollectionsClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  decrypt(collection: Collection): CollectionView;
+  decrypt_list(collections: Collection[]): CollectionView[];
+  /**
+   *
+   * Returns the vector of CollectionView objects in a tree structure based on its implemented
+   * path().
+   */
+  get_collection_tree(collections: CollectionView[]): CollectionViewTree;
+}
+
+/**
+ * A client for the crypto operations.
+ */
+export class CryptoClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * A stop gap-solution for decrypting with the local user data key, until the WASM client's
+   * password generator history encryption and email forwarders encryption is fully migrated to
+   * SDK.
+   */
+  decrypt_with_local_user_data_key(encrypted_plaintext: string): string;
+  /**
+   * A stop gap-solution for encrypting with the local user data key, until the WASM client's
+   * password generator history encryption and email forwarders encryption is fully migrated to
+   * SDK.
+   */
+  encrypt_with_local_user_data_key(plaintext: string): string;
+  /**
+   * Protects the current user key with the provided PIN. The result can be stored and later
+   * used to initialize another client instance by using the PIN and the PIN key with
+   * `initialize_user_crypto`.
+   */
+  enroll_pin(pin: string): EnrollPinResponse;
+  /**
+   * Protects the current user key with the provided PIN. The result can be stored and later
+   * used to initialize another client instance by using the PIN and the PIN key with
+   * `initialize_user_crypto`. The provided pin is encrypted with the user key.
+   */
+  enroll_pin_with_encrypted_pin(encrypted_pin: string): EnrollPinResponse;
+  /**
+   * Takes a raw key and returns the corresponding key id. This is used for the biometrics
+   * subsystem and should be removed after moving over biometric management to the SDK.
+   */
+  static get_key_id_for_symmetric_key(key: Uint8Array): Uint8Array | undefined;
+  /**
+   * ⚠️⚠️⚠️ HAZMAT WARNING: DO NOT USE THIS ⚠️⚠️⚠️
+   *
+   * Get the uses's decrypted encryption key. Note: It's very important
+   * to keep this key safe, as it can be used to decrypt all of the user's data. It is
+   * only permitted to use for a transition period where side effects such as biometrics
+   * and never-lock are set from within the client code.
+   */
+  get_user_encryption_key(): Promise<B64>;
+  /**
+   * Creates a rotated set of account keys for the current state
+   */
+  get_v2_rotated_account_keys(): UserCryptoV2KeysResponse;
+  /**
+   * Initialization method for the organization crypto. Needs to be called after
+   * `initialize_user_crypto` but before any other crypto operations.
+   */
+  initialize_org_crypto(req: InitOrgCryptoRequest): Promise<void>;
+  /**
+   * Initialization method for the user crypto. Needs to be called before any other crypto
+   * operations.
+   */
+  initialize_user_crypto(req: InitUserCryptoRequest): Promise<void>;
+  /**
+   * Generates a new key pair and encrypts the private key with the provided user key.
+   * Crypto initialization not required.
+   */
+  make_key_pair(user_key: B64): MakeKeyPairResponse;
+  /**
+   * Makes a new signing key pair and signs the public key for the user
+   */
+  make_keys_for_user_crypto_v2(): UserCryptoV2KeysResponse;
+  /**
+   * Create the data necessary to update the user's kdf settings. The user's encryption key is
+   * re-encrypted for the password under the new kdf settings. This returns the re-encrypted
+   * user key and the new password hash but does not update sdk state.
+   */
+  make_update_kdf(password: string, kdf: Kdf): Promise<UpdateKdfResponse>;
+  /**
+   * Decrypts a `PasswordProtectedKeyEnvelope`, returning the user key, if successful.
+   * This is a stop-gap solution, until initialization of the SDK is used.
+   */
+  unseal_password_protected_key_envelope(pin: string, envelope: string): Uint8Array;
+  /**
+   * Verifies a user's asymmetric keys by decrypting the private key with the provided user
+   * key. Returns if the private key is decryptable and if it is a valid matching key.
+   * Crypto initialization not required.
+   */
+  verify_asymmetric_keys(request: VerifyAsymmetricKeysRequest): VerifyAsymmetricKeysResponse;
+}
+
+export class ExporterClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Credential Exchange Format (CXF)
+   *
+   * *Warning:* Expect this API to be unstable, and it will change in the future.
+   *
+   * For use with Apple using [ASCredentialExportManager](https://developer.apple.com/documentation/authenticationservices/ascredentialexportmanager).
+   * Ideally, the input should be immediately serialized from [ASImportableAccount](https://developer.apple.com/documentation/authenticationservices/asimportableaccount).
+   */
+  export_cxf(account: Account, ciphers: Cipher[]): string;
+  export_organization_vault(
+    collections: Collection[],
+    ciphers: Cipher[],
+    format: ExportFormat,
+  ): string;
+  export_vault(folders: Folder[], ciphers: Cipher[], format: ExportFormat): Promise<string>;
+  /**
+   * Credential Exchange Format (CXF)
+   *
+   * *Warning:* Expect this API to be unstable, and it will change in the future.
