fix: add support for trusted two-factor device tokens in backup import and export

fix: refine typography styles for improved readability and consistency
fix: improve network status handling and probe logic
2026-06-20 21:00:41 +00:00 · 2026-06-13 17:45:01 +08:00 · 2026-06-13 17:20:25 +08:00 · 2026-06-13 17:05:30 +08:00 · 2026-06-13 16:38:25 +08:00 · 2026-06-13 16:38:25 +08:00
206 changed files with 45064 additions and 9404 deletions
@@ -0,0 +1,17 @@
+# CodeGraph data files
+# These are local to each machine and should not be committed
+
+# Database
+*.db
+*.db-wal
+*.db-shm
+
+# Cache
+cache/
+
+# Logs
+*.log
+
+# Hook markers
+.dirty
+*.pid
@@ -0,0 +1,70 @@
+name: "Bug Report"
+description: "Report a reproducible bug / 反馈可复现问题"
+title: "[Bug] "
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting. Please provide enough detail so maintainers can reproduce quickly.
+        感谢反馈，请尽量提供可复现信息，方便快速定位。
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Pre-check / 提交前确认
+      options:
+        - label: I have searched existing issues and did not find a duplicate. / 我已搜索现有 issue，确认不是重复问题。
+          required: true
+        - label: I have read README and Project Wiki / 我已阅读 README 与 项目 Wiki。
+          required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Version / 版本
+      description: "Which version of NodeWarden are you using? Please provide the exact version or commit hash."
+      placeholder: "1.0.0"
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce_steps
+    attributes:
+      label: Steps to Reproduce / 复现步骤
+      placeholder: |
+        1. Start service with ...
+        2. Open ...
+        3. Click ...
+        4. Observe ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior / 预期行为
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior / 实际行为
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs and Screenshots / 日志与截图
+      description: "Please paste key logs (docker logs / browser console / network errors)."
+      render: shell
+    validations:
+      required: false
+
+  - type: textarea
+    id: extra
+    attributes:
+      label: Additional Context / 补充信息
+      description: "Any workaround, frequency, impact scope, etc."
@@ -0,0 +1,12 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Project Wiki/ 项目文档
+    url: https://github.com/shuaiplus/nodewarden/wiki
+    about: |
+      Please check the documentation for common questions and troubleshooting steps.
+      请先查看文档，常见问题和排查步骤可能已经覆盖了你的问题。
+  - name: Project Discussions / 讨论区
+    url: https://github.com/shuaiplus/nodewarden/discussions
+    about: |
+      For general questions, feature discussions, or if you're not sure which template to use, please post in the Discussions section.
+      如果你有一般性问题、功能讨论，或者不确定使用哪个模板，请在讨论区发帖。
@@ -0,0 +1,62 @@
+name: "Feature Request"
+description: "Suggest an improvement / 功能建议"
+title: "[Feature] "
+labels: ["enhancement", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Proposals with clear use-case and expected value are easier to evaluate.
+        说明清晰的使用场景和价值，有助于快速评估。
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Pre-check / 提交前确认
+      options:
+        - label: I have searched existing issues and this request is not duplicated. / 我已搜索现有 issue，确认不是重复建议。
+          required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Statement / 现存问题
+      description: "What is difficult or missing today?"
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed Solution / 建议方案
+      description: "Describe your expected behavior, UI flow, API changes, etc."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered / 备选方案
+      description: "Any alternatives or workarounds you've considered."
+    validations:
+      required: false
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Expected Impact / 预期价值
+      description: "Who benefits? Any performance/security/maintenance concerns?"
+    validations:
+      required: true
+
+  - type: input
+    id: scope
+    attributes:
+      label: Scope (Optional) / 影响范围（可选）
+      placeholder: "frontend / backend / docs / deployment"
+
+  - type: textarea
+    id: extra
+    attributes:
+      label: Additional Context / 补充信息
+      description: "Mockups, references, related links, etc."
@@ -0,0 +1,31 @@
+## Summary
+
+<!-- What changed and why? -->
+
+## Change Type
+
+- [ ] Bug fix
+- [ ] Feature
+- [ ] Compatibility update
+- [ ] Documentation
+- [ ] Refactor
+
+## Cross-File Checklist
+
+- [ ] I read `CONTRIBUTING.md`.
+- [ ] Schema changes, if any, updated both runtime schema and `migrations/0001_init.sql`.
+- [ ] Persistent data changes, if any, updated backup export/import or documented why backup is not needed.
+- [ ] User-facing text changes, if any, updated all locale files.
+- [ ] Bitwarden client compatibility was considered for sync/API shape changes.
+- [ ] No secrets, tokens, private deployment values, or real vault data are included.
+
+## Checks
+
+- [ ] `npx tsc -p tsconfig.json --noEmit`
+- [ ] `npx tsc -p webapp/tsconfig.json --noEmit`
+- [ ] `npm run i18n:validate`
+- [ ] `npm run build`
+
+## Notes
+
+<!-- Anything reviewers should pay special attention to? -->
@@ -67,7 +67,7 @@ class SecurityReport {
                guideStep1: '1. **开发人员**：使用上方表格中的 **位置** 列找到确切的文件和行号。',
                guideStep2: '2. **纠正**：遵循为每个规则提供的文档链接以提交修复。',
                guideStep3: '3. **可追溯性**：完整的原始 `.sarif` 数据已附加到此分支。下载并将其导入您的 IDE（例如 VS Code SARIF 查看器）进行本地分析。',
-                footer: '💡 *由 Antigravity AI 安全引擎生成。透明度是我们的承诺。*',
+                footer: '💡 *由 NodeWarden 安全工作流生成。透明度是我们的承诺。*',
                auditedIcon: '✅ **已审计**',
                noFiles: '未检索到文件。',
                trivyTitle: '🛡️ 容器配置安全 (Trivy)',
@@ -119,7 +119,7 @@ class SecurityReport {
                guideStep1: '1. **Developers**: Use the **Location** column in the tables above to find the exact file and line number.',
                guideStep2: '2. **Remediate**: Follow the documentation links provided for each rule to submit a fix.',
                guideStep3: '3. **Traceability**: Full raw `.sarif` data is attached to this branch. Download and import it into your IDE (e.g., VS Code SARIF Viewer) for local analysis.',
-                footer: '💡 *Generated by Antigravity AI Security Engine. Transparency is our commitment.*',
+                footer: '💡 *Generated by the NodeWarden security workflow. Transparency is our commitment.*',
                auditedIcon: '✅ **Audited**',
                noFiles: 'No files found.',
                trivyTitle: '🛡️ Container Config Security (Trivy)',
@@ -0,0 +1,51 @@
+name: Sync Bitwarden global domains
+
+on:
+  schedule:
+    - cron: "17 4 * * 1"
+  workflow_dispatch:
+    inputs:
+      bitwarden_ref:
+        description: "bitwarden/server ref to sync"
+        required: false
+        default: "main"
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sync-global-domains:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Sync generated Bitwarden domains
+        run: npm run domains:sync -- --ref "${{ inputs.bitwarden_ref || 'main' }}"
+
+      - name: Verify custom domains were not touched
+        run: git diff --exit-code -- src/static/global_domains.custom.json
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          branch: chore/sync-bitwarden-global-domains
+          delete-branch: true
+          title: "chore: sync Bitwarden global domain rules"
+          commit-message: "chore: sync Bitwarden global domain rules"
+          body: |
+            Automated sync from bitwarden/server.
+
+            This PR only updates:
+            - `src/static/global_domains.bitwarden.json`
+            - `src/static/global_domains.bitwarden.meta.json`
+
+            `src/static/global_domains.custom.json` is intentionally left untouched.
+          add-paths: |
+            src/static/global_domains.bitwarden.json
+            src/static/global_domains.bitwarden.meta.json
@@ -4,6 +4,11 @@ on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:
+    inputs:
+      target_commit:
+        description: 'Commit hash (leave blank to use latest commit)'
+        required: false
+        type: string

 permissions:
  contents: write
@@ -11,9 +16,8 @@ permissions:
 jobs:
  sync:
    runs-on: ubuntu-latest
-
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -22,13 +26,118 @@ jobs:
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

-      - name: Sync main from upstream
+      - name: Add upstream
        run: |
          git remote add upstream https://github.com/shuaiplus/NodeWarden.git || true
-          git fetch upstream
-          git checkout main
-          git merge upstream/main
+          git fetch upstream --tags

-      - name: Push synced main
+      - name: Resolve target commit
+        id: resolve
        run: |
-          git push origin main
+          TRIGGER="${{ github.event_name }}"
+          MANUAL_INPUT="${{ github.event.inputs.target_commit }}"
+
+          if [ "$TRIGGER" = "schedule" ]; then
+            # Auto mode: resolve latest upstream release tag
+            LATEST_TAG=$(curl -s https://api.github.com/repos/shuaiplus/NodeWarden/releases/latest | jq -r .tag_name)
+            if [ "$LATEST_TAG" = "null" ] || [ -z "$LATEST_TAG" ]; then
+              echo "No release found in upstream."
+              exit 1
+            fi
+            TARGET_SHA=$(git rev-list -n 1 "$LATEST_TAG" 2>/dev/null)
+            if [ -z "$TARGET_SHA" ]; then
+              echo "Tag '$LATEST_TAG' not found after fetch."
+              exit 1
+            fi
+            echo "mode=auto" >> $GITHUB_OUTPUT
+            echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT
+            echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
+            echo "Auto mode — latest release: $LATEST_TAG ($TARGET_SHA)"
+
+          elif [ -n "$MANUAL_INPUT" ]; then
+            # Manual mode: use provided commit hash or tag
+            TARGET_SHA=$(git rev-parse "$MANUAL_INPUT" 2>/dev/null)
+            if [ -z "$TARGET_SHA" ]; then
+              echo "Cannot resolve '$MANUAL_INPUT' to a commit."
+              exit 1
+            fi
+            echo "mode=manual" >> $GITHUB_OUTPUT
+            echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
+            echo "Manual mode — target: $MANUAL_INPUT ($TARGET_SHA)"
+
+          else
+            # Manual mode, blank input: use latest commit on upstream/main
+            TARGET_SHA=$(git rev-parse upstream/main)
+            echo "mode=manual" >> $GITHUB_OUTPUT
+            echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
+            echo "Manual mode — latest commit: $TARGET_SHA"
+          fi
+
+      - name: Check if update is needed
+        id: check
+        run: |
+          TARGET_SHA="${{ steps.resolve.outputs.target_sha }}"
+          MODE="${{ steps.resolve.outputs.mode }}"
+
+          if [ "$MODE" = "manual" ]; then
+            # Manual: skip only if HEAD is exactly this commit
+            CURRENT_SHA=$(git rev-parse HEAD)
+            if [ "$CURRENT_SHA" = "$TARGET_SHA" ]; then
+              echo "Already at $TARGET_SHA — skipping."
+              echo "needs_update=false" >> $GITHUB_OUTPUT
+            else
+              echo "Switching to $TARGET_SHA"
+              echo "needs_update=true" >> $GITHUB_OUTPUT
+            fi
+          else
+            # Auto: skip if target is already in ancestry
+            if git merge-base --is-ancestor "$TARGET_SHA" HEAD 2>/dev/null; then
+              echo "Already up to date with $TARGET_SHA — skipping."
+              echo "needs_update=false" >> $GITHUB_OUTPUT
+            else
+              echo "Update needed — target: $TARGET_SHA"
+              echo "needs_update=true" >> $GITHUB_OUTPUT
+            fi
+          fi
+
+      - name: Apply update
+        if: steps.check.outputs.needs_update == 'true'
+        run: |
+          TARGET_SHA="${{ steps.resolve.outputs.target_sha }}"
+          MODE="${{ steps.resolve.outputs.mode }}"
+          git checkout main
+          if [ "$MODE" = "manual" ]; then
+            # Hard reset allows both upgrade and rollback
+            git reset --hard "$TARGET_SHA"
+          else
+            git merge "$TARGET_SHA" --no-edit
+          fi
+
+      - name: Restore workflow file
+        if: steps.check.outputs.needs_update == 'true'
+        run: |
+          # Always keep our own workflow file, never let upstream overwrite it
+          git checkout HEAD@{1} -- .github/workflows/sync-upstream.yml 2>/dev/null || true
+          if ! git diff --cached --quiet; then
+            git commit -m "chore: restore sync-upstream workflow after sync"
+          fi
+
+      - name: Push
+        if: steps.check.outputs.needs_update == 'true'
+        run: |
+          if [ "${{ steps.resolve.outputs.mode }}" = "manual" ]; then
+            git push origin main --force
+          else
+            git push origin main
+          fi
+
+      - name: Summary
+        run: |
+          if [ "${{ steps.check.outputs.needs_update }}" = "true" ]; then
+            echo "### Synced successfully" >> $GITHUB_STEP_SUMMARY
+            echo "- **Mode:** ${{ steps.resolve.outputs.mode }}" >> $GITHUB_STEP_SUMMARY
+            echo "- **Tag:** ${{ steps.resolve.outputs.latest_tag || 'N/A (manual)' }}" >> $GITHUB_STEP_SUMMARY
+            echo "- **Commit:** \`${{ steps.resolve.outputs.target_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Nothing to update" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -26,7 +26,7 @@ Thumbs.db
 # Logs
 *.log
 npm-debug.log*
-
+.vite-tailwind.err
 # Environment
 .env
 .env.local
@@ -40,3 +40,24 @@ npm-debug.log*

 tmp/
 .tmp/
+.tmp-bitwarden-clients/
+
+nodewarden.wiki/
+wiki/
+AGENTS.md
+settings.json
+.claude/
+NodeWarden-compat/
+.codex-upstream/
+.codex-upstream/bitwarden-server/
+.codex-upstream/bitwarden-clients/
+.codex-upstream/bitwarden-web/
+.codex-upstream/bitwarden-browser/
+
+.reasonix/
+
+# Compatibility analysis documents
+BITWARDEN_COMPATIBILITY_ANALYSIS.md
+.mcp.json
+opencode.jsonc
+.cursor/
@@ -0,0 +1,133 @@
+# Contributing to NodeWarden
+
+Thanks for taking the time to improve NodeWarden.
+
+NodeWarden is a Bitwarden-compatible server with a custom web vault, Cloudflare
+Workers/D1 storage, attachment storage, imports/exports, and scheduled backups.
+Small changes can affect official clients, backups, migrations, or locale files,
+so please keep changes focused and check the related parts of the project.
+
+## Before Opening an Issue
+
+For bug reports, include enough detail for someone else to reproduce the problem:
+
+- The client or browser you used.
+- The page, API route, or action that failed.
+- Screenshots, logs, or the exact error message.
+- Whether the problem happened after sync, import, export, restore, upgrade, or
+  a fresh deployment.
+
+Please do not report NodeWarden-specific problems to the official Bitwarden
+team. This project is independent from Bitwarden.
+
+## Pull Request Guidelines
+
+Keep pull requests small enough to review. A good PR should explain:
+
+- What changed and why.
+- What user-facing behavior changed.
+- Which related areas were checked.
+- Which commands were run before submitting.
+
+Avoid mixing unrelated refactors with feature or bug-fix work. If a cleanup is
+needed before the real fix, mention that clearly in the PR.
+
+## Areas That Need Extra Care
+
+Some parts of the codebase are deliberately connected. When changing one of
+these areas, check the related files before calling the work complete.
+
+### Database Changes
+
+Runtime schema lives in `src/services/storage-schema.ts`. The initial D1 schema
+lives in `migrations/0001_init.sql`.
+
+If you add or change a table, column, or index:
+
+- Update both schema files.
+- Bump `STORAGE_SCHEMA_VERSION` in `src/services/storage.ts`.
+- Decide whether the data should be included in instance backup.
+
+### Backup And Restore
+
+Backup export and restore are whitelist-based. This protects old backups from
+breaking when fields are removed and prevents transient or secret runtime data
+from being exported by accident.
+
+When adding persistent data, check:
+
+- `src/services/backup-archive.ts`
+- `src/services/backup-import.ts`
+- `webapp/src/lib/api/backup.ts`
+
+Do not export runtime lock rows such as `backup.runner.lock.v1`. Do not import
+retired sensitive fields such as `users.api_key`.
+
+### Secrets And Provider Settings
+
+Provider credentials must not be stored or exported as plain config JSON. Follow
+the encrypted settings pattern in `src/services/backup-settings-crypto.ts`, or
+document a replacement design before changing it.
+
+### Bitwarden Client Compatibility
+
+Official Bitwarden clients may send or expect fields that are not used directly
+by the web vault. Cipher and sync changes should preserve unknown client fields
+unless they are known-invalid or server-owned.
+
+Check these files when changing vault item shape or sync behavior:
+
+- `src/handlers/ciphers.ts`
+- `src/handlers/sync.ts`
+- `src/services/storage-cipher-repo.ts`
+
+### Domain Rules
+
+Equivalent-domain settings store both client/UI rule state and derived active
+groups. Do not remove `equivalent_domains`, `custom_equivalent_domains`, or
+`excluded_global_equivalent_domains` as duplicates without a migration and
+compatibility plan.
+
+### Accounts And Passwords
+
+`users.master_password_hash` is for server-side login verification. It is not the
+vault decryption key. Password changes, key material, `securityStamp`, and
+refresh-token revocation must stay aligned.
+
+Password hints are reminders, not recovery secrets. They must never contain the
+master password, recovery codes, API keys, or anything that directly unlocks the
+vault.
+
+### i18n
+
+Locale files are complete standalone bundles. When adding or changing user-facing
+text, keep every locale in sync and run the validation script.
+
+For new locales, update:
+
+- `webapp/src/lib/i18n.ts`
+- `webapp/src/lib/i18n/locales/*`
+- `scripts/i18n-utils.cjs`
+
+## Recommended Checks
+
+For most backend or shared changes:
+
+```sh
+npx tsc -p tsconfig.json --noEmit
+npm run build
+```
+
+For webapp text or locale changes:
+
+```sh
+npm run i18n:validate
+npx tsc -p webapp/tsconfig.json --noEmit
+npm run build
+```
+
+For documentation-only changes:
+
+```sh
+git diff --check
+```
@@ -0,0 +1,19 @@
+<svg width="960" height="180" viewBox="0 0 1240 220" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <g transform="translate(0 30) scale(0.276)">
+    <path d="M370.5 93C481.785 93 572 181.2 572 290C572 329.877 559.879 366.986 539.046 398H1.68164C0.576599 391.834 0 385.484 0 379C0 323.617 42.0774 278.061 96.0078 272.558C92.7712 263.989 91 254.701 91 245C91 201.922 125.922 167 169 167C182.365 167 194.945 170.362 205.94 176.286C242.437 125.895 302.539 93 370.5 93Z" fill="#F6821F"/>
+    <path fill-rule="evenodd" clip-rule="evenodd" d="M76.6568 1.00686C72.7796 172.923 85.5495 291.119 127.869 379.459C170.188 467.799 242.092 526.353 356.665 578.892C469.877 526.354 540.929 467.802 582.746 379.461C624.564 291.12 637.181 172.923 633.35 1.00686H76.6568ZM523.796 342.933C554.479 275.533 565.347 188.379 566.419 63.9394L566.422 63.432H361.661V503.786L362.405 503.364C442.602 457.962 493.101 410.36 523.796 342.933Z" fill="#116FF9"/>
+    <path d="M588.465 215C664.976 215 727 277.233 727 354C727 369.378 724.509 384.172 719.913 398H363V333.553C375.721 307.751 402.287 290 433 290C443.483 290 453.482 292.068 462.613 295.818C484.559 248.11 532.658 215 588.465 215Z" fill="#FD9C33"/>
+  </g>
+  <g transform="translate(225 50) scale(0.112)" fill="#116FF9">
+    <path d="M238.439 995.188H0V209.944C0 111.788 76.3004 53.1675 156.688 53.1675C220.726 53.1675 276.589 74.9799 309.289 126.784L633.566 640.737V74.9799H872.005V860.224C872.005 958.379 795.704 1015.64 715.317 1015.64C652.641 1015.64 595.416 993.824 562.716 942.02L238.439 428.067V995.188Z"/>
+    <path d="M1389.81 1015.64C1177.26 1015.64 1015.12 852.044 1015.12 653.007C1015.12 455.332 1177.26 291.74 1389.81 291.74C1602.36 291.74 1764.5 455.332 1764.5 653.007C1764.5 852.044 1602.36 1015.64 1389.81 1015.64ZM1389.81 785.244C1467.47 785.244 1519.25 725.26 1519.25 654.37C1519.25 582.117 1467.47 522.133 1389.81 522.133C1312.15 522.133 1260.37 582.117 1260.37 654.37C1260.37 725.26 1312.15 785.244 1389.81 785.244Z"/>
+    <path d="M2221.42 1015.64C2008.87 1015.64 1846.73 853.407 1846.73 655.733C1846.73 437.61 1991.16 293.103 2207.79 293.103C2258.21 293.103 2308.62 308.099 2350.86 331.275V0H2596.11V655.733C2596.11 864.314 2439.42 1015.64 2221.42 1015.64ZM2221.42 785.244C2299.08 785.244 2350.86 726.623 2350.86 654.37C2350.86 583.48 2299.08 523.496 2221.42 523.496C2143.76 523.496 2091.98 583.48 2091.98 654.37C2091.98 726.623 2143.76 785.244 2221.42 785.244Z"/>
+    <path d="M3086.45 1014.27C2868.45 1014.27 2704.95 869.767 2704.95 646.19C2704.95 449.879 2852.1 286.287 3067.38 286.287C3290.83 286.287 3414.82 452.606 3414.82 635.284V696.631H2940.66C2957.01 764.795 3008.79 805.693 3083.73 805.693C3149.13 805.693 3200.9 770.248 3225.43 717.08L3413.45 811.146C3354.87 937.93 3239.05 1014.27 3086.45 1014.27ZM2951.56 569.847H3170.93C3160.03 531.676 3121.88 496.231 3064.65 496.231C3006.06 496.231 2966.55 530.312 2951.56 569.847Z"/>
+    <path d="M3604.95 845.228L3441.45 74.9799H3693.51L3812.05 704.811L3915.6 246.752C3945.58 111.788 4009.62 54.5308 4107.72 54.5308C4205.82 54.5308 4269.85 111.788 4299.83 246.752L4403.38 704.811L4521.92 74.9799H4773.98L4610.48 845.228C4587.32 955.653 4513.74 1017 4414.28 1017C4324.35 1017 4243.97 957.016 4220.8 856.134L4107.72 358.54L3994.63 856.134C3971.46 957.016 3891.08 1017 3801.15 1017C3701.69 1017 3628.11 955.653 3604.95 845.228Z"/>
+    <path d="M5121.11 1015.64C4922.19 1015.64 4787.3 852.044 4787.3 653.007C4787.3 455.332 4949.44 291.74 5161.99 291.74C5379.99 291.74 5536.68 444.426 5536.68 653.007V995.188H5305.05V944.747C5261.45 989.735 5200.14 1015.64 5121.11 1015.64ZM5161.99 785.244C5239.65 785.244 5291.43 725.26 5291.43 654.37C5291.43 582.117 5239.65 522.133 5161.99 522.133C5084.33 522.133 5032.55 582.117 5032.55 654.37C5032.55 725.26 5084.33 785.244 5161.99 785.244Z"/>
+    <path d="M5918.02 995.188H5672.77V617.562C5672.77 436.247 5776.32 291.74 5998.41 291.74C6044.73 291.74 6095.15 299.92 6129.21 314.916V550.761C6096.51 533.039 6055.63 523.496 6021.57 523.496C5957.53 523.496 5918.02 560.304 5918.02 625.741V995.188Z"/>
+    <path d="M6565.74 1015.64C6353.19 1015.64 6191.05 853.407 6191.05 655.733C6191.05 437.61 6335.48 293.103 6552.12 293.103C6602.53 293.103 6652.94 308.099 6695.18 331.275V0H6940.43V655.733C6940.43 864.314 6783.74 1015.64 6565.74 1015.64ZM6565.74 785.244C6643.41 785.244 6695.18 726.623 6695.18 654.37C6695.18 583.48 6643.41 523.496 6565.74 523.496C6488.08 523.496 6436.31 583.48 6436.31 654.37C6436.31 726.623 6488.08 785.244 6565.74 785.244Z"/>
+    <path d="M7430.78 1014.27C7212.77 1014.27 7049.27 869.767 7049.27 646.19C7049.27 449.879 7196.42 286.287 7411.7 286.287C7635.15 286.287 7759.14 452.606 7759.14 635.284V696.631H7284.99C7301.34 764.795 7353.11 805.693 7428.05 805.693C7493.45 805.693 7545.23 770.248 7569.75 717.08L7757.78 811.146C7699.19 937.93 7583.38 1014.27 7430.78 1014.27ZM7295.89 569.847H7515.25C7504.35 531.676 7466.2 496.231 7408.98 496.231C7350.39 496.231 7310.88 530.312 7295.89 569.847Z"/>
+    <path d="M8250.76 531.676C8160.84 531.676 8126.77 603.929 8126.77 689.815V995.188H7881.52V659.823C7881.52 459.422 7998.7 293.103 8250.76 293.103C8502.82 293.103 8620 459.422 8620 659.823V995.188H8374.75V689.815C8374.75 603.929 8340.69 531.676 8250.76 531.676Z"/>
+  </g>
+</svg>
@@ -1,19 +1,27 @@
 <p align="center">
-  <img src="./NodeWarden.png" alt="NodeWarden Logo" />
+  <img src="./NodeWarden.svg" alt="NodeWarden Logo" />
 </p>

 <p align="center">
-  运行在 Cloudflare Workers 上的第三方 Bitwarden 兼容服务端。
+  运行在 Cloudflare Workers 上的 Bitwarden 兼容服务端
 </p>

-[![Powered by Cloudflare](https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white)](https://workers.cloudflare.com/)
-[![License: LGPL-3.0](https://img.shields.io/badge/License-LGPL--3.0-2ea44f)](./LICENSE)
-[![Latest Release](https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag)](https://github.com/shuaiplus/NodeWarden/releases/latest)
-[![Sync Upstream](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg)](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml)
+<p align="center">
+  <a href="https://workers.cloudflare.com/"><img src="https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white" alt="Powered by Cloudflare" /></a>
+  <a href="./LICENSE"><img src="https://img.shields.io/badge/License-LGPL--3.0-2ea44f" alt="License: LGPL-3.0" /></a>
+  <a href="https://github.com/shuaiplus/NodeWarden/releases/latest"><img src="https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag" alt="Latest Release" /></a>
+  <a href="https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml"><img src="https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg" alt="Sync Upstream" /></a>
+</p>

-[更新日志](./RELEASE_NOTES.md) | [提交问题](https://github.com/shuaiplus/NodeWarden/issues/new/choose) | [最新发布](https://github.com/shuaiplus/NodeWarden/releases/latest)
+<p align="center">
+  <a href="https://t.me/NodeWarden_News">Telegram 频道</a> |
+  <a href="https://t.me/NodeWarden_Official">Telegram 群组</a>
+</p>

-English: [`README_EN.md`](./README_EN.md)
+<p align="center">
+  <a href="./README_EN.md">English</a> |
+  <a href="./CONTRIBUTING.md">贡献指南</a>
+</p>

 > **免责声明**  
 > 本项目仅供学习与交流使用，请定期备份你的密码库。  
@@ -26,16 +34,19 @@ English: [`README_EN.md`](./README_EN.md)
 | 能力 | Bitwarden | NodeWarden | 说明 |
 |---|---|---|---|
 | 网页密码库 | ✅ | ✅ | **原创Web Vault界面** |
+| **PWA 支持** | ⚠️ 基础 | ✅ | **可安装、离线使用、App快捷方式** |
+| **Web Vault 离线查看** | ❌ | ✅ | **网页端支持离线查看保险库** |
+| **Passkey 登录** | ✅ | ✅ | **支持WebAuthn/FIDO2无密码登录** |
 | 全量同步 `/api/sync` | ✅ | ✅ | 已针对官方客户端做兼容优化 |
 | 附件上传 / 下载 | ✅ | ✅ | Cloudflare R2 或 KV |
 | Send | ✅ | ✅ | 支持文本与文件 Send |
 | 导入 / 导出 | ✅ | ✅ | 支持 Bitwarden JSON / CSV / **ZIP 导入（包括附件）** |
-| **云端备份中心** | ❌ | ✅ | **支持 WebDAV / E3 定时备份** |
+| **云端备份中心** | ❌ | ✅ | **支持 WebDAV / S3 定时备份（OneDrive/Google Drive等）** |
 | 密码提示（网页端） | ⚠️ 有限 | ✅ | **无需发送邮件** |
 | TOTP / Steam TOTP | ✅ | ✅ | 含 `steam://` 支持 |
 | 多用户 | ✅ | ✅ | 支持邀请码注册 |
 | 组织 / 集合 / 成员权限 | ✅ | ❌ | 未实现 |
-| 登录 2FA | ✅ | ⚠️ 部分支持 | 当前仅支持用户级 TOTP |
+| 登录 2FA | ✅ | ⚠️ 部分支持 | 支持TOTP和Passkey（作为第二因素） |
 | SSO / SCIM / 企业目录 | ✅ | ❌ | 未实现 |

 ---
@@ -50,21 +61,33 @@ English: [`README_EN.md`](./README_EN.md)

 ---

-## 网页部署
+## 可视化快速部署

+1. Fork NodeWarden 仓库到自己的 GitHub 账号
+2. 进入 [Cloudflare Workers & Pages](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create)
+3. 选择 Continue with GitHub 并选择你的仓库
+4. 构建命令填 `npm run build`，部署命令填 `npm run deploy`
+- 如果你打算用 KV 模式，把部署命令改成 `npm run deploy:kv`
+5. 等部署完成后，打开生成的 Workers 域名

-1. Fork 本仓库。若本项目对你有帮助，欢迎点个 Star。
-2. 打开 [Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create) ➜ `Continue with GitHub` ➜ 选择你 Fork 后的仓库（`NodeWarden`）➜ 下一步 ➜ （默认使用 R2 存储；若未开通，可用 KV 来代替，将**部署命令**改为 `npm run deploy:kv`）➜ 部署 ➜ 打开生成的链接
+- Workers 默认域名在部分网络环境不可直连。如需自定义域名，到 [Workers 设置](https://dash.cloudflare.com/?to=/:account/workers/services/view/nodewarden/production/settings)里添加。
+
+- 页面提示缺少 `JWT_SECRET` 时，到 Workers 设置里添加 Secret。正式环境至少使用 32 个字符以上的随机字符串，不要使用临时值或示例值。
+
+- 这套流程里，用户实际做的是把代码交给 Cloudflare 构建并部署。代码里的 `wrangler.toml` 或 `wrangler.kv.toml` 决定绑定名，Worker 第一次处理请求时会自动初始化 D1 schema，不需要用户上传 SQL。

-   | 储存 | 是否需绑卡 | 单个附件/Send文件上限 | 免费额度 |
-   |---|---|---|---|
-   | R2 | 需要 | 100 MB（软限制可更改） | 10 GB |
-   | KV | 不需要 | 25 MiB（Cloudflare限制） | 1 GB |

 > [!TIP] 
-> 同步方法（更新仓库）：
->- 手动：打开你 Fork 的 GitHub 仓库，看到顶部同步提示后，点击 `Sync fork` ➜ `Update branch`
->- 自动：进入你的 Fork 仓库 ➜ `Actions` ➜ `Sync upstream` ➜ `Enable workflow`，会在每天凌晨 3 点自动同步上游。
+> 默认R2与可选KV的区别：
+>   | 储存 | 是否需绑卡 | 单个附件/Send文件上限 | 免费额度 |
+>   |---|---|---|---|
+>   | R2 | 需要 | 100 MB（软限制可更改） | 10 GB |
+>   | KV | 不需要 | 25 MiB（Cloudflare限制） | 1 GB |
+
+
+## 更新方法：
+- 手动：打开你 Fork 的 GitHub 仓库，看到顶部同步提示后，点击 `Sync fork` ➜ `Update branch`
+- 自动：进入你的 Fork 仓库 ➜ `Actions` ➜ `Sync upstream` ➜ `Enable workflow`，会在每天凌晨 3 点自动同步上游。



@@ -90,10 +113,27 @@ npm run dev:kv

 ---

-## 云端备份说明
+## 主要特性

- 远程备份支持 **WebDAV** 与 **E3**
- 勾选“包含附件”后：
+### PWA 渐进式 Web 应用
+
+- ✅ **可安装到桌面** - 像原生应用一样运行
+- ✅ **离线使用** - Service Worker 缓存，离线也能查看密码
+- ✅ **App 快捷方式** - 快速启动保险库、TOTP代码
+- ✅ **后台解密** - Web Worker 处理解密，不阻塞UI
+
+### Passkey 无密码登录
+
+- ✅ **WebAuthn/FIDO2 支持** - 使用指纹、Face ID等登录
+- ✅ **PRF 密钥解锁** - Passkey 可直接解锁保险库
+- ✅ **官方客户端兼容** - Chromium系浏览器扩展可用Passkey登录
+- ✅ **多设备同步** - 支持iCloud、Google Password Manager等
+
+### 云端备份说明
+
+- 远程备份支持 **WebDAV** 与 **S3**
+- 支持 **OneDrive**（通过Koofr）、**Google Drive**（通过Koofr）、**Cloudflare R2**、**Backblaze B2** 等
+- 勾选”包含附件”后：
  - ZIP 内仍只包含 `db.json` 与 `manifest.json`
  - 真实附件单独存放在 `attachments/`
  - 后续备份会按稳定 blob 名复用已有附件，不会每次全量重传
@@ -1,41 +1,55 @@
 <p align="center">
-  <img src="./NodeWarden.png" alt="NodeWarden Logo" />
+  <img src="./NodeWarden.svg" alt="NodeWarden Logo" />
 </p>

 <p align="center">
-  A third-party Bitwarden-compatible server running on Cloudflare Workers.
+  Bitwarden-compatible server running on Cloudflare Workers
+
 </p>

-[![Powered by Cloudflare](https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white)](https://workers.cloudflare.com/)
-[![License: LGPL-3.0](https://img.shields.io/badge/License-LGPL--3.0-2ea44f)](./LICENSE)
-[![Latest Release](https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag)](https://github.com/shuaiplus/NodeWarden/releases/latest)
-[![Sync Upstream](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg)](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml)
+<p align="center">
+  <a href="https://workers.cloudflare.com/"><img src="https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white" alt="Powered by Cloudflare" /></a>
+  <a href="./LICENSE"><img src="https://img.shields.io/badge/License-LGPL--3.0-2ea44f" alt="License: LGPL-3.0" /></a>
+  <a href="https://github.com/shuaiplus/NodeWarden/releases/latest"><img src="https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag" alt="Latest Release" /></a>
+  <a href="https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml"><img src="https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg" alt="Sync Upstream" /></a>
+</p>

-[Release Notes](./RELEASE_NOTES.md) | [Report an Issue](https://github.com/shuaiplus/NodeWarden/issues/new/choose) | [Latest Release](https://github.com/shuaiplus/NodeWarden/releases/latest)
+<p align="center">
+  <a href="https://t.me/NodeWarden_News">Telegram Channel</a> |
+  <a href="https://t.me/NodeWarden_Official">Telegram Group</a>
+</p>

-English: [`README.md`](./README.md)
+<p align="center">
+  <a href="./README.md">中文说明</a> |
+  <a href="./CONTRIBUTING.md">Contributing</a>
+</p>

 > **Disclaimer**
-> This project is for learning and communication purposes only. Please back up your vault regularly.  
+>
+> This project is for learning and discussion purposes only. Please back up your vault regularly.
+>
 > This project is not affiliated with Bitwarden. Please do not report NodeWarden issues to the official Bitwarden team.