+   *
+   * For use with Apple using [ASCredentialExportManager](https://developer.apple.com/documentation/authenticationservices/ascredentialexportmanager).
+   * Ideally, the input should be immediately serialized from [ASImportableAccount](https://developer.apple.com/documentation/authenticationservices/asimportableaccount).
+   */
+  import_cxf(payload: string): Cipher[];
+}
+
+/**
+ * Represents the type of a [FieldView].
+ */
+export enum FieldType {
+  /**
+   * Text field
+   */
+  Text = 0,
+  /**
+   * Hidden text field
+   */
+  Hidden = 1,
+  /**
+   * Boolean field
+   */
+  Boolean = 2,
+  /**
+   * Linked field
+   */
+  Linked = 3,
+}
+
+/**
+ * WASM client for reading Flight Recorder logs.
+ *
+ * The underlying buffer is global (initialized in [`init_sdk`](crate::init_sdk)),
+ * so this client is a stateless handle for WASM access.
+ */
+export class FlightRecorderClient {
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Get the current event count without reading event contents.
+   */
+  count(): number;
+  /**
+   * Create a new `FlightRecorderClient`.
+   */
+  constructor();
+  /**
+   * Read all events currently in the Flight Recorder buffer.
+   */
+  read(): FlightRecorderEvent[];
+}
+
+/**
+ * Wrapper for folder specific functionality.
+ */
+export class FoldersClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Create a new [Folder] and save it to the server.
+   */
+  create(request: FolderAddEditRequest): Promise<FolderView>;
+  /**
+   * Encrypt a [Folder] to [FolderView].
+   */
+  decrypt(folder: Folder): FolderView;
+  /**
+   * Decrypt a list of [Folder]s to a list of [FolderView]s.
+   */
+  decrypt_list(folders: Folder[]): FolderView[];
+  /**
+   * Edit the [Folder] and save it to the server.
+   */
+  edit(folder_id: FolderId, request: FolderAddEditRequest): Promise<FolderView>;
+  /**
+   * Encrypt a [FolderView] to a [Folder].
+   */
+  encrypt(folder_view: FolderView): Folder;
+  /**
+   * Get a specific [Folder] by its ID from state and decrypt it to a [FolderView].
+   */
+  get(folder_id: FolderId): Promise<FolderView>;
+  /**
+   * Get all folders from state and decrypt them to a list of [FolderView].
+   */
+  list(): Promise<FolderView[]>;
+}
+
+export class GeneratorClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Generates a random passphrase.
+   * A passphrase is a combination of random words separated by a character.
+   * An example of passphrase is `correct horse battery staple`.
+   *
+   * The number of words and their case, the word separator, and the inclusion of
+   * a number in the passphrase can be customized using the `input` parameter.
+   *
+   * # Examples
+   *
+   * ```
+   * use bitwarden_core::Client;
+   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PassphraseGeneratorRequest};
+   *
+   * async fn test() -> Result<(), PassphraseError> {
+   *     let input = PassphraseGeneratorRequest {
+   *         num_words: 4,
+   *         ..Default::default()
+   *     };
+   *     let passphrase = Client::new(None).generator().passphrase(input).unwrap();
+   *     println!("{}", passphrase);
+   *     Ok(())
+   * }
+   * ```
+   */
+  passphrase(input: PassphraseGeneratorRequest): string;
+  /**
+   * Generates a random password.
+   *
+   * The character sets and password length can be customized using the `input` parameter.
+   *
+   * # Examples
+   *
+   * ```
+   * use bitwarden_core::Client;
+   * use bitwarden_generators::{GeneratorClientsExt, PassphraseError, PasswordGeneratorRequest};
+   *
+   * async fn test() -> Result<(), PassphraseError> {
+   *     let input = PasswordGeneratorRequest {
+   *         lowercase: true,
+   *         uppercase: true,
+   *         numbers: true,
+   *         length: 20,
+   *         ..Default::default()
+   *     };
+   *     let password = Client::new(None).generator().password(input).unwrap();
+   *     println!("{}", password);
+   *     Ok(())
+   * }
+   * ```
+   */
+  password(input: PasswordGeneratorRequest): string;
+}
+
+export enum IdentityLinkedIdType {
+  Title = 400,
+  MiddleName = 401,
+  Address1 = 402,
+  Address2 = 403,
+  Address3 = 404,
+  City = 405,
+  State = 406,
+  PostalCode = 407,
+  Country = 408,
+  Company = 409,
+  Email = 410,
+  Phone = 411,
+  Ssn = 412,
+  Username = 413,
+  PassportNumber = 414,
+  LicenseNumber = 415,
+  FirstName = 416,
+  LastName = 417,
+  FullName = 418,
+}
+
+/**
+ * An untyped IPC message received from another endpoint.
+ */
+export class IncomingMessage {
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Create an incoming IPC message from raw payload bytes.
+   */
+  constructor(payload: Uint8Array, destination: Endpoint, source: Source, topic?: string | null);
+  /**
+   * Try to parse the payload as JSON.