 ---

-## Feature Comparison with Official Bitwarden Server
+## Feature Comparison with the Official Bitwarden Server

 | Capability | Bitwarden | NodeWarden | Notes |
 |---|---|---|---|
 | Web Vault | ✅ | ✅ | **Original Web Vault interface** |
-| Full sync `/api/sync` | ✅ | ✅ | Optimized for official clients |
+| **PWA Support** | ⚠️ Basic | ✅ | **Installable, offline-capable, app shortcuts** |
+| **Web Vault Offline Access** | ❌ | ✅ | **Web client supports offline vault viewing** |
+| **Passkey Login** | ✅ | ✅ | **WebAuthn/FIDO2 passwordless login** |
+| Full sync `/api/sync` | ✅ | ✅ | Compatibility optimized for official clients |
 | Attachment upload / download | ✅ | ✅ | Cloudflare R2 or KV |
 | Send | ✅ | ✅ | Supports both text and file Sends |
 | Import / Export | ✅ | ✅ | Supports Bitwarden JSON / CSV / **ZIP import with attachments** |
-| **Cloud Backup Center** | ❌ | ✅ | **Supports scheduled backups with WebDAV / E3** |
+| **Cloud Backup Center** | ❌ | ✅ | **WebDAV / S3 scheduled backup (OneDrive/Google Drive etc.)** |
 | Password hint (web) | ⚠️ Limited | ✅ | **No email required** |
 | TOTP / Steam TOTP | ✅ | ✅ | Includes `steam://` support |
 | Multi-user | ✅ | ✅ | Invite-based registration |
 | Organizations / Collections / Member roles | ✅ | ❌ | Not implemented |
-| Login 2FA | ✅ | ⚠️ Partial | Currently only user-level TOTP |
+| Login 2FA | ✅ | ⚠️ Partial | TOTP and Passkey (as second factor) |
 | SSO / SCIM / Enterprise directory | ✅ | ❌ | Not implemented |

 ---
@@ -46,19 +60,20 @@ English: [`README.md`](./README.md)
 - ✅ Mobile app
 - ✅ Browser extension
 - ✅ Linux desktop client
- ⚠️ macOS desktop client not fully verified
+- ⚠️ macOS desktop client has not been fully verified yet

 ---

 ## Web Deploy

-1. Fork this repository. If this project helps you, please consider giving it a Star.
-2. Open [Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create) -> `Continue with GitHub` -> select your forked repository (`NodeWarden`) -> `Next` -> deploy.  
-   R2 is used by default. If R2 is unavailable for your account, you can use KV instead by changing the **deploy command** to `npm run deploy:kv`.
+1. Fork this repository. If this project helps you, consider giving it a Star.
+2. Open [Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create) -> `Continue with GitHub` -> select your forked repository (`NodeWarden`) -> continue.
+3. R2 is used by default. If R2 is not enabled on your account, you can use KV instead by changing the **deploy command** to `npm run deploy:kv`.
+4. Deploy and open the generated URL.

 | Storage | Card required | Single attachment / Send file limit | Free tier |
 |---|---|---|---|
-| R2 | Yes | 100 MB (soft limit, can be adjusted) | 10 GB |
+| R2 | Yes | 100 MB (soft limit, adjustable) | 10 GB |
 | KV | No | 25 MiB (Cloudflare limit) | 1 GB |

 > [!TIP]
@@ -71,7 +86,6 @@ English: [`README.md`](./README.md)
 ```powershell
 git clone https://github.com/shuaiplus/NodeWarden.git
 cd NodeWarden
-
 npm install
 npx wrangler login

@@ -88,15 +102,32 @@ npm run dev:kv

 ---

-## Cloud Backup Notes
+## Key Features

- Remote backup supports **WebDAV** and **E3**
+### PWA Progressive Web App
+
+- ✅ **Install to desktop** - Runs like a native app
+- ✅ **Offline usage** - Service Worker caching, view passwords offline
+- ✅ **App shortcuts** - Quick launch vault, TOTP codes
+- ✅ **Background decryption** - Web Worker handles decryption without blocking UI
+
+### Passkey Passwordless Login
+
+- ✅ **WebAuthn/FIDO2 support** - Login with fingerprint, Face ID, etc.
+- ✅ **PRF key unlock** - Passkey can unlock vault directly
+- ✅ **Official client compatibility** - Chromium browser extension supports Passkey login
+- ✅ **Multi-device sync** - Supports iCloud, Google Password Manager, etc.
+
+### Cloud Backup Notes
+
+- Remote backup supports **WebDAV** and **S3**
+- Supports **OneDrive** (via Koofr), **Google Drive** (via Koofr), **Cloudflare R2**, **Backblaze B2**, etc.
 - When `Include attachments` is enabled:
  - the ZIP still contains only `db.json` and `manifest.json`
-  - real attachment files are stored separately under `attachments/`
-  - later backups reuse existing attachments by stable blob name instead of uploading everything again
+  - actual attachment files are stored separately under `attachments/`
+  - later backups reuse existing attachments by stable blob name instead of re-uploading everything every time
 - During remote restore:
-  - required attachment files are loaded from `attachments/`
+  - required attachment files are loaded from `attachments/` on demand
  - missing attachments are skipped safely
  - skipped attachments do not leave broken rows in the restored database

@@ -110,7 +141,7 @@ Current supported import sources include:
 - Bitwarden CSV
 - Bitwarden vault + attachments ZIP
 - NodeWarden JSON
- Multiple browser / password-manager formats visible in the web import selector
+- Multiple browser / password-manager formats available in the web import selector

 Current supported export formats include:

@@ -130,9 +161,9 @@ LGPL-3.0 License

 ## Credits

- [Bitwarden](https://bitwarden.com/) - original design and clients
- [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - server implementation reference
- [Cloudflare Workers](https://workers.cloudflare.com/) - serverless platform
+- [Bitwarden](https://bitwarden.com/) - Original design and clients
+- [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - Server implementation reference
+- [Cloudflare Workers](https://workers.cloudflare.com/) - Serverless platform

 ---

@@ -0,0 +1,785 @@
+# NodeWarden Passkey 登录研究记录
+
+记录日期：2026-06-09  
+研究范围：NodeWarden 自己的 server、web 登录/注册链路，以及官方 Bitwarden server、web、browser extension 对账户 passkey 登录的实现方式。
+
+## 结论先放前面
+
+NodeWarden 现在已经有完整的主密码注册、主密码登录、刷新 token、2FA、设备记录、官方客户端兼容的 `UserDecryptionOptions`，也支持 vault item 里的 `login.fido2Credentials` 字段。但它还没有“账户 passkey 登录”。现有 `src/utils/passkey.ts` 只有 base64url、challenge、clientData 解析这类工具函数，不能完成 FIDO2/WebAuthn 服务端注册和认证验证。
+
+要支持“自己的 web 用 passkey 登录”和“官方/自定义浏览器扩展也能 passkey 登录”，不能只加一个登录按钮。必须补齐四块：
+
+1. Server 端新增账户 WebAuthn credential 表、challenge/token 防重放机制、FIDO2 attestation/assertion 验证、`grant_type=webauthn`。
+2. Server 响应里按 Bitwarden 形状返回 PRF 解密材料：登录 token 响应用单个 `UserDecryptionOptions.WebAuthnPrfOption`，sync 响应用多个 `UserDecryption.WebAuthnPrfOptions`。
+3. NodeWarden web 新增 passkey 注册、管理、登录和 PRF 解锁 vault key 的客户端流程。
+4. 扩展兼容要跟官方 Bitwarden endpoint 和 response shape 对齐。官方 browser extension 当前只在 Chromium 系浏览器开放 passkey 登录，因为 Firefox/Safari 扩展环境还不能按官方代码需要的方式覆盖 RP ID。
+
+下面按代码链路展开。
+
+## 术语边界
+
+这里有三个容易混淆的东西，文档后面严格区分：
+
+- 账户 passkey 登录：用户不用主密码，使用 WebAuthn/passkey 完成账号认证，并且用 PRF 解开 vault user key。官方 Bitwarden 叫 `WebAuthnLogin`。
+- Vault item 里的 passkey：某个登录条目保存网站 passkey/FIDO2 credential 数据，对应 NodeWarden 的 `cipher.login.fido2Credentials`。这是“保险库保存别的网站 passkey”，不是“登录 NodeWarden 账号”。
+- WebAuthn 2FA：主密码登录之后用安全密钥做第二因素。官方旧 web repo 里主要是这一类，不等于 passkey 登录。
+
+## NodeWarden 现状
+
+### 路由和入口
+
+NodeWarden 后端是 Cloudflare Workers + D1。主入口 `src/index.ts` 初始化存储后进入 router。认证边界在：
+
+- `src/router-public.ts`：公开接口，包含 `/identity/connect/token`、`/identity/accounts/prelogin`、`/api/accounts/register`。
+- `src/router-authenticated.ts`：需要 access token 的接口，包含 profile、change password、TOTP、sync、vault、devices。
+- `src/handlers/identity.ts`：OAuth/token 兼容入口。
+- `src/handlers/accounts.ts`：注册、profile、密码变更、TOTP、API key 等账户接口。
+
+目前公开路由没有：
+
+- `GET /identity/accounts/webauthn/assertion-options`
+- `POST /identity/connect/token` 的 `grant_type=webauthn`
+- `POST /api/webauthn/attestation-options`
+- `POST /api/webauthn/assertion-options`
+- `GET/POST/PUT /api/webauthn`
+
+### 注册链路
+
+NodeWarden 自己 web 的注册入口在 `webapp/src/lib/api/auth.ts` 的 `registerAccount()`：
+
+- 使用邮箱作为 salt，用 PBKDF2 派生 master key。
+- 再用 PBKDF2(masterKey, password, 1) 得到 client master password hash。
+- 随机生成 64 字节 vault symmetric key。
+- 用 masterKey 经 HKDF 拆成 enc/mac，把 vault key 加密成 Bitwarden `Key`。
+- 生成 RSA-OAEP key pair，把 private key 用 vault symmetric key 加密。
+- POST `/api/accounts/register`，提交 `email`、`name`、`masterPasswordHash`、`key`、KDF 参数、invite code、`keys.publicKey`、`keys.encryptedPrivateKey`。
+
+后端 `src/handlers/accounts.ts` 的 `handleRegister()`：
+
+- 第一个用户自动成为 admin，后续用户需要 invite。
+- 校验 `JWT_SECRET`、邮箱、KDF 下限、加密字符串形状、公钥/私钥。
+- 不直接保存 client hash，而是 `AuthService.hashPasswordServer(masterPasswordHash, email)` 后保存到 `users.master_password_hash`。
+- 保存 `users.key`、`users.private_key`、`users.public_key`、KDF 参数、`security_stamp`。
+
+结论：账户 passkey 注册不是替代账号注册，而是“用户已登录后在安全设置里新增一个可登录 credential”。仍然需要已有 vault user key 来生成 PRF keyset。
+
+### 主密码登录链路
+
+NodeWarden 自己 web 的登录入口是 `webapp/src/lib/app-auth.ts` 的 `performPasswordLogin()`：
+
+- 先 `deriveLoginHashLocally()` 得到 masterKey 和 client hash。
+- 调 `loginWithPassword()` POST `/identity/connect/token`。
+- token 成功后 `completeLogin()` 用 `token.Key` 和本地 masterKey 解开 vault key。
+- 保存离线解锁记录。
+
+`webapp/src/lib/api/auth.ts` 也有 `deriveLoginHash()` 和 `getPreloginKdfConfig()` 会调用 `/identity/accounts/prelogin`，但当前 `performPasswordLogin()` 走的是本地 fallback iterations。passkey 登录不应复用这条 masterKey 路径，因为 passkey 登录没有主密码，拿不到 password-derived masterKey。
+
+后端 `src/handlers/identity.ts` 的 `handleToken()` 当前支持：
+
+- `grant_type=password`
+- `grant_type=client_credentials`
+- `grant_type=refresh_token`
+
+密码登录成功后会：
+
+- 验证 IP 登录频率和用户状态。
+- `AuthService.verifyPassword()` 验证 client hash。
+- 处理 TOTP 或 remember 2FA token。
+- 记录/更新 device。
+- 生成 access token 和 refresh token。
+- 返回 `Key`、`PrivateKey`、`AccountKeys`、KDF 参数、`UserDecryptionOptions`。
+
+### UserDecryptionOptions 和 sync
+
+NodeWarden 的 `src/utils/user-decryption.ts` 当前只构造主密码解锁：
+
+- `HasMasterPassword: true`
+- `MasterPasswordUnlock`
+- `TrustedDeviceOption: null`
+- `KeyConnectorOption: null`
+
+`src/types/index.ts` 的 sync 类型里预留了 `UserDecryption.WebAuthnPrfOption?: null`，但当前 `src/handlers/sync.ts` 实际只返回 `MasterPasswordUnlock`，没有账户 passkey PRF 解密选项。
+
+passkey 登录必须新增两类 shape：
+
+- 登录 token 响应：`UserDecryptionOptions.WebAuthnPrfOption`，只返回本次认证所用 credential 的 PRF 解密材料。
+- sync 响应：`UserDecryption.WebAuthnPrfOptions`，返回该用户所有已启用 PRF keyset 的 passkey 解密材料，供官方客户端锁定/解锁和 key rotation 使用。
+
+### 现有 passkey 相关代码
+
+NodeWarden 已支持 vault item 里的 FIDO2/passkey 字段：
+
+- `src/types/index.ts`：`CipherLogin.fido2Credentials`
+- `src/handlers/ciphers.ts`：读写 cipher 时保留/规范化 `fido2Credentials`
+- `webapp/src/lib/api/vault.ts`：加密/解密 vault item 内的 `fido2Credentials`
+- `webapp/src/lib/types.ts`：`CipherLoginPasskey`
+
+这部分是“保存网站 passkey”，不是账户登录。
+
+`src/utils/passkey.ts` 只有：
+
+- `bytesToBase64Url()`
+- `base64UrlToBytes()`
+- `randomChallenge()`
+- `parseClientDataJSON()`
+
+缺少的核心能力：
+
+- attestation verification
+- assertion verification
+- authenticator public key 格式处理
+- signature verification
+- sign counter 更新
+- userHandle 与 user id 绑定验证
+- origin/RP ID 验证
+- challenge 过期和防重放
+
+### 数据库和备份影响
+
+NodeWarden schema 在这些地方需要同步：
+
+- `migrations/0001_init.sql`
+- `src/services/storage-schema.ts`
+- `wrangler.toml` migrations
+- `src/services/backup-archive.ts`
+- `src/services/backup-import.ts`
+- `shared/backup-schema` 相关类型
+
+当前表里没有账户 passkey credential，也没有 WebAuthn challenge 表。`devices` 表保存设备 trust/key 信息，不适合混入 passkey credential，因为 WebAuthn credential 需要自己的 public key、credential id、counter、AAGUID、PRF keyset 等字段。
+
+## 官方 Bitwarden server 参考
+
+上游代码位置：
+
+- `.codex-upstream/bitwarden-server`
+- 研究时 HEAD：`574f3fd`
+
+官方 server 里也有两个 WebAuthn 概念：
+
+- 传统 WebAuthn 2FA：`TwoFactorController`、`WebAuthnTokenProvider`
+- 账户 passkey 登录：`WebAuthnLogin`
+
+本项目要参考的是后者。
+
+### 公开 passkey 登录入口
+
+`src/Identity/Controllers/AccountsController.cs`
+
+- `GET /accounts/webauthn/assertion-options`
+- 返回 `WebAuthnLoginAssertionOptionsResponseModel`
+- response 包含：
+  - `options`
+  - `token`
+- token 使用 `WebAuthnLoginAssertionOptionsTokenable`
+- scope 为 `Authentication`
+- token 生命周期约 17 分钟
+
+`src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs`
+
+- 新增 OAuth extension grant：`grant_type=webauthn`
+- 从 form 读取：
+  - `token`
+  - `deviceResponse`
+- 解开 token，校验 scope 必须是 `Authentication`
+- 反序列化 `AuthenticatorAssertionRawResponse`
+- 调用 `AssertWebAuthnLoginCredential`
+- 把成功认证的 credential 传给 `UserDecryptionOptionsBuilder.WithWebAuthnLoginCredential(credential)`
+- 之后走通用登录成功逻辑，返回 access/refresh token 和账号加密状态。
+
+`src/Identity/IdentityServer/ApiClient.cs`
+
+- official identity client 的 allowed grant types 包含 `WebAuthnGrantValidator.GrantType`。
+
+`TwoFactorAuthenticationValidator` 里有一个重要行为：FIDO2 user verification 已经被视为第二因素，所以 passkey 登录成功后官方不会再要求额外 2FA。NodeWarden 之后需要明确策略：要兼容官方客户端，应把 passkey 登录视作已满足 2FA，否则官方 `LoginViaWebAuthnComponent` 会显示“不支持 passkey 2FA”的错误。
+
+### 账户 passkey 管理接口
+
+`src/Api/Auth/Controllers/WebAuthnController.cs`
+
+官方 authenticated API：
+
+- `GET /webauthn`：列出账户 passkey credentials。
+- `POST /webauthn/attestation-options`：主密码/secret verification 后生成 credential create options 和 token。
+- `POST /webauthn/assertion-options`：主密码/secret verification 后生成 assertion options 和 token，用于给已有 credential 启用/更新 PRF keyset。
+- `POST /webauthn`：保存新 credential。
+- `PUT /webauthn`：更新 credential 的 PRF encryption keyset。
+- `POST /webauthn/{id}/delete`：删除 credential。
+
+官方创建 credential 时保存：
+
+- `name`
+- `token`
+- `deviceResponse`
+- `supportsPrf`
+- 可选 `encryptedUserKey`
+- 可选 `encryptedPublicKey`
+- 可选 `encryptedPrivateKey`
+
+官方最多允许 5 个账户 passkey credentials。
+
+### 官方 WebAuthnCredential 表
+
+`src/Core/Auth/Entities/WebAuthnCredential.cs`
+
+字段：
+
+- `Id`
+- `UserId`
+- `Name`
+- `PublicKey`
+- `CredentialId`
+- `Counter`
+- `Type`
+- `AaGuid`
+- `EncryptedUserKey`
+- `EncryptedPrivateKey`
+- `EncryptedPublicKey`
+- `SupportsPrf`
+- `CreationDate`
+- `RevisionDate`
+
+SQLite migration：`util/SqliteMigrations/Migrations/20231213032045_WebAuthnLoginCredentials.cs`
+
+表名是 `WebAuthnCredential`，对 `User` 做 cascade delete，并按 `UserId` 建索引。
+
+`GetPrfStatus()`：
+
+- `Unsupported`：`SupportsPrf` 为 false。
+- `Supported`：credential 支持 PRF，但还没有完整 encrypted keyset。
+- `Enabled`：`EncryptedUserKey`、`EncryptedPrivateKey`、`EncryptedPublicKey` 都存在。
+
+### 官方创建和认证策略
+
+`GetWebAuthnLoginCredentialCreateOptionsCommand.cs`
+
+- 使用 Fido2NetLib。
+- `user.id` 是用户 id bytes。
+- `user.name/displayName` 使用用户邮箱。
+- 排除当前用户已有 credential ids。
+- `residentKey: required`
+- `userVerification: required`
+- `attestation: none`
+
+`GetWebAuthnLoginCredentialAssertionOptionsCommand.cs`
+
+- `allowCredentials` 传空数组。
+- `userVerification: required`
+- 空 allow list 代表使用 discoverable credentials，也就是 passkey 登录页可以不先输入邮箱。
+
+`CreateWebAuthnLoginCredentialCommand.cs`
+
+- 限制每用户最多 5 个。
+- 检查 credential id 在该用户下不能重复。
+- FIDO `MakeNewCredentialAsync` 验证 attestation。
+- 保存 credential id/public key/counter/type/AAGUID/PRF keyset。
+
+`AssertWebAuthnLoginCredentialCommand.cs`
+
+- 先用 challenge cache 防重放。
+- 从 assertion response 的 `userHandle` 解析出 user id。
+- 加载该用户所有 WebAuthn credentials。
+- 用 credential id 找到记录。
+- FIDO `MakeAssertionAsync` 验证签名、challenge、origin、RP ID、user verification。
+- 成功后更新 counter。
+
+### 官方 PRF 解密协议
+
+`src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs`
+
+`WebAuthnPrfDecryptionOption` 字段：
+
+- `EncryptedPrivateKey`
+- `EncryptedUserKey`
+- `CredentialId`
+- `Transports`
+
+`src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs`
+
+- `WithWebAuthnLoginCredential()` 只在 credential 的 PRF status 是 `Enabled` 时加入 `WebAuthnPrfOption`。
+- 如果 credential 没有 PRF keyset，passkey 只能认证账号，不能解开 vault。
+
+`src/Api/Vault/Models/Response/SyncResponseModel.cs`
+
+- sync response 会把所有 enabled PRF credentials 放进 `UserDecryption.WebAuthnPrfOptions`。
+
+## 官方 Bitwarden web/browser client 参考
+
+上游代码位置：
+
+- `.codex-upstream/bitwarden-clients`
+- `.codex-upstream/bitwarden-browser`
+- 两者研究时 HEAD 都是 `825f9be`，browser repo 内容和 clients monorepo 对应。
+
+旧的 `.codex-upstream/bitwarden-web` 主要有 WebAuthn connector 和 2FA 设置页，没有现代账户 passkey 登录主流程。账户 passkey 登录应以 `bitwarden-clients` 为准。
+
+### 登录按钮可见性
+
+`libs/auth/src/angular/login/default-login-component.service.ts`
+
+- 默认只对 `ClientType.Web` 开启 passkey 登录。
+
+`apps/browser/src/auth/popup/login/extension-login-component.service.ts`
+
+- browser extension 覆盖逻辑：只对 Chromium 开启。
+- 注释说明 Firefox 和 Safari 不能在扩展里覆盖 relying party ID。
+- 官方代码引用了 W3C webextensions issue 238、Mozilla bug 1956484、Apple forum thread 774351。
+
+结论：NodeWarden 后端即使完全兼容官方 passkey API，官方扩展也只有 Chromium 系会显示 passkey 登录入口。
+
+### Passkey 登录页
+
+`libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts`
+
+流程：
+
+1. 进入 `/login-with-passkey` 后自动开始认证。
+2. 调 `webAuthnLoginService.getCredentialAssertionOptions()`。
+3. 调 `webAuthnLoginService.assertCredential(options)` 触发 `navigator.credentials.get()`。
+4. 调 `webAuthnLoginService.logIn(assertion)` 走 identity token grant。
+5. 如果 `authResult.requiresTwoFactor` 为 true，显示“客户端不支持 passkey 2FA”错误。
+6. 只有本地 `keyService.userKey$(authResult.userId)` 已经拿到 user key，才运行 login success handler。
+7. 成功路由：
+   - Web：`/vault`
+   - Browser：`/tabs/vault`
+   - Desktop：`/vault`
+
+Browser popout 下还会在成功后重新打开普通 popup 并关闭 popout。
+
+### 客户端 passkey 登录请求
+
+`libs/common/src/auth/services/webauthn-login/webauthn-login-api.service.ts`
+
+- GET `${identityUrl}/accounts/webauthn/assertion-options`
+- 如果 NodeWarden 的 identityUrl 是站点 origin + `/identity`，实际路径就是 `/identity/accounts/webauthn/assertion-options`。
+
+`libs/common/src/auth/services/webauthn-login/webauthn-login.service.ts`
+
+- `navigator.credentials.get({ publicKey: options })`
+- 会主动加 PRF extension：
+  - salt 是 `SHA-256("passwordless-login")`
+  - extension shape 是 `extensions.prf.eval.first`
+- 从 `credential.getClientExtensionResults().prf.results.first` 取 PRF 输出。
+- 用 `WebAuthnLoginPrfKeyService.createSymmetricKeyFromPrf()` 转成 PRF key。
+- 构造 `WebAuthnLoginAssertionResponseRequest`。
+- 明确检查 `deviceResponse.extensions` 里不能含 `prf`，避免把 PRF 输出泄漏给服务端。
+
+`libs/common/src/auth/services/webauthn-login/webauthn-login-prf-key.service.ts`
+
+- salt 常量：`passwordless-login`
+- 先 SHA-256。
+- 再用 HKDF expand 拆成 64 字节：
+  - `"enc"` 32 bytes
+  - `"mac"` 32 bytes
+
+`libs/common/src/auth/models/request/identity-token/webauthn-login-token.request.ts`
+
+form encoded token 请求字段：
+
+- `grant_type=webauthn`
+- `token=<server assertion options token>`
+- `deviceResponse=<JSON string>`
+- 还会带 common device request 字段。
+
+`libs/common/src/auth/services/webauthn-login/request/webauthn-login-assertion-response.request.ts`
+
+`deviceResponse` shape：
+
+- `id`
+- `rawId`
+- `type`
+- `extensions: {}`
+- `response.authenticatorData`
+- `response.signature`
+- `response.clientDataJSON`
+- `response.userHandle`
+
+全部二进制字段使用 base64url。
+
+### 客户端如何用 PRF 解 vault key
+
+`libs/auth/src/common/login-strategies/webauthn-login.strategy.ts`
+
+- `setMasterKey()` 是空实现，因为 passkey 登录没有主密码 masterKey。
+- `setUserKey()`：
+  - 如果 token response 有 `key`，保存为 master-key-encrypted user key，兼容主密码解锁。
+  - 如果 `userDecryptionOptions.webAuthnPrfOption` 存在，且本地 assertion 得到了 `prfKey`：
+    1. 用 PRF key unwrap `encryptedPrivateKey`。
+    2. 用 private key decapsulate `encryptedUserKey`。
+    3. 得到 user key，写入 `keyService`。
+
+核心约束：服务端永远看不到 PRF 输出。服务端只保存和返回被 PRF 相关密钥加密后的 keyset。
+
+### 官方 web 设置页注册 passkey
+
+`apps/web/src/app/auth/core/services/webauthn-login/webauthn-login-admin-api.service.ts`
+
+调用的 API：
+
+- `POST /webauthn/attestation-options`
+- `POST /webauthn/assertion-options`
+- `POST /webauthn`
+- `GET /webauthn`
+- `POST /webauthn/{id}/delete`
+- `PUT /webauthn`
+
+`apps/web/src/app/auth/core/services/webauthn-login/webauthn-login-admin.service.ts`
+
+创建流程：
+
+1. 用户做 secret verification。
+2. 请求 attestation options。
+3. `navigator.credentials.create({ publicKey: options })`，并带 `extensions.prf = {}`。
+4. 从 client extension results 判断 `supportsPrf`。
+5. 如果要用于 vault encryption，再立即做一次 `navigator.credentials.get()`：
+   - `allowCredentials` 锁定刚创建的 credential。
+   - 使用同一个 challenge、rpId、timeout、userVerification。
+   - 带 PRF eval salt。
+6. 用 PRF key 和当前 user key 创建 rotateable keyset。
+7. 保存 credential，带上 `encryptedUserKey`、`encryptedPublicKey`、`encryptedPrivateKey`。
+
+删除流程需要 secret verification。启用 encryption 的流程是对已有 credential 做 assertion，再创建并 PUT keyset。
+
+`apps/web/src/app/auth/core/enums/webauthn-login-credential-prf-status.enum.ts`
+
+- `Enabled = 0`
+- `Supported = 1`
+- `Unsupported = 2`
+
+## NodeWarden 应实现的协议形状
+
+### 公开登录流程
+
+目标兼容官方客户端和 NodeWarden 自己 web：
+
+1. `GET /identity/accounts/webauthn/assertion-options`
+   - 生成 discoverable credential assertion options。
+   - `allowCredentials: []`
+   - `userVerification: "required"`
+   - 返回 `{ options, token }`。
+   - token 绑定 challenge、scope=`Authentication`、RP ID、origin/audience、过期时间。
+
+2. Browser/web 调 `navigator.credentials.get()`。
+   - NodeWarden 自己 web 也要使用 PRF extension。
+   - PRF salt 必须和官方一致：`SHA-256("passwordless-login")`。
+
+3. `POST /identity/connect/token`
+   - 支持 `grant_type=webauthn`。
+   - 接收 `token`、`deviceResponse`、device fields。
+   - 解 token，校验 challenge/scope/过期。
+   - 验证 assertion。
+   - 从 `userHandle` 找到 user id。
+   - 从 credential id 找到 passkey record。
+   - 更新 counter。
+   - 记录/更新 device。
+   - 返回 access/refresh token、`AccountKeys`、`UserDecryptionOptions.WebAuthnPrfOption`。
+
+如果用户启用了 TOTP，建议为了官方兼容先遵循 Bitwarden：passkey 的 user verification 视作已满足第二因素。否则官方 passkey 登录页会进入 unsupported 2FA 错误状态。
+
+### 账户 passkey 管理流程
+
+建议对齐官方 API，同时在 NodeWarden 内部可挂到 `/api/webauthn`：
+
+- `GET /api/webauthn`
+- `POST /api/webauthn/attestation-options`
+- `POST /api/webauthn/assertion-options`
+- `POST /api/webauthn`
+- `PUT /api/webauthn`
+- `POST /api/webauthn/:id/delete`
+
+为了官方客户端兼容，可能还需要接受无 `/api` 前缀的 aliases：
+
+- `/webauthn`
+- `/webauthn/attestation-options`
+- `/webauthn/assertion-options`
+- `/webauthn/:id/delete`
+
+NodeWarden 自己 web 可以直接用 `/api/webauthn`，官方 web/browser 客户端会按它自己的 API base 组装 `/webauthn`。
+
+### 建议新增表
+
+按 NodeWarden 命名风格，建议用小写 snake_case：
+
+```sql
+CREATE TABLE IF NOT EXISTS webauthn_credentials (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  name TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  credential_id TEXT NOT NULL,
+  counter INTEGER NOT NULL DEFAULT 0,
+  type TEXT,
+  aa_guid TEXT,
+  transports TEXT,
+  encrypted_user_key TEXT,
+  encrypted_public_key TEXT,
+  encrypted_private_key TEXT,
+  supports_prf INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_webauthn_credentials_user_credential
+  ON webauthn_credentials(user_id, credential_id);
+
+CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user
+  ON webauthn_credentials(user_id);
+```
+
+如果要更严格防止同一个 credential id 被跨用户重复注册，也可以加全局 unique index `credential_id`。官方代码至少检查同用户唯一；实际安全上更建议全局唯一，因为 credential id 本身应该唯一标识 authenticator credential。
+
+PRF status 不必落库为枚举，可以由字段计算：
+
+- `supports_prf = 0` => `Unsupported`
+- `supports_prf = 1` 且三段 encrypted key 不全 => `Supported`
+- `supports_prf = 1` 且三段 encrypted key 全存在 => `Enabled`
+
+### Challenge/token 存储
+
+官方 server 用 protected token 携带 options，再用 challenge cache 防重放。NodeWarden 在 Workers/D1 里建议组合：
+
+- token：HMAC/JWT 样式，绑定 `scope`、`challenge`、`userId?`、`rpId`、`createdAt`、`expiresAt`。
+- D1 表或 KV：记录 challenge 是否使用过，至少字段 `challenge_hash`、`scope`、`user_id`、`expires_at`、`used_at`。
+- 登录 assertion options 是公开接口，不绑定 user id；create/update/delete 管理流程应绑定 user id。
+- 验证成功后立即 mark used。
+
+建议 scopes：
+
+- `Authentication`
+- `CreateCredential`
+- `UpdateKeySet`
+
+官方还有 `PrfRegistration` 语义，NodeWarden 可以用 `CreateCredential` 覆盖，只要 token 逻辑严谨即可。
+
+### 服务端 WebAuthn 验证库
+
+NodeWarden 当前没有 FIDO2/WebAuthn 服务端验证依赖。不要手写签名和 attestation 解析。
+
+候选：`@simplewebauthn/server`。官方文档当前说明它提供 `generateRegistrationOptions`、`verifyRegistrationResponse`、`generateAuthenticationOptions`、`verifyAuthenticationResponse`，并记录了 RP ID、origin、credential public key、counter、transports 等数据结构。文档地址：https://simplewebauthn.dev/docs/packages/server
+
+注意：NodeWarden 跑在 Cloudflare Workers，不是普通 Node server。正式选库前需要做一次构建/runtime 验证，确认包不会依赖 Workers 不支持的 Node API。这个验证属于实现阶段，不在本研究文档里写测试程序。
+
+## NodeWarden web 需要改的地方
+
+### 登录页
+
+当前登录 UI 在 `webapp/src/components/AuthViews.tsx`，状态和行为主要由 `webapp/src/App.tsx`、`webapp/src/lib/app-auth.ts` 管。
+
+新增：
+
+- 登录页增加“使用 passkey 登录”按钮。
+- 新增 `performPasskeyLogin()`：
+  1. GET `/identity/accounts/webauthn/assertion-options`
+  2. 转换 server options 里的 base64url challenge/user id/credential id 为 ArrayBuffer。
+  3. `navigator.credentials.get()`，带 PRF salt。
+  4. POST `/identity/connect/token`，`grant_type=webauthn`。
+  5. 从 response 的 `UserDecryptionOptions.WebAuthnPrfOption` 取 encrypted keyset。
+  6. 用本地 PRF key 解出 user key。
+  7. 构造 `SessionState` 并进入 app。
+
+不能复用 `completeLogin(token, email, masterKey, fallbackKdfIterations)`，因为它要求 masterKey。应新增 passkey 专用 complete 函数。
+
+### 设置页
+
+当前账户/安全相关 UI 在 `webapp/src/components/SettingsPage.tsx` 一带。
+
+新增：
+
+- Passkey 列表。
+- 新建 passkey dialog。
+- 删除 passkey。
+- 对支持 PRF 但未启用 encryption 的 passkey，提供“启用用于登录解锁”的操作。
+
+自己 web 的新建流程要和官方一致：
+
+1. 已登录状态下先验证主密码或现有 session secret。
+2. 请求 attestation options。
+3. `navigator.credentials.create()` 带 `extensions.prf = {}`。
+4. 如果用户希望这个 passkey 可直接解锁 vault，再对刚创建 credential 做一次 `navigator.credentials.get()` 获取 PRF 输出。
+5. 用 PRF key 加密/封装当前 user key，发送到 server 保存。
+
+### 客户端加密能力
+
+NodeWarden web 当前已经有：
+
+- PBKDF2
+- HKDF expand
+- Bitwarden EncString 加解密
+- RSA-OAEP private key 加密
+
+但 passkey PRF keyset 需要和官方策略对齐：
+
+- PRF key 是 64 字节 symmetric key，前 32 enc、后 32 mac。
+- `encryptedPrivateKey` 用 PRF key wrap 一个 decapsulation private key。
+- `encryptedUserKey` 用对应 public key encapsulate user key。
+- `encryptedPublicKey` 用于 key rotation。
+
+这里需要认真复用或补齐 NodeWarden 现有 crypto helper，避免做出和官方客户端无法互解的 keyset。
+
+## 扩展兼容要求
+
+### 官方 browser extension
+
+官方 extension passkey 登录入口在：
+
+- `apps/browser/src/auth/popup/login/extension-login-component.service.ts`
+- 只在 Chromium 开启。
+
+如果要官方/派生扩展能对 NodeWarden passkey 登录：
+
+- identity URL 必须能访问 `/accounts/webauthn/assertion-options`。
+- token URL 必须支持 `grant_type=webauthn`。
+- API URL 必须能访问 `/webauthn` 管理接口。
+- response 大小写和字段名要同时照顾 PascalCase/camelCase，NodeWarden 当前 token response 已经在一些字段上双写，这个风格应继续沿用。
+- passkey 登录成功时必须返回可解开 vault 的 `webAuthnPrfOption`，否则官方组件虽然认证成功，也不会进入可用 vault。
+
+### RP ID 和 origin
+
+自己的 web：
+
+- RP ID 通常是站点 host，例如 `vault.example.com`。
+- origin 是 `https://vault.example.com`。
+
+官方 browser extension：
+
+- 扩展页面 origin 是 `chrome-extension://...`。
+- 官方之所以只开 Chromium，是因为 Chromium extension 具备它需要的 RP ID 覆盖能力。
+- NodeWarden server 验证 assertion 时必须允许正确的 origin/RP ID 组合。这里不能简单只接受当前 request origin，否则扩展登录会失败。
+
+建议配置化：
+
+- `WEBAUTHN_RP_ID`
+- `WEBAUTHN_RP_NAME`
+- `WEBAUTHN_ALLOWED_ORIGINS`
+
+默认可以从 request URL 推导 web origin，但生产建议显式配置。
+
+## 安全约束
+
+- 所有账户 passkey 必须 `userVerification: required`。
+- 登录 assertion 使用 discoverable credential，`userHandle` 必须能解析成 user id 并和 credential 记录一致。
+- challenge 必须有过期时间和一次性使用标记。
+- PRF 输出绝不能传给 server，也不能写入日志。
+- token 里要绑定 scope，防止 attestation token 被拿去 authentication 用。
+- counter 要更新。遇到 counter 异常时至少记录 audit event，是否阻断要结合 multi-device passkey 现实处理。
+- 每用户 credential 数量限制建议沿用官方 5 个。
+- 删除/新增/启用 encryption 必须要求已登录用户二次验证。
+- 密码变更、user key rotation 后，所有 enabled PRF credentials 的 keyset 也要 rotation，否则 passkey 登录会解不开新 vault key。
+- 备份导出/导入必须包含账户 passkey 表，否则恢复后 passkey 登录会全部失效。
+- 审计日志建议新增：
+  - `auth.passkey.login.success`
+  - `auth.passkey.login.failed`
+  - `account.passkey.create`
+  - `account.passkey.delete`
+  - `account.passkey.encryption.enable`
+  - `account.passkey.rotate`
+
+## 建议实施顺序
+
+### 第一阶段：后端基础
+
+1. 新增 `webauthn_credentials` 和 challenge 表。
+2. 新增 storage repo。
+3. 接入 WebAuthn 服务端验证库。
+4. 实现 assertion options 和 `grant_type=webauthn`。
+5. token response 加 `WebAuthnPrfOption` shape。
+
+这阶段先能让“已有手工塞入的 enabled credential”完成登录验证，但还不做 UI。
+
+### 第二阶段：账户 passkey 管理 API
+
+1. 实现 `/api/webauthn` 和 `/webauthn` aliases。
+2. 实现 attestation options、save credential、list、delete、enable/update encryption。
+3. 加 audit event。
+4. 接入 backup export/import。
+5. sync response 加 `WebAuthnPrfOptions`。
+
+### 第三阶段：NodeWarden 自己 web
+
+1. 登录页 passkey 按钮和 `performPasskeyLogin()`。
+2. Passkey 设置页。
+3. PRF keyset 创建、保存、删除、启用 encryption。
+4. 浏览器能力判断和错误提示。
+
+### 第四阶段：扩展兼容
+
+1. 用官方 browser extension 的 Chromium passkey 登录流程校对 endpoint。
+2. 校对 `/config` 里 identity/api/web vault URL。
+3. 校对 RP ID、allowed origins。
+4. 必要时加兼容字段或 alias route。
+
+按用户要求，本阶段只需要代码跑通不报错；不在这里写可视化测试或测试程序。
+
+## 待实现清单
+
+- [ ] 设计并落库 `webauthn_credentials`。
+- [ ] 设计并落库 WebAuthn challenge/replay cache。
+- [ ] 选定并验证 Workers 可用的 WebAuthn server library。
+- [ ] `GET /identity/accounts/webauthn/assertion-options`。
+- [ ] `POST /identity/connect/token` 支持 `grant_type=webauthn`。
+- [ ] `UserDecryptionOptions.WebAuthnPrfOption`。
+- [ ] `UserDecryption.WebAuthnPrfOptions`。
+- [ ] `/api/webauthn` 管理接口。
+- [ ] `/webauthn` 官方客户端 alias。
+- [ ] NodeWarden web passkey 登录入口。
+- [ ] NodeWarden web passkey 管理页。
+- [ ] key rotation 时同步 rotate PRF keysets。
+- [ ] backup export/import 覆盖新表。
+- [ ] audit logs 覆盖 passkey 管理和登录。
+
+## 关键文件索引
+
+NodeWarden：
+
+- `src/router-public.ts`
+- `src/router-authenticated.ts`
+- `src/handlers/accounts.ts`
+- `src/handlers/identity.ts`
+- `src/handlers/sync.ts`
+- `src/services/auth.ts`
+- `src/services/storage-schema.ts`
+- `src/services/storage-user-repo.ts`
+- `src/services/storage-device-repo.ts`
+- `src/utils/passkey.ts`
+- `src/utils/user-decryption.ts`
+- `src/types/index.ts`
+- `webapp/src/lib/api/auth.ts`
+- `webapp/src/lib/app-auth.ts`
+- `webapp/src/components/AuthViews.tsx`
+- `webapp/src/components/SettingsPage.tsx`
+
+Bitwarden server：
+
+- `.codex-upstream/bitwarden-server/src/Identity/Controllers/AccountsController.cs`
+- `.codex-upstream/bitwarden-server/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs`
+- `.codex-upstream/bitwarden-server/src/Identity/IdentityServer/ApiClient.cs`
+- `.codex-upstream/bitwarden-server/src/Api/Auth/Controllers/WebAuthnController.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/Entities/WebAuthnCredential.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/GetWebAuthnLoginCredentialCreateOptionsCommand.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/GetWebAuthnLoginCredentialAssertionOptionsCommand.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/CreateWebAuthnLoginCredentialCommand.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/AssertWebAuthnLoginCredentialCommand.cs`
+- `.codex-upstream/bitwarden-server/src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs`
+- `.codex-upstream/bitwarden-server/util/SqliteMigrations/Migrations/20231213032045_WebAuthnLoginCredentials.cs`
+
+Bitwarden clients/browser：
+
+- `.codex-upstream/bitwarden-clients/libs/auth/src/angular/login/default-login-component.service.ts`
+- `.codex-upstream/bitwarden-clients/apps/browser/src/auth/popup/login/extension-login-component.service.ts`
+- `.codex-upstream/bitwarden-clients/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/services/webauthn-login/webauthn-login-api.service.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/services/webauthn-login/webauthn-login.service.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-key.service.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/models/request/identity-token/webauthn-login-token.request.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/services/webauthn-login/request/webauthn-login-response.request.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/services/webauthn-login/request/webauthn-login-assertion-response.request.ts`
+- `.codex-upstream/bitwarden-clients/libs/auth/src/common/login-strategies/webauthn-login.strategy.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/services/webauthn-login/webauthn-login-admin-api.service.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/services/webauthn-login/webauthn-login-admin.service.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/services/webauthn-login/request/save-credential.request.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/services/webauthn-login/request/enable-credential-encryption.request.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/services/webauthn-login/request/webauthn-login-attestation-response.request.ts`
+- `.codex-upstream/bitwarden-clients/apps/web/src/app/auth/core/enums/webauthn-login-credential-prf-status.enum.ts`
+- `.codex-upstream/bitwarden-clients/libs/common/src/auth/models/response/user-decryption-options/webauthn-prf-decryption-option.response.ts`
+- `.codex-upstream/bitwarden-clients/libs/auth/src/common/models/domain/user-decryption-options.ts`
+
@@ -1,8 +1,14 @@
 PRAGMA foreign_keys = ON;

 -- IMPORTANT:
-- Keep this file in sync with src/services/storage.ts (SCHEMA_STATEMENTS).
+-- This is the initial D1 schema. Keep it in sync with
+-- src/services/storage-schema.ts (SCHEMA_STATEMENTS).
 -- Any new table/column/index must be added to both places together.
+--
+-- WHEN CHANGING THIS:
+-- - Also bump STORAGE_SCHEMA_VERSION in src/services/storage.ts.
+-- - If the new table stores persistent data, update backup export/import.
+-- - Keep src/services/storage-schema.ts idempotent for existing installs.

 CREATE TABLE IF NOT EXISTS config (
  key TEXT PRIMARY KEY,
@@ -28,10 +34,20 @@ CREATE TABLE IF NOT EXISTS users (
  verify_devices INTEGER NOT NULL DEFAULT 1,
  totp_secret TEXT,
  totp_recovery_code TEXT,
+  api_key TEXT,
  created_at TEXT NOT NULL,
  updated_at TEXT NOT NULL
 );

+CREATE TABLE IF NOT EXISTS domain_settings (
+  user_id TEXT PRIMARY KEY,
+  equivalent_domains TEXT NOT NULL DEFAULT '[]',
+  custom_equivalent_domains TEXT NOT NULL DEFAULT '[]',
+  excluded_global_equivalent_domains TEXT NOT NULL DEFAULT '[]',
+  updated_at TEXT NOT NULL,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
 -- Per-user sync revision date
 CREATE TABLE IF NOT EXISTS user_revisions (
  user_id TEXT PRIMARY KEY,
@@ -59,6 +75,8 @@ CREATE TABLE IF NOT EXISTS ciphers (
 CREATE INDEX IF NOT EXISTS idx_ciphers_user_updated ON ciphers(user_id, updated_at);
 CREATE INDEX IF NOT EXISTS idx_ciphers_user_archived ON ciphers(user_id, archived_at);
 CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted ON ciphers(user_id, deleted_at);
+CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted_updated ON ciphers(user_id, deleted_at, updated_at);
+CREATE INDEX IF NOT EXISTS idx_ciphers_user_folder ON ciphers(user_id, folder_id);

 CREATE TABLE IF NOT EXISTS folders (
  id TEXT PRIMARY KEY,
@@ -106,11 +124,14 @@ CREATE TABLE IF NOT EXISTS sends (
 );
 CREATE INDEX IF NOT EXISTS idx_sends_user_updated ON sends(user_id, updated_at);
 CREATE INDEX IF NOT EXISTS idx_sends_user_deletion ON sends(user_id, deletion_date);
+CREATE INDEX IF NOT EXISTS idx_sends_user_updated_id ON sends(user_id, updated_at, id);

 CREATE TABLE IF NOT EXISTS refresh_tokens (
  token TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
  expires_at INTEGER NOT NULL,
+  device_identifier TEXT,
+  device_session_stamp TEXT,
  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
 );
 CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens(user_id);
@@ -133,6 +154,8 @@ CREATE TABLE IF NOT EXISTS audit_logs (
  id TEXT PRIMARY KEY,
  actor_user_id TEXT,
  action TEXT NOT NULL,
+  category TEXT NOT NULL DEFAULT 'system',
+  level TEXT NOT NULL DEFAULT 'info',
  target_type TEXT,
  target_id TEXT,
  metadata TEXT,
@@ -141,6 +164,8 @@ CREATE TABLE IF NOT EXISTS audit_logs (
 );
 CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at);
 CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_category_created ON audit_logs(category, created_at);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_level_created ON audit_logs(level, created_at);

 CREATE TABLE IF NOT EXISTS devices (
  user_id TEXT NOT NULL,
@@ -151,12 +176,44 @@ CREATE TABLE IF NOT EXISTS devices (
  encrypted_user_key TEXT,
  encrypted_public_key TEXT,
  encrypted_private_key TEXT,
+  banned INTEGER NOT NULL DEFAULT 0,
+  banned_at TEXT,
+  device_note TEXT,
+  last_seen_at TEXT,
  created_at TEXT NOT NULL,
  updated_at TEXT NOT NULL,
  PRIMARY KEY (user_id, device_identifier),
  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
 );
 CREATE INDEX IF NOT EXISTS idx_devices_user_updated ON devices(user_id, updated_at);
+CREATE INDEX IF NOT EXISTS idx_devices_user_last_seen ON devices(user_id, last_seen_at);
+
+CREATE TABLE IF NOT EXISTS auth_requests (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  organization_id TEXT,
+  type INTEGER NOT NULL,
+  request_device_identifier TEXT NOT NULL,
+  request_device_type INTEGER NOT NULL,
+  request_ip_address TEXT,
+  request_country_name TEXT,
+  response_device_identifier TEXT,
+  access_code TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  key TEXT,
+  master_password_hash TEXT,
+  approved INTEGER,
+  creation_date TEXT NOT NULL,
+  response_date TEXT,
+  authentication_date TEXT,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_auth_requests_user_created
+  ON auth_requests(user_id, creation_date);
+CREATE INDEX IF NOT EXISTS idx_auth_requests_user_pending
+  ON auth_requests(user_id, approved, response_date, authentication_date, creation_date);
+CREATE INDEX IF NOT EXISTS idx_auth_requests_device_pending
+  ON auth_requests(user_id, request_device_identifier, creation_date);

 CREATE TABLE IF NOT EXISTS trusted_two_factor_device_tokens (
  token TEXT PRIMARY KEY,
@@ -168,6 +225,44 @@ CREATE TABLE IF NOT EXISTS trusted_two_factor_device_tokens (
 CREATE INDEX IF NOT EXISTS idx_trusted_two_factor_device_tokens_user_device
  ON trusted_two_factor_device_tokens(user_id, device_identifier);

+CREATE TABLE IF NOT EXISTS webauthn_credentials (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  name TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  credential_id TEXT NOT NULL,
+  counter INTEGER NOT NULL DEFAULT 0,
+  type TEXT,
+  aa_guid TEXT,
+  transports TEXT,
+  encrypted_user_key TEXT,
+  encrypted_public_key TEXT,
+  encrypted_private_key TEXT,
+  supports_prf INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_webauthn_credentials_credential_id
+  ON webauthn_credentials(credential_id);
+CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user
+  ON webauthn_credentials(user_id);
+CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user_updated
+  ON webauthn_credentials(user_id, updated_at);
+
+CREATE TABLE IF NOT EXISTS webauthn_challenges (
+  challenge_hash TEXT PRIMARY KEY,
+  scope TEXT NOT NULL,
+  user_id TEXT,
+  expires_at INTEGER NOT NULL,
+  used_at INTEGER,
+  created_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_expires
+  ON webauthn_challenges(expires_at);
+CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_user_scope
+  ON webauthn_challenges(user_id, scope);
+
 -- Rate limiting
 CREATE TABLE IF NOT EXISTS login_attempts_ip (
  ip TEXT PRIMARY KEY,
@@ -176,14 +271,6 @@ CREATE TABLE IF NOT EXISTS login_attempts_ip (
  updated_at INTEGER NOT NULL
 );

-CREATE TABLE IF NOT EXISTS api_rate_limits (
-  identifier TEXT NOT NULL,
-  window_start INTEGER NOT NULL,
-  count INTEGER NOT NULL,
-  PRIMARY KEY (identifier, window_start)
-);
-CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start);
-
 CREATE TABLE IF NOT EXISTS used_attachment_download_tokens (
  jti TEXT PRIMARY KEY,
  expires_at INTEGER NOT NULL
@@ -1,6 +1,6 @@
 {
  "name": "nodewarden",
-  "version": "1.4.2",
+  "version": "1.6.1",
  "description": "Minimal Bitwarden-compatible server running on Cloudflare Workers",
  "author": "shuaiplus",
  "license": "LGPL-3.0",
@@ -9,9 +9,15 @@
  "scripts": {
    "dev": "wrangler dev -c wrangler.toml",
    "dev:kv": "wrangler dev -c wrangler.kv.toml",
+    "dev:demo": "vite --config webapp/vite.config.ts --mode demo --host 127.0.0.1 --port 5174",
    "build": "vite build --config webapp/vite.config.ts",
+    "build:demo": "vite build --config webapp/vite.config.ts --mode demo && node scripts/pages-spa-redirects.cjs",
+    "domains:sync": "node scripts/sync-global-domains.mjs",
+    "i18n": "node scripts/i18n-validate.cjs",
+    "i18n:validate": "node scripts/i18n-validate.cjs",
    "deploy": "wrangler deploy",
-    "deploy:kv": "wrangler deploy -c wrangler.kv.toml"
+    "deploy:kv": "node scripts/ensure-kv.cjs && wrangler deploy -c wrangler.kv.toml",
+    "deploy:demo": "npm run build:demo && wrangler pages deploy dist --project-name nw-demo"
  },
  "keywords": [
    "bitwarden",
@@ -40,16 +46,18 @@
    "@cloudflare/workers-types": "^4.20260131.0",
    "@preact/preset-vite": "^2.10.3",
    "@types/node": "^25.2.3",
+    "autoprefixer": "^10.4.21",
+    "opencc-js": "^1.0.5",
+    "postcss": "^8.5.6",
+    "tailwindcss": "^3.4.17",
    "tsx": "^4.21.0",
    "typescript": "^5.9.3",
    "vite": "^7.3.1",
    "wrangler": "^4.71.0"
  },
  "dependencies": {
-    "@dnd-kit/core": "^6.3.1",
-    "@dnd-kit/sortable": "^10.0.0",
-    "@dnd-kit/utilities": "^3.2.2",
    "@noble/hashes": "^2.0.1",
+    "@simplewebauthn/server": "^13.3.1",
    "@tanstack/react-query": "^5.90.21",
    "@zip.js/zip.js": "^2.8.22",
    "fflate": "^0.8.2",
@@ -0,0 +1,6 @@
+export default {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+};
@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+/**
+ * Make `deploy:kv` idempotent across repeated builds.
+ *
+ * KV namespaces are referenced in wrangler config by account-scoped `id`, not
+ * by name. The template ships without an id so fresh accounts can provision one
+ * on first deploy. In non-interactive builds, wrangler may try to create the
+ * same namespace again on later builds and fail with code 10014.
+ */
+const { execSync } = require('node:child_process');
+const fs = require('node:fs');
+const path = require('node:path');
+
+const CONFIG = path.resolve(__dirname, '..', 'wrangler.kv.toml');
+const BINDING = 'ATTACHMENTS_KV';
+
+const wrangler = (args) =>
+  execSync(`npx wrangler ${args}`, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'inherit'] });
+
+function bindingBlockHasId(toml) {
+  const blocks = toml.match(/\[\[kv_namespaces\]\][^[]*/g) || [];
+  const block = blocks.find((entry) => new RegExp(`binding\\s*=\\s*"${BINDING}"`).test(entry));
+  return block ? /^\s*id\s*=/m.test(block) : false;
+}
+
+function expectedTitle(toml) {
+  const name = (toml.match(/^\s*name\s*=\s*"([^"]+)"/m) || [])[1] || 'worker';
+  return `${name}-${BINDING.toLowerCase().replace(/_/g, '-')}`;
+}
+
+function resolveId(title) {
+  const list = JSON.parse(wrangler('kv namespace list'));
+  const hit =
+    list.find((namespace) => namespace.title === title) ||
+    list.find((namespace) => typeof namespace.title === 'string' && namespace.title.endsWith('attachments-kv'));
+  if (hit) {
+    console.log(`[ensure-kv] reusing existing namespace "${hit.title}" (${hit.id})`);
+    return hit.id;
+  }
+
+  const out = wrangler(`kv namespace create "${title}"`);
+  const id = (out.match(/id\s*=\s*"([0-9a-fA-F]{32})"/) || [])[1];
+  if (!id) throw new Error(`[ensure-kv] could not parse new namespace id from:\n${out}`);
+  console.log(`[ensure-kv] created namespace "${title}" (${id})`);
+  return id;
+}
+
+function main() {
+  let toml = fs.readFileSync(CONFIG, 'utf8');
+  if (bindingBlockHasId(toml)) {
+    console.log(`[ensure-kv] ${BINDING} already pinned in wrangler.kv.toml; nothing to do`);
+    return;
+  }
+
+  const id = resolveId(expectedTitle(toml));
+  toml = toml.replace(
+    new RegExp(`(\\[\\[kv_namespaces\\]\\]\\s*\\n\\s*binding\\s*=\\s*"${BINDING}")`),
+    `$1\nid = "${id}"`
+  );
+  fs.writeFileSync(CONFIG, toml);
+  console.log('[ensure-kv] pinned id into wrangler.kv.toml for this build');
+}
+
+main();
@@ -0,0 +1,44 @@
+const fs = require('fs');
+const path = require('path');
+const vm = require('vm');
+
+// CONTRACT:
+// This list is the script-side locale source of truth. Keep it in sync with
+// webapp/src/lib/i18n.ts whenever adding/removing a locale.
+const localeDir = path.join(__dirname, '..', 'webapp', 'src', 'lib', 'i18n', 'locales');
+
+const localeFiles = [
+  ['en', 'en.ts', 'en', 'English'],
+  ['zh-CN', 'zh-CN.ts', 'zhCN', 'Simplified Chinese'],
+  ['zh-TW', 'zh-TW.ts', 'zhTW', 'Traditional Chinese'],
+  ['ru', 'ru.ts', 'ru', 'Russian'],
+  ['es', 'es.ts', 'es', 'Spanish'],
+];
+
+function readLocale(fileName, variableName) {
+  let code = fs.readFileSync(path.join(localeDir, fileName), 'utf8');
+  code = code
+    .replace(/const (\w+): Record<string, string> =/g, 'const $1 =')
+    .replace(/export default \w+;\s*$/m, '');
+  code += `\nresult = ${variableName};`;
+  const sandbox = { result: null };
+  vm.createContext(sandbox);
+  vm.runInContext(code, sandbox, { filename: fileName });
+  return sandbox.result;
+}
+
+function writeLocale(fileName, variableName, table, header) {
+  const body = JSON.stringify(table, null, 2);
+  fs.writeFileSync(
+    path.join(localeDir, fileName),
+    `${header}\nconst ${variableName}: Record<string, string> = ${body};\n\nexport default ${variableName};\n`,
+    'utf8'
+  );
+}
+
+module.exports = {
+  localeFiles,
+  localeDir,
+  readLocale,
+  writeLocale,
+};
@@ -0,0 +1,72 @@
+const { localeFiles, readLocale } = require('./i18n-utils.cjs');
+
+// CONTRACT:
+// This is the authoritative locale consistency gate. It checks key parity,
+// placeholder parity, and accidental mostly-English locale files. Run after any
+// user-facing text or locale-file change.
+const locales = Object.fromEntries(
+  localeFiles.map(([locale, fileName, variableName]) => [locale, readLocale(fileName, variableName)])
+);
+const base = locales.en;
+const baseKeys = Object.keys(base).sort();
+const placeholderRe = /\{\w+\}/g;
+const errors = [];
+const intentionallyEnglishKeys = new Set([
+  'txt_backup_destination_detail_note',
+  'txt_backup_protocol_webdav',
+  'txt_backup_protocol_s3',
+  'txt_backup_recommend_group_webdav',
+  'txt_backup_recommend_group_s3',
+  'txt_backup_destination_name_default_webdav',
+  'txt_backup_destination_name_default_s3',
+  'txt_dash',
+  'txt_text_3',
+]);
+const intentionallyEnglishPrefixes = [
+  'txt_log_action_',
+  'txt_log_meta_',
+  'txt_log_reason_',
+  'txt_log_target_type_',
+  'txt_log_trigger_',
+];
+
+function isIntentionallyEnglishKey(key) {
+  return intentionallyEnglishKeys.has(key) || intentionallyEnglishPrefixes.some((prefix) => key.startsWith(prefix));
+}
+
+for (const [locale, table] of Object.entries(locales)) {
+  const keys = Object.keys(table).sort();
+  const missing = baseKeys.filter((key) => !(key in table));
+  const extra = keys.filter((key) => !baseKeys.includes(key));
+  if (missing.length || extra.length) {
+    errors.push({ locale, missing, extra });
+  }
+
+  for (const key of baseKeys) {
+    const basePlaceholders = Array.from(String(base[key]).matchAll(placeholderRe), (match) => match[0]).sort().join('|');
+    const localePlaceholders = Array.from(String(table[key]).matchAll(placeholderRe), (match) => match[0]).sort().join('|');
+    if (basePlaceholders !== localePlaceholders) {
+      errors.push({ locale, key, basePlaceholders, localePlaceholders });