+   * @returns The parsed JSON value, or undefined if the payload is not valid JSON.
+   */
+  parse_payload_as_json(): any;
+  /**
+   * Destination endpoint that received this message.
+   */
+  destination: Endpoint;
+  /**
+   * Serialized payload bytes.
+   */
+  payload: Uint8Array;
+  /**
+   * Source that sent this message, with per-variant metadata.
+   */
+  source: Source;
+  /**
+   * Optional topic used for routing/dispatch.
+   */
+  get topic(): string | undefined;
+  /**
+   * Optional topic used for routing/dispatch.
+   */
+  set topic(value: string | null | undefined);
+}
+
+/**
+ * JavaScript wrapper around the IPC client. For more information, see the
+ * [`IpcClient`] trait documentation.
+ */
+export class IpcClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  isRunning(): boolean;
+  /**
+   * Create a new `IpcClient` instance with a client-managed session repository for saving
+   * sessions using State Provider.
+   */
+  static newWithClientManagedSessions(
+    communication_provider: IpcCommunicationBackend,
+    session_repository: IpcSessionRepository,
+  ): IpcClient;
+  /**
+   * Create a new `IpcClient` instance with an in-memory session repository for saving
+   * sessions within the SDK.
+   */
+  static newWithSdkInMemorySessions(communication_provider: IpcCommunicationBackend): IpcClient;
+  send(message: OutgoingMessage): Promise<void>;
+  start(abort_signal?: AbortSignal | null): Promise<void>;
+  subscribe(): Promise<IpcClientSubscription>;
+}
+
+/**
+ * JavaScript wrapper around the IPC client subscription. For more information, see the
+ * [IpcClientSubscription](crate::IpcClientSubscription) documentation.
+ */
+export class IpcClientSubscription {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  receive(abort_signal?: AbortSignal | null): Promise<IncomingMessage>;
+}
+
+/**
+ * JavaScript implementation of the `CommunicationBackend` trait for IPC communication.
+ */
+export class IpcCommunicationBackend {
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Creates a new instance of the JavaScript communication backend.
+   */
+  constructor(sender: IpcCommunicationBackendSender);
+  /**
+   * Used by JavaScript to provide an incoming message to the IPC framework.
+   */
+  receive(message: IncomingMessage): void;
+}
+
 export enum LogLevel {
   Trace = 0,
   Debug = 1,
@@ -7,224 +3742,675 @@ export enum LogLevel {
   Warn = 3,
   Error = 4,
 }
-export interface InitUserCryptoRequest {
+
+/**
+ * Client for authenticating Bitwarden users.
+ *
+ * Handles unauthenticated operations to obtain access tokens from the Identity API.
+ * After successful authentication, use the returned tokens to create an authenticated core client.
+ *
+ * # Lifecycle
+ *
+ * 1. Create `LoginClient` via `AuthClient`
+ * 2. Call login method
+ * 3. Use returned tokens with authenticated core client
+ *
+ * # Password Login Example
+ *
+ * ```rust,no_run
+ * # use bitwarden_auth::{AuthClient, login::login_via_password::PasswordLoginRequest};
+ * # use bitwarden_auth::login::models::{LoginRequest, LoginDeviceRequest, LoginResponse};
+ * # use bitwarden_core::{Client, ClientSettings, DeviceType};
+ * # async fn example(email: String, password: String) -> Result<(), Box<dyn std::error::Error>> {
+ * // Create auth client
+ * let client = Client::new(None);
+ * let auth_client = AuthClient::new(client);
+ *
+ * // Configure client settings and create login client
+ * let settings = ClientSettings {
+ *     identity_url: "https://identity.bitwarden.com".to_string(),
+ *     api_url: "https://api.bitwarden.com".to_string(),
+ *     user_agent: "MyApp/1.0".to_string(),
+ *     device_type: DeviceType::SDK,
+ *     device_identifier: None,
+ *     bitwarden_client_version: None,
+ *     bitwarden_package_type: None,
+ * };
+ * let login_client = auth_client.login(settings);
+ *
+ * // Get user's KDF config
+ * let prelogin = login_client.get_password_prelogin(email.clone()).await?;
+ *
+ * // Login with credentials
+ * let response = login_client.login_via_password(PasswordLoginRequest {
+ *     login_request: LoginRequest {
+ *         client_id: "connector".to_string(),
+ *         device: LoginDeviceRequest {
+ *             device_type: DeviceType::SDK,
+ *             device_identifier: "device-id".to_string(),
+ *             device_name: "My Device".to_string(),
+ *             device_push_token: None,
+ *         },
+ *     },
+ *     email,
+ *     password,
+ *     prelogin_response: prelogin,
+ * }).await?;
+ *
+ * // Use tokens from response for authenticated requests
+ * match response {
+ *     LoginResponse::Authenticated(success) => {
+ *         let access_token = success.access_token;
+ *         // Use access_token for authenticated requests
+ *     }
+ * }
+ * # Ok(())
+ * # }
+ * ```
+ */
+export class LoginClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Retrieves the data required before authenticating with a password.