+    }
+  }
+
+  if (locale !== 'en') {
+    const sameAsEnglish = baseKeys.filter((key) => table[key] === base[key] && !isIntentionallyEnglishKey(key));
+    if (sameAsEnglish.length > 40) {
+      errors.push({
+        locale,
+        sameAsEnglishCount: sameAsEnglish.length,
+        sameAsEnglishSample: sameAsEnglish.slice(0, 25),
+      });
+    }
+  }
+}
+
+console.log(JSON.stringify({
+  counts: Object.fromEntries(Object.entries(locales).map(([locale, table]) => [locale, Object.keys(table).length])),
+  errors,
+}, null, 2));
+
+if (errors.length) {
+  process.exit(1);
+}
@@ -0,0 +1,7 @@
+const fs = require('node:fs');
+const path = require('node:path');
+
+const distDir = path.resolve(__dirname, '..', 'dist');
+
+fs.mkdirSync(distDir, { recursive: true });
+fs.writeFileSync(path.join(distDir, '_redirects'), '/* /index.html 200\n');
@@ -0,0 +1,160 @@
+#!/usr/bin/env node
+
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+
+const DEFAULT_REF = 'main';
+const OUTPUT_DIR = path.join(process.cwd(), 'src', 'static');
+const OUT_FILE = path.join(OUTPUT_DIR, 'global_domains.bitwarden.json');
+const META_FILE = path.join(OUTPUT_DIR, 'global_domains.bitwarden.meta.json');
+const ENUM_PATH = 'src/Core/Enums/GlobalEquivalentDomainsType.cs';
+const STATIC_STORE_PATH = 'src/Core/Utilities/StaticStore.cs';
+
+function parseArgs(argv) {
+  const args = { ref: process.env.BITWARDEN_SERVER_REF || DEFAULT_REF };
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i];
+    if (arg === '--ref' && argv[i + 1]) {
+      args.ref = argv[i + 1];
+      i += 1;
+    } else if (arg.startsWith('--ref=')) {
+      args.ref = arg.slice('--ref='.length);
+    }
+  }
+  return args;
+}
+
+function rawUrl(ref, filePath) {
+  return `https://raw.githubusercontent.com/bitwarden/server/${encodeURIComponent(ref)}/${filePath}`;
+}
+
+async function fetchText(url) {
+  const response = await fetch(url, {
+    headers: {
+      'User-Agent': 'NodeWarden global domains sync',
+      Accept: 'text/plain',
+    },
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch ${url}: HTTP ${response.status}`);
+  }
+  return response.text();
+}
+
+function parseEnumTypes(source) {
+  const map = new Map();
+  const enumMatch = source.match(/enum\s+GlobalEquivalentDomainsType\b[\s\S]*?\{([\s\S]*?)\}/);
+  if (!enumMatch) {
+    throw new Error('GlobalEquivalentDomainsType enum was not found');
+  }
+
+  const body = enumMatch[1].replace(/\/\/.*$/gm, '');
+  const entryRe = /\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\d+)\b/g;
+  let match;
+  while ((match = entryRe.exec(body)) !== null) {
+    map.set(match[1], Number(match[2]));
+  }
+
+  if (!map.size) {
+    throw new Error('No enum values were parsed from GlobalEquivalentDomainsType');
+  }
+  return map;
+}
+
+function parseStringList(source) {
+  const domains = [];
+  const stringRe = /"((?:\\.|[^"\\])*)"/g;
+  let match;
+  while ((match = stringRe.exec(source)) !== null) {
+    domains.push(match[1].replace(/\\"/g, '"').trim().toLowerCase());
+  }
+  return Array.from(new Set(domains.filter(Boolean)));
+}
+
+function parseGlobalDomains(source, enumTypes) {
+  const out = [];
+  const addRe = /GlobalDomains\.Add\s*\(\s*GlobalEquivalentDomainsType\.([A-Za-z_][A-Za-z0-9_]*)\s*,\s*new\s+List(?:<\s*string\s*>)?\s*\{([\s\S]*?)\}\s*\)\s*;/g;
+  let match;
+  while ((match = addRe.exec(source)) !== null) {
+    const name = match[1];
+    const type = enumTypes.get(name);
+    if (!Number.isInteger(type)) {
+      throw new Error(`GlobalDomains references unknown enum value ${name}`);
+    }
+
+    const domains = parseStringList(match[2]);
+    if (domains.length < 2) {
+      throw new Error(`GlobalDomains.${name} has fewer than two domains`);
+    }
+
+    out.push({
+      type,
+      domains,
+      excluded: false,
+    });
+  }
+
+  if (!out.length) {
+    throw new Error('No GlobalDomains.Add(...) rules were parsed from StaticStore.cs');
+  }
+  return out;
+}
+
+function formatRulesJson(rules) {
+  return `[\n${rules.map((rule) => `  ${JSON.stringify(rule)}`).join(',\n')}\n]`;
+}
+
+function formatMetaJson(meta) {
+  return JSON.stringify(meta, null, 2);
+}
+
+const { ref } = parseArgs(process.argv.slice(2));
+const enumUrl = rawUrl(ref, ENUM_PATH);
+const staticStoreUrl = rawUrl(ref, STATIC_STORE_PATH);
+
+const [enumSource, staticStoreSource] = await Promise.all([
+  fetchText(enumUrl),
+  fetchText(staticStoreUrl),
+]);
+
+const enumTypes = parseEnumTypes(enumSource);
+const rules = parseGlobalDomains(staticStoreSource, enumTypes);
+const domainsCount = rules.reduce((sum, rule) => sum + rule.domains.length, 0);
+const rulesJson = formatRulesJson(rules);
+
+async function readJsonFile(filePath) {
+  try {
+    return JSON.parse(await readFile(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+const existingRules = await readJsonFile(OUT_FILE);
+const existingMeta = await readJsonFile(META_FILE);
+const unchangedRules = JSON.stringify(existingRules) === JSON.stringify(rules);
+const unchangedRef = existingMeta?.ref === ref;
+
+const meta = {
+  source: 'https://github.com/bitwarden/server',
+  ref,
+  generatedAt: unchangedRules && unchangedRef && existingMeta?.generatedAt
+    ? existingMeta.generatedAt
+    : new Date().toISOString(),
+  rulesCount: rules.length,
+  domainsCount,
+  sourceFiles: [
+    ENUM_PATH,
+    STATIC_STORE_PATH,
+  ],
+  sourceUrls: [
+    enumUrl,
+    staticStoreUrl,
+  ],
+};
+
+await mkdir(OUTPUT_DIR, { recursive: true });
+await writeFile(OUT_FILE, `${rulesJson}\n`, 'utf8');
+await writeFile(META_FILE, `${formatMetaJson(meta)}\n`, 'utf8');
+
+console.log(`Wrote ${rules.length} global domain rules (${domainsCount} domains) from bitwarden/server@${ref}.`);
@@ -1 +1 @@
-export const APP_VERSION = '1.4.2';
+export const APP_VERSION = '1.6.1';
@@ -1,13 +1,21 @@
+// Shared backup settings types used by both Worker and webapp code.
+//
+// CONTRACT:
+// Keep this file serializable and provider-neutral. Runtime state is operational
+// metadata; destination fields can contain provider credentials and must be
+// encrypted by src/services/backup-settings-crypto.ts before storage/export.
+// User-facing provider names should use canonical values here. Legacy aliases
+// belong in backend normalization, not in this shared type.
 export const BACKUP_DEFAULT_TIMEZONE = 'UTC';
 export const BACKUP_DEFAULT_RETENTION_COUNT = 30;
-export const BACKUP_DEFAULT_E3_REGION = 'auto';
+export const BACKUP_DEFAULT_S3_REGION = 'auto';
 export const BACKUP_DEFAULT_REMOTE_PATH = 'nodewarden';
 export const BACKUP_DEFAULT_INTERVAL_HOURS = 24;
 export const BACKUP_DEFAULT_START_TIME = '03:00';

-export type BackupDestinationType = 'e3' | 'webdav';
+export type BackupDestinationType = 's3' | 'webdav';

-export interface E3BackupDestination {
+export interface S3BackupDestination {
  endpoint: string;
  bucket: string;
  region: string;
@@ -24,7 +32,7 @@ export interface WebDavBackupDestination {
 }

 export type BackupDestinationConfig =
-  | E3BackupDestination
+  | S3BackupDestination
  | WebDavBackupDestination;

 export interface BackupRuntimeState {
@@ -91,11 +99,11 @@ export function createDefaultBackupScheduleConfig(timezone: string = BACKUP_DEFA
 }

 export function createDefaultBackupDestinationConfig(type: BackupDestinationType): BackupDestinationConfig {
-  if (type === 'e3') {
+  if (type === 's3') {
    return {
      endpoint: '',
      bucket: '',
-      region: BACKUP_DEFAULT_E3_REGION,
+      region: BACKUP_DEFAULT_S3_REGION,
      accessKeyId: '',
      secretAccessKey: '',
      rootPath: BACKUP_DEFAULT_REMOTE_PATH,
@@ -110,7 +118,7 @@ export function createDefaultBackupDestinationConfig(type: BackupDestinationType
 }

 export function createDefaultBackupDestinationName(type: BackupDestinationType, index: number): string {
-  if (type === 'e3') return `E3 ${index}`;
+  if (type === 's3') return `S3 ${index}`;
  return `WebDAV ${index}`;
 }

@@ -0,0 +1,151 @@
+const MULTI_LABEL_PUBLIC_SUFFIXES = new Set([
+  'ac.cn',
+  'com.cn',
+  'edu.cn',
+  'gov.cn',
+  'net.cn',
+  'org.cn',
+  'ah.cn',
+  'bj.cn',
+  'cq.cn',
+  'fj.cn',
+  'gd.cn',
+  'gs.cn',
+  'gx.cn',
+  'gz.cn',
+  'ha.cn',
+  'hb.cn',
+  'he.cn',
+  'hi.cn',
+  'hk.cn',
+  'hl.cn',
+  'hn.cn',
+  'jl.cn',
+  'js.cn',
+  'jx.cn',
+  'ln.cn',
+  'mo.cn',
+  'nm.cn',
+  'nx.cn',
+  'qh.cn',
+  'sc.cn',
+  'sd.cn',
+  'sh.cn',
+  'sn.cn',
+  'sx.cn',
+  'tj.cn',
+  'tw.cn',
+  'xj.cn',
+  'xz.cn',
+  'yn.cn',
+  'zj.cn',
+  'co.uk',
+  'org.uk',
+  'net.uk',
+  'ac.uk',
+  'gov.uk',
+  'com.au',
+  'net.au',
+  'org.au',
+  'edu.au',
+  'gov.au',
+  'co.nz',
+  'org.nz',
+  'net.nz',
+  'com.br',
+  'com.mx',
+  'com.ar',
+  'com.tr',
+  'com.sg',
+  'com.my',
+  'com.hk',
+  'com.tw',
+  'co.jp',
+  'ne.jp',
+  'or.jp',
+  'co.kr',
+  'or.kr',
+  'co.in',
+  'firm.in',
+  'net.in',
+  'org.in',
+  'co.id',
+  'or.id',
+  'web.id',
+  'co.il',
+  'org.il',
+  'co.za',
+  'com.sa',
+  'com.ph',
+  'com.vn',
+  'com.pk',
+  'com.bd',
+  'com.ng',
+  'github.io',
+  'pages.dev',
+  'workers.dev',
+  'cloudflareaccess.com',
+  'vercel.app',
+  'netlify.app',
+  'web.app',
+  'firebaseapp.com',
+  'herokuapp.com',
+  'fly.dev',
+  'railway.app',
+  'render.com',
+  'onrender.com',
+]);
+
+function extractHost(input: string): string {
+  let raw = input.trim().toLowerCase();
+  if (!raw) return '';
+  raw = raw.replace(/\\/g, '/');
+
+  try {
+    const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `https://${raw}`;
+    const parsed = new URL(candidate);
+    raw = parsed.hostname;
+  } catch {
+    raw = raw.split(/[/?#]/, 1)[0] || '';
+    const atIndex = raw.lastIndexOf('@');
+    if (atIndex >= 0) raw = raw.slice(atIndex + 1);
+    if (raw.startsWith('[')) return '';
+    const colonIndex = raw.lastIndexOf(':');
+    if (colonIndex > -1 && raw.indexOf(':') === colonIndex) raw = raw.slice(0, colonIndex);
+  }
+
+  return raw
+    .replace(/^\*+\./, '')
+    .replace(/^\.+/, '')
+    .replace(/\.+$/, '');
+}
+
+function isValidHost(host: string): boolean {
+  if (!host || host.length > 253 || !host.includes('.')) return false;
+  if (host.includes('..') || /[:/\s]/.test(host)) return false;
+  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(host)) return false;
+  return host.split('.').every((label) => (
+    label.length > 0
+    && label.length <= 63
+    && /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/.test(label)
+  ));
+}
+
+export function normalizeEquivalentDomain(value: unknown): string {
+  const host = extractHost(String(value || ''));
+  if (!isValidHost(host)) return '';
+
+  const labels = host.split('.');
+  for (let index = 0; index < labels.length; index += 1) {
+    const suffix = labels.slice(index).join('.');
+    if (!MULTI_LABEL_PUBLIC_SUFFIXES.has(suffix)) continue;
+    if (index === 0) return '';
+    return labels.slice(index - 1).join('.');
+  }
+
+  return labels.length >= 2 ? labels.slice(-2).join('.') : '';
+}
+
+export function isValidEquivalentDomain(value: unknown): boolean {
+  return !!normalizeEquivalentDomain(value);
+}
@@ -5,10 +5,10 @@
    accessTokenTtlSeconds: 7200,
    // Refresh token lifetime in milliseconds.
    // 刷新令牌有效期（毫秒）。
-    refreshTokenTtlMs: 30 * 24 * 60 * 60 * 1000,
+    refreshTokenTtlMs: 365 * 24 * 60 * 60 * 1000,
    // Grace window for previous refresh token after rotation (ms).
    // 刷新令牌轮换后的旧令牌宽限窗口（毫秒）。
-    refreshTokenOverlapGraceMs: 60 * 1000,
+    refreshTokenOverlapGraceMs: 30 * 60 * 1000,
    // Refresh token random byte length.
    // 刷新令牌随机字节长度。
    refreshTokenRandomBytes: 32,
@@ -24,6 +24,9 @@
    // Default PBKDF2 iterations for account creation/prelogin fallback.
    // 账户创建与预登录回退使用的默认 PBKDF2 迭代次数。
    defaultKdfIterations: 600000,
+    // clientSecret length
+    // clientSecret 长度
+    clientSecretLength: 30,
  },
  rateLimit: {
    // Max failed login attempts before temporary lock.
@@ -41,6 +44,9 @@
    // Public read-only request budget per IP per minute.
    // 公开只读接口每 IP 每分钟请求配额。
    publicReadRequestsPerMinute: 120,
+    // Public website icon proxy budget per IP per minute.
+    // 公开网站图标代理每 IP 每分钟请求配额。
+    publicIconRequestsPerMinute: 500,
    // Sensitive public/auth request budget per IP per minute.
    // 敏感公开/认证接口每 IP 每分钟请求配额。
    sensitivePublicRequestsPerMinute: 30,
@@ -130,6 +136,9 @@
    // Max total items (folders + ciphers) allowed in a single import.
    // 单次导入允许的最大条目数（文件夹 + 密码项合计）。
    importItemLimit: 5000,
+    // Small fixed concurrency for blob/attachment batch cleanup work.
+    // 附件 / blob 批量清理时的保守并发数。
+    attachmentDeleteConcurrency: 4,
  },
  request: {
    // Hard body size limit for JSON API endpoints (bytes). File upload paths are exempt.
@@ -139,6 +148,11 @@
  compatibility: {
    // Single source of truth for /config.version and /api/version.
    // /config.version 与 /api/version 的统一版本号来源。
-    bitwardenServerVersion: '2026.1.0',
+    bitwardenServerVersion: '2026.4.1',
+    // Official 2026.4.x clients need this flag to receive and use cipher.key.
+    // Hiding existing item keys makes item-key encrypted vault data unreadable.
+    // 官方 2026.4.x 客户端需要该开关来接收并使用 cipher.key。
+    // 隐藏已有逐项密钥会导致逐项密钥加密的密码库数据无法解密。
+    cipherKeyEncryptionFeatureEnabled: true,
  },
 } as const;
@@ -0,0 +1,465 @@
+import type { Env } from '../types';
+import type { BackupDestinationRecord } from '../services/backup-config';
+import {
+  BACKUP_SCHEDULER_WINDOW_MINUTES,
+  requireBackupDestination,
+  hasBackupSlotBetween,
+  isBackupDueNow,
+  loadBackupSettings,
+} from '../services/backup-config';
+import {
+  createRemoteBackupTransferSession,
+  downloadRemoteBackupFile,
+  ensureRemoteRestoreCandidate,
+} from '../services/backup-uploader';
+import { getBlobObject } from '../services/blob-store';
+import { StorageService } from '../services/storage';
+import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from './notifications-hub';
+import {
+  executeConfiguredBackup,
+  importAndAuditRemoteBackupFile,
+} from '../handlers/backup';
+import { verifyBackupArchiveFileNameChecksum } from '../services/backup-archive';
+import { zipSync } from 'fflate';
+
+const BACKUP_JOB_STATE_KEY = 'backup.job.state.v1';
+const BACKUP_JOB_LEASE_MS = 10 * 60 * 1000;
+const BACKUP_JOB_HEARTBEAT_MS = 30 * 1000;
+
+interface BackupJobState {
+  token: string;
+  reason: string;
+  acquiredAt: string;
+  touchedAt: string;
+  expiresAtMs: number;
+}
+
+interface RemoteAttachmentChunkRequest {
+  destination: BackupDestinationRecord;
+  attachments: Array<{
+    blobName: string;
+  }>;
+}
+
+interface RemoteAttachmentDownloadRequest {
+  destination: BackupDestinationRecord;
+  blobName?: string | null;
+}
+
+interface RemoteAttachmentBatchDownloadRequest {
+  destination: BackupDestinationRecord;
+  blobNames?: string[] | null;
+}
+
+interface ConfiguredBackupRunRequest {
+  actorUserId?: string | null;
+  auditMetadata?: Record<string, unknown> | null;
+  destinationId?: string | null;
+  targetDeviceIdentifier?: string | null;
+  trigger?: 'manual' | 'scheduled';
+}
+
+interface RemoteBackupRestoreRequest {
+  actorUserId?: string | null;
+  allowChecksumMismatch?: boolean;
+  auditMetadata?: Record<string, unknown> | null;
+  destinationId?: string | null;
+  path?: string | null;
+  replaceExisting?: boolean;
+  targetDeviceIdentifier?: string | null;
+}
+
+function badRequest(message: string, status: number = 400): Response {
+  return new Response(JSON.stringify({ error: message }), {
+    status,
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+      'Cache-Control': 'no-store',
+    },
+  });
+}
+
+export class BackupTransferRunner {
+  private lastHeartbeatAt = 0;
+
+  constructor(
+    private readonly state: DurableObjectState,
+    private readonly env: Env
+  ) {
+  }
+
+  private async acquireJob(reason: string): Promise<string | null> {
+    const nowMs = Date.now();
+    const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
+    if (current?.expiresAtMs && current.expiresAtMs > nowMs) {
+      return null;
+    }
+
+    const token = crypto.randomUUID();
+    const nowIso = new Date(nowMs).toISOString();
+    await this.state.storage.put<BackupJobState>(BACKUP_JOB_STATE_KEY, {
+      token,
+      reason,
+      acquiredAt: nowIso,
+      touchedAt: nowIso,
+      expiresAtMs: nowMs + BACKUP_JOB_LEASE_MS,
+    });
+    this.lastHeartbeatAt = 0;
+    return token;
+  }
+
+  private async touchJob(token: string): Promise<void> {
+    const nowMs = Date.now();
+    if (nowMs - this.lastHeartbeatAt < BACKUP_JOB_HEARTBEAT_MS) return;
+    this.lastHeartbeatAt = nowMs;
+
+    const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
+    if (current?.token !== token) return;
+
+    await this.state.storage.put<BackupJobState>(BACKUP_JOB_STATE_KEY, {
+      ...current,
+      touchedAt: new Date(nowMs).toISOString(),
+      expiresAtMs: nowMs + BACKUP_JOB_LEASE_MS,
+    });
+  }
+
+  private async releaseJob(token: string): Promise<void> {
+    const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
+    if (current?.token === token) {
+      await this.state.storage.delete(BACKUP_JOB_STATE_KEY);
+    }
+  }
+
+  private async runConfiguredBackup(request: Request): Promise<Response> {
+    let body: ConfiguredBackupRunRequest;
+    try {
+      body = await request.json<ConfiguredBackupRunRequest>();
+    } catch {
+      return badRequest('Backup run payload is invalid');
+    }
+
+    const trigger = body.trigger === 'scheduled' ? 'scheduled' : 'manual';
+    const actorUserId = String(body.actorUserId || '').trim() || null;
+    if (trigger === 'manual' && !actorUserId) {
+      return badRequest('Manual backup run requires an actor');
+    }
+
+    const token = await this.acquireJob(`${trigger}:${actorUserId || 'system'}`);
+    if (!token) {
+      return badRequest('Another backup run is already in progress', 409);
+    }
+
+    try {
+      await this.touchJob(token);
+      const storage = new StorageService(this.env.DB);
+      const progress = actorUserId
+        ? async (event: {
+          operation: 'backup-remote-run';
+          step: string;
+          fileName: string;
+          stageTitle: string;
+          stageDetail: string;
+          done?: boolean;
+          ok?: boolean;
+          error?: string | null;
+        }) => {
+          await notifyUserBackupProgress(
+            this.env,
+            actorUserId,
+            event,
+            String(body.targetDeviceIdentifier || '').trim() || null
+          );
+        }
+        : null;
+
+      const result = await executeConfiguredBackup(
+        this.env,
+        storage,
+        actorUserId,
+        trigger,
+        body.destinationId || null,
+        () => this.touchJob(token),
+        progress,
+        body.auditMetadata || null
+      );
+      const settings = await loadBackupSettings(storage, this.env, 'UTC');
+
+      return new Response(JSON.stringify({
+        object: 'backup-runner-result',
+        result,
+        settings,
+      }), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json; charset=utf-8',
+          'Cache-Control': 'no-store',
+        },
+      });
+    } catch (error) {
+      return badRequest(error instanceof Error ? error.message : 'Backup run failed', 500);
+    } finally {
+      await this.releaseJob(token);
+    }
+  }
+
+  private async runScheduledBackups(): Promise<Response> {
+    const token = await this.acquireJob('scheduled');
+    if (!token) {
+      return badRequest('Another backup run is already in progress', 409);
+    }
+
+    let completed = 0;
+    try {
+      await this.touchJob(token);
+      const storage = new StorageService(this.env.DB);
+      let scanStartMs = Date.now();
+
+      while (true) {
+        await this.touchJob(token);
+        const settings = await loadBackupSettings(storage, this.env, 'UTC');
+        const now = new Date();
+        const dueDestinations = settings.destinations.filter((destination) =>
+          isBackupDueNow(destination, now, BACKUP_SCHEDULER_WINDOW_MINUTES)
+          || hasBackupSlotBetween(destination, new Date(scanStartMs), now)
+        );
+
+        if (!dueDestinations.length) {
+          break;
+        }
+
+        scanStartMs = now.getTime();
+        for (const destination of dueDestinations) {
+          await this.touchJob(token);
+          await executeConfiguredBackup(
+            this.env,
+            storage,
+            null,
+            'scheduled',
+            destination.id,
+            () => this.touchJob(token)
+          );
+          completed += 1;
+        }
+      }
+
+      return new Response(JSON.stringify({
+        ok: true,
+        completed,
+      }), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json; charset=utf-8',
+          'Cache-Control': 'no-store',
+        },
+      });
+    } catch (error) {
+      return badRequest(error instanceof Error ? error.message : 'Scheduled backup failed', 500);
+    } finally {
+      await this.releaseJob(token);
+    }
+  }
+
+  private async restoreRemoteBackup(request: Request): Promise<Response> {
+    let body: RemoteBackupRestoreRequest;
+    try {
+      body = await request.json<RemoteBackupRestoreRequest>();
+    } catch {
+      return badRequest('Remote restore payload is invalid');
+    }
+
+    const actorUserId = String(body.actorUserId || '').trim() || null;
+    if (!actorUserId) {
+      return badRequest('Remote restore requires an actor');
+    }
+
+    const token = await this.acquireJob(`restore:${actorUserId}`);
+    if (!token) {
+      return badRequest('Another backup or restore run is already in progress', 409);
+    }
+
+    try {
+      await this.touchJob(token);
+      const storage = new StorageService(this.env.DB);
+      const settings = await loadBackupSettings(storage, this.env, 'UTC');
+      const destination = requireBackupDestination(settings, body.destinationId || null);
+      const path = ensureRemoteRestoreCandidate(String(body.path || ''));
+      const restoreFileNameFromPath = path.split('/').pop() || path;
+      const targetDeviceIdentifier = String(body.targetDeviceIdentifier || '').trim() || null;
+      const replaceExisting = !!body.replaceExisting;
+
+      await notifyUserBackupRestoreProgress(
+        this.env,
+        actorUserId,
+        {
+          operation: 'backup-restore',
+          source: 'remote',
+          step: 'remote_fetch_archive',
+          fileName: restoreFileNameFromPath,
+          stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
+          stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
+          replaceExisting,
+        },
+        targetDeviceIdentifier
+      );
+
+      const remoteFile = await downloadRemoteBackupFile(destination, path);
+      const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
+      if (!checksumOk && !body.allowChecksumMismatch) {
+        return badRequest('Remote backup file checksum does not match its filename');
+      }
+
+      const result = await importAndAuditRemoteBackupFile(
+        this.env,
+        storage,
+        actorUserId,
+        remoteFile,
+        destination,
+        path,
+        replaceExisting,
+        !checksumOk,
+        body.auditMetadata || null,
+        targetDeviceIdentifier
+      );
+
+      return new Response(JSON.stringify(result.result), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json; charset=utf-8',
+          'Cache-Control': 'no-store',
+        },
+      });
+    } catch (error) {
+      return badRequest(error instanceof Error ? error.message : 'Remote backup restore failed', 500);
+    } finally {
+      await this.releaseJob(token);
+    }
+  }
+
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+    if (request.method !== 'POST') {
+      return badRequest('Not found', 404);
+    }
+
+    if (url.pathname === '/internal/run-configured-backup') {
+      return this.runConfiguredBackup(request);
+    }
+
+    if (url.pathname === '/internal/run-scheduled-backups') {
+      return this.runScheduledBackups();
+    }
+
+    if (url.pathname === '/internal/restore-remote-backup') {
+      return this.restoreRemoteBackup(request);
+    }
+
+    if (url.pathname === '/internal/download-remote-attachment') {
+      let body: RemoteAttachmentDownloadRequest;
+      try {
+        body = await request.json<RemoteAttachmentDownloadRequest>();
+      } catch {
+        return badRequest('Remote attachment download payload is invalid');
+      }
+      const blobName = String(body?.blobName || '').trim();
+      if (!body?.destination || !blobName) {
+        return badRequest('Remote attachment download payload is invalid');
+      }
+      const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
+      if (!file) {
+        return badRequest('Remote attachment not found', 404);
+      }
+      return new Response(file.bytes, {
+        status: 200,
+        headers: {
+          'Content-Type': file.contentType || 'application/octet-stream',
+          'Cache-Control': 'no-store',
+        },
+      });
+    }
+
+    if (url.pathname === '/internal/download-remote-attachment-batch') {
+      let body: RemoteAttachmentBatchDownloadRequest;
+      try {
+        body = await request.json<RemoteAttachmentBatchDownloadRequest>();
+      } catch {
+        return badRequest('Remote attachment batch download payload is invalid');
+      }
+      const blobNames = Array.from(new Set(
+        (Array.isArray(body?.blobNames) ? body.blobNames : [])
+          .map((blobName) => String(blobName || '').trim())
+          .filter(Boolean)
+      ));
+      if (!body?.destination || !blobNames.length || blobNames.length > 40) {
+        return badRequest('Remote attachment batch download payload is invalid');
+      }
+
+      const encoder = new TextEncoder();
+      const entries: Array<{ blobName: string; path: string }> = [];
+      const files: Record<string, Uint8Array> = {};
+      for (let i = 0; i < blobNames.length; i += 1) {
+        const blobName = blobNames[i];
+        const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
+        if (!file) continue;
+        const path = `files/${i}.bin`;
+        entries.push({ blobName, path });
+        files[path] = file.bytes;
+      }
+      files['manifest.json'] = encoder.encode(JSON.stringify({ version: 1, entries }));
+
+      return new Response(zipSync(files), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/zip',
+          'Cache-Control': 'no-store',
+        },
+      });
+    }
+
+    if (url.pathname !== '/internal/upload-attachment-chunk') {
+      return badRequest('Not found', 404);
+    }
+
+    let body: RemoteAttachmentChunkRequest;
+    try {
+      body = await request.json<RemoteAttachmentChunkRequest>();
+    } catch {
+      return badRequest('Attachment chunk payload is invalid');
+    }
+
+    if (!body?.destination || !Array.isArray(body.attachments)) {
+      return badRequest('Attachment chunk payload is invalid');
+    }
+
+    const remoteSession = createRemoteBackupTransferSession(body.destination);
+    let uploaded = 0;
+
+    for (const attachment of body.attachments) {
+      const blobName = String(attachment?.blobName || '').trim();
+      if (!blobName) {
+        return badRequest('Attachment chunk payload is invalid');
+      }
+
+      const object = await getBlobObject(this.env, blobName);
+      if (!object) {
+        return badRequest(`Attachment blob missing for ${blobName}`, 409);
+      }
+
+      const bytes = new Uint8Array(await new Response(object.body).arrayBuffer());
+      await remoteSession.putFile(`attachments/${blobName}`, bytes, {
+        contentType: object.contentType,
+      });
+      uploaded += 1;
+    }
+
+    return new Response(JSON.stringify({
+      ok: true,
+      uploaded,
+    }), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+      },
+    });
+  }
+}
@@ -1,16 +1,21 @@
+import { DurableObject, waitUntil } from 'cloudflare:workers';
 import type { Env } from '../types';

 const SIGNALR_RECORD_SEPARATOR = 0x1e;
 const SIGNALR_HANDSHAKE_ACK = new Uint8Array([0x7b, 0x7d, SIGNALR_RECORD_SEPARATOR]);
 const SIGNALR_UPDATE_TYPE_SYNC_VAULT = 5;
 const SIGNALR_UPDATE_TYPE_LOG_OUT = 11;
-const SIGNALR_UPDATE_TYPE_DEVICE_STATUS = 12;
 const SIGNALR_UPDATE_TYPE_BACKUP_RESTORE_PROGRESS = 13;
-const SIGNALR_PING_INTERVAL_MS = 15_000;
+const SIGNALR_UPDATE_TYPE_AUTH_REQUEST = 15;
+const SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE = 16;

 type HubProtocol = 'json' | 'messagepack';
+type HubKind = 'user' | 'anonymous-auth-request';

-interface ConnectionState {
+interface WsAttachment {
+  kind: HubKind;
+  userId: string | null;
+  authRequestId: string | null;
  handshakeComplete: boolean;
  protocol: HubProtocol;
  deviceIdentifier: string | null;
@@ -31,6 +36,12 @@ function encodeUtf8(value: string): Uint8Array {
  return new TextEncoder().encode(value);
 }

+function decodeIncomingMessage(data: string | ArrayBuffer | ArrayBufferView): string {
+  if (typeof data === 'string') return data;
+  if (data instanceof ArrayBuffer) return new TextDecoder().decode(new Uint8Array(data));
+  return new TextDecoder().decode(new Uint8Array(data.buffer, data.byteOffset, data.byteLength));
+}
+
 function encodeMsgPackInteger(value: number): Uint8Array {
  const normalized = Math.trunc(value);
  if (normalized >= 0 && normalized <= 0x7f) {
@@ -130,11 +141,12 @@ function frameSignalRBinary(payload: Uint8Array): Uint8Array {
 function buildSignalRJsonInvocation(
  updateType: number,
  payload: Record<string, unknown>,
-  contextId: string | null
+  contextId: string | null,
+  target: string = 'ReceiveMessage'
 ): string {
  return JSON.stringify({
    type: 1,
-    target: 'ReceiveMessage',
+    target,
    arguments: [
        {
          ContextId: contextId,
@@ -145,14 +157,11 @@ function buildSignalRJsonInvocation(
    }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR);
 }

-function buildSignalRJsonPing(): string {
-  return JSON.stringify({ type: 6 }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR);
-}
-
 function buildSignalRMessagePackInvocation(
  updateType: number,
  messagePayload: Record<string, unknown>,
-  contextId: string | null
+  contextId: string | null,
+  target: string = 'ReceiveMessage'
 ): Uint8Array {
  // SignalR MessagePack hub protocol uses an array-based invocation shape:
  // [type, headers, invocationId, target, arguments]
@@ -160,7 +169,7 @@ function buildSignalRMessagePackInvocation(
    1,
    {},
    null,
-    'ReceiveMessage',
+    target,
    [
      {
        ContextId: contextId,
@@ -172,24 +181,15 @@ function buildSignalRMessagePackInvocation(
  return frameSignalRBinary(encodedPayload);
 }

-function buildSignalRMessagePackPing(): Uint8Array {
-  return frameSignalRBinary(encodeMsgPack([6]));
-}
-
-function decodeIncomingMessage(data: string | ArrayBuffer | ArrayBufferView): string {
-  if (typeof data === 'string') return data;
-  if (data instanceof ArrayBuffer) return new TextDecoder().decode(new Uint8Array(data));
-  return new TextDecoder().decode(new Uint8Array(data.buffer, data.byteOffset, data.byteLength));
-}
-
-export class NotificationsHub {
-  private readonly connections = new Map<WebSocket, ConnectionState>();
-  private userId = '';
-  private pingTimer: ReturnType<typeof setInterval> | null = null;
-
-  constructor(private readonly state: DurableObjectState, private readonly env: Env) {
-    void this.state;
-    void this.env;
+export class NotificationsHub extends DurableObject<Env> {
+  constructor(ctx: DurableObjectState, env: Env) {
+    super(ctx, env);
+    this.ctx.setWebSocketAutoResponse(
+      new WebSocketRequestResponsePair(
+        JSON.stringify({ type: 6 }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR),
+        JSON.stringify({ type: 6 }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR)
+      )
+    );
  }

  async fetch(request: Request): Promise<Response> {
@@ -205,20 +205,34 @@ export class NotificationsHub {
        payload?: Record<string, unknown> | null;
      } | null;
      const revisionDate = String(body?.revisionDate || '').trim() || new Date().toISOString();
-      this.userId = String(request.headers.get('X-NodeWarden-UserId') || body?.userId || this.userId).trim();
+      const userId = String(request.headers.get('X-NodeWarden-UserId') || body?.userId || '').trim();
      const contextId = String(body?.contextId || '').trim() || null;
      const updateType = Number(body?.updateType || SIGNALR_UPDATE_TYPE_SYNC_VAULT) || SIGNALR_UPDATE_TYPE_SYNC_VAULT;
      const targetDeviceIdentifier = String(body?.targetDeviceIdentifier || '').trim() || null;
      const payload = body?.payload && typeof body.payload === 'object'
        ? body.payload
        : {
-          UserId: this.userId,
+          UserId: userId,
          Date: revisionDate,
        };
      this.broadcastMessage(updateType, payload, contextId, targetDeviceIdentifier);
      return new Response(null, { status: 204 });
    }

+    if (url.pathname === '/internal/auth-request-response' && request.method === 'POST') {
+      const body = (await request.json().catch(() => null)) as {
+        userId?: string;
+        authRequestId?: string;
+        contextId?: string | null;
+      } | null;
+      const userId = String(body?.userId || '').trim();
+      const authRequestId = String(body?.authRequestId || '').trim();
+      if (!userId || !authRequestId) return new Response('Invalid auth request notification', { status: 400 });
+
+      this.broadcastAuthRequestResponse(userId, authRequestId, String(body?.contextId || '').trim() || null);
+      return new Response(null, { status: 204 });
+    }
+
    if (url.pathname === '/internal/online' && request.method === 'GET') {
      return new Response(JSON.stringify({ deviceIdentifiers: this.getOnlineDeviceIdentifiers() }), {
        status: 200,
@@ -228,7 +242,7 @@ export class NotificationsHub {
      });
    }

-    if (url.pathname !== '/notifications/hub') {
+    if (url.pathname !== '/notifications/hub' && url.pathname !== '/notifications/anonymous-hub') {
      return new Response('Not found', { status: 404 });
    }

@@ -238,46 +252,34 @@ export class NotificationsHub {

    const requestUserId = String(url.searchParams.get('nw_uid') || '').trim();
    const requestDeviceIdentifier = String(url.searchParams.get('nw_did') || '').trim() || null;
-    if (requestUserId) {
-      this.userId = requestUserId;
-    }
+    const requestAuthRequestId = String(url.searchParams.get('nw_auth_request_id') || '').trim() || null;
+    const isAnonymousAuthRequestHub = url.pathname === '/notifications/anonymous-hub';

-    if (!this.userId) {
+    if (!isAnonymousAuthRequestHub && !requestUserId) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+    if (isAnonymousAuthRequestHub && !requestAuthRequestId) {
      return new Response('Unauthorized', { status: 401 });
    }

    const pair = new WebSocketPair();
    const client = pair[0];
    const server = pair[1];
-    server.accept();

-    this.connections.set(server, {
+    const tags: string[] = [];
+    if (requestDeviceIdentifier) {
+      tags.push(`device:${requestDeviceIdentifier}`);
+    }
+    this.ctx.acceptWebSocket(server, tags);
+
+    server.serializeAttachment({
+      kind: isAnonymousAuthRequestHub ? 'anonymous-auth-request' : 'user',
+      userId: isAnonymousAuthRequestHub ? null : requestUserId,
+      authRequestId: requestAuthRequestId,
      handshakeComplete: false,
      protocol: 'messagepack',
      deviceIdentifier: requestDeviceIdentifier,
-    });
-    this.ensurePingLoop();
-
-    server.addEventListener('message', (event) => {
-      void this.handleSocketMessage(server, event.data);
-    });
-    server.addEventListener('close', () => {
-      const shouldBroadcast = !!this.connections.get(server)?.handshakeComplete;
-      this.connections.delete(server);
-      this.stopPingLoopIfIdle();
-      if (shouldBroadcast) this.broadcastDeviceStatus();
-    });
-    server.addEventListener('error', () => {
-      const shouldBroadcast = !!this.connections.get(server)?.handshakeComplete;
-      this.connections.delete(server);
-      this.stopPingLoopIfIdle();
-      if (shouldBroadcast) this.broadcastDeviceStatus();
-      try {
-        server.close(1011, 'Socket error');
-      } catch {
-        // ignore close races
-      }
-    });
+    } satisfies WsAttachment);

    return new Response(null, {
      status: 101,
@@ -285,21 +287,20 @@ export class NotificationsHub {
    });
  }

-  private async handleSocketMessage(socket: WebSocket, rawData: string | ArrayBuffer | ArrayBufferView): Promise<void> {
-    const connection = this.connections.get(socket);
-    if (!connection) return;
+  async webSocketMessage(ws: WebSocket, message: string | ArrayBuffer | ArrayBufferView): Promise<void> {
+    const attachment = ws.deserializeAttachment() as WsAttachment | null;
+    if (!attachment) return;

-    if (!connection.handshakeComplete) {
-      const text = decodeIncomingMessage(rawData);
+    if (!attachment.handshakeComplete) {
+      const text = decodeIncomingMessage(message);
      const frames = text.split(String.fromCharCode(SIGNALR_RECORD_SEPARATOR)).filter(Boolean);
      for (const frame of frames) {
        try {
          const handshake = JSON.parse(frame) as { protocol?: string };
-          const protocol = handshake.protocol === 'json' ? 'json' : 'messagepack';
-          connection.protocol = protocol;
-          connection.handshakeComplete = true;
-          socket.send(SIGNALR_HANDSHAKE_ACK);
-          this.broadcastDeviceStatus();
+          attachment.protocol = handshake.protocol === 'json' ? 'json' : 'messagepack';
+          attachment.handshakeComplete = true;
+          ws.serializeAttachment(attachment);
+          ws.send(SIGNALR_HANDSHAKE_ACK);
          return;
        } catch {
          // Ignore malformed pre-handshake payloads.
@@ -307,53 +308,34 @@ export class NotificationsHub {
      }
      return;
    }
-  }

-  private ensurePingLoop(): void {
-    if (this.pingTimer !== null) return;
-    this.pingTimer = setInterval(() => {
-      this.broadcastPing();
-    }, SIGNALR_PING_INTERVAL_MS);
-  }
-
-  private stopPingLoopIfIdle(): void {
-    if (this.connections.size > 0 || this.pingTimer === null) return;
-    clearInterval(this.pingTimer);
-    this.pingTimer = null;
-  }
-
-  private broadcastPing(): void {
-    if (this.connections.size === 0) {
-      this.stopPingLoopIfIdle();
-      return;
-    }
-
-    for (const [socket, connection] of this.connections) {
-      if (!connection.handshakeComplete) continue;
+    if (typeof message !== 'string') {
      try {
-        if (connection.protocol === 'json') {
-          socket.send(buildSignalRJsonPing());
-        } else {
-          socket.send(buildSignalRMessagePackPing());
-        }
+        ws.send(message);
      } catch {
-        this.connections.delete(socket);
-        try {
-          socket.close(1011, 'Ping send failed');
-        } catch {
-          // ignore close races
-        }
+        // ignore send errors on echo
      }
    }
+  }

-    this.stopPingLoopIfIdle();
+  async webSocketClose(ws: WebSocket, code: number, reason: string, wasClean: boolean): Promise<void> {
+    void ws;
+    void code;
+    void reason;
+    void wasClean;
+  }
+
+  async webSocketError(ws: WebSocket, error: unknown): Promise<void> {
+    void ws;
+    void error;
  }

  private getOnlineDeviceIdentifiers(): string[] {
    const out = new Set<string>();
-    for (const connection of this.connections.values()) {
-      if (!connection.handshakeComplete || !connection.deviceIdentifier) continue;
-      out.add(connection.deviceIdentifier);
+    for (const ws of this.ctx.getWebSockets()) {
+      const attachment = ws.deserializeAttachment() as WsAttachment | null;
+      if (!attachment?.handshakeComplete || attachment.kind !== 'user' || !attachment.deviceIdentifier) continue;
+      out.add(attachment.deviceIdentifier);
    }
    return Array.from(out);
  }
@@ -364,58 +346,88 @@ export class NotificationsHub {
    contextId: string | null,
    targetDeviceIdentifier: string | null
  ): void {
-    if (!this.userId || this.connections.size === 0) return;
+    const sockets = targetDeviceIdentifier
+      ? this.ctx.getWebSockets(`device:${targetDeviceIdentifier}`)
+      : this.ctx.getWebSockets();

-    for (const [socket, connection] of this.connections) {
-      if (!connection.handshakeComplete) continue;
-      if (targetDeviceIdentifier && connection.deviceIdentifier !== targetDeviceIdentifier) continue;
+    if (sockets.length === 0) return;
+
+    for (const ws of sockets) {
+      const attachment = ws.deserializeAttachment() as WsAttachment | null;
+      if (!attachment?.handshakeComplete) continue;
      try {
-        if (connection.protocol === 'json') {
-          socket.send(buildSignalRJsonInvocation(updateType, payload, contextId));
+        if (attachment.protocol === 'json') {
+          ws.send(buildSignalRJsonInvocation(updateType, payload, contextId));
        } else {
-          socket.send(buildSignalRMessagePackInvocation(updateType, payload, contextId));
+          ws.send(buildSignalRMessagePackInvocation(updateType, payload, contextId));
        }
      } catch {
-        this.connections.delete(socket);
        try {
-          socket.close(1011, 'Notification send failed');
+          ws.close(1011, 'Notification send failed');
        } catch {
          // ignore close races
        }
      }
    }
-
-    this.stopPingLoopIfIdle();
  }

-  private broadcastDeviceStatus(): void {
-    this.broadcastMessage(
-      SIGNALR_UPDATE_TYPE_DEVICE_STATUS,
-      {
-        UserId: this.userId,
-        Date: new Date().toISOString(),
-      },
-      null,
-      null
-    );
+  private broadcastAuthRequestResponse(userId: string, authRequestId: string, contextId: string | null): void {
+    for (const ws of this.ctx.getWebSockets()) {
+      const attachment = ws.deserializeAttachment() as WsAttachment | null;
+      if (
+        !attachment?.handshakeComplete ||
+        attachment.kind !== 'anonymous-auth-request' ||
+        attachment.authRequestId !== authRequestId
+      ) {
+        continue;
+      }
+
+      const payload = {
+        UserId: userId,
+        Id: authRequestId,
+      };
+      try {
+        if (attachment.protocol === 'json') {
+          ws.send(buildSignalRJsonInvocation(
+            SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE,
+            payload,
+            contextId,
+            'AuthRequestResponseRecieved'
+          ));
+        } else {
+          ws.send(buildSignalRMessagePackInvocation(
+            SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE,
+            payload,
+            contextId,
+            'AuthRequestResponseRecieved'
+          ));
+        }
+      } catch {
+        try {
+          ws.close(1011, 'Notification send failed');
+        } catch {
+          // ignore close races
+        }
+      }
+    }
  }
 }

-export async function notifyUserVaultSync(
+export function notifyUserVaultSync(
  env: Env,
  userId: string,
  revisionDate: string,
  contextId?: string | null
-): Promise<void> {
-  return notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_SYNC_VAULT, revisionDate, contextId ?? null, null);
+): void {
+  waitUntil(notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_SYNC_VAULT, revisionDate, contextId ?? null, null));
 }

-export async function notifyUserLogout(
+export function notifyUserLogout(
  env: Env,
  userId: string,
  targetDeviceIdentifier?: string | null
-): Promise<void> {
-  return notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_LOG_OUT, new Date().toISOString(), null, targetDeviceIdentifier ?? null);
+): void {
+  waitUntil(notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_LOG_OUT, new Date().toISOString(), null, targetDeviceIdentifier ?? null));
 }

 export async function getOnlineUserDevices(env: Env, userId: string): Promise<string[]> {
@@ -431,13 +443,59 @@ export async function getOnlineUserDevices(env: Env, userId: string): Promise<st
  }
 }

+export async function notifyAuthRequestResponse(
+  env: Env,
+  userId: string,
+  authRequestId: string,
+  contextId?: string | null
+): Promise<void> {
+  try {
+    const id = env.NOTIFICATIONS_HUB.idFromName(authRequestId);
+    const stub = env.NOTIFICATIONS_HUB.get(id);
+    await stub.fetch('https://notifications/internal/auth-request-response', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        userId,
+        authRequestId,
+        contextId: contextId || null,
+      }),
+    });
+  } catch (error) {
+    console.error('Failed to broadcast auth request response notification:', error);
+  }
+}
+
+export function notifyUserAuthRequest(
+  env: Env,
+  userId: string,
+  authRequestId: string,
+  contextId?: string | null
+): void {
+  waitUntil(notifyUserUpdate(
+    env,
+    userId,
+    SIGNALR_UPDATE_TYPE_AUTH_REQUEST,
+    new Date().toISOString(),
+    contextId ?? null,
+    null,
+    {
+      UserId: userId,
+      Id: authRequestId,
+    }
+  ));
+}
+
 async function notifyUserUpdate(
  env: Env,
  userId: string,
  updateType: number,
  revisionDate: string,
  contextId: string | null,
-  targetDeviceIdentifier: string | null
+  targetDeviceIdentifier: string | null,
+  payloadOverride?: Record<string, unknown> | null
 ): Promise<void> {
  try {
    const id = env.NOTIFICATIONS_HUB.idFromName(userId);
@@ -453,7 +511,7 @@ async function notifyUserUpdate(
        contextId: contextId || null,
        updateType,
        targetDeviceIdentifier: targetDeviceIdentifier || null,
-        payload: {
+        payload: payloadOverride || {
          UserId: userId,
          Date: revisionDate,
        },
@@ -0,0 +1,488 @@
+import {
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse,
+} from '@simplewebauthn/server';
+import type { AccountPasskeyChallengeScope, AccountPasskeyCredential, Env, User } from '../types';
+import { StorageService } from '../services/storage';
+import { AuthService } from '../services/auth';
+import { errorResponse, identityErrorResponse, jsonResponse } from '../utils/response';
+import { generateUUID } from '../utils/uuid';
+import { bytesToBase64Url } from '../utils/passkey';
+import {
+  accountPasskeyCredentialToResponse,
+  accountPasskeyPrfStatus,
+  accountPasskeyTokenTtlMs,
+  buildWebAuthnPrfOption,
+  createAccountPasskeyToken,
+  getAccountPasskeyRpConfig,
+  isSerializedEncString,
+  normalizeAccountPasskeyName,
+  normalizeAuthenticationResponse,
+  normalizeRegistrationResponse,
+  normalizeTransports,
+  sha256Base64Url,
+  toSimpleWebAuthnCredential,
+  userHandleToUserId,
+  userIdToWebAuthnUserId,
+  verifyAccountPasskeyToken,
+} from '../utils/account-passkeys';
+import { auditRequestMetadata, safeWriteAuditEvent } from '../services/audit-events';
+
+const MAX_ACCOUNT_PASSKEYS = 5;
+
+function parseBodyObject(body: unknown): Record<string, any> {
+  return body && typeof body === 'object' ? body as Record<string, any> : {};
+}
+
+async function readJsonBody(request: Request): Promise<Record<string, any> | null> {
+  try {
+    return parseBodyObject(await request.json());
+  } catch {
+    return null;
+  }
+}
+
+async function verifyUserSecret(
+  env: Env,
+  user: User,
+  body: Record<string, any>
+): Promise<boolean> {
+  const secret = String(body.masterPasswordHash || body.master_password_hash || body.secret || body.password || '').trim();
+  if (!secret) return false;
+  const storedHash = String(user.masterPasswordHash || '').trim();
+  if (!storedHash) return false;
+  const auth = new AuthService(env);
+  return auth.verifyPassword(secret, storedHash, user.email);
+}
+
+function logAccountPasskeyHandlerError(stage: string, error: unknown, details: Record<string, unknown> = {}): void {
+  const err = error instanceof Error ? error : null;
+  console.error('Account passkey handler failed', {
+    stage,
+    name: err?.name || typeof error,
+    message: err?.message || String(error),
+    stack: err?.stack,
+    ...details,
+  });
+}
+
+function passkeySetupStageMessage(stage: string): string {
+  if (stage === 'verify_master_password') return 'verifying master password';
+  if (stage === 'load_existing_credentials') return 'loading existing passkeys';
+  if (stage === 'generate_options') return 'generating passkey options';
+  if (stage === 'save_challenge') return 'saving passkey challenge';
+  if (stage === 'create_token') return 'creating passkey challenge token';
+  return 'preparing passkey setup';
+}
+
+function hasCompletePrfKeySet(body: Record<string, any>): boolean {
+  return !!(body.encryptedUserKey && body.encryptedPublicKey && body.encryptedPrivateKey);
+}
+
+function readPrfKeySet(body: Record<string, any>): {
+  encryptedUserKey: string | null;
+  encryptedPublicKey: string | null;
+  encryptedPrivateKey: string | null;
+} {
+  if (!hasCompletePrfKeySet(body)) {
+    return { encryptedUserKey: null, encryptedPublicKey: null, encryptedPrivateKey: null };
+  }
+  const encryptedUserKey = String(body.encryptedUserKey).trim();
+  const encryptedPublicKey = String(body.encryptedPublicKey).trim();
+  const encryptedPrivateKey = String(body.encryptedPrivateKey).trim();
+  if (!isSerializedEncString(encryptedUserKey) || !isSerializedEncString(encryptedPublicKey) || !isSerializedEncString(encryptedPrivateKey)) {
+    throw new Error('Invalid encrypted key set');
+  }
+  return { encryptedUserKey, encryptedPublicKey, encryptedPrivateKey };
+}
+
+async function saveChallenge(
+  storage: StorageService,
+  scope: AccountPasskeyChallengeScope,
+  challenge: string,
+  userId: string | null
+): Promise<void> {
+  const now = Date.now();
+  await storage.saveAccountPasskeyChallenge({
+    challengeHash: await sha256Base64Url(challenge),
+    scope,
+    userId,
+    expiresAt: now + accountPasskeyTokenTtlMs(scope),
+    usedAt: null,
+    createdAt: now,
+  });
+}
+
+export async function handleGetAccountPasskeyAssertionOptions(request: Request, env: Env): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const { rpId } = getAccountPasskeyRpConfig(request, env);
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    allowCredentials: [],
+    userVerification: 'required',
+    timeout: 60000,
+  });
+  await saveChallenge(storage, 'Authentication', options.challenge, null);
+  const token = await createAccountPasskeyToken(env, {
+    scope: 'Authentication',
+    challenge: options.challenge,
+    userId: null,
+    rpId,
+  });
+  return jsonResponse({ options, token, object: 'webAuthnLoginAssertionOptions', Object: 'webAuthnLoginAssertionOptions' });
+}
+
+export async function assertAccountPasskeyCredential(
+  request: Request,
+  env: Env,
+  storage: StorageService,
+  input: {
+    token: string;
+    deviceResponse: unknown;
+    scope: 'Authentication' | 'UpdateKeySet';
+    expectedUserId?: string | null;
+  }
+): Promise<{ user: User; credential: AccountPasskeyCredential }> {
+  const payload = await verifyAccountPasskeyToken(env, input.token, input.scope);
+  if (!payload) {
+    throw new Error('Passkey challenge token is invalid or expired');
+  }
+  if (input.expectedUserId !== undefined && payload.userId !== input.expectedUserId) {
+    throw new Error('Passkey challenge token does not match this user');
+  }
+
+  const response = normalizeAuthenticationResponse(input.deviceResponse);
+  if (!response) {
+    throw new Error('Invalid passkey assertion response');
+  }
+
+  const challengeHash = await sha256Base64Url(payload.challenge);
+  const consumed = await storage.consumeAccountPasskeyChallenge(
+    challengeHash,
+    input.scope,
+    payload.userId,
+    Date.now()
+  );
+  if (!consumed) {
+    throw new Error('Passkey challenge has expired or was already used');
+  }
+
+  const credential = await storage.getAccountPasskeyCredentialByCredentialId(response.rawId);
+  if (!credential) {
+    throw new Error('Passkey is not registered for this server');
+  }
+  if (payload.userId && credential.userId !== payload.userId) {
+    throw new Error('Passkey does not belong to this user');
+  }
+
+  const userHandleUserId = userHandleToUserId(response.response.userHandle);
+  const resolvedUserId = payload.userId || userHandleUserId || credential.userId;
+  if (!resolvedUserId || resolvedUserId !== credential.userId) {
+    throw new Error('Passkey user handle does not match this credential');
+  }
+
+  const user = await storage.getUserById(resolvedUserId);
+  if (!user || user.status !== 'active') {
+    throw new Error('Passkey user is not available');
+  }
+
+  const { origins } = getAccountPasskeyRpConfig(request, env);
+  const verification = await verifyAuthenticationResponse({
+    response,
+    expectedChallenge: payload.challenge,
+    expectedOrigin: origins,
+    expectedRPID: payload.rpId,
+    credential: toSimpleWebAuthnCredential(credential),
+    requireUserVerification: true,
+    advancedFIDOConfig: { userVerification: 'required' },
+  });
+  if (!verification.verified || !verification.authenticationInfo.userVerified) {
+    throw new Error('Passkey assertion could not be verified');
+  }
+
+  await storage.updateAccountPasskeyCounter(
+    credential.userId,
+    credential.credentialId,
+    verification.authenticationInfo.newCounter,
+    new Date().toISOString()
+  );
+  credential.counter = verification.authenticationInfo.newCounter;
+  return { user, credential };
+}
+
+export async function handleGetAccountPasskeyCredentials(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const credentials = await storage.getAccountPasskeyCredentialsByUserId(userId);
+  return jsonResponse({
+    data: credentials.map(accountPasskeyCredentialToResponse),
+    Data: credentials.map(accountPasskeyCredentialToResponse),
+    object: 'list',
+    Object: 'list',
+    continuationToken: null,
+    ContinuationToken: null,
+  });
+}
+
+export async function handleGetAccountPasskeyAttestationOptions(request: Request, env: Env, userId: string, user: User): Promise<Response> {
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  let stage = 'verify_master_password';
+  try {
+    if (!(await verifyUserSecret(env, user, body))) {
+      return errorResponse('Master password verification failed', 400);
+    }
+
+    const storage = new StorageService(env.DB);
+    stage = 'load_existing_credentials';
+    const credentials = await storage.getAccountPasskeyCredentialsByUserId(userId);
+    if (credentials.length >= MAX_ACCOUNT_PASSKEYS) {
+      return errorResponse('Maximum passkey count reached', 400);
+    }
+
+    const { rpId, rpName } = getAccountPasskeyRpConfig(request, env);
+    stage = 'generate_options';
+    const options = await generateRegistrationOptions({
+      rpID: rpId,
+      rpName,
+      userID: Uint8Array.from(userIdToWebAuthnUserId(user.id)),
+      userName: user.email,
+      userDisplayName: user.name || user.email,
+      attestationType: 'none',
+      timeout: 60000,
+      excludeCredentials: credentials.map((credential) => ({
+        id: credential.credentialId,
+        transports: (credential.transports || undefined) as any,
+      })),
+      authenticatorSelection: {
+        residentKey: 'required',
+        requireResidentKey: true,
+        userVerification: 'required',
+      },
+    });
+    (options as any).extensions = {
+      ...((options as any).extensions || {}),
+      prf: {},
+    };
+    stage = 'save_challenge';
+    await saveChallenge(storage, 'CreateCredential', options.challenge, userId);
+    stage = 'create_token';
+    const token = await createAccountPasskeyToken(env, {
+      scope: 'CreateCredential',
+      challenge: options.challenge,
+      userId,
+      rpId,
+    });
+    return jsonResponse({ options, token, object: 'webauthnCredentialCreateOptions', Object: 'webauthnCredentialCreateOptions' });
+  } catch (error) {
+    logAccountPasskeyHandlerError(stage, error, { userId });
+    return errorResponse(`Passkey setup failed while ${passkeySetupStageMessage(stage)}`, 500);
+  }
+}
+
+export async function handleGetAccountPasskeyUpdateAssertionOptions(request: Request, env: Env, userId: string, user: User): Promise<Response> {
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+  if (!(await verifyUserSecret(env, user, body))) {
+    return errorResponse('Master password verification failed', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  let credentials = await storage.getAccountPasskeyCredentialsByUserId(userId);
+  const requestedId = String(body.credentialId || body.id || '').trim();
+  if (requestedId) {
+    credentials = credentials.filter((credential) => credential.id === requestedId);
+    if (!credentials.length) return errorResponse('Account passkey not found', 404);
+  }
+  if (!credentials.length) return errorResponse('No account passkeys registered', 404);
+
+  const { rpId } = getAccountPasskeyRpConfig(request, env);
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    allowCredentials: credentials.map((credential) => ({
+      id: credential.credentialId,
+      transports: (credential.transports || undefined) as any,
+    })),
+    userVerification: 'required',
+    timeout: 60000,
+  });
+  await saveChallenge(storage, 'UpdateKeySet', options.challenge, userId);
+  const token = await createAccountPasskeyToken(env, {
+    scope: 'UpdateKeySet',
+    challenge: options.challenge,
+    userId,
+    rpId,
+  });
+  return jsonResponse({ options, token, object: 'webAuthnLoginAssertionOptions', Object: 'webAuthnLoginAssertionOptions' });
+}
+
+export async function handleCreateAccountPasskeyCredential(request: Request, env: Env, userId: string): Promise<Response> {
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  const storage = new StorageService(env.DB);
+  const payload = await verifyAccountPasskeyToken(env, String(body.token || ''), 'CreateCredential');
+  if (!payload || payload.userId !== userId) {
+    return errorResponse('Passkey challenge token is invalid or expired', 400);
+  }
+
+  const challengeHash = await sha256Base64Url(payload.challenge);
+  const consumed = await storage.consumeAccountPasskeyChallenge(challengeHash, 'CreateCredential', userId, Date.now());
+  if (!consumed) {
+    return errorResponse('Passkey challenge has expired or was already used', 400);
+  }
+
+  const currentCount = await storage.countAccountPasskeyCredentialsByUserId(userId);
+  if (currentCount >= MAX_ACCOUNT_PASSKEYS) {
+    return errorResponse('Maximum passkey count reached', 400);
+  }
+
+  let prfKeySet: ReturnType<typeof readPrfKeySet>;
+  try {
+    prfKeySet = readPrfKeySet(body);
+  } catch {
+    return errorResponse('Invalid encrypted passkey key set', 400);
+  }
+
+  const registrationResponse = normalizeRegistrationResponse(body.deviceResponse);
+  if (!registrationResponse) {
+    return errorResponse('Invalid passkey registration response', 400);
+  }
+
+  const { origins } = getAccountPasskeyRpConfig(request, env);
+  let verification: Awaited<ReturnType<typeof verifyRegistrationResponse>>;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: registrationResponse,
+      expectedChallenge: payload.challenge,
+      expectedOrigin: origins,
+      expectedRPID: payload.rpId,
+      requireUserPresence: true,
+      requireUserVerification: true,
+    });
+  } catch {
+    return errorResponse('Passkey registration could not be verified', 400);
+  }
+  if (!verification.verified) {
+    return errorResponse('Passkey registration could not be verified', 400);
+  }
+
+  const existing = await storage.getAccountPasskeyCredentialByCredentialId(verification.registrationInfo.credential.id);
+  if (existing) {
+    return errorResponse('Passkey is already registered', 409);
+  }
+
+  const now = new Date().toISOString();
+  const supportsPrf = !!body.supportsPrf || hasCompletePrfKeySet(body);
+  const transports = normalizeTransports(registrationResponse.response.transports);
+  const credential: AccountPasskeyCredential = {
+    id: generateUUID(),
+    userId,
+    name: normalizeAccountPasskeyName(body.name),
+    publicKey: bytesToBase64Url(verification.registrationInfo.credential.publicKey),
+    credentialId: verification.registrationInfo.credential.id,
+    counter: verification.registrationInfo.credential.counter,
+    type: verification.registrationInfo.credentialType || 'public-key',
+    aaGuid: verification.registrationInfo.aaguid || null,
+    transports,
+    encryptedUserKey: prfKeySet.encryptedUserKey,
+    encryptedPublicKey: prfKeySet.encryptedPublicKey,
+    encryptedPrivateKey: prfKeySet.encryptedPrivateKey,
+    supportsPrf,
+    createdAt: now,
+    updatedAt: now,
+  };
+
+  await storage.saveAccountPasskeyCredential(credential);
+  await safeWriteAuditEvent(env, {
+    actorUserId: userId,
+    action: 'account.passkey.create',
+    category: 'security',
+    level: 'info',
+    targetType: 'accountPasskey',
+    targetId: credential.id,
+    metadata: {
+      prfStatus: accountPasskeyPrfStatus(credential),
+      ...auditRequestMetadata(request),
+    },
+  });
+
+  return jsonResponse(accountPasskeyCredentialToResponse(credential));
+}
+
+export async function handleUpdateAccountPasskeyEncryption(request: Request, env: Env, userId: string): Promise<Response> {
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  let prfKeySet: ReturnType<typeof readPrfKeySet>;
+  try {
+    prfKeySet = readPrfKeySet(body);
+  } catch {
+    return errorResponse('Invalid encrypted passkey key set', 400);
+  }
+  if (!prfKeySet.encryptedUserKey || !prfKeySet.encryptedPublicKey || !prfKeySet.encryptedPrivateKey) {
+    return errorResponse('Encrypted passkey key set is required', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  let assertion: Awaited<ReturnType<typeof assertAccountPasskeyCredential>>;
+  try {
+    assertion = await assertAccountPasskeyCredential(request, env, storage, {
+      token: String(body.token || ''),
+      deviceResponse: body.deviceResponse,
+      scope: 'UpdateKeySet',
+      expectedUserId: userId,
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Passkey assertion failed', 400);
+  }
+
+  const updated = await storage.updateAccountPasskeyEncryption(
+    userId,
+    assertion.credential.credentialId,
+    prfKeySet.encryptedUserKey,
+    prfKeySet.encryptedPublicKey,
+    prfKeySet.encryptedPrivateKey
+  );
+  if (!updated) return errorResponse('Passkey not found', 404);
+
+  await safeWriteAuditEvent(env, {
+    actorUserId: userId,
+    action: 'account.passkey.encryption.enable',
+    category: 'security',
+    level: 'info',
+    targetType: 'accountPasskey',
+    targetId: assertion.credential.id,
+    metadata: auditRequestMetadata(request),
+  });
+  return jsonResponse({ success: true });
+}
+
+export async function handleDeleteAccountPasskeyCredential(request: Request, env: Env, userId: string, credentialId: string, user: User): Promise<Response> {
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+  if (!(await verifyUserSecret(env, user, body))) {
+    return errorResponse('Master password verification failed', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  const deleted = await storage.deleteAccountPasskeyCredential(userId, credentialId);
+  if (!deleted) return errorResponse('Passkey not found', 404);
+
+  await safeWriteAuditEvent(env, {
+    actorUserId: userId,
+    action: 'account.passkey.delete',
+    category: 'security',
+    level: 'info',
+    targetType: 'accountPasskey',
+    targetId: credentialId,
+    metadata: auditRequestMetadata(request),
+  });
+  return jsonResponse({ success: true });
+}
+
+export function buildAccountPasskeyTokenUserDecryptionOption(credential: AccountPasskeyCredential) {
+  return buildWebAuthnPrfOption(credential);
+}
@@ -2,6 +2,7 @@ import { Env, User, ProfileResponse, DEFAULT_DEV_SECRET } from '../types';
 import { StorageService } from '../services/storage';
 import { AuthService } from '../services/auth';
 import { RateLimitService, getClientIdentifier } from '../services/ratelimit';
+import { auditRequestMetadata, writeAuditEvent, safeWriteAuditEvent } from '../services/audit-events';
 import { jsonResponse, errorResponse } from '../utils/response';
 import { generateUUID } from '../utils/uuid';
 import { LIMITS } from '../config/limits';
@@ -9,6 +10,15 @@ import { isTotpEnabled, verifyTotpToken } from '../utils/totp';
 import { createRecoveryCode, recoveryCodeEquals } from '../utils/recovery-code';
 import { buildAccountKeys } from '../utils/user-decryption';

+const TWO_FACTOR_PROVIDER_AUTHENTICATOR = 0;
+const TOTP_USER_VERIFICATION_TOKEN_TTL_MS = 10 * 60 * 1000;
+const TOTP_BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+// CONTRACT:
+// users.master_password_hash is server-side login verification only. It does
+// not decrypt vault data. Password changes must keep encrypted user key material,
+// securityStamp, refresh-token invalidation, and client compatibility together.
+// Password hints are non-secret reminders; never treat them as recovery secrets.
 function looksLikeEncString(value: string): boolean {
  if (!value) return false;
  const firstDot = value.indexOf('.');
@@ -58,6 +68,77 @@ function normalizeTotpSecret(input: string): string {
  return out;
 }

+function randomBase32Secret(length: number = 32): string {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  let out = '';
+  for (const byte of bytes) {
+    out += TOTP_BASE32_ALPHABET[byte % TOTP_BASE32_ALPHABET.length];
+  }
+  return out;
+}
+
+function base64UrlEncodeBytes(data: Uint8Array): string {
+  const base64 = btoa(String.fromCharCode(...data));
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function base64UrlDecodeBytes(input: string): Uint8Array {
+  let base64 = input.replace(/-/g, '+').replace(/_/g, '/');
+  while (base64.length % 4) base64 += '=';
+  const binary = atob(base64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
+
+async function hmacSha256(secret: string, data: string): Promise<Uint8Array> {
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  return new Uint8Array(await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data)));
+}
+
+async function createTotpUserVerificationToken(env: Env, user: User, key: string): Promise<string> {
+  const payload = {
+    sub: user.id,
+    key,
+    stamp: user.securityStamp,
+    exp: Date.now() + TOTP_USER_VERIFICATION_TOKEN_TTL_MS,
+  };
+  const payloadB64 = base64UrlEncodeBytes(new TextEncoder().encode(JSON.stringify(payload)));
+  const signatureB64 = base64UrlEncodeBytes(await hmacSha256(env.JWT_SECRET, payloadB64));
+  return `${payloadB64}.${signatureB64}`;
+}
+
+async function verifyTotpUserVerificationToken(env: Env, user: User, key: string, token: string): Promise<boolean> {
+  try {
+    const [payloadB64, signatureB64] = String(token || '').split('.');
+    if (!payloadB64 || !signatureB64) return false;
+    const expected = base64UrlEncodeBytes(await hmacSha256(env.JWT_SECRET, payloadB64));
+    if (expected !== signatureB64) return false;
+    const payload = JSON.parse(new TextDecoder().decode(base64UrlDecodeBytes(payloadB64))) as {
+      sub?: string;
+      key?: string;
+      stamp?: string;
+      exp?: number;
+    };
+    return (
+      payload.sub === user.id &&
+      payload.key === key &&
+      payload.stamp === user.securityStamp &&
+      typeof payload.exp === 'number' &&
+      payload.exp >= Date.now()
+    );
+  } catch {
+    return false;
+  }
+}
+
 function normalizeRecoveryCodeInput(input: string): string {
  return String(input || '').toUpperCase().replace(/[^A-Z2-7]/g, '');
 }
@@ -85,8 +166,26 @@ async function verifyUserSecret(
  return auth.verifyPassword(normalized, user.masterPasswordHash, user.email);
 }

+function readBodyString(body: Record<string, unknown>, names: string[]): string {
+  for (const name of names) {
+    const value = body[name];
+    if (typeof value === 'string') return value;
+  }
+  return '';
+}
+
+async function readRequestBody(request: Request): Promise<Record<string, unknown>> {
+  const contentType = request.headers.get('content-type') || '';
+  if (contentType.includes('application/x-www-form-urlencoded')) {
+    const formData = await request.formData();
+    return Object.fromEntries(formData.entries()) as Record<string, unknown>;
+  }
+  return await request.json();
+}
+
 function toProfile(user: User, env: Env): ProfileResponse {
  void env;
+  const accountKeys = buildAccountKeys(user);
  return {
    id: user.id,
    name: user.name,
@@ -100,7 +199,7 @@ function toProfile(user: User, env: Env): ProfileResponse {
    twoFactorEnabled: !!user.totpSecret,
    key: user.key,
    privateKey: user.privateKey,
-    accountKeys: buildAccountKeys(user),
+    accountKeys,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -208,6 +307,7 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    verifyDevices: true,
    totpSecret: null,
    totpRecoveryCode: null,
+    apiKey: null,
    createdAt: now,
    updatedAt: now,
  };
@@ -220,14 +320,14 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
      return errorResponse('Registration is temporarily unavailable, retry once', 409);
    }
    await storage.setRegistered();
-    await storage.createAuditLog({
-      id: generateUUID(),
+    await writeAuditEvent(storage, {
      actorUserId: user.id,
      action: 'user.register.first_admin',
      targetType: 'user',
      targetId: user.id,
-      metadata: JSON.stringify({ email: user.email }),
-      createdAt: now,
+      category: 'security',
+      level: 'security',
+      metadata: { email: user.email, ...auditRequestMetadata(request) },
    });
    return jsonResponse({ success: true, role: user.role }, 200);
  }
@@ -252,14 +352,14 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    return errorResponse('Invite code is invalid or expired', 403);
  }

-  await storage.createAuditLog({
-    id: generateUUID(),
+  await writeAuditEvent(storage, {
    actorUserId: user.id,
    action: 'user.register.invite',
    targetType: 'user',
    targetId: user.id,
-    metadata: JSON.stringify({ email: user.email, inviteCode }),
-    createdAt: now,
+    category: 'security',
+    level: 'info',
+    metadata: { email: user.email, inviteCode, ...auditRequestMetadata(request) },
  });

  return jsonResponse({ success: true, role: user.role }, 200);
@@ -371,6 +471,18 @@ export async function handleUpdateProfile(request: Request, env: Env, userId: st
  user.masterPasswordHint = masterPasswordHint;
  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);
+  await writeAuditEvent(storage, {
+    actorUserId: user.id,
+    action: 'account.profile.update',
+    category: 'security',
+    level: 'info',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: {
+      updatedMasterPasswordHint: true,
+      ...auditRequestMetadata(request),
+    },
+  });

  return jsonResponse(toProfile(user, env));
 }
@@ -405,6 +517,18 @@ export async function handleSetVerifyDevices(request: Request, env: Env, userId:
  user.verifyDevices = body.verifyDevices;
  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);
+  await writeAuditEvent(storage, {
+    actorUserId: user.id,
+    action: 'account.verify_devices.update',
+    category: 'security',
+    level: 'security',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: {
+      verifyDevices: user.verifyDevices,
+      ...auditRequestMetadata(request),
+    },
+  });

  return new Response(null, { status: 200 });
 }
@@ -454,6 +578,20 @@ export async function handleSetKeys(request: Request, env: Env, userId: string):
  user.updatedAt = new Date().toISOString();

  await storage.saveUser(user);
+  await writeAuditEvent(storage, {
+    actorUserId: user.id,
+    action: 'account.keys.update',
+    category: 'security',
+    level: 'security',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: {
+      updatedKey: !!body.key,
+      updatedPrivateKey: !!body.encryptedPrivateKey,
+      updatedPublicKey: !!body.publicKey,
+      ...auditRequestMetadata(request),
+    },
+  });

  return handleGetProfile(request, env, userId);
 }
@@ -519,14 +657,15 @@ export async function handleChangePassword(request: Request, env: Env, userId: s
  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);
  await storage.deleteRefreshTokensByUserId(user.id);
-  await storage.createAuditLog({
-    id: generateUUID(),
+  AuthService.invalidateUserCache(user.id);
+  await writeAuditEvent(storage, {
    actorUserId: user.id,
    action: 'user.password.change',
    targetType: 'user',
    targetId: user.id,
-    metadata: JSON.stringify({ email: user.email }),
-    createdAt: user.updatedAt,
+    category: 'security',
+    level: 'security',
+    metadata: { email: user.email, ...auditRequestMetadata(request) },
  });

  return new Response(null, { status: 200 });
@@ -545,6 +684,164 @@ export async function handleGetTotpStatus(request: Request, env: Env, userId: st
  });
 }

+function twoFactorProviderResponse(type: number, enabled: boolean): Record<string, unknown> {
+  return {
+    Enabled: enabled,
+    Type: type,
+    Object: 'twoFactorProvider',
+  };
+}
+
+function twoFactorAuthenticatorResponse(
+  enabled: boolean,
+  key: string,
+  userVerificationToken?: string
+): Record<string, unknown> {
+  return {
+    Enabled: enabled,
+    Key: key,
+    UserVerificationToken: userVerificationToken ?? null,
+    Object: 'twoFactorAuthenticator',
+  };
+}
+
+// GET /api/two-factor
+export async function handleGetTwoFactorProviders(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  const data = user.totpSecret
+    ? [twoFactorProviderResponse(TWO_FACTOR_PROVIDER_AUTHENTICATOR, true)]
+    : [];
+
+  return jsonResponse({
+    Data: data,
+    ContinuationToken: null,
+    Object: 'list',
+  });
+}
+
+// POST /api/two-factor/get-authenticator
+export async function handleGetTwoFactorAuthenticator(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: Record<string, unknown>;
+  try {
+    body = await readRequestBody(request);
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const secret = readBodyString(body, ['masterPasswordHash', 'MasterPasswordHash', 'otp', 'OTP', 'secret', 'Secret']);
+  const verified = await verifyUserSecret(auth, user, secret);
+  if (!verified) return errorResponse('User verification failed.', 400);
+
+  const key = normalizeTotpSecret(user.totpSecret || '') || randomBase32Secret();
+  const userVerificationToken = await createTotpUserVerificationToken(env, user, key);
+  return jsonResponse(twoFactorAuthenticatorResponse(!!user.totpSecret, key, userVerificationToken));
+}
+
+// PUT/POST /api/two-factor/authenticator
+export async function handlePutTwoFactorAuthenticator(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: Record<string, unknown>;
+  try {
+    body = await readRequestBody(request);
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const key = normalizeTotpSecret(readBodyString(body, ['key', 'Key']));
+  const token = readBodyString(body, ['token', 'Token']).trim();
+  const userVerificationToken = readBodyString(body, ['userVerificationToken', 'UserVerificationToken']);
+  if (!key || !token || !userVerificationToken) {
+    return errorResponse('Key, token and userVerificationToken are required', 400);
+  }
+  if (!await verifyTotpUserVerificationToken(env, user, key, userVerificationToken)) {
+    return errorResponse('User verification failed.', 400);
+  }
+  if (!isTotpEnabled(key)) return errorResponse('Invalid TOTP secret', 400);
+  if (!await verifyTotpToken(key, token)) return errorResponse('Invalid token.', 400);
+
+  user.totpSecret = key;
+  if (!user.totpRecoveryCode) {
+    user.totpRecoveryCode = createRecoveryCode();
+  }
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+  await storage.deleteRefreshTokensByUserId(user.id);
+  AuthService.invalidateUserCache(user.id);
+  await writeAuditEvent(storage, {
+    actorUserId: user.id,
+    action: 'account.totp.enable',
+    category: 'security',
+    level: 'security',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: auditRequestMetadata(request),
+  });
+
+  return jsonResponse(twoFactorAuthenticatorResponse(true, key));
+}
+
+// DELETE /api/two-factor/authenticator and PUT/POST /api/two-factor/disable
+export async function handleDisableTwoFactorProvider(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: Record<string, unknown>;
+  try {
+    body = await readRequestBody(request);
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const typeRaw = body.type ?? body.Type ?? TWO_FACTOR_PROVIDER_AUTHENTICATOR;
+  const type = typeof typeRaw === 'number' ? typeRaw : Number.parseInt(String(typeRaw), 10);
+  if (type !== TWO_FACTOR_PROVIDER_AUTHENTICATOR) {
+    return errorResponse('Two-factor provider is not supported by this server.', 400);
+  }
+
+  const key = normalizeTotpSecret(readBodyString(body, ['key', 'Key']));
+  const userVerificationToken = readBodyString(body, ['userVerificationToken', 'UserVerificationToken']);
+  const secret = readBodyString(body, ['masterPasswordHash', 'MasterPasswordHash', 'otp', 'OTP', 'secret', 'Secret']);
+  let verified = false;
+  if (key && userVerificationToken) {
+    verified = await verifyTotpUserVerificationToken(env, user, key, userVerificationToken);
+  }
+  if (!verified) {
+    verified = await verifyUserSecret(auth, user, secret);
+  }
+  if (!verified) return errorResponse('User verification failed.', 400);
+
+  user.totpSecret = null;
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+  await storage.deleteRefreshTokensByUserId(user.id);
+  AuthService.invalidateUserCache(user.id);
+  await writeAuditEvent(storage, {
+    actorUserId: user.id,
+    action: 'account.totp.disable',
+    category: 'security',
+    level: 'security',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: auditRequestMetadata(request),
+  });
+
+  return jsonResponse(twoFactorProviderResponse(TWO_FACTOR_PROVIDER_AUTHENTICATOR, false));
+}
+
 // PUT /api/accounts/totp
 // enable: { enabled: true, secret: "...", token: "123456" }
 // disable: { enabled: false, masterPasswordHash: "..." }
@@ -580,6 +877,16 @@ export async function handleSetTotpStatus(request: Request, env: Env, userId: st
    user.updatedAt = new Date().toISOString();
    await storage.saveUser(user);
    await storage.deleteRefreshTokensByUserId(user.id);
+    AuthService.invalidateUserCache(user.id);
+    await writeAuditEvent(storage, {
+      actorUserId: user.id,
+      action: 'account.totp.enable',
+      category: 'security',
+      level: 'security',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: auditRequestMetadata(request),
+    });
    return jsonResponse({ enabled: true, recoveryCode: user.totpRecoveryCode, object: 'twoFactor' });
  }

@@ -594,6 +901,16 @@ export async function handleSetTotpStatus(request: Request, env: Env, userId: st
    user.updatedAt = new Date().toISOString();
    await storage.saveUser(user);
    await storage.deleteRefreshTokensByUserId(user.id);
+    AuthService.invalidateUserCache(user.id);
+    await writeAuditEvent(storage, {
+      actorUserId: user.id,
+      action: 'account.totp.disable',
+      category: 'security',
+      level: 'security',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: auditRequestMetadata(request),
+    });
    return jsonResponse({ enabled: false, object: 'twoFactor' });
  }

@@ -632,7 +949,9 @@ export async function handleGetTotpRecoveryCode(request: Request, env: Env, user
  }

  return jsonResponse({
+    Code: user.totpRecoveryCode,
    code: user.totpRecoveryCode,
+    Object: 'twoFactorRecover',
    object: 'twoFactorRecover',
  });
 }
@@ -664,7 +983,7 @@ export async function handleRecoverTwoFactor(request: Request, env: Env): Promis
  if (!clientIdentifier) {
    return errorResponse('Client IP is required', 403);
  }
-  const recoverLimitKey = `${clientIdentifier}:recover-2fa:${email || 'unknown'}`;
+  const recoverLimitKey = `${clientIdentifier}:recover-2fa`;

  const recoverAttemptCheck = await rateLimit.checkLoginAttempt(recoverLimitKey);
  if (!recoverAttemptCheck.allowed) {
@@ -701,7 +1020,17 @@ export async function handleRecoverTwoFactor(request: Request, env: Env): Promis
  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);
  await storage.deleteRefreshTokensByUserId(user.id);
+  AuthService.invalidateUserCache(user.id);
  await rateLimit.clearLoginAttempts(recoverLimitKey);
+  await safeWriteAuditEvent(env, {
+    actorUserId: user.id,
+    action: 'account.totp.recover',
+    category: 'security',
+    level: 'security',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: auditRequestMetadata(request),
+  });

  return jsonResponse({
    success: true,
@@ -750,3 +1079,84 @@ export async function handleVerifyPassword(request: Request, env: Env, userId: s

  return new Response(null, { status: 200 });
 }
+
+// POST /api/accounts/api-key
+export async function handleGetApiKey(request: Request, env: Env, userId: string): Promise<Response> {
+  return apiKey(request, env, userId, false);
+}
+
+// POST /api/accounts/rotate-api-key
+export async function handleRotateApiKey(request: Request, env: Env, userId: string): Promise<Response> {
+  return apiKey(request, env, userId, true);
+}
+
+async function apiKey(request: Request, env: Env, userId: string, rotate: boolean): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: Record<string, string | undefined>;
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    if (contentType.includes('application/x-www-form-urlencoded')) {
+      const formData = await request.formData();
+      body = Object.fromEntries(formData.entries()) as Record<string, string>;
+    } else {
+      body = await request.json();
+    }
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const currentHash = String(body.masterPasswordHash || body.master_password_hash || body.password || '').trim();
+  if (!currentHash) return errorResponse('masterPasswordHash is required', 400);
+  const valid = await auth.verifyPassword(currentHash, user.masterPasswordHash, user.email);
+  if (!valid) return errorResponse('Invalid password', 400);
+
+  if (rotate || user.apiKey === null) {
+    // Upstream apikeys are 30-character random alphanumeric strings
+    user.apiKey = randomStringAlphanum(LIMITS.auth.clientSecretLength);
+    if (rotate) {
+      user.securityStamp = generateUUID();
+      await storage.deleteRefreshTokensByUserId(user.id);
+    }
+    user.updatedAt = new Date().toISOString();
+    await storage.saveUser(user);
+    AuthService.invalidateUserCache(user.id);
+    await writeAuditEvent(storage, {
+      actorUserId: user.id,
+      action: rotate ? 'account.api_key.rotate' : 'account.api_key.create',
+      category: 'security',
+      level: rotate ? 'security' : 'info',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: auditRequestMetadata(request),
+    });
+  }
+
+  return jsonResponse({
+    apiKey: user.apiKey,
+    revisionDate: user.updatedAt,
+    object: 'apiKey',
+  });
+}
+
+// Generate a random alphanumeric string of the given length using crypto.getRandomValues.
+function randomStringAlphanum(length: number): string {
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+  let result = '';
+  const maxUnbiased = Math.floor(256 / chars.length) * chars.length;
+  const bytes = new Uint8Array(Math.max(16, length));
+
+  while (result.length < length) {
+    crypto.getRandomValues(bytes);
+    for (const value of bytes) {
+      if (value >= maxUnbiased) continue;
+      result += chars[value % chars.length];
+      if (result.length >= length) break;
+    }
+  }
+
+  return result;
+}
@@ -1,8 +1,9 @@
 import { Env, User, Invite } from '../types';
+import { AuthService } from '../services/auth';
 import { StorageService } from '../services/storage';
 import { jsonResponse, errorResponse } from '../utils/response';
-import { generateUUID } from '../utils/uuid';
 import { deleteBlobObject, getAttachmentObjectKey, getSendFileObjectKey } from '../services/blob-store';
+import { auditRequestMetadata, getAuditLogSettings, normalizeAuditLogSettings, saveAuditLogSettings, writeAuditEvent } from '../services/audit-events';

 function isAdmin(user: User): boolean {
  return user.role === 'admin' && user.status === 'active';
@@ -24,16 +25,20 @@ async function writeAuditLog(
  action: string,
  targetType: string | null,
  targetId: string | null,
-  metadata: Record<string, unknown> | null
+  metadata: Record<string, unknown> | null,
+  request?: Request
 ): Promise<void> {
-  await storage.createAuditLog({
-    id: generateUUID(),
+  await writeAuditEvent(storage, {
    actorUserId,
    action,
    targetType,
    targetId,
-    metadata: metadata ? JSON.stringify(metadata) : null,
-    createdAt: new Date().toISOString(),
+    category: action.startsWith('admin.user.') ? 'security' : 'system',
+    level: action.startsWith('admin.user.') ? 'security' : 'info',
+    metadata: {
+      ...(metadata || {}),
+      ...(request ? auditRequestMetadata(request) : {}),
+    },
  });
 }

@@ -81,6 +86,106 @@ export async function handleAdminListUsers(
  });
 }

+// GET /api/admin/logs
+export async function handleAdminListAuditLogs(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const url = new URL(request.url);
+  const limit = Math.max(1, Math.min(200, Number(url.searchParams.get('limit') || 50)));
+  const offset = Math.max(0, Number(url.searchParams.get('offset') || 0));
+  const category = String(url.searchParams.get('category') || '').trim() || null;
+  const level = String(url.searchParams.get('level') || '').trim() || null;
+  const q = String(url.searchParams.get('q') || '').trim().toLowerCase() || null;
+  const from = String(url.searchParams.get('from') || '').trim() || null;
+  const to = String(url.searchParams.get('to') || '').trim() || null;
+
+  const storage = new StorageService(env.DB);
+  const result = await storage.listAuditLogs({ limit, offset, category, level, q, from, to });
+  return jsonResponse({
+    data: result.logs.map(log => ({
+      id: log.id,
+      actorUserId: log.actorUserId,
+      actorEmail: log.actorEmail,
+      action: log.action,
+      category: log.category,
+      level: log.level,
+      targetType: log.targetType,
+      targetId: log.targetId,
+      targetUserEmail: log.targetUserEmail,
+      metadata: log.metadata,
+      createdAt: log.createdAt,
+      object: 'auditLog',
+    })),
+    total: result.total,
+    limit,
+    offset,
+    hasMore: result.hasMore,
+    object: 'list',
+    continuationToken: result.hasMore ? String(offset + result.logs.length) : null,
+  });
+}
+
+// GET /api/admin/logs/settings
+export async function handleAdminGetAuditLogSettings(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+  const storage = new StorageService(env.DB);
+  return jsonResponse({
+    object: 'auditLogSettings',
+    ...await getAuditLogSettings(storage),
+  });
+}
+
+// PUT /api/admin/logs/settings
+export async function handleAdminUpdateAuditLogSettings(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+  const storage = new StorageService(env.DB);
+  const settings = await saveAuditLogSettings(storage, normalizeAuditLogSettings(body));
+  await writeAuditLog(storage, actorUser.id, 'admin.audit.settings.update', 'auditLog', null, { ...settings }, request);
+  return jsonResponse({
+    object: 'auditLogSettings',
+    ...settings,
+  });
+}
+
+// DELETE /api/admin/logs
+export async function handleAdminClearAuditLogs(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+  const storage = new StorageService(env.DB);
+  const deleted = await storage.clearAuditLogs();
+  return jsonResponse({ object: 'auditLogClear', deleted });