+   * This includes the user's KDF configuration needed to properly derive the master key.
+   */
+  get_password_prelogin(email: string): Promise<PasswordPreloginResponse>;
+  /**
+   * Authenticates a user via email and master password.
+   *
+   * Derives the master password hash using KDF settings from prelogin, then sends
+   * the authentication request to obtain access tokens and vault keys.
+   */
+  login_via_password(request: PasswordLoginRequest): Promise<LoginResponse>;
+}
+
+export enum LoginLinkedIdType {
+  Username = 100,
+  Password = 101,
+}
+
+/**
+ * An untyped IPC message to be sent to another endpoint.
+ */
+export class OutgoingMessage {
+  free(): void;
+  [Symbol.dispose](): void;
   /**
-   * The user\'s KDF parameters, as received from the prelogin request
+   * Create an outgoing IPC message from raw payload bytes.
    */
-  kdfParams: Kdf;
+  constructor(payload: Uint8Array, destination: Endpoint, topic?: string | null);
   /**
-   * The user\'s email address
+   * Create a new message and encode the payload as JSON.
    */
-  email: string;
+  static new_json_payload(
+    payload: any,
+    destination: Endpoint,
+    topic?: string | null,
+  ): OutgoingMessage;
   /**
-   * The user\'s encrypted private key
+   * Destination endpoint for this message.
    */
-  privateKey: string;
+  destination: Endpoint;
   /**
-   * The initialization method to use
+   * Serialized payload bytes.
    */
-  method: InitUserCryptoMethod;
+  payload: Uint8Array;
+  /**
+   * Optional topic used for routing/dispatch.
+   */
+  get topic(): string | undefined;
+  /**
+   * Optional topic used for routing/dispatch.
+   */
+  set topic(value: string | null | undefined);
 }
 
-export type InitUserCryptoMethod =
-  | { password: { password: string; user_key: string } }
-  | { decryptedKey: { decrypted_user_key: string } }
-  | { pin: { pin: string; pin_protected_user_key: EncString } }
-  | { authRequest: { request_private_key: string; method: AuthRequestMethod } }
-  | {
-      deviceKey: {
-        device_key: string;
-        protected_device_private_key: EncString;
-        device_protected_user_key: AsymmetricEncString;
-      };
-    }
-  | { keyConnector: { master_key: string; user_key: string } };
-
-export type AuthRequestMethod =
-  | { userKey: { protected_user_key: AsymmetricEncString } }
-  | { masterKey: { protected_master_key: AsymmetricEncString; auth_request_key: EncString } };
-
-export interface InitOrgCryptoRequest {
+/**
+ * The main entry point for the Bitwarden SDK in WebAssembly environments
+ */
+export class PasswordManagerClient {
+  free(): void;
+  [Symbol.dispose](): void;
   /**
-   * The encryption keys for all the organizations the user is a part of
+   * Auth related operations.
+   */
+  auth(): AuthClient;
+  /**
+   * Crypto related operations.
+   */
+  crypto(): CryptoClient;
+  /**
+   * Test method, echoes back the input
+   */
+  echo(msg: string): string;
+  /**
+   * Exporter related operations.
+   */
+  exporters(): ExporterClient;
+  /**
+   * Constructs a specific client for generating passwords and passphrases
+   */
+  generator(): GeneratorClient;
+  /**
+   * Test method, calls http endpoint
+   */
+  http_get(url: string): Promise<string>;
+  /**
+   * Initialize a new instance of the SDK client
+   */
+  constructor(token_provider: any, settings?: ClientSettings | null);
+  /**
+   * Constructs a specific client for platform-specific functionality
+   */
+  platform(): PlatformClient;
+  /**
+   * Send related operations.
+   */
+  sends(): SendClient;
+  /**
+   * Test method, always throws an error
+   */
+  throw(msg: string): void;
+  /**
+   * User crypto management related operations.
+   */
+  user_crypto_management(): UserCryptoManagementClient;
+  /**
+   * Vault item related operations.
    */
-  organizationKeys: Map<Uuid, AsymmetricEncString>;
+  vault(): VaultClient;
+  /**
+   * Returns the current SDK version
+   */
+  version(): string;
 }
 
-export type DeviceType =
-  | "Android"
-  | "iOS"
-  | "ChromeExtension"
-  | "FirefoxExtension"
-  | "OperaExtension"
-  | "EdgeExtension"
-  | "WindowsDesktop"
-  | "MacOsDesktop"
-  | "LinuxDesktop"
-  | "ChromeBrowser"
-  | "FirefoxBrowser"
-  | "OperaBrowser"
-  | "EdgeBrowser"
-  | "IEBrowser"
-  | "UnknownBrowser"
-  | "AndroidAmazon"
-  | "UWP"
-  | "SafariBrowser"
-  | "VivaldiBrowser"
-  | "VivaldiExtension"
-  | "SafariExtension"
-  | "SDK"
-  | "Server"
-  | "WindowsCLI"
-  | "MacOsCLI"
-  | "LinuxCLI";
+export class PlatformClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Load feature flags into the client
+   */
+  load_flags(flags: FeatureFlags): Promise<void>;
+  state(): StateClient;
+}
 
 /**
- * Basic client behavior settings. These settings specify the various targets and behavior of the
- * Bitwarden Client. They are optional and uneditable once the client is initialized.
- *
- * Defaults to
- *
- * ```
- * # use bitwarden_core::{ClientSettings, DeviceType};
- * let settings = ClientSettings {
- *     identity_url: \"https://identity.bitwarden.com\".to_string(),
- *     api_url: \"https://api.bitwarden.com\".to_string(),
- *     user_agent: \"Bitwarden Rust-SDK\".to_string(),
- *     device_type: DeviceType::SDK,
- * };
- * let default = ClientSettings::default();
- * ```
+ * This module represents a stopgap solution to provide access to primitive crypto functions for JS
+ * clients. It is not intended to be used outside of the JS clients and this pattern should not be
+ * proliferated. It is necessary because we want to use SDK crypto prior to the SDK being fully
+ * responsible for state and keys.
  */
-export interface ClientSettings {
+export class PureCrypto {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
   /**
-   * The identity url of the targeted Bitwarden instance. Defaults to `https://identity.bitwarden.com`
+   * Decapsulates (decrypts) a symmetric key using an decapsulation-key/private-key in PKCS8
+   * DER format. Note: This is unsigned, so the sender's authenticity cannot be verified by the
+   * recipient.
    */
-  identityUrl?: string;
+  static decapsulate_key_unsigned(
+    encapsulated_key: string,
+    decapsulation_key: Uint8Array,
+  ): Uint8Array;
+  static decrypt_user_key_with_master_key(
+    encrypted_user_key: string,
+    master_key: Uint8Array,
+  ): Uint8Array;
+  static decrypt_user_key_with_master_password(
+    encrypted_user_key: string,
+    master_password: string,
+    email: string,
+    kdf: Kdf,
+  ): Uint8Array;
   /**
-   * The api url of the targeted Bitwarden instance. Defaults to `https://api.bitwarden.com`
+   * Derive output of the KDF for a [bitwarden_crypto::Kdf] configuration.
    */
-  apiUrl?: string;
+  static derive_kdf_material(password: Uint8Array, salt: Uint8Array, kdf: Kdf): Uint8Array;
   /**
-   * The user_agent to sent to Bitwarden. Defaults to `Bitwarden Rust-SDK`
+   * Encapsulates (encrypts) a symmetric key using an public-key/encapsulation-key
+   * in SPKI format, returning the encapsulated key as a string. Note: This is unsigned, so
+   * the sender's authenticity cannot be verified by the recipient.
    */
-  userAgent?: string;
+  static encapsulate_key_unsigned(shared_key: Uint8Array, encapsulation_key: Uint8Array): string;
+  static encrypt_user_key_with_master_password(
+    user_key: Uint8Array,
+    master_password: string,
+    email: string,
+    kdf: Kdf,
+  ): string;
   /**
-   * Device type to send to Bitwarden. Defaults to SDK
+   * Returns the algorithm used for the given verifying key.
    */
-  deviceType?: DeviceType;
+  static key_algorithm_for_verifying_key(verifying_key: Uint8Array): SignatureAlgorithm;
+  static make_user_key_aes256_cbc_hmac(): Uint8Array;
+  static make_user_key_xchacha20_poly1305(): Uint8Array;
+  /**
+   * Generates a cryptographically secure random number between the given min and max
+   * (inclusive).
+   */
+  static random_number(min: number, max: number): number;
+  /**
+   * Decrypts data using RSAES-OAEP with SHA-1
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
+   */
+  static rsa_decrypt_data(encrypted_data: Uint8Array, private_key: Uint8Array): Uint8Array;
+  /**
+   * Encrypts data using RSAES-OAEP with SHA-1
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
+   */
+  static rsa_encrypt_data(plain_data: Uint8Array, public_key: Uint8Array): Uint8Array;
+  /**
+   * Given a decrypted private RSA key PKCS8 DER this
+   * returns the corresponding public RSA key in DER format.
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
+   */
+  static rsa_extract_public_key(private_key: Uint8Array): Uint8Array;
+  /**
+   * Generates a new RSA key pair and returns the private key
+   * HAZMAT WARNING: Do not use outside of implementing cryptofunctionservice
+   */
+  static rsa_generate_keypair(): Uint8Array;
+  /**
+   * DEPRECATED: Use `symmetric_decrypt_string` instead.
+   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   */
+  static symmetric_decrypt(enc_string: string, key: Uint8Array): string;
+  /**
+   * DEPRECATED: Use `symmetric_decrypt_filedata` instead.