+}
+
 // POST /api/admin/invites
 export async function handleAdminCreateInvite(
  request: Request,
@@ -115,9 +220,9 @@ export async function handleAdminCreateInvite(
  };

  await storage.createInvite(invite);
-  await writeAuditLog(storage, actorUser.id, 'admin.invite.create', 'invite', invite.code, {
+  await writeAuditLog(storage, actorUser.id, 'admin.invite.create', 'invite', null, {
    expiresInHours,
-  });
+  }, request);

  return jsonResponse(toInviteResponse(request, invite), 201);
 }
@@ -160,7 +265,7 @@ export async function handleAdminRevokeInvite(
    return errorResponse('Invite not found or already inactive', 404);
  }

-  await writeAuditLog(storage, actorUser.id, 'admin.invite.revoke', 'invite', code, null);
+  await writeAuditLog(storage, actorUser.id, 'admin.invite.revoke', 'invite', null, null, request);
  return new Response(null, { status: 204 });
 }

@@ -179,7 +284,7 @@ export async function handleAdminDeleteAllInvites(
  const deleted = await storage.deleteAllInvites();
  await writeAuditLog(storage, actorUser.id, 'admin.invite.delete_all', 'invite', null, {
    deleted,
-  });
+  }, request);

  return jsonResponse({ deleted }, 200);
 }
@@ -222,9 +327,10 @@ export async function handleAdminSetUserStatus(
  if (nextStatus === 'banned') {
    await storage.deleteRefreshTokensByUserId(target.id);
  }
+  AuthService.invalidateUserCache(target.id);
  await writeAuditLog(storage, actorUser.id, 'admin.user.status', 'user', target.id, {
    status: nextStatus,
-  });
+  }, request);

  return jsonResponse({
    id: target.id,
@@ -280,9 +386,10 @@ export async function handleAdminDeleteUser(

  await storage.deleteRefreshTokensByUserId(target.id);
  await storage.deleteUserById(target.id);
+  AuthService.invalidateUserCache(target.id);
  await writeAuditLog(storage, actorUser.id, 'admin.user.delete', 'user', target.id, {
-    email: target.email,
-  });
+    targetEmail: target.email,
+  }, request);

  return new Response(null, { status: 204 });
 }
@@ -10,7 +10,7 @@ import {
  verifyAttachmentUploadToken,
  verifyFileDownloadToken,
 } from '../utils/jwt';
-import { cipherToResponse, shouldOmitPasskeysForResponse } from './ciphers';
+import { applyCipherEmbeddedAttachmentMetadata, cipherToResponse } from './ciphers';
 import { LIMITS } from '../config/limits';
 import { readActingDeviceIdentifier } from '../utils/device';
 import {
@@ -20,14 +20,36 @@ import {
  getBlobStorageMaxBytes,
  putBlobObject,
 } from '../services/blob-store';
+import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';

-async function notifyVaultSyncForRequest(
+function notifyVaultSyncForRequest(
  request: Request,
  env: Env,
  userId: string,
  revisionDate: string
+): void {
+  notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}
+
+async function writeAttachmentAudit(
+  storage: StorageService,
+  request: Request,
+  userId: string,
+  action: string,
+  metadata: Record<string, unknown>
 ): Promise<void> {
-  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action,
+    category: 'data',
+    level: action.includes('delete') ? 'security' : 'info',
+    targetType: 'attachment',
+    targetId: typeof metadata.id === 'string' ? metadata.id : null,
+    metadata: {
+      ...metadata,
+      ...auditRequestMetadata(request),
+    },
+  });
 }

 // Format file size to human readable
@@ -38,6 +60,18 @@ function formatSize(bytes: number): string {
  return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
 }

+async function runWithConcurrency<T>(
+  items: T[],
+  concurrency: number,
+  worker: (item: T) => Promise<void>
+): Promise<void> {
+  if (items.length === 0) return;
+  const limit = Math.max(1, concurrency);
+  for (let index = 0; index < items.length; index += limit) {
+    await Promise.all(items.slice(index, index + limit).map(worker));
+  }
+}
+
 async function processAttachmentUpload(
  request: Request,
  env: Env,
@@ -81,7 +115,7 @@ async function processAttachmentUpload(

  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
  if (revisionInfo) {
-    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+    notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
  }

  return new Response(null, { status: 201 });
@@ -141,7 +175,7 @@ export async function handleCreateAttachment(
  // Update cipher revision date
  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
  if (revisionInfo) {
-    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+    notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
  }

  // Get updated cipher for response
@@ -158,9 +192,7 @@ export async function handleCreateAttachment(
    attachmentId: attachmentId,
    url: buildDirectUploadUrl(request, `/api/ciphers/${cipherId}/attachment/${attachmentId}`, uploadToken),
    fileUploadType: 1,
-    cipherResponse: cipherToResponse(updatedCipher!, attachments, {
-      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
-    }),
+    cipherResponse: cipherToResponse(updatedCipher!, attachments),
  });
 }

@@ -250,6 +282,7 @@ export async function handleGetAttachment(
  if (!attachment || attachment.cipherId !== cipherId) {
    return errorResponse('Attachment not found', 404);
  }
+  const responseAttachment = applyCipherEmbeddedAttachmentMetadata(cipher, [attachment])[0] || attachment;

  // Generate short-lived download token
  const token = await createFileDownloadToken(cipherId, attachmentId, env.JWT_SECRET);
@@ -260,8 +293,66 @@ export async function handleGetAttachment(

  return jsonResponse({
    object: 'attachment',
-    id: attachment.id,
+    id: responseAttachment.id,
    url: downloadUrl,
+    fileName: responseAttachment.fileName,
+    key: responseAttachment.key,
+    size: String(Number(responseAttachment.size) || 0),
+    sizeName: responseAttachment.sizeName,
+  });
+}
+
+// PUT /api/ciphers/{cipherId}/attachment/{attachmentId}/metadata
+// 修正旧附件的加密元数据，供官方客户端按当前 Bitwarden 契约解密。
+export async function handleUpdateAttachmentMetadata(
+  request: Request,
+  env: Env,
+  userId: string,
+  cipherId: string,
+  attachmentId: string
+): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  const cipher = await storage.getCipher(cipherId);
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+
+  const attachment = await storage.getAttachment(attachmentId);
+  if (!attachment || attachment.cipherId !== cipherId) {
+    return errorResponse('Attachment not found', 404);
+  }
+
+  let body: { fileName?: string | null; key?: string | null };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (!Object.prototype.hasOwnProperty.call(body, 'fileName') && !Object.prototype.hasOwnProperty.call(body, 'key')) {
+    return errorResponse('No metadata fields supplied', 400);
+  }
+
+  if (Object.prototype.hasOwnProperty.call(body, 'fileName')) {
+    const fileName = String(body.fileName || '').trim();
+    if (!fileName) return errorResponse('fileName is required', 400);
+    attachment.fileName = fileName;
+  }
+  if (Object.prototype.hasOwnProperty.call(body, 'key')) {
+    const key = body.key == null ? null : String(body.key || '').trim();
+    attachment.key = key || null;
+  }
+
+  await storage.saveAttachment(attachment);
+  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
+  if (revisionInfo) {
+    notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+  }
+
+  return jsonResponse({
+    object: 'attachment',
+    id: attachment.id,
    fileName: attachment.fileName,
    key: attachment.key,
    size: String(Number(attachment.size) || 0),
@@ -358,13 +449,15 @@ export async function handleDeleteAttachment(
  // Delete attachment metadata
  await storage.deleteAttachment(attachmentId);

-  // Remove attachment from cipher
-  await storage.removeAttachmentFromCipher(cipherId, attachmentId);
-
  // Update cipher revision date
  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
  if (revisionInfo) {
-    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+    notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+    await writeAttachmentAudit(storage, request, revisionInfo.userId, 'attachment.delete', {
+      id: attachmentId,
+      cipherId,
+      size: attachment.size,
+    });
  }

  // Get updated cipher for response
@@ -372,9 +465,7 @@ export async function handleDeleteAttachment(
  const attachments = await storage.getAttachmentsByCipher(cipherId);

  return jsonResponse({
-    cipher: cipherToResponse(updatedCipher!, attachments, {
-      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
-    }),
+    cipher: cipherToResponse(updatedCipher!, attachments),
  });
 }

@@ -383,12 +474,24 @@ export async function deleteAllAttachmentsForCipher(
  env: Env,
  cipherId: string
 ): Promise<void> {
-  const storage = new StorageService(env.DB);
-  const attachments = await storage.getAttachmentsByCipher(cipherId);
+  await deleteAllAttachmentsForCiphers(env, [cipherId]);
+}

-  for (const attachment of attachments) {
+export async function deleteAllAttachmentsForCiphers(
+  env: Env,
+  cipherIds: string[]
+): Promise<void> {
+  const storage = new StorageService(env.DB);
+  const attachmentsByCipher = await storage.getAttachmentsByCipherIds(cipherIds);
+  const attachments = Array.from(attachmentsByCipher.entries()).flatMap(([ownedCipherId, items]) =>
+    items.map((attachment) => ({ attachment, cipherId: ownedCipherId }))
+  );
+  if (!attachments.length) return;
+
+  await runWithConcurrency(attachments, LIMITS.performance.attachmentDeleteConcurrency, async ({ attachment, cipherId }) => {
    const path = getAttachmentObjectKey(cipherId, attachment.id);
    await deleteBlobObject(env, path);
-    await storage.deleteAttachment(attachment.id);
-  }
+  });
+
+  await storage.bulkDeleteAttachmentsByIds(attachments.map(({ attachment }) => attachment.id));
 }
@@ -0,0 +1,269 @@
+import type { AuthRequestRecord, AuthRequestType, Env } from '../types';
+import { StorageService } from '../services/storage';
+import { generateUUID } from '../utils/uuid';
+import { readAuthRequestDeviceInfo, readActingDeviceIdentifier } from '../utils/device';
+import { errorResponse, jsonResponse } from '../utils/response';
+import { isAuthRequestExpired } from '../services/storage-auth-request-repo';
+import { notifyAuthRequestResponse, notifyUserAuthRequest } from '../durable/notifications-hub';
+
+const AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK = 0;
+const AUTH_REQUEST_TYPE_UNLOCK = 1;
+const AUTH_REQUEST_TYPE_ADMIN_APPROVAL = 2;
+
+function normalizeText(value: unknown, maxLength: number): string {
+  return String(value ?? '').trim().slice(0, maxLength);
+}
+
+function getClientIp(request: Request): string | null {
+  return (
+    request.headers.get('CF-Connecting-IP') ||
+    request.headers.get('X-Forwarded-For')?.split(',')[0]?.trim() ||
+    null
+  );
+}
+
+function getCountryName(request: Request): string | null {
+  return request.headers.get('CF-IPCountry') || null;
+}
+
+function deviceTypeName(type: number): string {
+  const names: Record<number, string> = {
+    0: 'Android',
+    1: 'iOS',
+    2: 'Chrome Extension',
+    3: 'Firefox Extension',
+    4: 'Opera Extension',
+    5: 'Edge Extension',
+    6: 'Windows Desktop',
+    7: 'macOS Desktop',
+    8: 'Linux Desktop',
+    9: 'Chrome',
+    10: 'Firefox',
+    11: 'Opera',
+    12: 'Edge',
+    13: 'Internet Explorer',
+    14: 'Unknown Browser',
+    15: 'Android',
+    16: 'Windows UWP',
+    17: 'Safari',
+    18: 'Vivaldi',
+    19: 'Vivaldi Extension',
+    20: 'Safari Extension',
+    21: 'SDK',
+    22: 'Server',
+    23: 'Windows CLI',
+    24: 'macOS CLI',
+    25: 'Linux CLI',
+    26: 'DuckDuckGo',
+  };
+  return names[type] || `Device ${type}`;
+}
+
+function buildOrigin(request: Request): string {
+  return new URL(request.url).host;
+}
+
+function toAuthRequestResponse(request: Request, authRequest: AuthRequestRecord, requestDeviceId?: string | null) {
+  return {
+    id: authRequest.id,
+    Id: authRequest.id,
+    publicKey: authRequest.publicKey,
+    PublicKey: authRequest.publicKey,
+    requestDeviceIdentifier: authRequest.requestDeviceIdentifier,
+    RequestDeviceIdentifier: authRequest.requestDeviceIdentifier,
+    requestDeviceTypeValue: authRequest.requestDeviceType,
+    RequestDeviceTypeValue: authRequest.requestDeviceType,
+    requestDeviceType: deviceTypeName(authRequest.requestDeviceType),
+    RequestDeviceType: deviceTypeName(authRequest.requestDeviceType),
+    requestIpAddress: authRequest.requestIpAddress,
+    RequestIpAddress: authRequest.requestIpAddress,
+    requestCountryName: authRequest.requestCountryName,
+    RequestCountryName: authRequest.requestCountryName,
+    key: authRequest.key,
+    Key: authRequest.key,
+    masterPasswordHash: authRequest.masterPasswordHash,
+    MasterPasswordHash: authRequest.masterPasswordHash,
+    creationDate: authRequest.creationDate,
+    CreationDate: authRequest.creationDate,
+    responseDate: authRequest.responseDate,
+    ResponseDate: authRequest.responseDate,
+    requestApproved: authRequest.approved ?? false,
+    RequestApproved: authRequest.approved ?? false,
+    requestDeviceId: requestDeviceId ?? null,
+    RequestDeviceId: requestDeviceId ?? null,
+    origin: buildOrigin(request),
+    Origin: buildOrigin(request),
+    object: 'auth-request',
+    Object: 'auth-request',
+  };
+}
+
+function listResponse<T>(data: T[]) {
+  return {
+    data,
+    Data: data,
+    object: 'list',
+    Object: 'list',
+    continuationToken: null,
+    ContinuationToken: null,
+  };
+}
+
+async function readJsonBody(request: Request): Promise<Record<string, any> | null> {
+  try {
+    const body = await request.json();
+    return body && typeof body === 'object' ? body as Record<string, any> : null;
+  } catch {
+    return null;
+  }
+}
+
+function readBodyValue(body: Record<string, any>, names: string[]): unknown {
+  for (const name of names) {
+    if (body[name] !== undefined) return body[name];
+  }
+  return undefined;
+}
+
+function isSupportedAuthRequestType(value: number): value is AuthRequestType {
+  return value === AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK || value === AUTH_REQUEST_TYPE_UNLOCK || value === AUTH_REQUEST_TYPE_ADMIN_APPROVAL;
+}
+
+export async function handleCreateAuthRequest(request: Request, env: Env): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  const email = normalizeText(readBodyValue(body, ['email', 'Email']), 320).toLowerCase();
+  const publicKey = normalizeText(readBodyValue(body, ['publicKey', 'PublicKey']), 8192);
+  const accessCode = normalizeText(readBodyValue(body, ['accessCode', 'AccessCode']), 25);
+  const requestedType = Number(readBodyValue(body, ['type', 'Type']));
+  const type = Number.isFinite(requestedType) ? requestedType : AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK;
+  const deviceInfo = readAuthRequestDeviceInfo(
+    {
+      deviceIdentifier: normalizeText(readBodyValue(body, ['deviceIdentifier', 'DeviceIdentifier']), 128),
+      deviceName: normalizeText(readBodyValue(body, ['deviceName', 'DeviceName']), 128),
+      deviceType: String(readBodyValue(body, ['deviceType', 'DeviceType']) ?? ''),
+    },
+    request
+  );
+
+  if (!email || !publicKey || !accessCode || !deviceInfo.deviceIdentifier) {
+    return errorResponse('Email, public key, device identifier, and access code are required.', 400);
+  }
+  if (!isSupportedAuthRequestType(type) || type === AUTH_REQUEST_TYPE_ADMIN_APPROVAL) {
+    return errorResponse('Invalid auth request type.', 400);
+  }
+
+  const user = await storage.getUser(email);
+  if (!user || user.status !== 'active') {
+    return errorResponse('User or known device not found.', 400);
+  }
+
+  await storage.pruneExpiredAuthRequests();
+  const now = new Date().toISOString();
+  const authRequest: AuthRequestRecord = {
+    id: generateUUID(),
+    userId: user.id,
+    organizationId: null,
+    type,
+    requestDeviceIdentifier: deviceInfo.deviceIdentifier,
+    requestDeviceType: deviceInfo.deviceType,
+    requestIpAddress: getClientIp(request),
+    requestCountryName: getCountryName(request),
+    responseDeviceIdentifier: null,
+    accessCode,
+    publicKey,
+    key: null,
+    masterPasswordHash: null,
+    approved: null,
+    creationDate: now,
+    responseDate: null,
+    authenticationDate: null,
+  };
+  await storage.createAuthRequest(authRequest);
+  notifyUserAuthRequest(env, user.id, authRequest.id, deviceInfo.deviceIdentifier);
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleGetAuthRequest(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.userId !== userId) return errorResponse('Not found', 404);
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleGetAuthRequestResponse(request: Request, env: Env, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const url = new URL(request.url);
+  const accessCode = normalizeText(url.searchParams.get('code'), 25);
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.accessCode !== accessCode || isAuthRequestExpired(authRequest)) {
+    return errorResponse('Not found', 404);
+  }
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleListAuthRequests(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const authRequests = await storage.listAuthRequestsByUserId(userId);
+  return jsonResponse(listResponse(authRequests.map((authRequest) => toAuthRequestResponse(request, authRequest))));
+}
+
+export async function handleListPendingAuthRequests(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  await storage.pruneExpiredAuthRequests();
+  const authRequests = await storage.listPendingAuthRequestsByUserId(userId);
+  const rows = await Promise.all(authRequests.map(async (authRequest) => {
+    const device = await storage.getDevice(userId, authRequest.requestDeviceIdentifier);
+    return toAuthRequestResponse(request, authRequest, device?.deviceIdentifier ?? authRequest.requestDeviceIdentifier);
+  }));
+  return jsonResponse(listResponse(rows));
+}
+
+export async function handleUpdateAuthRequest(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.userId !== userId || isAuthRequestExpired(authRequest)) {
+    return errorResponse('Not found', 404);
+  }
+  if (authRequest.approved !== null || authRequest.responseDate || authRequest.authenticationDate) {
+    return errorResponse('Auth request has already been answered.', 409);
+  }
+
+  const latestForUser = await storage.listPendingAuthRequestsByUserId(userId);
+  const latestForDevice = latestForUser.find((item) => item.requestDeviceIdentifier === authRequest.requestDeviceIdentifier);
+  if (latestForDevice?.id !== authRequest.id) {
+    return errorResponse('This request is no longer valid. Make sure to approve the most recent request.', 400);
+  }
+
+  const approved = Boolean(readBodyValue(body, ['requestApproved', 'RequestApproved']));
+  const key = normalizeText(readBodyValue(body, ['key', 'Key']), 20000);
+  const masterPasswordHash = normalizeText(readBodyValue(body, ['masterPasswordHash', 'MasterPasswordHash']), 20000) || null;
+  const responseDeviceIdentifier =
+    normalizeText(readBodyValue(body, ['deviceIdentifier', 'DeviceIdentifier']), 128) ||
+    readActingDeviceIdentifier(request) ||
+    'web';
+
+  if (approved && !key) {
+    return errorResponse('Encrypted key is required to approve the request.', 400);
+  }
+
+  const updated = await storage.updateAuthRequestResponse(id, userId, {
+    approved,
+    responseDeviceIdentifier,
+    key,
+    masterPasswordHash,
+  });
+  if (!updated) return errorResponse('Auth request has already been answered.', 409);
+  const updatedRequest = await storage.getAuthRequestById(id);
+  // Match Bitwarden upstream behavior: only approval wakes the originating anonymous
+  // client. Denials are not pushed to avoid leaking that a login attempt was rejected.
+  if (approved) {
+    await notifyAuthRequestResponse(env, userId, id);
+  }
+  return jsonResponse(toAuthRequestResponse(request, updatedRequest || authRequest));
+}
@@ -1,20 +1,20 @@
 import type { Env, User } from '../types';
 import { errorResponse, jsonResponse } from '../utils/response';
-import { generateUUID } from '../utils/uuid';
 import {
  type BackupArchiveBundle,
  buildBackupArchive,
  inspectBackupArchiveFileNameChecksum,
+  parseBackupArchive,
  verifyBackupArchiveFileNameChecksum,
 } from '../services/backup-archive';
 import {
  type BackupDestinationRecord,
  type BackupSettingsInput,
-  BACKUP_SCHEDULER_WINDOW_MINUTES,
+  type BackupSettings,
+  type WebDavBackupDestination,
  getBackupLocalDateKey,
  getDefaultBackupSettings,
  getBackupSettingsRepairState,
-  isBackupDueNow,
  loadBackupSettings,
  normalizeBackupSettingsInput,
  normalizeImportedBackupSettings,
@@ -30,6 +30,7 @@ import {
 } from '../services/backup-import';
 import {
  type RemoteBackupTransferSession,
+  type RemoteBackupFile,
  createRemoteBackupTransferSession,
  deleteRemoteBackupFile,
  downloadRemoteBackupFile,
@@ -39,8 +40,10 @@ import {
  uploadBackupArchive,
 } from '../services/backup-uploader';
 import { StorageService } from '../services/storage';
+import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
 import { getBlobObject } from '../services/blob-store';
 import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from '../durable/notifications-hub';
+import { unzipSync } from 'fflate';

 function isAdmin(user: User): boolean {
  return user.role === 'admin' && user.status === 'active';
@@ -52,16 +55,20 @@ async function writeAuditLog(
  action: string,
  targetType: string | null,
  targetId: string | null,
-  metadata: Record<string, unknown> | null
+  metadata: Record<string, unknown> | null,
+  request?: Request
 ): Promise<void> {
-  await storage.createAuditLog({
-    id: generateUUID(),
+  await writeAuditEvent(storage, {
    actorUserId,
    action,
    targetType,
    targetId,
-    metadata: metadata ? JSON.stringify(metadata) : null,
-    createdAt: new Date().toISOString(),
+    category: 'data',
+    level: action.endsWith('.failed') ? 'error' : 'info',
+    metadata: {
+      ...(metadata || {}),
+      ...(request ? auditRequestMetadata(request) : {}),
+    },
  });
 }

@@ -99,6 +106,37 @@ interface RemoteAttachmentIndexPayload {
  blobs: Record<string, { sizeBytes: number; updatedAt: string }>;
 }

+const REMOTE_ATTACHMENT_SYNC_EXTERNAL_SUBREQUEST_LIMIT = 50;
+const REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE = 6;
+const REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE = 18;
+const REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE = 40;
+const REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE = 40;
+
+function countRemotePathSegments(value: string): number {
+  return String(value || '').replace(/\\/g, '/').split('/').filter(Boolean).length;
+}
+
+function getRemoteAttachmentSyncBatchSize(destination: BackupDestinationRecord): number {
+  if (destination.type === 's3') {
+    return REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE;
+  }
+
+  const remotePath = String((destination.destination as WebDavBackupDestination).remotePath || '');
+  const fixedWebDavDirectoryCalls = countRemotePathSegments(remotePath) + 1; // remotePath plus the shared "attachments" dir.
+  const available = REMOTE_ATTACHMENT_SYNC_EXTERNAL_SUBREQUEST_LIMIT
+    - REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE
+    - fixedWebDavDirectoryCalls;
+
+  if (available < 2) {
+    throw new Error('WebDAV remote backup path is too deep for safe attachment batching');
+  }
+
+  return Math.max(1, Math.min(
+    REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE,
+    Math.floor(available / 2)
+  ));
+}
+
 async function loadRemoteAttachmentIndex(session: RemoteBackupTransferSession): Promise<Map<string, number>> {
  try {
    const file = await session.download(REMOTE_ATTACHMENT_INDEX_PATH);
@@ -113,7 +151,19 @@ async function loadRemoteAttachmentIndex(session: RemoteBackupTransferSession):
    );
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error);
-    if (message.includes('404') || message.includes('Please select a backup file')) {
+    const normalized = message.toLowerCase();
+    // Some WebDAV providers return non-standard codes such as 530 when the
+    // attachment index does not exist yet. Treat these "missing file" style
+    // responses as an empty index so first-time incremental backups can proceed.
+    if (
+      normalized.includes('404')
+      || normalized.includes('403')
+      || normalized.includes('530')
+      || normalized.includes('not found')
+      || normalized.includes('file not found')
+      || normalized.includes('does not exist')
+      || normalized.includes('please select a backup file')
+    ) {
      return new Map<string, number>();
    }
    throw error;
@@ -142,12 +192,45 @@ async function saveRemoteAttachmentIndex(
  });
 }

-async function executeConfiguredBackup(
+async function uploadRemoteAttachmentChunk(
+  env: Env,
+  destination: BackupDestinationRecord,
+  attachments: Array<{ blobName: string }>
+): Promise<void> {
+  if (!attachments.length) return;
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-sync');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/upload-attachment-chunk', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify({
+      destination,
+      attachments,
+    }),
+  });
+  if (!response.ok) {
+    let message = `Attachment sync failed: ${response.status}`;
+    try {
+      const payload = await response.json<{ error?: string }>();
+      if (payload?.error) {
+        message = payload.error;
+      }
+    } catch {
+      // Ignore JSON parse failures and preserve the status-based error.
+    }
+    throw new Error(message);
+  }
+}
+
+export async function executeConfiguredBackup(
  env: Env,
  storage: StorageService,
  actorUserId: string | null,
  trigger: 'manual' | 'scheduled',
  destinationId?: string | null,
+  keepAlive?: (() => Promise<void>) | null,
  progress?: ((event: {
    operation: 'backup-remote-run';
    step: string;
@@ -157,9 +240,13 @@ async function executeConfiguredBackup(
    done?: boolean;
    ok?: boolean;
    error?: string | null;
-  }) => Promise<void>) | null
+  }) => Promise<void>) | null,
+  auditMetadata?: Record<string, unknown> | null
 ): Promise<{ fileName: string; fileSize: number; remotePath: string; provider: string }> {
  const maxArchiveUploadAttempts = 3;
+  const touchLease = async () => {
+    await keepAlive?.();
+  };
  const currentSettings = await loadBackupSettings(storage, env, 'UTC');
  const destination = requireBackupDestination(currentSettings, destinationId);

@@ -168,9 +255,11 @@ async function executeConfiguredBackup(
  destination.runtime.lastAttemptLocalDate = getBackupLocalDateKey(now, destination.schedule.timezone);
  destination.runtime.lastErrorAt = null;
  destination.runtime.lastErrorMessage = null;
+  await touchLease();
  await saveBackupSettings(storage, env, currentSettings);

  try {
+    await touchLease();
    await progress?.({
      operation: 'backup-remote-run',
      step: 'remote_run_prepare',
@@ -178,8 +267,10 @@ async function executeConfiguredBackup(
      stageTitle: 'txt_backup_remote_run_progress_prepare_title',
      stageDetail: 'txt_backup_remote_run_progress_prepare_detail',
    });
+    await touchLease();
    const archive = await buildBackupArchive(env, now, {
      includeAttachments: destination.includeAttachments,
+      timeZone: destination.schedule.timezone,
      progress: progress
        ? async (event) => {
          if (event.step === 'archive_ready') {
@@ -205,29 +296,30 @@ async function executeConfiguredBackup(
        : 'txt_backup_remote_run_progress_sync_attachments_skipped_detail',
    });
    const remoteSession = createRemoteBackupTransferSession(destination);
-    const remoteAttachmentIndex = await loadRemoteAttachmentIndex(remoteSession);
-    let attachmentIndexChanged = false;
-    for (const attachment of archive.manifest.attachmentBlobs || []) {
-      if (remoteAttachmentIndex.get(attachment.blobName) === attachment.sizeBytes) {
-        continue;
+    if (destination.includeAttachments) {
+      await touchLease();
+      const remoteAttachmentIndex = await loadRemoteAttachmentIndex(remoteSession);
+      const pendingAttachments = (archive.manifest.attachmentBlobs || [])
+        .filter((attachment) => remoteAttachmentIndex.get(attachment.blobName) !== attachment.sizeBytes);
+      const attachmentSyncBatchSize = getRemoteAttachmentSyncBatchSize(destination);
+      for (let i = 0; i < pendingAttachments.length; i += attachmentSyncBatchSize) {
+        await touchLease();
+        const chunk = pendingAttachments
+          .slice(i, i + attachmentSyncBatchSize)
+          .map((attachment) => ({ blobName: attachment.blobName }));
+        await uploadRemoteAttachmentChunk(env, destination, chunk);
      }
-      const remotePath = `attachments/${attachment.blobName}`;
-      const object = await getBlobObject(env, attachment.blobName);
-      if (!object) {
-        throw new Error(`Attachment blob missing for ${attachment.blobName}`);
+      if (pendingAttachments.length) {
+        for (const attachment of pendingAttachments) {
+          remoteAttachmentIndex.set(attachment.blobName, attachment.sizeBytes);
+        }
+        await touchLease();
+        await saveRemoteAttachmentIndex(remoteSession, remoteAttachmentIndex);
      }
-      const bytes = new Uint8Array(await new Response(object.body).arrayBuffer());
-      await remoteSession.putFile(remotePath, bytes, {
-        contentType: object.contentType,
-      });
-      remoteAttachmentIndex.set(attachment.blobName, attachment.sizeBytes);
-      attachmentIndexChanged = true;
-    }
-    if (attachmentIndexChanged) {
-      await saveRemoteAttachmentIndex(remoteSession, remoteAttachmentIndex);
    }
    let upload: Awaited<ReturnType<typeof uploadBackupArchive>> | null = null;
    for (let attempt = 1; attempt <= maxArchiveUploadAttempts; attempt++) {
+      await touchLease();
      await progress?.({
        operation: 'backup-remote-run',
        step: 'remote_run_upload_archive',
@@ -237,6 +329,7 @@ async function executeConfiguredBackup(
      });
      upload = await remoteSession.uploadArchive(archive.bytes, archive.fileName);
      try {
+        await touchLease();
        await progress?.({
          operation: 'backup-remote-run',
          step: 'remote_run_verify_archive',
@@ -267,6 +360,7 @@ async function executeConfiguredBackup(
    let prunedFileCount = 0;
    let pruneErrorMessage: string | null = null;
    try {
+      await touchLease();
      await progress?.({
        operation: 'backup-remote-run',
        step: 'remote_run_cleanup',
@@ -285,8 +379,10 @@ async function executeConfiguredBackup(
    destination.runtime.lastUploadedFileName = archive.fileName;
    destination.runtime.lastUploadedSizeBytes = archive.bytes.byteLength;
    destination.runtime.lastUploadedDestination = upload.remotePath;
+    await touchLease();
    await saveBackupSettings(storage, env, currentSettings);

+    await touchLease();
    await writeAuditLog(storage, actorUserId, `admin.backup.remote.${trigger}`, 'backup', null, {
      ...getBackupDestinationSummary(destination),
      provider: upload.provider,
@@ -296,6 +392,7 @@ async function executeConfiguredBackup(
      uploadVerificationAttempts: maxArchiveUploadAttempts,
      prunedFileCount,
      pruneError: pruneErrorMessage,
+      ...(auditMetadata || {}),
    });

    await progress?.({
@@ -317,11 +414,14 @@ async function executeConfiguredBackup(
  } catch (error) {
    destination.runtime.lastErrorAt = new Date().toISOString();
    destination.runtime.lastErrorMessage = error instanceof Error ? error.message : 'Backup upload failed';
+    await touchLease();
    await saveBackupSettings(storage, env, currentSettings);

+    await touchLease();
    await writeAuditLog(storage, actorUserId, `admin.backup.remote.${trigger}.failed`, 'backup', null, {
      ...getBackupDestinationSummary(destination),
      error: destination.runtime.lastErrorMessage,
+      ...(auditMetadata || {}),
    });
    await progress?.({
      operation: 'backup-remote-run',
@@ -337,14 +437,293 @@ async function executeConfiguredBackup(
  }
 }

+interface DurableBackupRunResponse {
+  result: {
+    fileName: string;
+    fileSize: number;
+    remotePath: string;
+    provider: string;
+  };
+  settings: BackupSettings;
+}
+
+async function runConfiguredBackupInDurableObject(
+  env: Env,
+  payload: {
+    actorUserId: string | null;
+    auditMetadata?: Record<string, unknown> | null;
+    destinationId?: string | null;
+    targetDeviceIdentifier?: string | null;
+    trigger: 'manual' | 'scheduled';
+  }
+): Promise<DurableBackupRunResponse | null> {
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/run-configured-backup', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify(payload),
+  });
+  if (response.status === 409) {
+    return null;
+  }
+  if (!response.ok) {
+    let message = `Backup run failed: ${response.status}`;
+    try {
+      const body = await response.json<{ error?: string }>();
+      if (body?.error) message = body.error;
+    } catch {
+      // Preserve the status-based message when the DO returns a non-JSON error.
+    }
+    throw new Error(message);
+  }
+  const body = await response.json<DurableBackupRunResponse>();
+  if (!body?.result || !body?.settings) {
+    throw new Error('Backup run response is invalid');
+  }
+  return body;
+}
+
+async function runScheduledBackupsInDurableObject(env: Env): Promise<void> {
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/run-scheduled-backups', {
+    method: 'POST',
+  });
+  if (response.status === 409) {
+    return;
+  }
+  if (!response.ok) {
+    let message = `Scheduled backup failed: ${response.status}`;
+    try {
+      const body = await response.json<{ error?: string }>();
+      if (body?.error) message = body.error;
+    } catch {
+      // Preserve the status-based message when the DO returns a non-JSON error.
+    }
+    throw new Error(message);
+  }
+}
+
+async function downloadRemoteAttachmentViaDurableObject(
+  env: Env,
+  destination: BackupDestinationRecord,
+  blobName: string
+): Promise<Uint8Array | null> {
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify({
+      destination,
+      blobName,
+    }),
+  });
+  if (response.status === 404) {
+    return null;
+  }
+  if (!response.ok) {
+    throw new Error(`Remote attachment download failed: ${response.status}`);
+  }
+  return new Uint8Array(await response.arrayBuffer());
+}
+
+async function downloadRemoteAttachmentBatchViaDurableObject(
+  env: Env,
+  destination: BackupDestinationRecord,
+  blobNames: string[]
+): Promise<Map<string, Uint8Array>> {
+  const names = Array.from(new Set(blobNames.map((blobName) => String(blobName || '').trim()).filter(Boolean)));
+  const result = new Map<string, Uint8Array>();
+  if (!names.length) return result;
+
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment-batch', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify({
+      destination,
+      blobNames: names,
+    }),
+  });
+  if (!response.ok) {
+    throw new Error(`Remote attachment batch download failed: ${response.status}`);
+  }
+
+  const files = unzipSync(new Uint8Array(await response.arrayBuffer()));
+  const manifestBytes = files['manifest.json'];
+  if (!manifestBytes) return result;
+  const manifest = JSON.parse(new TextDecoder().decode(manifestBytes)) as {
+    entries?: Array<{ blobName?: string; path?: string }>;
+  };
+  for (const entry of manifest.entries || []) {
+    const blobName = String(entry.blobName || '').trim();
+    const path = String(entry.path || '').trim();
+    const bytes = path ? files[path] : null;
+    if (blobName && bytes) {
+      result.set(blobName, bytes);
+    }
+  }
+  return result;
+}
+
+function collectExternalRemoteAttachmentBlobNames(archiveBytes: Uint8Array): string[] {
+  const parsed = parseBackupArchive(archiveBytes, { allowExternalAttachmentBlobs: true });
+  const refs = new Map(
+    (parsed.payload.manifest.attachmentBlobs || [])
+      .map((item) => [`${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}`, item])
+  );
+  const names: string[] = [];
+  const seen = new Set<string>();
+
+  for (const row of parsed.payload.db.attachments || []) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    const inlinePath = `attachments/${cipherId}/${attachmentId}.bin`;
+    if (parsed.files[inlinePath]) continue;
+    const ref = refs.get(`${cipherId}/${attachmentId}`);
+    const blobName = String(ref?.blobName || '').trim();
+    if (blobName && !seen.has(blobName)) {
+      seen.add(blobName);
+      names.push(blobName);
+    }
+  }
+
+  return names;
+}
+
 function toImportStatusCode(message: string): number {
  const lower = message.toLowerCase();
+  if (lower.includes('checksum')) return 400;
  if (lower.includes('invalid backup') || lower.includes('invalid json')) return 400;
  if (lower.includes('fresh instance')) return 409;
  if (lower.includes('not configured') || lower.includes('kv')) return 409;
  return 500;
 }

+export async function importAndAuditRemoteBackupFile(
+  env: Env,
+  storage: StorageService,
+  actorUserId: string,
+  remoteFile: RemoteBackupFile,
+  destination: BackupDestinationRecord,
+  remotePath: string,
+  replaceExisting: boolean,
+  checksumMismatchAccepted: boolean,
+  auditMetadata: Record<string, unknown> | null = null,
+  targetDeviceIdentifier: string | null = null
+): Promise<BackupImportExecutionResult> {
+  const restoreFileName = remoteFile.fileName || remotePath.split('/').pop() || remotePath;
+  const externalAttachmentBlobNames = collectExternalRemoteAttachmentBlobNames(remoteFile.bytes);
+  const externalAttachmentCache = new Map<string, Uint8Array | null>();
+  const progress: BackupRestoreProgressReporter = async (event) => {
+    await notifyUserBackupRestoreProgress(
+      env,
+      actorUserId,
+      {
+        operation: 'backup-restore',
+        ...event,
+      },
+      targetDeviceIdentifier
+    );
+  };
+  const result = await importRemoteBackupArchiveBytes(
+    remoteFile.bytes,
+    env,
+    actorUserId,
+    replaceExisting,
+    {
+      loadAttachment: async (blobName) => {
+        const normalized = String(blobName || '').trim();
+        if (!normalized) return null;
+        if (externalAttachmentCache.has(normalized)) {
+          return externalAttachmentCache.get(normalized) || null;
+        }
+
+        const start = Math.max(0, externalAttachmentBlobNames.indexOf(normalized));
+        const batchNames = externalAttachmentBlobNames
+          .slice(start, start + REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE)
+          .filter((name) => !externalAttachmentCache.has(name));
+        if (!batchNames.includes(normalized)) {
+          batchNames.unshift(normalized);
+        }
+
+        try {
+          const batch = await downloadRemoteAttachmentBatchViaDurableObject(env, destination, batchNames);
+          for (const name of batchNames) {
+            externalAttachmentCache.set(name, batch.get(name) || null);
+          }
+        } catch {
+          externalAttachmentCache.set(normalized, await downloadRemoteAttachmentViaDurableObject(env, destination, normalized).catch(() => null));
+        }
+        return externalAttachmentCache.get(normalized) || null;
+      },
+    },
+    progress,
+    restoreFileName
+  );
+  await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
+    users: result.result.imported.users,
+    ciphers: result.result.imported.ciphers,
+    attachments: result.result.imported.attachmentFiles,
+    skippedAttachments: result.result.skipped.attachments,
+    skippedReason: result.result.skipped.reason,
+    replaceExisting,
+    ...getBackupDestinationSummary(destination),
+    remotePath,
+    bytes: remoteFile.bytes.byteLength,
+    trigger: 'remote',
+    checksumMismatchAccepted,
+    ...(auditMetadata || {}),
+  });
+  return result;
+}
+
+async function restoreRemoteBackupInDurableObject(
+  env: Env,
+  payload: {
+    actorUserId: string;
+    allowChecksumMismatch?: boolean;
+    auditMetadata?: Record<string, unknown> | null;
+    destinationId?: string | null;
+    path: string;
+    replaceExisting?: boolean;
+    targetDeviceIdentifier?: string | null;
+  }
+): Promise<BackupImportExecutionResult['result'] | null> {
+  const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
+  const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
+  const response = await stub.fetch('https://backup-transfer/internal/restore-remote-backup', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify(payload),
+  });
+  if (response.status === 409) {
+    return null;
+  }
+  if (!response.ok) {
+    let message = `Remote backup restore failed: ${response.status}`;
+    try {
+      const body = await response.json<{ error?: string }>();
+      if (body?.error) message = body.error;
+    } catch {
+      // Preserve the status-based message when the DO returns a non-JSON error.
+    }
+    throw new Error(message);
+  }
+  return response.json<BackupImportExecutionResult['result']>();
+}
+
 async function runImportAndAudit(
  env: Env,
  request: Request,
@@ -384,18 +763,12 @@ async function runImportAndAudit(
    skippedReason: imported.result.skipped.reason,
    replaceExisting,
    ...metadata,
-  });
+  }, request);
  return imported;
 }

 export async function runScheduledBackupIfDue(env: Env): Promise<void> {
-  const storage = new StorageService(env.DB);
-  const settings = await loadBackupSettings(storage, env, 'UTC');
-  const now = new Date();
-  for (const destination of settings.destinations) {
-    if (!isBackupDueNow(destination, now, BACKUP_SCHEDULER_WINDOW_MINUTES)) continue;
-    await executeConfiguredBackup(env, storage, null, 'scheduled', destination.id);
-  }
+  await runScheduledBackupsInDurableObject(env);
 }

 export async function handleGetAdminBackupSettings(request: Request, env: Env, actorUser: User): Promise<Response> {
@@ -440,7 +813,7 @@ export async function handleUpdateAdminBackupSettings(request: Request, env: Env
  await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.update', 'backup', null, {
    destinationCount: next.destinations.length,
    scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
-  });
+  }, request);
  return jsonResponse(next);
 }

@@ -490,14 +863,13 @@ export async function handleRepairAdminBackupSettings(request: Request, env: Env
  await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.repair', 'backup', null, {
    destinationCount: next.destinations.length,
    scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
-  });
+  }, request);
  return jsonResponse(next);
 }

 export async function handleRunAdminConfiguredBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);

-  const storage = new StorageService(env.DB);
  try {
    let body: { destinationId?: string } | null = null;
    try {
@@ -508,30 +880,25 @@ export async function handleRunAdminConfiguredBackup(request: Request, env: Env,
      return errorResponse('Backup run payload is invalid', 400);
    }

-    const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
-    const progress = async (event: {
-      operation: 'backup-remote-run';
-      step: string;
-      fileName: string;
-      stageTitle: string;
-      stageDetail: string;
-      done?: boolean;
-      ok?: boolean;
-      error?: string | null;
-    }) => {
-      await notifyUserBackupProgress(env, actorUser.id, event, targetDeviceIdentifier);
-    };
-    const result = await executeConfiguredBackup(env, storage, actorUser.id, 'manual', body?.destinationId || null, progress);
-    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const outcome = await runConfiguredBackupInDurableObject(env, {
+      actorUserId: actorUser.id,