+   * Cleanup ticket: <https://bitwarden.atlassian.net/browse/PM-21247>
+   */
+  static symmetric_decrypt_array_buffer(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
+  static symmetric_decrypt_bytes(enc_string: string, key: Uint8Array): Uint8Array;
+  static symmetric_decrypt_filedata(enc_bytes: Uint8Array, key: Uint8Array): Uint8Array;
+  static symmetric_decrypt_string(enc_string: string, key: Uint8Array): string;
+  /**
+   * DEPRECATED: Only used by send keys
+   */
+  static symmetric_encrypt_bytes(plain: Uint8Array, key: Uint8Array): string;
+  static symmetric_encrypt_filedata(plain: Uint8Array, key: Uint8Array): Uint8Array;
+  static symmetric_encrypt_string(plain: string, key: Uint8Array): string;
+  /**
+   * Unwraps (decrypts) a wrapped PKCS8 DER encoded decapsulation (private) key using a symmetric
+   * wrapping key.
+   */
+  static unwrap_decapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * Unwraps (decrypts) a wrapped SPKI DER encoded encapsulation (public) key using a symmetric
+   * wrapping key.
+   */
+  static unwrap_encapsulation_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * Unwraps (decrypts) a wrapped symmetric key using a symmetric wrapping key, returning the
+   * unwrapped key as a serialized byte array.
+   */
+  static unwrap_symmetric_key(wrapped_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * For a given signing identity (verifying key), this function verifies that the signing
+   * identity claimed ownership of the public key. This is a one-sided claim and merely shows
+   * that the signing identity has the intent to receive messages encrypted to the public
+   * key.
+   */
+  static verify_and_unwrap_signed_public_key(
+    signed_public_key: Uint8Array,
+    verifying_key: Uint8Array,
+  ): Uint8Array;
+  /**
+   * Given a wrapped signing key and the symmetric key it is wrapped with, this returns
+   * the corresponding verifying key.
+   */
+  static verifying_key_for_signing_key(signing_key: string, wrapping_key: Uint8Array): Uint8Array;
+  /**
+   * Wraps (encrypts) a PKCS8 DER encoded decapsulation (private) key using a symmetric wrapping
+   * key,
+   */
+  static wrap_decapsulation_key(decapsulation_key: Uint8Array, wrapping_key: Uint8Array): string;
+  /**
+   * Wraps (encrypts) an SPKI DER encoded encapsulation (public) key using a symmetric wrapping
+   * key. Note: Usually, a public key is - by definition - public, so this should not be
+   * used. The specific use-case for this function is to enable rotateable key sets, where
+   * the "public key" is not public, with the intent of preventing the server from being able
+   * to overwrite the user key unlocked by the rotateable keyset.
+   */
+  static wrap_encapsulation_key(encapsulation_key: Uint8Array, wrapping_key: Uint8Array): string;
+  /**
+   * Wraps (encrypts) a symmetric key using a symmetric wrapping key, returning the wrapped key
+   * as an EncString.
+   */
+  static wrap_symmetric_key(key_to_be_wrapped: Uint8Array, wrapping_key: Uint8Array): string;
 }
 
-export type AsymmetricEncString = string;
-
-export type EncString = string;
-
 /**
- * Key Derivation Function for Bitwarden Account
- *
- * In Bitwarden accounts can use multiple KDFs to derive their master key from their password. This
- * Enum represents all the possible KDFs.
+ * Client for initializing a user account.
  */
-export type Kdf =
-  | { pBKDF2: { iterations: NonZeroU32 } }
-  | { argon2id: { iterations: NonZeroU32; memory: NonZeroU32; parallelism: NonZeroU32 } };
-
-export interface Folder {
-  id: Uuid | undefined;
-  name: EncString;
-  revisionDate: DateTime<Utc>;
+export class RegistrationClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server;
+   * enrolls the user to master password unlock.
+   */
+  post_keys_for_jit_password_registration(
+    request: JitMasterPasswordRegistrationRequest,
+  ): Promise<JitMasterPasswordRegistrationResponse>;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server; enrolls the
+   * user to key connector unlock.
+   */
+  post_keys_for_key_connector_registration(
+    key_connector_url: string,
+    sso_org_identifier: string,
+  ): Promise<KeyConnectorRegistrationResult>;
+  /**
+   * Initializes a new cryptographic state for a user and posts it to the server; enrolls in
+   * admin password reset and finally enrolls the user to TDE unlock.
+   */
+  post_keys_for_tde_registration(request: TdeRegistrationRequest): Promise<TdeRegistrationResponse>;
 }
 
-export interface FolderView {
-  id: Uuid | undefined;
-  name: string;
-  revisionDate: DateTime<Utc>;
+export enum RsaError {
+  Decryption = 0,
+  Encryption = 1,
+  KeyParse = 2,
+  KeySerialize = 3,
 }
 
-export type Uuid = string;
+export enum SecureNoteType {
+  Generic = 0,
+}
 
 /**
- * RFC3339 compliant date-time string.
- * @typeParam T - Not used in JavaScript.
+ * The `SendAccessClient` is used to interact with the Bitwarden API to get send access tokens.
  */
-export type DateTime<T = unknown> = string;
+export class SendAccessClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Requests a new send access token.
+   */
+  request_send_access_token(request: SendAccessTokenRequest): Promise<SendAccessTokenResponse>;
+}
 
-/**
- * UTC date-time string. Not used in JavaScript.
- */
-export type Utc = unknown;
+export class SendClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Create a new [Send] and save it to the server.
+   */
+  create(request: SendAddRequest): Promise<SendView>;
+  /**
+   * Edit the [Send] and save it to the server.
+   */
+  edit(send_id: SendId, request: SendEditRequest): Promise<SendView>;
+  /**
+   * Get a specific [Send] by its ID from state and decrypt it to a [SendView].
+   */
+  get(send_id: SendId): Promise<SendView>;
+  /**
+   * Get all sends from state and decrypt them to a list of [SendView].
+   */
+  list(): Promise<SendView[]>;
+}
 
 /**
- * An integer that is known not to equal zero.
+ * JavaScript wrapper for ServerCommunicationConfigClient
+ *
+ * This provides TypeScript access to the server communication configuration client,
+ * allowing clients to check bootstrap requirements and retrieve cookies for HTTP requests.
  */
-export type NonZeroU32 = number;
-
-export class BitwardenClient {
+export class ServerCommunicationConfigClient {
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * @param {ClientSettings | undefined} [settings]
-   * @param {LogLevel | undefined} [log_level]
+   * Acquires a cookie from the platform and saves it to the repository
+   *
+   * This method calls the platform API to trigger cookie acquisition (e.g., browser
+   * redirect to IdP), then validates and stores the acquired cookie in the repository.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   *
+   * # Errors
+   *
+   * Returns an error if:
+   * - Cookie acquisition was cancelled by the user
+   * - Server configuration doesn't support SSO cookies (Direct bootstrap)
+   * - Acquired cookie name doesn't match expected name
+   * - Repository operations fail
    */
-  constructor(settings?: ClientSettings, log_level?: LogLevel);
+  acquireCookie(hostname: string): Promise<void>;
   /**
-   * Test method, echoes back the input
-   * @param {string} msg
-   * @returns {string}
+   * Returns all cookies that should be included in requests to this server
+   *
+   * Returns an array of [cookie_name, cookie_value] pairs.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
    */
-  echo(msg: string): string;
+  cookies(hostname: string): Promise<any>;
   /**
-   * @returns {string}
+   * Retrieves the server communication configuration for a hostname
+   *
+   * If no configuration exists, returns a default Direct bootstrap configuration.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   *
+   * # Errors
+   *
+   * Returns an error if the repository fails to retrieve the configuration.
    */
-  version(): string;
+  getConfig(hostname: string): Promise<ServerCommunicationConfig>;
   /**
-   * @param {string} msg
+   * Determines if cookie bootstrapping is needed for this hostname
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
    */
-  throw(msg: string): void;
+  needsBootstrap(hostname: string): Promise<boolean>;
   /**
-   * Test method, calls http endpoint
-   * @param {string} url
-   * @returns {Promise<string>}
+   * Creates a new ServerCommunicationConfigClient with a JavaScript repository and platform API
+   *
+   * The repository should be backed by StateProvider (or equivalent
+   * storage mechanism) for persistence.
+   *
+   * # Arguments
+   *
+   * * `repository` - JavaScript implementation of the repository interface
+   * * `platform_api` - JavaScript implementation of the platform API interface
    */
-  http_get(url: string): Promise<string>;
+  constructor(
+    repository: ServerCommunicationConfigRepository,
+    platform_api: ServerCommunicationConfigPlatformApi,
+  );
   /**
-   * @returns {ClientCrypto}
+   * Sets the server communication configuration for a hostname
+   *
+   * This method saves the provided communication configuration to the repository.
+   * Typically called when receiving the `/api/config` response from the server.
+   * Previously acquired cookies are preserved automatically.
+   *
+   * # Arguments
+   *
+   * * `hostname` - The server hostname (e.g., "vault.acme.com")
+   * * `request` - The server communication configuration to store
+   *
+   * # Errors
+   *
+   * Returns an error if the repository save operation fails
    */
-  crypto(): ClientCrypto;
+  setCommunicationType(hostname: string, request: SetCommunicationTypeRequest): Promise<void>;
+}
+
+export class StateClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  register_cipher_repository(cipher_repository: any): void;
+  register_client_managed_repositories(repositories: Repositories): void;
+  register_folder_repository(store: any): void;
+}
+
+export class TotpClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
   /**
-   * @returns {ClientVault}
+   * Generates a TOTP code from a provided key
+   *
+   * # Arguments
+   * - `key` - Can be:
+   *     - A base32 encoded string
+   *     - OTP Auth URI
+   *     - Steam URI
+   * - `time_ms` - Optional timestamp in milliseconds
    */
-  vault(): ClientVault;
+  generate_totp(key: string, time_ms?: number | null): TotpResponse;
+}
+
+export enum UriMatchType {
+  Domain = 0,
+  Host = 1,
+  StartsWith = 2,
+  Exact = 3,
+  RegularExpression = 4,
+  Never = 5,
 }
-export class ClientCrypto {
+
+/**
+ * Client for managing the cryptographic machinery of a user account, including key-rotation.