+      auditMetadata: auditRequestMetadata(request),
+      destinationId: body?.destinationId || null,
+      targetDeviceIdentifier: String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null,
+      trigger: 'manual',
+    });
+    if (!outcome) {
+      return errorResponse('Another backup run is already in progress', 409);
+    }
    return jsonResponse({
      object: 'backup-run',
      result: {
-        fileName: result.fileName,
-        fileSize: result.fileSize,
-        provider: result.provider,
-        remotePath: result.remotePath,
+        fileName: outcome.result.fileName,
+        fileSize: outcome.result.fileSize,
+        provider: outcome.result.provider,
+        remotePath: outcome.result.remotePath,
      },
-      settings,
+      settings: outcome.settings,
    });
  } catch (error) {
    return errorResponse(error instanceof Error ? error.message : 'Backup run failed', 500);
@@ -617,7 +984,7 @@ export async function handleDeleteAdminRemoteBackup(request: Request, env: Env,
    await writeAuditLog(storage, actorUser.id, 'admin.backup.remote.delete', 'backup', null, {
      ...getBackupDestinationSummary(destination),
      remotePath: path,
-    });
+    }, request);
    return jsonResponse({ object: 'backup-remote-delete', deleted: true, path });
  } catch (error) {
    return errorResponse(error instanceof Error ? error.message : 'Remote backup delete failed', 409);
@@ -634,76 +1001,22 @@ export async function handleRestoreAdminRemoteBackup(request: Request, env: Env,
    return errorResponse('Remote restore payload is invalid', 400);
  }

-  const storage = new StorageService(env.DB);
  try {
-    const settings = await loadBackupSettings(storage, env, 'UTC');
-    const destination = requireBackupDestination(settings, body.destinationId || null);
    const path = ensureRemoteRestoreCandidate(String(body.path || ''));
    const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
-    const restoreFileNameFromPath = path.split('/').pop() || path;
-    await notifyUserBackupRestoreProgress(
-      env,
-      actorUser.id,
-      {
-        operation: 'backup-restore',
-        source: 'remote',
-        step: 'remote_fetch_archive',
-        fileName: restoreFileNameFromPath,
-        stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
-        stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
-        replaceExisting: !!body.replaceExisting,
-      },
-      targetDeviceIdentifier
-    );
-    const remoteFile = await downloadRemoteBackupFile(destination, path);
-    const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
-    if (!checksumOk && !body.allowChecksumMismatch) {
-      return errorResponse('Remote backup file checksum does not match its filename', 400);
+    const imported = await restoreRemoteBackupInDurableObject(env, {
+      actorUserId: actorUser.id,
+      allowChecksumMismatch: !!body.allowChecksumMismatch,
+      auditMetadata: auditRequestMetadata(request),
+      destinationId: body.destinationId || null,
+      path,
+      replaceExisting: !!body.replaceExisting,
+      targetDeviceIdentifier,
+    });
+    if (!imported) {
+      return errorResponse('Another backup or restore run is already in progress', 409);
    }
-    const restoreFileName = remoteFile.fileName || path.split('/').pop() || path;
-    const progress: BackupRestoreProgressReporter = async (event) => {
-      await notifyUserBackupRestoreProgress(
-        env,
-        actorUser.id,
-        {
-          operation: 'backup-restore',
-          ...event,
-        },
-        targetDeviceIdentifier
-      );
-    };
-    const imported = await (async () => {
-      const storage = new StorageService(env.DB);
-      const result = await importRemoteBackupArchiveBytes(
-        remoteFile.bytes,
-        env,
-        actorUser.id,
-        !!body.replaceExisting,
-        {
-            loadAttachment: async (blobName) => {
-              const file = await downloadRemoteBackupFile(destination, `attachments/${blobName}`).catch(() => null);
-              return file?.bytes || null;
-            },
-        },
-        progress,
-        restoreFileName
-      );
-      await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
-        users: result.result.imported.users,
-        ciphers: result.result.imported.ciphers,
-        attachments: result.result.imported.attachmentFiles,
-        skippedAttachments: result.result.skipped.attachments,
-        skippedReason: result.result.skipped.reason,
-        replaceExisting: !!body.replaceExisting,
-        ...getBackupDestinationSummary(destination),
-        remotePath: path,
-        bytes: remoteFile.bytes.byteLength,
-        trigger: 'remote',
-        checksumMismatchAccepted: !checksumOk,
-      });
-      return result;
-    })();
-    return jsonResponse(imported.result);
+    return jsonResponse(imported);
  } catch (error) {
    const message = error instanceof Error ? error.message : 'Remote backup restore failed';
    return errorResponse(message, toImportStatusCode(message));
@@ -777,7 +1090,7 @@ export async function handleAdminExportBackup(request: Request, env: Env, actorU
    attachments: archive.manifest.tableCounts.attachments,
    compressedBytes: archive.bytes.byteLength,
    includesAttachments: archive.manifest.includes.attachments,
-  });
+  }, request);

  return new Response(archive.bytes, {
    status: 200,
@@ -1,11 +1,15 @@
 import type { Device, DevicePendingAuthRequest, DeviceResponse, ProtectedDeviceResponse as ProtectedDeviceWireResponse } from '../types';
 import { Env } from '../types';
 import { getOnlineUserDevices, notifyUserLogout } from '../durable/notifications-hub';
+import { AuthService } from '../services/auth';
+import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
 import { StorageService } from '../services/storage';
 import { errorResponse, jsonResponse } from '../utils/response';
 import { readKnownDeviceProbe } from '../utils/device';
 import { generateUUID } from '../utils/uuid';

+const PERMANENT_TRUST_EXPIRES_AT_MS = Date.UTC(2099, 11, 31, 23, 59, 59);
+
 function normalizeIdentifier(value: string | null | undefined): string {
  return String(value || '').trim();
 }
@@ -23,13 +27,18 @@ function isTrustedDevice(device: Pick<Device, 'encryptedUserKey' | 'encryptedPub
 }

 function buildDeviceResponse(device: Device): DeviceResponse {
+  const displayName = String(device.deviceNote || '').trim() || device.name;
  const response = {
    Id: device.deviceIdentifier,
    id: device.deviceIdentifier,
    UserId: device.userId,
    userId: device.userId,
-    Name: device.name,
-    name: device.name,
+    Name: displayName,
+    name: displayName,
+    SystemName: device.name,
+    systemName: device.name,
+    DeviceNote: device.deviceNote,
+    deviceNote: device.deviceNote,
    Identifier: device.deviceIdentifier,
    identifier: device.deviceIdentifier,
    Type: device.type,
@@ -38,6 +47,10 @@ function buildDeviceResponse(device: Device): DeviceResponse {
    creationDate: device.createdAt,
    RevisionDate: device.updatedAt,
    revisionDate: device.updatedAt,
+    LastSeenAt: device.lastSeenAt,
+    lastSeenAt: device.lastSeenAt,
+    HasStoredDevice: true,
+    hasStoredDevice: true,
    IsTrusted: isTrustedDevice(device),
    isTrusted: isTrustedDevice(device),
    EncryptedUserKey: device.encryptedUserKey,
@@ -55,8 +68,12 @@ function buildProtectedDeviceResponse(device: Device): ProtectedDeviceWireRespon
  const response = {
    Id: device.deviceIdentifier,
    id: device.deviceIdentifier,
-    Name: device.name,
-    name: device.name,
+    Name: String(device.deviceNote || '').trim() || device.name,
+    name: String(device.deviceNote || '').trim() || device.name,
+    SystemName: device.name,
+    systemName: device.name,
+    DeviceNote: device.deviceNote,
+    deviceNote: device.deviceNote,
    Identifier: device.deviceIdentifier,
    identifier: device.deviceIdentifier,
    Type: device.type,
@@ -101,6 +118,10 @@ async function readJsonBody(request: Request): Promise<any> {
  }
 }

+function parseDeviceName(value: unknown): string {
+  return String(value || '').trim().slice(0, 128);
+}
+
 // GET /api/devices/knowndevice
 // Compatible with Bitwarden/Vaultwarden behavior:
 // - X-Request-Email: base64url(email) without padding
@@ -203,12 +224,15 @@ export async function handleGetAuthorizedDevices(request: Request, env: Env, use
      encryptedPublicKey: null,
      encryptedPrivateKey: null,
      devicePendingAuthRequest: null,
+      deviceNote: null,
+      lastSeenAt: null,
      createdAt: '',
      updatedAt: '',
    };
    data.push({
      ...buildDeviceResponse(placeholderDevice),
      isTrusted: true,
+      hasStoredDevice: false,
      online: onlineSet.has(row.deviceIdentifier),
      trusted: true,
      trustedTokenCount: row.tokenCount,
@@ -245,9 +269,50 @@ export async function handleRevokeTrustedDevice(

  const storage = new StorageService(env.DB);
  const removed = await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.trust.revoke',
+    category: 'device',
+    level: 'security',
+    targetType: 'device',
+    targetId: normalized,
+    metadata: { removed, ...auditRequestMetadata(request) },
+  });
  return jsonResponse({ success: true, removed });
 }

+// POST /api/devices/authorized/:deviceIdentifier/permanent
+// Upgrades an existing active 2FA remember-token record to permanent trust.
+export async function handleTrustDevicePermanently(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = String(deviceIdentifier || '').trim();
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const updated = await storage.updateTrustedTwoFactorTokensExpiryByDevice(userId, normalized, PERMANENT_TRUST_EXPIRES_AT_MS);
+  if (!updated) return errorResponse('Device is not currently trusted', 409);
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.trust.permanent',
+    category: 'device',
+    level: 'security',
+    targetType: 'device',
+    targetId: normalized,
+    metadata: { updated, ...auditRequestMetadata(request) },
+  });
+
+  return jsonResponse({
+    success: true,
+    updated,
+    trustedUntil: new Date(PERMANENT_TRUST_EXPIRES_AT_MS).toISOString(),
+  });
+}
+
 // DELETE /api/devices/:deviceIdentifier
 export async function handleDeleteDevice(
  request: Request,
@@ -264,11 +329,53 @@ export async function handleDeleteDevice(
  await storage.deleteRefreshTokensByDevice(userId, normalized);
  const deleted = await storage.deleteDevice(userId, normalized);
  if (deleted) {
-    await notifyUserLogout(env, userId, normalized);
+    AuthService.invalidateDeviceCache(userId, normalized);
+    notifyUserLogout(env, userId, normalized);
  }
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.delete',
+    category: 'device',
+    level: 'security',
+    targetType: 'device',
+    targetId: normalized,
+    metadata: { deleted, ...auditRequestMetadata(request) },
+  });
  return jsonResponse({ success: deleted });
 }

+// PUT /api/devices/:deviceIdentifier/name
+export async function handleUpdateDeviceName(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  const normalized = String(deviceIdentifier || '').trim();
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const body = await readJsonBody(request);
+  const name = parseDeviceName(body?.name);
+  if (!name) return errorResponse('Device name is required', 400);
+
+  const storage = new StorageService(env.DB);
+  const updated = await storage.updateDeviceName(userId, normalized, name);
+  if (!updated) return errorResponse('Device not found', 404);
+
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) return errorResponse('Device not found', 404);
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.name.update',
+    category: 'device',
+    level: 'info',
+    targetType: 'device',
+    targetId: normalized,
+    metadata: { name, ...auditRequestMetadata(request) },
+  });
+  return jsonResponse(buildDeviceResponse(device));
+}
+
 // DELETE /api/devices
 export async function handleDeleteAllDevices(request: Request, env: Env, userId: string): Promise<Response> {
  void request;
@@ -284,7 +391,17 @@ export async function handleDeleteAllDevices(request: Request, env: Env, userId:
  user.securityStamp = generateUUID();
  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);
-  await notifyUserLogout(env, userId, null);
+  AuthService.invalidateUserCache(userId);
+  notifyUserLogout(env, userId, null);
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.delete_all',
+    category: 'device',
+    level: 'security',
+    targetType: 'user',
+    targetId: userId,
+    metadata: { removedTrusted, removedSessions, removedDevices, ...auditRequestMetadata(request) },
+  });
  return jsonResponse({ success: true, removedTrusted, removedSessions: removedSessions ?? 0, removedDevices });
 }

@@ -376,6 +493,15 @@ export async function handleUntrustDevices(
    if (!deviceIdentifier) continue;
    await storage.deleteTrustedTwoFactorTokensByDevice(userId, deviceIdentifier);
  }
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.trust.revoke_batch',
+    category: 'device',
+    level: 'security',
+    targetType: 'user',
+    targetId: userId,
+    metadata: { requested: devices.length, removed, ...auditRequestMetadata(request) },
+  });
  return jsonResponse({ success: true, removed });
 }

@@ -415,8 +541,18 @@ export async function handleDeactivateDevice(
  await storage.deleteRefreshTokensByDevice(userId, normalized);
  const deleted = await storage.deleteDevice(userId, normalized);
  if (deleted) {
-    await notifyUserLogout(env, userId, normalized);
+    AuthService.invalidateDeviceCache(userId, normalized);
+    notifyUserLogout(env, userId, normalized);
  }
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action: 'device.deactivate',
+    category: 'device',
+    level: 'security',
+    targetType: 'device',
+    targetId: normalized,
+    metadata: { deleted, ...auditRequestMetadata(request) },
+  });
  return jsonResponse({ success: deleted });
 }

@@ -0,0 +1,85 @@
+import type { Env } from '../types';
+import { StorageService } from '../services/storage';
+import {
+  buildDomainsResponse,
+  customRulesToActiveEquivalentDomains,
+  normalizeCustomEquivalentDomains,
+  normalizeEquivalentDomains,
+  normalizeExcludedGlobalTypes,
+} from '../services/domain-rules';
+import { errorResponse, jsonResponse } from '../utils/response';
+
+// CONTRACT:
+// This route accepts both camelCase and PascalCase Bitwarden-compatible payloads.
+// It stores custom rules, then derives equivalentDomains from the non-excluded
+// custom rules. Keep this behavior aligned with backup import/export and
+// src/services/storage-domain-rules-repo.ts.
+function firstPresent(payload: Record<string, unknown>, keys: string[]): unknown {
+  for (const key of keys) {
+    if (Object.prototype.hasOwnProperty.call(payload, key)) return payload[key];
+  }
+  return undefined;
+}
+
+async function readPayload(request: Request): Promise<Record<string, unknown>> {
+  try {
+    const parsed = await request.json();
+    return parsed && typeof parsed === 'object' && !Array.isArray(parsed)
+      ? parsed as Record<string, unknown>
+      : {};
+  } catch {
+    return {};
+  }
+}
+
+export async function handleGetDomains(env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const settings = await storage.getUserDomainSettings(userId);
+  return jsonResponse(buildDomainsResponse(
+    settings.equivalentDomains,
+    settings.customEquivalentDomains,
+    settings.excludedGlobalEquivalentDomains
+  ));
+}
+
+export async function handleUpdateDomains(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const payload = await readPayload(request);
+  const current = await storage.getUserDomainSettings(userId);
+  const equivalentDomainsRaw = firstPresent(payload, [
+    'equivalentDomains',
+    'EquivalentDomains',
+  ]);
+  const customEquivalentDomainsRaw = firstPresent(payload, [
+    'customEquivalentDomains',
+    'CustomEquivalentDomains',
+  ]);
+  const excludedGlobalEquivalentDomainsRaw = firstPresent(payload, [
+    'excludedGlobalEquivalentDomains',
+    'ExcludedGlobalEquivalentDomains',
+    // Some older compatible clients send the excluded type list under this key.
+    'globalEquivalentDomains',
+    'GlobalEquivalentDomains',
+  ]);
+  const customEquivalentDomains = customEquivalentDomainsRaw === undefined
+    ? (equivalentDomainsRaw === undefined
+        ? current.customEquivalentDomains
+        : normalizeCustomEquivalentDomains(normalizeEquivalentDomains(equivalentDomainsRaw)))
+    : normalizeCustomEquivalentDomains(customEquivalentDomainsRaw);
+  const equivalentDomains = customRulesToActiveEquivalentDomains(customEquivalentDomains);
+  const excludedGlobalEquivalentDomains = excludedGlobalEquivalentDomainsRaw === undefined
+    ? current.excludedGlobalEquivalentDomains
+    : normalizeExcludedGlobalTypes(excludedGlobalEquivalentDomainsRaw);
+
+  await storage.saveUserDomainSettings(userId, equivalentDomains, customEquivalentDomains, excludedGlobalEquivalentDomains);
+
+  const settings = await storage.getUserDomainSettings(userId);
+  if (!settings) {
+    return errorResponse('Domain settings unavailable', 500);
+  }
+  return jsonResponse(buildDomainsResponse(
+    settings.equivalentDomains,
+    settings.customEquivalentDomains,
+    settings.excludedGlobalEquivalentDomains
+  ));
+}
@@ -5,14 +5,36 @@ import { jsonResponse, errorResponse } from '../utils/response';
 import { readActingDeviceIdentifier } from '../utils/device';
 import { generateUUID } from '../utils/uuid';
 import { parsePagination, encodeContinuationToken } from '../utils/pagination';
+import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';

-async function notifyVaultSyncForRequest(
+function notifyVaultSyncForRequest(
  request: Request,
  env: Env,
  userId: string,
  revisionDate: string
+): void {
+  notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}
+
+async function writeFolderAudit(
+  storage: StorageService,
+  request: Request,
+  userId: string,
+  action: string,
+  metadata: Record<string, unknown>
 ): Promise<void> {
-  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action,
+    category: 'data',
+    level: action.includes('delete') ? 'security' : 'info',
+    targetType: 'folder',
+    targetId: typeof metadata.id === 'string' ? metadata.id : null,
+    metadata: {
+      ...metadata,
+      ...auditRequestMetadata(request),
+    },
+  });
 }

 // Convert internal folder to API response format
@@ -21,6 +43,7 @@ function folderToResponse(folder: Folder): FolderResponse {
    id: folder.id,
    name: folder.name,
    revisionDate: folder.updatedAt,
+    creationDate: folder.createdAt,
    object: 'folder',
  };
 }
@@ -87,7 +110,7 @@ export async function handleCreateFolder(request: Request, env: Env, userId: str

  await storage.saveFolder(folder);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(folderToResponse(folder), 200);
 }
@@ -115,7 +138,7 @@ export async function handleUpdateFolder(request: Request, env: Env, userId: str

  await storage.saveFolder(folder);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(folderToResponse(folder));
 }
@@ -132,7 +155,10 @@ export async function handleDeleteFolder(request: Request, env: Env, userId: str
  await storage.clearFolderFromCiphers(userId, id);
  await storage.deleteFolder(id, userId);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  await writeFolderAudit(storage, request, userId, 'folder.delete', {
+    id,
+  });

  return new Response(null, { status: 204 });
 }
@@ -155,7 +181,10 @@ export async function handleBulkDeleteFolders(request: Request, env: Env, userId

  const revisionDate = await storage.bulkDeleteFolders(ids, userId);
  if (revisionDate) {
-    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+    notifyVaultSyncForRequest(request, env, userId, revisionDate);
+    await writeFolderAudit(storage, request, userId, 'folder.delete.bulk', {
+      count: ids.length,
+    });
  }

  return new Response(null, { status: 204 });
@@ -14,14 +14,22 @@ import {
  buildAccountKeys,
  buildUserDecryptionOptions,
 } from '../utils/user-decryption';
+import { auditRequestMetadata, safeWriteAuditEvent } from '../services/audit-events';
+import {
+  assertAccountPasskeyCredential,
+  buildAccountPasskeyTokenUserDecryptionOption,
+} from './account-passkeys';
+import { isAuthRequestExpired } from '../services/storage-auth-request-repo';

 const TWO_FACTOR_REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 const TWO_FACTOR_PROVIDER_AUTHENTICATOR = 0;
 const TWO_FACTOR_PROVIDER_REMEMBER = 5;
-// Android client (2026.2.x) deserializes TwoFactorProviders2 keys with -1 for recovery code.
-// Keep request parsing backward-compatible with historical provider values (8 / 100).
+const TWO_FACTOR_PROVIDER_RECOVERY_CODE = 8;
+const WEB_REFRESH_COOKIE = 'nodewarden_web_refresh';
+// Some UI surfaces use -1 for the recovery-code settings dialog. Login itself follows
+// the official Identity provider enum (RecoveryCode = 8), while request parsing remains
+// compatible with older/local provider values.
 const TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE = '-1';
-const TWO_FACTOR_PROVIDER_RECOVERY_CODE_LEGACY = 8;
 const TWO_FACTOR_PROVIDER_RECOVERY_CODE_ANDROID_REQUEST = 100;

 function resolveTotpSecret(userSecret: string | null): string | null {
@@ -31,6 +39,85 @@ function resolveTotpSecret(userSecret: string | null): string | null {
  return null;
 }

+async function resolveDeviceSession(
+  storage: StorageService,
+  userId: string,
+  deviceInfo: ReturnType<typeof readAuthRequestDeviceInfo>
+): Promise<{ identifier: string; sessionStamp: string } | null> {
+  if (!deviceInfo.deviceIdentifier) return null;
+  const existingDevice = await storage.getDevice(userId, deviceInfo.deviceIdentifier);
+  const sessionStamp = String(existingDevice?.sessionStamp || '').trim() || generateUUID();
+  return { identifier: deviceInfo.deviceIdentifier, sessionStamp };
+}
+
+function shouldUseWebSession(request: Request): boolean {
+  return String(request.headers.get('X-NodeWarden-Web-Session') || '').trim() === '1';
+}
+
+function parseCookieValue(request: Request, name: string): string | null {
+  const rawCookie = String(request.headers.get('Cookie') || '').trim();
+  if (!rawCookie) return null;
+  for (const part of rawCookie.split(';')) {
+    const [key, ...rest] = part.trim().split('=');
+    if (key !== name) continue;
+    const value = rest.join('=').trim();
+    return value ? decodeURIComponent(value) : null;
+  }
+  return null;
+}
+
+function constantTimeEquals(a: string, b: string): boolean {
+  const encA = new TextEncoder().encode(a);
+  const encB = new TextEncoder().encode(b);
+  if (encA.length !== encB.length) return false;
+
+  let diff = 0;
+  for (let i = 0; i < encA.length; i++) {
+    diff |= encA[i] ^ encB[i];
+  }
+  return diff === 0;
+}
+
+function readBodyValue(body: Record<string, string>, names: string[]): string | undefined {
+  for (const name of names) {
+    const value = body[name];
+    if (value != null) return value;
+  }
+  return undefined;
+}
+
+function buildRefreshCookie(request: Request, refreshToken: string, maxAgeSeconds: number): string {
+  const isHttps = new URL(request.url).protocol === 'https:';
+  const parts = [
+    `${WEB_REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}`,
+    'Path=/identity/connect',
+    'HttpOnly',
+    'SameSite=Strict',
+    `Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`,
+  ];
+  if (isHttps) parts.push('Secure');
+  return parts.join('; ');
+}
+
+function buildClearedRefreshCookie(request: Request): string {
+  return buildRefreshCookie(request, '', 0);
+}
+
+function withWebRefreshCookie(request: Request, response: Response, refreshToken: string | null): Response {
+  const headers = new Headers(response.headers);
+  headers.append(
+    'Set-Cookie',
+    refreshToken
+      ? buildRefreshCookie(request, refreshToken, Math.floor(LIMITS.auth.refreshTokenTtlMs / 1000))
+      : buildClearedRefreshCookie(request)
+  );
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers,
+  });
+}
+
 function buildPreloginResponse(
  email: string,
  kdfType: number,
@@ -53,12 +140,13 @@ function buildPreloginResponse(
  };
 }

-function twoFactorRequiredResponse(message: string = 'Two factor required.', includeRecoveryCode: boolean = false): Response {
-  const providers = includeRecoveryCode
-    ? [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR), TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE]
-    : [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR)];
-  const providers2: Record<string, null> = {};
-  for (const provider of providers) providers2[provider] = null;
+function twoFactorRequiredResponse(message: string = 'Two factor required.'): Response {
+  // Match Bitwarden Identity: TwoFactorProviders2 lists enabled 2FA providers only.
+  // Clients expose recovery-code entry points themselves; Android 2026.4 fails to
+  // parse the challenge if an unknown recovery provider key such as "8" is included.
+  const providers = [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR)];
+  const providers2: Record<string, { Email: null }> = {};
+  for (const provider of providers) providers2[provider] = { Email: null };
  const customResponse = {
    TwoFactorProviders: providers,
    TwoFactorProviders2: providers2,
@@ -151,10 +239,11 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    // Login with password
    const email = body.username?.toLowerCase();
    const passwordHash = body.password;
-    const twoFactorToken = body.twoFactorToken;
-    const twoFactorProvider = body.twoFactorProvider;
-    const twoFactorRemember = body.twoFactorRemember;
-    const loginIdentifier = `${clientIdentifier}:${email}`;
+    const authRequestId = readBodyValue(body, ['authRequest', 'AuthRequest']);
+    const twoFactorToken = readBodyValue(body, ['twoFactorToken', 'TwoFactorToken']);
+    const twoFactorProvider = readBodyValue(body, ['twoFactorProvider', 'TwoFactorProvider']);
+    const twoFactorRemember = readBodyValue(body, ['twoFactorRemember', 'TwoFactorRemember']);
+    const loginIdentifier = clientIdentifier;
    const deviceInfo = readAuthRequestDeviceInfo(body, request);

    if (!email || !passwordHash) {
@@ -179,11 +268,57 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    }
    if (user.status !== 'active') {
      await rateLimit.recordFailedLogin(loginIdentifier);
+      await safeWriteAuditEvent(env, {
+        actorUserId: user.id,
+        action: 'auth.login.failed.user_inactive',
+        category: 'auth',
+        level: 'warn',
+        targetType: 'user',
+        targetId: user.id,
+        metadata: {
+          grantType,
+          deviceIdentifier: deviceInfo.deviceIdentifier,
+          ...auditRequestMetadata(request),
+        },
+      });
      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
    }

-    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
+    let validatedAuthRequestId: string | null = null;
+    let valid = false;
+    const normalizedAuthRequestId = String(authRequestId || '').trim();
+    if (normalizedAuthRequestId) {
+      const authRequest = await storage.getAuthRequestById(normalizedAuthRequestId);
+      valid = !!(
+        authRequest &&
+        authRequest.userId === user.id &&
+        authRequest.type === 0 &&
+        authRequest.approved === true &&
+        authRequest.responseDate &&
+        !authRequest.authenticationDate &&
+        !isAuthRequestExpired(authRequest) &&
+        constantTimeEquals(authRequest.accessCode, passwordHash)
+      );
+      if (valid) {
+        validatedAuthRequestId = authRequest!.id;
+      }
+    } else {
+      valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
+    }
    if (!valid) {
+      await safeWriteAuditEvent(env, {
+        actorUserId: user.id,
+        action: normalizedAuthRequestId ? 'auth.login.failed.bad_auth_request' : 'auth.login.failed.bad_password',
+        category: 'auth',
+        level: 'warn',
+        targetType: 'user',
+        targetId: user.id,
+        metadata: {
+          grantType,
+          deviceIdentifier: deviceInfo.deviceIdentifier,
+          ...auditRequestMetadata(request),
+        },
+      });
      return recordFailedLoginAndBuildResponse(
        rateLimit,
        loginIdentifier,
@@ -195,7 +330,6 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    let trustedTwoFactorTokenToReturn: string | undefined;
    const effectiveTotpSecret = resolveTotpSecret(user.totpSecret);
    if (effectiveTotpSecret) {
-      const canUseRecoveryCode = !!user.totpRecoveryCode;
      const normalizedTwoFactorProvider = String(twoFactorProvider ?? '').trim();
      const normalizedTwoFactorToken = String(twoFactorToken ?? '').trim();
      let rememberRequested = ['1', 'true', 'True', 'TRUE', 'on', 'yes', 'Yes', 'YES'].includes(String(twoFactorRemember || '').trim());
@@ -205,7 +339,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      // Upstream-compatible behavior: if 2FA is required and either provider or token is missing,
      // respond with a 2FA challenge payload.
      if (!hasProvider || !hasToken) {
-        return twoFactorRequiredResponse('Two factor required.', canUseRecoveryCode);
+        return twoFactorRequiredResponse('Two factor required.');
      }

      let passedByRememberToken = false;
@@ -220,7 +354,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>

        // Remember token missing/invalid/expired should re-enter the 2FA challenge flow.
        if (!passedByRememberToken) {
-          return twoFactorRequiredResponse('Two factor required.', canUseRecoveryCode);
+          return twoFactorRequiredResponse('Two factor required.');
        }
      } else if (normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_AUTHENTICATOR)) {
        const totpOk = await verifyTotpToken(effectiveTotpSecret, normalizedTwoFactorToken);
@@ -229,7 +363,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
        }
      } else if (
        normalizedTwoFactorProvider === TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE ||
-        normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_RECOVERY_CODE_LEGACY) ||
+        normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_RECOVERY_CODE) ||
        normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_RECOVERY_CODE_ANDROID_REQUEST)
      ) {
        if (!recoveryCodeEquals(normalizedTwoFactorToken, user.totpRecoveryCode)) {
@@ -259,10 +393,261 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    }

    // Persist device only after successful password + (optional) 2FA verification.
-    const deviceSession =
-      deviceInfo.deviceIdentifier
-        ? { identifier: deviceInfo.deviceIdentifier, sessionStamp: generateUUID() }
-        : null;
+    const deviceSession = await resolveDeviceSession(storage, user.id, deviceInfo);
+    if (deviceSession) {
+      await storage.upsertDevice(
+        user.id,
+        deviceSession.identifier,
+        deviceInfo.deviceName,
+        deviceInfo.deviceType,
+        deviceSession.sessionStamp
+      );
+    }
+
+    // Successful login - clear failed attempts
+    await rateLimit.clearLoginAttempts(loginIdentifier);
+    if (validatedAuthRequestId) {
+      await storage.markAuthRequestAuthenticated(validatedAuthRequestId);
+    }
+
+    const accessToken = await auth.generateAccessToken(user, deviceSession);
+    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
+    const accountKeys = buildAccountKeys(user);
+    const userDecryptionOptions = buildUserDecryptionOptions(user);
+    await safeWriteAuditEvent(env, {
+      actorUserId: user.id,
+      action: 'auth.login.success',
+      category: 'auth',
+      level: 'info',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: {
+        grantType,
+        webSession: shouldUseWebSession(request),
+        deviceIdentifier: deviceSession?.identifier ?? deviceInfo.deviceIdentifier,
+        deviceType: deviceInfo.deviceType,
+        ...auditRequestMetadata(request),
+      },
+    });
+
+    const response: TokenResponse = {
+      access_token: accessToken,
+      expires_in: LIMITS.auth.accessTokenTtlSeconds,
+      token_type: 'Bearer',
+      ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: refreshToken }),
+      ...(trustedTwoFactorTokenToReturn ? { TwoFactorToken: trustedTwoFactorTokenToReturn } : {}),
+      Key: user.key,
+      PrivateKey: user.privateKey,
+      AccountKeys: accountKeys,
+      accountKeys: accountKeys,
+      Kdf: user.kdfType,
+      KdfIterations: user.kdfIterations,
+      KdfMemory: user.kdfMemory,
+      KdfParallelism: user.kdfParallelism,
+      ForcePasswordReset: false,
+      ResetMasterPassword: false,
+      MasterPasswordPolicy: {
+        Object: 'masterPasswordPolicy',
+      },
+      ApiUseKeyConnector: false,
+      scope: 'api offline_access',
+      unofficialServer: true,
+      UserDecryptionOptions: userDecryptionOptions,
+      userDecryptionOptions: userDecryptionOptions,
+    };
+
+    const baseResponse = jsonResponse(response);
+    return shouldUseWebSession(request)
+      ? withWebRefreshCookie(request, baseResponse, refreshToken)
+      : baseResponse;
+
+  } else if (grantType === 'webauthn') {
+    const loginIdentifier = clientIdentifier;
+    const loginCheck = await rateLimit.checkLoginAttempt(loginIdentifier);
+    if (!loginCheck.allowed) {
+      return identityErrorResponse(
+        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
+        'TooManyRequests',
+        429
+      );
+    }
+
+    const token = String(body.token || '').trim();
+    let deviceResponse: unknown = body.deviceResponse;
+    if (typeof deviceResponse === 'string') {
+      try {
+        deviceResponse = JSON.parse(deviceResponse);
+      } catch {
+        return identityErrorResponse('Invalid passkey response', 'invalid_request', 400);
+      }
+    }
+    if (!token || !deviceResponse) {
+      return identityErrorResponse('Passkey token and deviceResponse are required', 'invalid_request', 400);
+    }
+
+    let asserted: Awaited<ReturnType<typeof assertAccountPasskeyCredential>>;
+    try {
+      asserted = await assertAccountPasskeyCredential(request, env, storage, {
+        token,
+        deviceResponse,
+        scope: 'Authentication',
+      });
+    } catch (error) {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      await safeWriteAuditEvent(env, {
+        actorUserId: null,
+        action: 'auth.passkey.login.failed',
+        category: 'auth',
+        level: 'warn',
+        targetType: 'accountPasskey',
+        targetId: null,
+        metadata: {
+          grantType,
+          reason: error instanceof Error ? error.message : 'assertion_failed',
+          ...auditRequestMetadata(request),
+        },
+      });
+      return identityErrorResponse('Passkey is invalid. Try again', 'invalid_grant', 400);
+    }
+
+    const { user, credential } = asserted;
+    if (user.status !== 'active') {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
+    }
+
+    const deviceInfo = readAuthRequestDeviceInfo(body, request);
+    const deviceSession = await resolveDeviceSession(storage, user.id, deviceInfo);
+    if (deviceSession) {
+      await storage.upsertDevice(
+        user.id,
+        deviceSession.identifier,
+        deviceInfo.deviceName,
+        deviceInfo.deviceType,
+        deviceSession.sessionStamp
+      );
+    }
+
+    await rateLimit.clearLoginAttempts(loginIdentifier);
+
+    const accessToken = await auth.generateAccessToken(user, deviceSession);
+    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
+    const accountKeys = buildAccountKeys(user);
+    const webAuthnPrfOption = buildAccountPasskeyTokenUserDecryptionOption(credential);
+    const userDecryptionOptions = buildUserDecryptionOptions(user, webAuthnPrfOption);
+    await safeWriteAuditEvent(env, {
+      actorUserId: user.id,
+      action: 'auth.passkey.login.success',
+      category: 'auth',
+      level: 'info',
+      targetType: 'accountPasskey',
+      targetId: credential.id,
+      metadata: {
+        grantType,
+        webSession: shouldUseWebSession(request),
+        deviceIdentifier: deviceSession?.identifier ?? deviceInfo.deviceIdentifier,
+        deviceType: deviceInfo.deviceType,
+        ...auditRequestMetadata(request),
+      },
+    });
+
+    const response: TokenResponse = {
+      access_token: accessToken,
+      expires_in: LIMITS.auth.accessTokenTtlSeconds,
+      token_type: 'Bearer',
+      ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: refreshToken }),
+      Key: user.key,
+      PrivateKey: user.privateKey,
+      AccountKeys: accountKeys,
+      accountKeys: accountKeys,
+      Kdf: user.kdfType,
+      KdfIterations: user.kdfIterations,
+      KdfMemory: user.kdfMemory,
+      KdfParallelism: user.kdfParallelism,
+      ForcePasswordReset: false,
+      ResetMasterPassword: false,
+      MasterPasswordPolicy: {
+        Object: 'masterPasswordPolicy',
+      },
+      ApiUseKeyConnector: false,
+      scope: 'api offline_access',
+      unofficialServer: true,
+      UserDecryptionOptions: userDecryptionOptions,
+      userDecryptionOptions: userDecryptionOptions,
+    };
+
+    const baseResponse = jsonResponse(response);
+    return shouldUseWebSession(request)
+      ? withWebRefreshCookie(request, baseResponse, refreshToken)
+      : baseResponse;
+
+  } else if (grantType === 'client_credentials') {
+    // Login with client credentials
+    const clientId = body.client_id;
+    const clientSecret = body.client_secret;
+    const scope = body.scope;
+    const deviceInfo = readAuthRequestDeviceInfo(body, request);
+
+    const loginIdentifier = clientIdentifier;
+    const parmValid = checkClientCredentialsParam(clientId, clientSecret, scope);
+    if (!parmValid) {
+      return identityErrorResponse('Parameter error', 'invalid_request', 400);
+    }
+
+    // Check login lockout before user lookup to reduce user-enumeration signal
+    const loginCheck = await rateLimit.checkLoginAttempt(loginIdentifier);
+    if (!loginCheck.allowed) {
+      return identityErrorResponse(
+        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
+        'TooManyRequests',
+        429
+      );
+    }
+
+    const uid = clientId.slice(5);
+    const user = await storage.getUserById(uid);
+    if (!user) {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      return identityErrorResponse('ClientId or clientSecret is incorrect. Try again', 'invalid_grant', 400);
+    }
+    if (user.status !== 'active') {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      await safeWriteAuditEvent(env, {
+        actorUserId: user.id,
+        action: 'auth.login.failed.user_inactive',
+        category: 'auth',
+        level: 'warn',
+        targetType: 'user',
+        targetId: user.id,
+        metadata: {
+          grantType,
+          deviceIdentifier: deviceInfo.deviceIdentifier,
+          ...auditRequestMetadata(request),
+        },
+      });
+      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
+    }
+
+    if (!user.apiKey || !constantTimeEquals(clientSecret, user.apiKey)) {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      await safeWriteAuditEvent(env, {
+        actorUserId: user.id,
+        action: 'auth.login.failed.bad_api_key',
+        category: 'auth',
+        level: 'warn',
+        targetType: 'user',
+        targetId: user.id,
+        metadata: {
+          grantType,
+          deviceIdentifier: deviceInfo.deviceIdentifier,
+          ...auditRequestMetadata(request),
+        },
+      });
+      return identityErrorResponse('ClientId or clientSecret is incorrect. Try again', 'invalid_grant', 400);
+    }
+
+    // Persist device only after successful client credential verification.
+    const deviceSession = await resolveDeviceSession(storage, user.id, deviceInfo);
    if (deviceSession) {
      await storage.upsertDevice(
        user.id,
@@ -278,17 +663,33 @@ export async function handleToken(request: Request, env: Env): Promise<Response>

    const accessToken = await auth.generateAccessToken(user, deviceSession);
    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
+    const accountKeys = buildAccountKeys(user);
+    const userDecryptionOptions = buildUserDecryptionOptions(user);
+    await safeWriteAuditEvent(env, {
+      actorUserId: user.id,
+      action: 'auth.login.success',
+      category: 'auth',
+      level: 'info',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: {
+        grantType,
+        webSession: shouldUseWebSession(request),
+        deviceIdentifier: deviceSession?.identifier ?? deviceInfo.deviceIdentifier,
+        deviceType: deviceInfo.deviceType,
+        ...auditRequestMetadata(request),
+      },
+    });

    const response: TokenResponse = {
      access_token: accessToken,
      expires_in: LIMITS.auth.accessTokenTtlSeconds,
      token_type: 'Bearer',
-      refresh_token: refreshToken,
-      ...(trustedTwoFactorTokenToReturn ? { TwoFactorToken: trustedTwoFactorTokenToReturn } : {}),
+      ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: refreshToken }),
      Key: user.key,
      PrivateKey: user.privateKey,
-      AccountKeys: buildAccountKeys(user),
-      accountKeys: buildAccountKeys(user),
+      AccountKeys: accountKeys,
+      accountKeys: accountKeys,
      Kdf: user.kdfType,
      KdfIterations: user.kdfIterations,
      KdfMemory: user.kdfMemory,
@@ -301,11 +702,14 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      ApiUseKeyConnector: false,
      scope: 'api offline_access',
      unofficialServer: true,
-      UserDecryptionOptions: buildUserDecryptionOptions(user),
-      userDecryptionOptions: buildUserDecryptionOptions(user),
+      UserDecryptionOptions: userDecryptionOptions,
+      userDecryptionOptions: userDecryptionOptions,
    };

-    return jsonResponse(response);
+    const baseResponse = jsonResponse(response);
+    return shouldUseWebSession(request)
+      ? withWebRefreshCookie(request, baseResponse, refreshToken)
+      : baseResponse;

  } else if (grantType === 'send_access') {
    const sendAccessLimit = await rateLimit.consumeBudget(`${clientIdentifier}:public`, LIMITS.rateLimit.publicRequestsPerMinute);
@@ -371,14 +775,35 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    }

    // Refresh token
-    const refreshToken = body.refresh_token;
+    const refreshToken = String(body.refresh_token || '').trim() || (
+      shouldUseWebSession(request)
+        ? parseCookieValue(request, WEB_REFRESH_COOKIE)
+        : null
+    );
    if (!refreshToken) {
      return identityErrorResponse('Refresh token is required', 'invalid_request', 400);
    }

-    const result = await auth.refreshAccessToken(refreshToken);
-    if (!result) {
-      return identityErrorResponse('Invalid refresh token', 'invalid_grant', 400);
+    const result = await auth.refreshAccessTokenDetailed(refreshToken);
+    if (!result.ok) {
+      await safeWriteAuditEvent(env, {
+        actorUserId: result.userId ?? null,
+        action: `auth.refresh.failed.${result.reason}`,
+        category: 'auth',
+        level: 'warn',
+        targetType: result.deviceIdentifier ? 'device' : 'refreshToken',
+        targetId: result.deviceIdentifier ?? null,
+        metadata: {
+          grantType,
+          reason: result.reason,
+          webSession: shouldUseWebSession(request),
+          ...auditRequestMetadata(request),
+        },
+      });
+      const invalidResponse = identityErrorResponse('Invalid refresh token', 'invalid_grant', 400);
+      return shouldUseWebSession(request)
+        ? withWebRefreshCookie(request, invalidResponse, null)