+ */
+export class UserCryptoManagementClient {
+  private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
-   * Initialization method for the user crypto. Needs to be called before any other crypto
-   * operations.
-   * @param {InitUserCryptoRequest} req
-   * @returns {Promise<void>}
+   * Fetches the emergency access public keys for V1 emergency access memberships for the user.
+   * These have to be trusted manually be the user before rotating.
    */
-  initialize_user_crypto(req: InitUserCryptoRequest): Promise<void>;
+  get_untrusted_emergency_access_public_keys(): Promise<V1EmergencyAccessMembership[]>;
   /**
-   * Initialization method for the organization crypto. Needs to be called after
-   * `initialize_user_crypto` but before any other crypto operations.
-   * @param {InitOrgCryptoRequest} req
-   * @returns {Promise<void>}
+   * Fetches the organization public keys for V1 organization memberships for the user for
+   * organizations for which reset password is enrolled.
+   * These have to be trusted manually be the user before rotating.
    */
-  initialize_org_crypto(req: InitOrgCryptoRequest): Promise<void>;
-}
-export class ClientFolders {
-  free(): void;
+  get_untrusted_organization_public_keys(): Promise<V1OrganizationMembership[]>;
   /**
-   * Decrypt folder
-   * @param {Folder} folder
-   * @returns {FolderView}
+   * Migrates an initialized account to Key Connector unlock.
+   *
+   * Requires the client to be unlocked so the current user key is available in memory.
    */
-  decrypt(folder: Folder): FolderView;
+  migrate_to_key_connector(key_connector_url: string): Promise<void>;
+  /**
+   * Combines a password change and user key rotation into a single request.
+   */
+  password_change_and_rotate_user_keys(
+    request: PasswordChangeAndRotateUserKeysRequest,
+  ): Promise<void>;
+  /**
+   * Rotates the user's encryption keys without a password change.
+   */
+  rotate_user_keys(request: RotateUserKeysRequest): Promise<void>;
 }
-export class ClientVault {
+
+export class VaultClient {
+  private constructor();
   free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Attachment related operations.
+   */
+  attachments(): AttachmentsClient;
+  /**
+   * Cipher risk evaluation operations.
+   */
+  cipher_risk(): CipherRiskClient;
+  /**
+   * Cipher related operations.
+   */
+  ciphers(): CiphersClient;
   /**
-   * @returns {ClientFolders}
+   * Collection related operations.
    */
-  folders(): ClientFolders;
+  collections(): CollectionsClient;
+  /**
+   * Folder related operations.
+   */
+  folders(): FoldersClient;
+  /**
+   * TOTP related operations.
+   */
+  totp(): TotpClient;
 }
+
+/**
+ * Generate a new SSH key pair
+ *
+ * # Arguments
+ * - `key_algorithm` - The algorithm to use for the key pair
+ *
+ * # Returns
+ * - `Ok(SshKey)` if the key was successfully generated
+ * - `Err(KeyGenerationError)` if the key could not be generated
+ */
+export function generate_ssh_key(key_algorithm: KeyAlgorithm): SshKeyView;
+
+/**
+ * Convert a PCKS8 or OpenSSH encrypted or unencrypted private key
+ * to an OpenSSH private key with public key and fingerprint
+ *
+ * # Arguments
+ * - `imported_key` - The private key to convert
+ * - `password` - The password to use for decrypting the key
+ *
+ * # Returns
+ * - `Ok(SshKey)` if the key was successfully coneverted
+ * - `Err(PasswordRequired)` if the key is encrypted and no password was provided
+ * - `Err(WrongPassword)` if the password provided is incorrect
+ * - `Err(ParsingError)` if the key could not be parsed
+ * - `Err(UnsupportedKeyType)` if the key type is not supported
+ */
+export function import_ssh_key(imported_key: string, password?: string | null): SshKeyView;
+
+/**
+ * Initialize the SDK. Must be called before using any other API.
+ * Only the first invocation has effect; subsequent calls are ignored.
+ *
+ * - `log_level`: Minimum level for console output. Defaults to `Info`.
+ * - `flight_recorder_level`: Minimum level for the flight recorder. Defaults to `Info`.
+ * - `flight_recorder_buffer_size`: Ring-buffer capacity for the flight recorder. Defaults to 1000.
+ *   Pass `0` to disable the flight recorder entirely.
+ */
+export function init_sdk(
+  log_level?: LogLevel | null,
+  flight_recorder_level?: LogLevel | null,
+  flight_recorder_buffer_size?: number | null,
+): void;
+
+/**
+ * Registers a DiscoverHandler so that the client can respond to DiscoverRequests.
+ */
+export function ipcRegisterDiscoverHandler(
+  ipc_client: IpcClient,
+  response: DiscoverResponse,
+): Promise<void>;
+
+/**
+ * Sends a DiscoverRequest to the specified destination and returns the response.
+ */
+export function ipcRequestDiscover(
+  ipc_client: IpcClient,
+  destination: Endpoint,
+  abort_signal?: AbortSignal | null,
+): Promise<DiscoverResponse>;