+        : invalidResponse;
    }

    // Keep a short overlap window for old refresh token to absorb
@@ -389,17 +814,22 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    );

    const { accessToken, user, device } = result;
+    if (device?.identifier) {
+      await storage.touchDeviceLastSeen(user.id, device.identifier);
+    }
    const newRefreshToken = await auth.generateRefreshToken(user.id, device);
+    const accountKeys = buildAccountKeys(user);
+    const userDecryptionOptions = buildUserDecryptionOptions(user);

    const response: TokenResponse = {
      access_token: accessToken,
      expires_in: LIMITS.auth.accessTokenTtlSeconds,
      token_type: 'Bearer',
-      refresh_token: newRefreshToken,
+      ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: newRefreshToken }),
      Key: user.key,
      PrivateKey: user.privateKey,
-      AccountKeys: buildAccountKeys(user),
-      accountKeys: buildAccountKeys(user),
+      AccountKeys: accountKeys,
+      accountKeys: accountKeys,
      Kdf: user.kdfType,
      KdfIterations: user.kdfIterations,
      KdfMemory: user.kdfMemory,
@@ -412,11 +842,14 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      ApiUseKeyConnector: false,
      scope: 'api offline_access',
      unofficialServer: true,
-      UserDecryptionOptions: buildUserDecryptionOptions(user),
-      userDecryptionOptions: buildUserDecryptionOptions(user),
+      UserDecryptionOptions: userDecryptionOptions,
+      userDecryptionOptions: userDecryptionOptions,
    };

-    return jsonResponse(response);
+    const baseResponse = jsonResponse(response);
+    return shouldUseWebSession(request)
+      ? withWebRefreshCookie(request, baseResponse, newRefreshToken)
+      : baseResponse;
  }

  return identityErrorResponse('Unsupported grant type', 'unsupported_grant_type', 400);
@@ -470,10 +903,30 @@ export async function handleRevocation(request: Request, env: Env): Promise<Resp
    return new Response(null, { status: 200 });
  }

-  const token = String(body.token || '').trim();
+  const token = String(body.token || '').trim() || (
+    shouldUseWebSession(request)
+      ? (parseCookieValue(request, WEB_REFRESH_COOKIE) || '')
+      : ''
+  );
  if (token) {
    await storage.deleteRefreshToken(token);
  }

-  return new Response(null, { status: 200 });
+  const baseResponse = new Response(null, { status: 200 });
+  return shouldUseWebSession(request)
+    ? withWebRefreshCookie(request, baseResponse, null)
+    : baseResponse;
+}
+
+export function checkClientCredentialsParam(clientId: string, clientSecret: string, scope: string): boolean {
+  if (scope !== 'api') {
+    return false;
+  }
+  if (!clientId.startsWith('user.')) {
+    return false;
+  }
+  if (!clientSecret) {
+    return false;
+  }
+  return true;
 }
@@ -5,7 +5,7 @@ import { errorResponse, jsonResponse } from '../utils/response';
 import { readActingDeviceIdentifier } from '../utils/device';
 import { generateUUID } from '../utils/uuid';
 import { LIMITS } from '../config/limits';
-import { normalizeCipherLoginForStorage, normalizeCipherSshKeyForCompatibility } from './ciphers';
+import { normalizeCipherLoginForStorage, normalizeCipherSshKeyForCompatibility, validateCipherEncryptedFieldsForCompatibility } from './ciphers';

 // Bitwarden client import request format
 interface CiphersImportRequest {
@@ -19,12 +19,11 @@ interface CiphersImportRequest {
    sshKey?: any | null;
    key?: string | null;
    login?: {
-      uris?: Array<{ uri: string | null; match?: number | null }> | null;
+      uris?: Array<{ uri: string | null; uriChecksum?: string | null; match?: number | null }> | null;
      username?: string | null;
      password?: string | null;
      totp?: string | null;
      autofillOnPageLoad?: boolean | null;
-      fido2Credentials?: any[] | null;
      uri?: string | null;
      passwordRevisionDate?: string | null;
      [key: string]: any;
@@ -83,6 +82,16 @@ function bindNull(v: any): any {
  return v === undefined ? null : v;
 }

+function readAliasedImportProp<T = unknown>(source: any, aliases: string[]): T | undefined {
+  if (!source || typeof source !== 'object') return undefined;
+  for (const key of aliases) {
+    if (Object.prototype.hasOwnProperty.call(source, key)) {
+      return source[key] as T;
+    }
+  }
+  return undefined;
+}
+
 async function runBatchInChunks(db: D1Database, statements: D1PreparedStatement[], chunkSize: number): Promise<void> {
  for (let i = 0; i < statements.length; i += chunkSize) {
    const chunk = statements.slice(i, i + chunkSize);
@@ -159,9 +168,16 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
  const cipherMapRows: Array<{ index: number; sourceId: string | null; id: string }> = [];
  for (let i = 0; i < ciphers.length; i++) {
    const c = ciphers[i];
-    const folderId = cipherFolderMap.get(i) || null;
+    const folderId = cipherFolderMap.get(i) || readAliasedImportProp<string | null>(c, ['folderId', 'FolderId']) || null;
    const sourceIdRaw = String(c?.id ?? '').trim();
    const sourceId = sourceIdRaw || null;
+    const login = readAliasedImportProp<any | null>(c, ['login', 'Login']);
+    const card = readAliasedImportProp<any | null>(c, ['card', 'Card']);
+    const identity = readAliasedImportProp<any | null>(c, ['identity', 'Identity']);
+    const secureNote = readAliasedImportProp<any | null>(c, ['secureNote', 'SecureNote']);
+    const fields = readAliasedImportProp<any[] | null>(c, ['fields', 'Fields']);
+    const passwordHistory = readAliasedImportProp<any[] | null>(c, ['passwordHistory', 'PasswordHistory']);
+    const key = readAliasedImportProp<string | null>(c, ['key', 'Key']);

    const cipher: Cipher = {
      ...c,
@@ -172,70 +188,74 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      name: c.name ?? 'Untitled',
      notes: c.notes ?? null,
      favorite: c.favorite ?? false,
-      login: c.login ? {
-        ...c.login,
-        username: c.login.username ?? null,
-        password: c.login.password ?? null,
-        uris: c.login.uris?.map(u => ({
+      login: login ? {
+        ...login,
+        username: login.username ?? null,
+        password: login.password ?? null,
+        uris: login.uris?.map((u: any) => ({
          ...u,
          uri: u.uri ?? null,
-          uriChecksum: null,
+          uriChecksum: u.uriChecksum ?? null,
          match: u.match ?? null,
        })) || null,
-        totp: c.login.totp ?? null,
-        autofillOnPageLoad: c.login.autofillOnPageLoad ?? null,
-        fido2Credentials: c.login.fido2Credentials ?? null,
-        uri: c.login.uri ?? null,
-        passwordRevisionDate: c.login.passwordRevisionDate ?? null,
+        totp: login.totp ?? null,
+        autofillOnPageLoad: login.autofillOnPageLoad ?? null,
+        fido2Credentials: Array.isArray(login.fido2Credentials) ? login.fido2Credentials : null,
+        uri: login.uri ?? null,
+        passwordRevisionDate: login.passwordRevisionDate ?? null,
      } : null,
-      card: c.card ? {
-        ...c.card,
-        cardholderName: c.card.cardholderName ?? null,
-        brand: c.card.brand ?? null,
-        number: c.card.number ?? null,
-        expMonth: c.card.expMonth ?? null,
-        expYear: c.card.expYear ?? null,
-        code: c.card.code ?? null,
+      card: card ? {
+        ...card,
+        cardholderName: card.cardholderName ?? null,
+        brand: card.brand ?? null,
+        number: card.number ?? null,
+        expMonth: card.expMonth ?? null,
+        expYear: card.expYear ?? null,
+        code: card.code ?? null,
      } : null,
-      identity: c.identity ? {
-        ...c.identity,
-        title: c.identity.title ?? null,
-        firstName: c.identity.firstName ?? null,
-        middleName: c.identity.middleName ?? null,
-        lastName: c.identity.lastName ?? null,
-        address1: c.identity.address1 ?? null,
-        address2: c.identity.address2 ?? null,
-        address3: c.identity.address3 ?? null,
-        city: c.identity.city ?? null,
-        state: c.identity.state ?? null,
-        postalCode: c.identity.postalCode ?? null,
-        country: c.identity.country ?? null,
-        company: c.identity.company ?? null,
-        email: c.identity.email ?? null,
-        phone: c.identity.phone ?? null,
-        ssn: c.identity.ssn ?? null,
-        username: c.identity.username ?? null,
-        passportNumber: c.identity.passportNumber ?? null,
-        licenseNumber: c.identity.licenseNumber ?? null,
+      identity: identity ? {
+        ...identity,
+        title: identity.title ?? null,
+        firstName: identity.firstName ?? null,
+        middleName: identity.middleName ?? null,
+        lastName: identity.lastName ?? null,
+        address1: identity.address1 ?? null,
+        address2: identity.address2 ?? null,
+        address3: identity.address3 ?? null,
+        city: identity.city ?? null,
+        state: identity.state ?? null,
+        postalCode: identity.postalCode ?? null,
+        country: identity.country ?? null,
+        company: identity.company ?? null,
+        email: identity.email ?? null,
+        phone: identity.phone ?? null,
+        ssn: identity.ssn ?? null,
+        username: identity.username ?? null,
+        passportNumber: identity.passportNumber ?? null,
+        licenseNumber: identity.licenseNumber ?? null,
      } : null,
-      secureNote: c.secureNote ?? null,
-      fields: c.fields?.map(f => ({
+      secureNote: secureNote ?? null,
+      fields: fields?.map((f: any) => ({
        ...f,
        name: f.name ?? null,
        value: f.value ?? null,
        type: f.type,
        linkedId: f.linkedId ?? null,
      })) || null,
-      passwordHistory: c.passwordHistory ?? null,
+      passwordHistory: passwordHistory ?? null,
      reprompt: c.reprompt ?? 0,
      sshKey: normalizeCipherSshKeyForCompatibility((c as any).sshKey ?? null),
-      key: (c as any).key ?? null,
+      key: key ?? null,
      createdAt: now,
      updatedAt: now,
      archivedAt: null,
      deletedAt: null,
    };
    cipher.login = normalizeCipherLoginForStorage(cipher.login);
+    const compatibilityError = validateCipherEncryptedFieldsForCompatibility(cipher);
+    if (compatibilityError) {
+      return errorResponse(`Cipher ${i + 1}: ${compatibilityError}`, 400);
+    }

    cipherRows.push(cipher);
    cipherMapRows.push({ index: i, sourceId, id: cipher.id });
@@ -273,7 +293,7 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st

  // Update revision date
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+  notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));

  if (returnCipherMap) {
    return jsonResponse({
@@ -56,3 +56,18 @@ export async function handleNotificationsHub(request: Request, env: Env): Promis
  }
  return stub.fetch(new Request(forwardedUrl.toString(), request));
 }
+
+export async function handleAnonymousNotificationsHub(request: Request, env: Env): Promise<Response> {
+  const url = new URL(request.url);
+  const authRequestId = String(url.searchParams.get('Token') || url.searchParams.get('token') || '').trim();
+  if (!authRequestId) return errorResponse('Token is required', 400);
+  if (request.headers.get('Upgrade')?.toLowerCase() !== 'websocket') {
+    return errorResponse('Expected websocket', 426);
+  }
+
+  const id = env.NOTIFICATIONS_HUB.idFromName(authRequestId);
+  const stub = env.NOTIFICATIONS_HUB.get(id);
+  const forwardedUrl = new URL(request.url);
+  forwardedUrl.searchParams.set('nw_auth_request_id', authRequestId);
+  return stub.fetch(new Request(forwardedUrl.toString(), request));
+}
@@ -29,6 +29,28 @@ import {
  setSendPassword,
  validateDeletionDate,
 } from './sends-shared';
+import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
+
+async function writeSendAudit(
+  storage: StorageService,
+  request: Request,
+  userId: string,
+  action: string,
+  metadata: Record<string, unknown>
+): Promise<void> {
+  await writeAuditEvent(storage, {
+    actorUserId: userId,
+    action,
+    category: 'data',
+    level: action.includes('delete') ? 'security' : 'info',
+    targetType: 'send',
+    targetId: typeof metadata.id === 'string' ? metadata.id : null,
+    metadata: {
+      ...metadata,
+      ...auditRequestMetadata(request),
+    },
+  });
+}

 async function processSendFileUpload(
  request: Request,
@@ -76,7 +98,7 @@ async function processSendFileUpload(

  const storage = new StorageService(env.DB);
  const revisionDate = await storage.updateRevisionDate(send.userId);
-  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, send.userId, revisionDate);

  return new Response(null, { status: 201 });
 }
@@ -97,8 +119,9 @@ export async function handleGetSends(request: Request, env: Env, userId: string)
    sends = await storage.getAllSends(userId);
  }

+  const sendResponses = sends.map(sendToResponse);
  return jsonResponse({
-    data: sends.map(sendToResponse),
+    data: sendResponses,
    object: 'list',
    continuationToken,
  });
@@ -225,7 +248,7 @@ export async function handleCreateSend(request: Request, env: Env, userId: strin

  await storage.saveSend(send);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(sendToResponse(send));
 }
@@ -348,7 +371,7 @@ export async function handleCreateFileSendV2(request: Request, env: Env, userId:

  await storage.saveSend(send);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);
  const jwtSecret = getSafeJwtSecret(env);
  if (!jwtSecret) {
    return errorResponse('Server configuration error', 500);
@@ -595,13 +618,12 @@ export async function handleUpdateSend(request: Request, env: Env, userId: strin
  send.updatedAt = new Date().toISOString();
  await storage.saveSend(send);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(sendToResponse(send));
 }

 export async function handleDeleteSend(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
-  void request;
  const storage = new StorageService(env.DB);
  const send = await storage.getSend(sendId);
  if (!send || send.userId !== userId) {
@@ -618,7 +640,11 @@ export async function handleDeleteSend(request: Request, env: Env, userId: strin

  await storage.deleteSend(sendId, userId);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  await writeSendAudit(storage, request, userId, 'send.delete', {
+    id: sendId,
+    type: send.type,
+  });

  return new Response(null, { status: 200 });
 }
@@ -649,14 +675,17 @@ export async function handleBulkDeleteSends(request: Request, env: Env, userId:

  const revisionDate = await storage.bulkDeleteSends(body.ids, userId);
  if (revisionDate) {
-    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+    notifyVaultSyncForRequest(request, env, userId, revisionDate);
+    await writeSendAudit(storage, request, userId, 'send.delete.bulk', {
+      count: sends.length,
+      requestedCount: body.ids.length,
+    });
  }

  return new Response(null, { status: 200 });
 }

 export async function handleRemoveSendPassword(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
-  void request;
  const storage = new StorageService(env.DB);
  const send = await storage.getSend(sendId);
  if (!send || send.userId !== userId) {
@@ -667,13 +696,16 @@ export async function handleRemoveSendPassword(request: Request, env: Env, userI
  send.updatedAt = new Date().toISOString();
  await storage.saveSend(send);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  await writeSendAudit(storage, request, userId, 'send.password.remove', {
+    id: send.id,
+    type: send.type,
+  });

  return jsonResponse(sendToResponse(send));
 }

 export async function handleRemoveSendAuth(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
-  void request;
  const storage = new StorageService(env.DB);
  const send = await storage.getSend(sendId);
  if (!send || send.userId !== userId) {
@@ -685,7 +717,11 @@ export async function handleRemoveSendAuth(request: Request, env: Env, userId: s
  send.updatedAt = new Date().toISOString();
  await storage.saveSend(send);
  const revisionDate = await storage.updateRevisionDate(userId);
-  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  await writeSendAudit(storage, request, userId, 'send.auth.remove', {
+    id: send.id,
+    type: send.type,
+  });

  return jsonResponse(sendToResponse(send));
 }
@@ -89,7 +89,7 @@ export async function handleAccessSend(request: Request, env: Env, accessId: str
    }
    send.accessCount += 1;
    const revisionDate = await storage.updateRevisionDate(send.userId);
-    await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+    notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
  }

  const creatorIdentifier = await getCreatorIdentifier(storage, send);
@@ -162,7 +162,7 @@ export async function handleAccessSendFile(
  }
  send.accessCount += 1;
  const revisionDate = await storage.updateRevisionDate(send.userId);
-  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, send.userId, revisionDate);

  const token = await createSendFileDownloadToken(send.id, fileId, secret);
  const url = new URL(request.url);
@@ -202,7 +202,7 @@ export async function handleAccessSendV2(request: Request, env: Env): Promise<Re
    }
    send.accessCount += 1;
    const revisionDate = await storage.updateRevisionDate(send.userId);
-    await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+    notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
  }

  const creatorIdentifier = await getCreatorIdentifier(storage, send);
@@ -241,7 +241,7 @@ export async function handleAccessSendFileV2(request: Request, env: Env, fileId:
  }
  send.accessCount += 1;
  const revisionDate = await storage.updateRevisionDate(send.userId);
-  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+  notifyVaultSyncForRequest(request, env, send.userId, revisionDate);

  const downloadToken = await createSendFileDownloadToken(send.id, fileId, jwt.secret);
  const url = new URL(request.url);
@@ -9,13 +9,13 @@ export const SEND_INACCESSIBLE_MSG = 'Send does not exist or is no longer availa
 const SEND_PASSWORD_ITERATIONS = 100_000;
 export const SEND_PASSWORD_LIMIT_SCOPE = 'send-password';

-export async function notifyVaultSyncForRequest(
+export function notifyVaultSyncForRequest(
  request: Request,
  env: Env,
  userId: string,
  revisionDate: string
-): Promise<void> {
-  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+): void {
+  notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
 }

 export function getAliasedProp(source: unknown, aliases: string[]): { present: boolean; value: unknown } {
@@ -1,7 +1,7 @@
 import { Env, SyncResponse, CipherResponse, FolderResponse, ProfileResponse } from '../types';
 import { StorageService } from '../services/storage';
 import { errorResponse } from '../utils/response';
-import { cipherToResponse } from './ciphers';
+import { cipherToResponse, isCipherResponseSyncCompatible, shouldPreserveRepairableCipherUris } from './ciphers';
 import { sendToResponse } from './sends';
 import { LIMITS } from '../config/limits';
 import {
@@ -9,88 +9,39 @@ import {
  buildUserDecryptionCompat,
  buildUserDecryptionOptions,
 } from '../utils/user-decryption';
+import { buildDomainsResponse } from '../services/domain-rules';
+import { buildWebAuthnPrfOption } from '../utils/account-passkeys';

-interface SyncCacheEntry {
-  userId: string;
-  revisionDate: string;
-  body: string;
-  expiresAt: number;
-  bytes: number;
+// CONTRACT:
+// /api/sync reuses cipherToResponse() as the single cipher response shaper.
+// Filtering invalid cipher responses here protects clients from stored rows that
+// would otherwise make official apps fail after an HTTP 200 sync.
+// Keep this aligned with src/handlers/ciphers.ts when adding new vault fields.
+function buildSyncCacheRequest(
+  request: Request,
+  userId: string,
+  revisionDate: string,
+  accountPasskeyCacheTag: string,
+  excludeDomains: boolean,
+  excludeSends: boolean,
+  preserveRepairableUris: boolean
+): Request {
+  const url = new URL(request.url);
+  const cacheUrl = new URL(
+    `/__nodewarden/cache/sync/${encodeURIComponent(userId)}/${encodeURIComponent(revisionDate)}/${encodeURIComponent(accountPasskeyCacheTag)}/${excludeDomains ? '1' : '0'}/${excludeSends ? '1' : '0'}/${preserveRepairableUris ? '1' : '0'}`,
+    url.origin
+  );
+  return new Request(cacheUrl.toString(), { method: 'GET' });
 }

-const syncResponseCache = new Map<string, SyncCacheEntry>();
-let syncResponseCacheTotalBytes = 0;
-const textEncoder = new TextEncoder();
-
-function buildSyncCacheKey(userId: string, revisionDate: string, excludeDomains: boolean): string {
-  return `${userId}:${revisionDate}:${excludeDomains ? '1' : '0'}`;
-}
-
-function readSyncCache(key: string): string | null {
-  const hit = syncResponseCache.get(key);
+async function readSyncCache(cacheRequest: Request): Promise<Response | null> {
+  const hit = await caches.default.match(cacheRequest);
  if (!hit) return null;
-  if (hit.expiresAt <= Date.now()) {
-    deleteSyncCacheEntry(key, hit);
-    return null;
-  }
-  return hit.body;
+  return new Response(hit.body, hit);
 }

-function deleteSyncCacheEntry(key: string, entry?: SyncCacheEntry): void {
-  const existing = entry ?? syncResponseCache.get(key);
-  if (!existing) return;
-  syncResponseCache.delete(key);
-  syncResponseCacheTotalBytes = Math.max(0, syncResponseCacheTotalBytes - existing.bytes);
-}
-
-function pruneExpiredSyncCache(nowMs: number = Date.now()): void {
-  for (const [key, entry] of syncResponseCache.entries()) {
-    if (entry.expiresAt <= nowMs) {
-      deleteSyncCacheEntry(key, entry);
-    }
-  }
-}
-
-function pruneStaleUserSyncCache(userId: string, revisionDate: string): void {
-  for (const [key, entry] of syncResponseCache.entries()) {
-    if (entry.userId === userId && entry.revisionDate !== revisionDate) {
-      deleteSyncCacheEntry(key, entry);
-    }
-  }
-}
-
-function writeSyncCache(userId: string, revisionDate: string, key: string, body: string): void {
-  const nowMs = Date.now();
-  pruneExpiredSyncCache(nowMs);
-  pruneStaleUserSyncCache(userId, revisionDate);
-
-  const bodyBytes = textEncoder.encode(body).byteLength;
-  if (bodyBytes > LIMITS.cache.syncResponseMaxBodyBytes) {
-    return;
-  }
-
-  const existing = syncResponseCache.get(key);
-  if (existing) {
-    deleteSyncCacheEntry(key, existing);
-  }
-
-  while (
-    syncResponseCache.size >= LIMITS.cache.syncResponseMaxEntries ||
-    syncResponseCacheTotalBytes + bodyBytes > LIMITS.cache.syncResponseMaxTotalBytes
-  ) {
-    const oldestKey = syncResponseCache.keys().next().value as string | undefined;
-    if (!oldestKey) break;
-    deleteSyncCacheEntry(oldestKey);
-  }
-
-  syncResponseCache.set(key, {
-    userId,
-    revisionDate,
-    body,
-    expiresAt: nowMs + LIMITS.cache.syncResponseTtlMs,
-    bytes: bodyBytes,
-  });
-  syncResponseCacheTotalBytes += bodyBytes;
+async function writeSyncCache(cacheRequest: Request, response: Response): Promise<void> {
+  await caches.default.put(cacheRequest, response.clone());
 }

 // GET /api/sync
@@ -99,34 +50,46 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
  const url = new URL(request.url);
  const excludeDomainsParam = url.searchParams.get('excludeDomains');
  const excludeDomains = excludeDomainsParam !== null && /^(1|true|yes)$/i.test(excludeDomainsParam);
-  const userAgent = String(request.headers.get('user-agent') || '').toLowerCase();
-  const omitFido2Credentials =
-    userAgent.includes('android') ||
-    userAgent.includes('iphone') ||
-    userAgent.includes('ipad') ||
-    userAgent.includes('ios');
+  const excludeSendsParam = url.searchParams.get('excludeSends');
+  const excludeSends = excludeSendsParam !== null && /^(1|true|yes)$/i.test(excludeSendsParam);
+  const preserveRepairableUris = shouldPreserveRepairableCipherUris(request);

  const user = await storage.getUserById(userId);
  if (!user) {
    return errorResponse('User not found', 404);
  }

-  const revisionDate = await storage.getRevisionDate(userId);
-  const cacheKey = buildSyncCacheKey(userId, revisionDate, excludeDomains);
-  const cachedBody = readSyncCache(cacheKey);
-  if (cachedBody) {
-    return new Response(cachedBody, {
-      status: 200,
-      headers: { 'Content-Type': 'application/json' },
-    });
+  const [revisionDate, accountPasskeys] = await Promise.all([
+    storage.getRevisionDate(userId),
+    storage.getAccountPasskeyCredentialsByUserId(userId),
+  ]);
+  const accountPasskeyCacheTag = accountPasskeys
+    .map((credential) => [
+      credential.id,
+      credential.updatedAt,
+      credential.supportsPrf ? '1' : '0',
+      credential.encryptedUserKey && credential.encryptedPublicKey && credential.encryptedPrivateKey ? '1' : '0',
+    ].join(':'))
+    .join(',');
+  const cacheRequest = buildSyncCacheRequest(request, userId, revisionDate, accountPasskeyCacheTag, excludeDomains, excludeSends, preserveRepairableUris);
+  const cachedResponse = await readSyncCache(cacheRequest);
+  if (cachedResponse) {
+    return cachedResponse;
  }

-  const ciphers = await storage.getAllCiphers(userId);
-  const folders = await storage.getAllFolders(userId);
-  const sends = await storage.getAllSends(userId);
-  const attachmentsByCipher = await storage.getAttachmentsByUserId(userId);
+  const [ciphers, folders, sends, attachmentsByCipher, domainSettings] = await Promise.all([
+    storage.getAllCiphers(userId),
+    storage.getAllFolders(userId),
+    excludeSends ? Promise.resolve([]) : storage.getAllSends(userId),
+    storage.getAttachmentsByUserId(userId),
+    excludeDomains ? Promise.resolve(null) : storage.getUserDomainSettings(userId),
+  ]);
+  const accountKeys = buildAccountKeys(user);
+  const webAuthnPrfOptions = accountPasskeys
+    .map(buildWebAuthnPrfOption)
+    .filter((option): option is NonNullable<typeof option> => !!option);
+  const userDecryptionOptions = buildUserDecryptionOptions(user, webAuthnPrfOptions[0] || null);

-  // Build profile response
  const profile: ProfileResponse = {
    id: user.id,
    name: user.name,
@@ -140,7 +103,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    twoFactorEnabled: !!user.totpSecret,
    key: user.key,
    privateKey: user.privateKey,
-    accountKeys: buildAccountKeys(user),
+    accountKeys,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -152,53 +115,61 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    object: 'profile',
  };

-  // Build cipher responses with attachments
  const cipherResponses: CipherResponse[] = [];
  for (const cipher of ciphers) {
-    const attachments = attachmentsByCipher.get(cipher.id) || [];
-    cipherResponses.push(cipherToResponse(cipher, attachments, { omitFido2Credentials }));
+    const response = cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [], { preserveRepairableUris });
+    if (isCipherResponseSyncCompatible(response)) {
+      cipherResponses.push(response);
+    }
  }

-  // Build folder responses
-  const folderResponses: FolderResponse[] = folders.map(folder => ({
-    id: folder.id,
-    name: folder.name,
-    revisionDate: folder.updatedAt,
-    object: 'folder',
-  }));
+  const folderResponses: FolderResponse[] = [];
+  for (const folder of folders) {
+    folderResponses.push({
+      id: folder.id,
+      name: folder.name,
+      revisionDate: folder.updatedAt,
+      creationDate: folder.createdAt,
+      object: 'folder',
+    });
+  }

+  const sendResponses = sends.map(sendToResponse);
  const syncResponse: SyncResponse = {
-    profile: profile,
+    profile,
    folders: folderResponses,
    collections: [],
    ciphers: cipherResponses,
    domains: excludeDomains
      ? null
-      : {
-          equivalentDomains: [],
-          globalEquivalentDomains: [],
-          object: 'domains',
-        },
+      : buildDomainsResponse(
+          domainSettings?.equivalentDomains || [],
+          domainSettings?.customEquivalentDomains || [],
+          domainSettings?.excludedGlobalEquivalentDomains || [],
+          { omitExcludedGlobals: true }
+        ),
    policies: [],
-    sends: sends.map(sendToResponse),
+    sends: sendResponses,
    UserDecryption: {
-      MasterPasswordUnlock: buildUserDecryptionOptions(user).MasterPasswordUnlock,
+      MasterPasswordUnlock: userDecryptionOptions.MasterPasswordUnlock,
      TrustedDeviceOption: null,
      KeyConnectorOption: null,
+      WebAuthnPrfOption: webAuthnPrfOptions[0] || null,
+      WebAuthnPrfOptions: webAuthnPrfOptions,
      Object: 'userDecryption',
    },
-    // PascalCase for desktop/browser clients
-    UserDecryptionOptions: buildUserDecryptionOptions(user),
-    // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))
+    UserDecryptionOptions: userDecryptionOptions,
    userDecryption: buildUserDecryptionCompat(user) as SyncResponse['userDecryption'],
    object: 'sync',
  };

-  const body = JSON.stringify(syncResponse);
-  writeSyncCache(userId, revisionDate, cacheKey, body);
-
-  return new Response(body, {
+  const response = new Response(JSON.stringify(syncResponse), {
    status: 200,
-    headers: { 'Content-Type': 'application/json' },
+    headers: {
+      'Content-Type': 'application/json',
+      'Cache-Control': `private, max-age=${Math.max(1, Math.floor(LIMITS.cache.syncResponseTtlMs / 1000))}`,
+    },
  });
+  await writeSyncCache(cacheRequest, response);
+  return response;
 }
@@ -1,5 +1,6 @@
 import { Env } from './types';
 import { NotificationsHub } from './durable/notifications-hub';
+import { BackupTransferRunner } from './durable/backup-transfer-runner';
 import { handleRequest } from './router';
 import { StorageService } from './services/storage';
 import { applyCors, jsonResponse } from './utils/response';
@@ -9,6 +10,15 @@ let dbInitialized = false;
 let dbInitError: string | null = null;
 let dbInitPromise: Promise<void> | null = null;

+function normalizeRequestUrl(request: Request): Request {
+  const url = new URL(request.url);
+  const normalizedPathname = url.pathname.length <= 1 ? url.pathname : url.pathname.replace(/\/+$/, '');
+  if (normalizedPathname === url.pathname) return request;
+
+  url.pathname = normalizedPathname;
+  return new Request(url.toString(), request);
+}
+
 function isWorkerHandledPath(path: string): boolean {
  return (
    path.startsWith('/api/') ||
@@ -22,13 +32,33 @@ function isWorkerHandledPath(path: string): boolean {
  );
 }

+function addSearchIndexHeaders(request: Request, response: Response): Response {
+  const url = new URL(request.url);
+  const contentType = String(response.headers.get('Content-Type') || '').toLowerCase();
+  const shouldNoIndex =
+    url.pathname === '/robots.txt' ||
+    contentType.includes('text/html');
+
+  if (!shouldNoIndex) return response;
+
+  const headers = new Headers(response.headers);
+  headers.set('X-Robots-Tag', 'noindex, nofollow, noarchive, nosnippet');
+
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers,
+  });
+}
+
 async function maybeServeAsset(request: Request, env: Env): Promise<Response | null> {
  if (!env.ASSETS) return null;
  if (request.method !== 'GET' && request.method !== 'HEAD') return null;
  const url = new URL(request.url);
  if (isWorkerHandledPath(url.pathname)) return null;

-  return env.ASSETS.fetch(request);
+  const response = await env.ASSETS.fetch(request);
+  return addSearchIndexHeaders(request, response);
 }

 async function ensureDatabaseInitialized(env: Env): Promise<void> {
@@ -56,9 +86,10 @@ async function ensureDatabaseInitialized(env: Env): Promise<void> {
 export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
    void ctx;
-    const assetResponse = await maybeServeAsset(request, env);
+    const normalizedRequest = normalizeRequestUrl(request);
+    const assetResponse = await maybeServeAsset(normalizedRequest, env);
    if (assetResponse) {
-      return applyCors(request, assetResponse);
+      return applyCors(normalizedRequest, assetResponse);
    }

    await ensureDatabaseInitialized(env);
@@ -76,11 +107,11 @@ export default {
        },
        500
      );
-      return applyCors(request, resp);
+      return applyCors(normalizedRequest, resp);
    }

-    const resp = await handleRequest(request, env);
-    return applyCors(request, resp);
+    const resp = await handleRequest(normalizedRequest, env);
+    return applyCors(normalizedRequest, resp);
  },

  async scheduled(controller: ScheduledController, env: Env, ctx: ExecutionContext): Promise<void> {
@@ -97,3 +128,4 @@ export default {
 };

 export { NotificationsHub };
+export { BackupTransferRunner };
@@ -7,6 +7,10 @@ import {
  handleAdminRevokeInvite,
  handleAdminSetUserStatus,
  handleAdminDeleteUser,
+  handleAdminListAuditLogs,
+  handleAdminGetAuditLogSettings,
+  handleAdminUpdateAuditLogSettings,
+  handleAdminClearAuditLogs,
 } from './handlers/admin';
 import { handleAdminBackupRoute } from './router-admin-backup';

@@ -21,6 +25,20 @@ export async function handleAdminRoute(
    return handleAdminListUsers(request, env, actorUser);
  }

+  if (path === '/api/admin/logs' && method === 'GET') {
+    return handleAdminListAuditLogs(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/logs' && method === 'DELETE') {
+    return handleAdminClearAuditLogs(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/logs/settings') {
+    if (method === 'GET') return handleAdminGetAuditLogSettings(request, env, actorUser);
+    if (method === 'PUT' || method === 'POST') return handleAdminUpdateAuditLogSettings(request, env, actorUser);
+    return null;
+  }
+
  const adminBackupResponse = await handleAdminBackupRoute(request, env, actorUser, path, method);
  if (adminBackupResponse) return adminBackupResponse;

@@ -11,6 +11,12 @@ import {
  handleGetTotpStatus,
  handleSetTotpStatus,
  handleGetTotpRecoveryCode,
+  handleGetTwoFactorProviders,
+  handleGetTwoFactorAuthenticator,
+  handlePutTwoFactorAuthenticator,
+  handleDisableTwoFactorProvider,
+  handleGetApiKey,
+  handleRotateApiKey,
 } from './handlers/accounts';
 import {
  handleGetCiphers,
@@ -58,10 +64,26 @@ import {
  handleCreateAttachment,
  handleUploadAttachment,
  handleGetAttachment,
+  handleUpdateAttachmentMetadata,
  handleDeleteAttachment,
 } from './handlers/attachments';
 import { handleAuthenticatedDeviceRoute } from './router-devices';
 import { handleAdminRoute } from './router-admin';
+import { handleGetDomains, handleUpdateDomains } from './handlers/domains';
+import {
+  handleCreateAccountPasskeyCredential,
+  handleDeleteAccountPasskeyCredential,
+  handleGetAccountPasskeyAttestationOptions,
+  handleGetAccountPasskeyCredentials,
+  handleGetAccountPasskeyUpdateAssertionOptions,
+  handleUpdateAccountPasskeyEncryption,
+} from './handlers/account-passkeys';
+import {
+  handleGetAuthRequest,
+  handleListAuthRequests,
+  handleListPendingAuthRequests,
+  handleUpdateAuthRequest,
+} from './handlers/auth-requests';

 export async function handleAuthenticatedRoute(
  request: Request,
@@ -107,6 +129,25 @@ export async function handleAuthenticatedRoute(
    return handleGetTotpRecoveryCode(request, env, userId);
  }

+  if (path === '/api/two-factor') {
+    if (method === 'GET') return handleGetTwoFactorProviders(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if (path === '/api/two-factor/get-authenticator' && method === 'POST') {
+    return handleGetTwoFactorAuthenticator(request, env, userId);
+  }
+
+  if (path === '/api/two-factor/authenticator') {
+    if (method === 'PUT' || method === 'POST') return handlePutTwoFactorAuthenticator(request, env, userId);
+    if (method === 'DELETE') return handleDisableTwoFactorProvider(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if (path === '/api/two-factor/disable' && (method === 'PUT' || method === 'POST')) {
+    return handleDisableTwoFactorProvider(request, env, userId);
+  }
+
  if (path === '/api/accounts/revision-date' && method === 'GET') {
    return handleGetRevisionDate(request, env, userId);
  }
@@ -119,6 +160,36 @@ export async function handleAuthenticatedRoute(
    return handleSetVerifyDevices(request, env, userId);
  }

+  if ((path === '/api/accounts/api-key' || path === '/api/accounts/api_key') && method === 'POST') {
+    return handleGetApiKey(request, env, userId);
+  }
+
+  if ((path === '/api/accounts/rotate-api-key' || path === '/api/accounts/rotate_api_key') && method === 'POST') {
+    return handleRotateApiKey(request, env, userId);
+  }
+
+  if (path === '/api/webauthn' || path === '/webauthn') {
+    if (method === 'GET') return handleGetAccountPasskeyCredentials(request, env, userId);
+    if (method === 'POST') return handleCreateAccountPasskeyCredential(request, env, userId);
+    if (method === 'PUT') return handleUpdateAccountPasskeyEncryption(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if ((path === '/api/webauthn/attestation-options' || path === '/webauthn/attestation-options') && method === 'POST') {
+    return handleGetAccountPasskeyAttestationOptions(request, env, userId, currentUser);
+  }
+
+  if ((path === '/api/webauthn/assertion-options' || path === '/webauthn/assertion-options') && method === 'POST') {
+    return handleGetAccountPasskeyUpdateAssertionOptions(request, env, userId, currentUser);
+  }
+
+  const accountPasskeyDeleteMatch =
+    path.match(/^\/api\/webauthn\/([^/]+)\/delete$/i) ||
+    path.match(/^\/webauthn\/([^/]+)\/delete$/i);
+  if (accountPasskeyDeleteMatch && method === 'POST') {
+    return handleDeleteAccountPasskeyCredential(request, env, userId, accountPasskeyDeleteMatch[1], currentUser);
+  }
+
  if (path === '/api/sync' && method === 'GET') {
    return handleSync(request, env, userId);
  }
@@ -191,6 +262,11 @@ export async function handleAuthenticatedRoute(
      if (method === 'DELETE') return handleDeleteAttachment(request, env, userId, cipherId, attachmentId);
    }

+    const attachmentMetadataMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)\/metadata$/i);
+    if (attachmentMetadataMatch && (method === 'POST' || method === 'PUT')) {
+      return handleUpdateAttachmentMetadata(request, env, userId, cipherId, attachmentMetadataMatch[1]);
+    }
+
    const attachmentDeleteMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)\/delete$/i);
    if (attachmentDeleteMatch && method === 'POST') {
      return handleDeleteAttachment(request, env, userId, cipherId, attachmentDeleteMatch[1]);
@@ -215,8 +291,21 @@ export async function handleAuthenticatedRoute(
    if (method === 'DELETE') return handleDeleteFolder(request, env, userId, folderId);
  }

-  if (path.startsWith('/api/auth-requests')) {
-    return jsonResponse({ data: [], object: 'list', continuationToken: null });
+  if (path === '/api/auth-requests' || path === '/api/auth-requests/') {
+    if (method === 'GET') return handleListAuthRequests(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if (path === '/api/auth-requests/pending') {
+    if (method === 'GET') return handleListPendingAuthRequests(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  const authRequestMatch = path.match(/^\/api\/auth-requests\/([a-f0-9-]+)$/i);
+  if (authRequestMatch) {
+    if (method === 'GET') return handleGetAuthRequest(request, env, userId, authRequestMatch[1]);
+    if (method === 'PUT') return handleUpdateAuthRequest(request, env, userId, authRequestMatch[1]);
+    return errorResponse('Method not allowed', 405);
  }

  if (path === '/api/collections' || path.startsWith('/api/collections/')) {
@@ -281,14 +370,9 @@ export async function handleAuthenticatedRoute(
    return null;
  }

-  if (path === '/api/settings/domains') {
-    if (method === 'GET' || method === 'PUT' || method === 'POST') {
-      return jsonResponse({
-        equivalentDomains: [],
-        globalEquivalentDomains: [],
-        object: 'domains',
-      });
-    }
+  if (path === '/api/settings/domains' || path === '/settings/domains') {
+    if (method === 'GET') return handleGetDomains(env, userId);
+    if (method === 'PUT' || method === 'POST') return handleUpdateDomains(request, env, userId);
    return null;
  }

@@ -11,8 +11,10 @@ import {
  handleDeactivateDevice,
  handleRevokeAllTrustedDevices,
  handleRevokeTrustedDevice,
+  handleTrustDevicePermanently,
  handleDeleteAllDevices,
  handleDeleteDevice,
+  handleUpdateDeviceName,
  handleUpdateDeviceToken,
  handleUpdateDeviceWebPushAuth,
  handleClearDeviceToken,
@@ -43,6 +45,12 @@ export async function handleAuthenticatedDeviceRoute(
    return handleRevokeTrustedDevice(request, env, userId, deviceIdentifier);
  }

+  const permanentAuthorizedDeviceMatch = path.match(/^\/api\/devices\/authorized\/([^/]+)\/permanent$/i);
+  if (permanentAuthorizedDeviceMatch && method === 'POST') {
+    const deviceIdentifier = decodeURIComponent(permanentAuthorizedDeviceMatch[1]);
+    return handleTrustDevicePermanently(request, env, userId, deviceIdentifier);
+  }
+
  const deleteDeviceMatch = path.match(/^\/api\/devices\/([^/]+)$/i);
  if (deleteDeviceMatch && method === 'GET') {
    const deviceIdentifier = decodeURIComponent(deleteDeviceMatch[1]);
@@ -53,6 +61,12 @@ export async function handleAuthenticatedDeviceRoute(
    return handleDeleteDevice(request, env, userId, deviceIdentifier);
  }

+  const updateDeviceNameMatch = path.match(/^\/api\/devices\/([^/]+)\/name$/i);
+  if (updateDeviceNameMatch && method === 'PUT') {
+    const deviceIdentifier = decodeURIComponent(updateDeviceNameMatch[1]);
+    return handleUpdateDeviceName(request, env, userId, deviceIdentifier);
+  }
+
  const identifierMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)$/i);
  if (identifierMatch && method === 'GET') {
    const deviceIdentifier = decodeURIComponent(identifierMatch[1]);
@@ -9,19 +9,26 @@ import {
 } from './handlers/sends';
 import { handleKnownDevice } from './handlers/devices';
 import { handleToken, handlePrelogin, handleRevocation } from './handlers/identity';
+import { handleGetAccountPasskeyAssertionOptions } from './handlers/account-passkeys';
 import {
  handleRegister,
  handleGetPasswordHint,
  handleRecoverTwoFactor,
 } from './handlers/accounts';
+import {
+  handleCreateAuthRequest,
+  handleGetAuthRequestResponse,
+} from './handlers/auth-requests';
 import { handlePublicDownloadAttachment } from './handlers/attachments';
 import { handlePublicUploadAttachment } from './handlers/attachments';
 import {
+  handleAnonymousNotificationsHub,
  handleNotificationsHub,
  handleNotificationsNegotiate,
 } from './handlers/notifications';
 import { handlePublicUploadSendFile } from './handlers/sends';
 import { jsonResponse } from './utils/response';
+import { StorageService } from './services/storage';
 import type { Env } from './types';

 type PublicRateLimiter = (category?: string, maxRequests?: number) => Promise<Response | null>;
@@ -31,6 +38,7 @@ export interface WebBootstrapResponse {
  defaultKdfIterations: number;
  jwtUnsafeReason: JwtUnsafeReason;
  jwtSecretMinLength: number;
+  registrationInviteRequired: boolean;
 }

 function isSameOriginWriteRequest(request: Request): boolean {
@@ -52,16 +60,25 @@ function isSameOriginWriteRequest(request: Request): boolean {
  return false;
 }

-function getNwIconSvg(): string {
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96" viewBox="0 0 96 96" role="img" aria-label="NW icon"><rect x="4" y="4" width="88" height="88" rx="20" fill="#111418"/><text x="48" y="60" text-anchor="middle" font-size="36" font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif" font-weight="800" letter-spacing="0.5" fill="#FFFFFF">NW</text></svg>`;
+function getDefaultWebsiteIconSvg(): string {
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96" viewBox="0 0 96 96" role="img" aria-label="Globe icon"><circle cx="48" cy="48" r="34" fill="none" stroke="#8ea9c7" stroke-width="6"/><path d="M14 48h68M48 14c10 10 16 21.5 16 34s-6 24-16 34c-10-10-16-21.5-16-34s6-24 16-34zm-24 10c8 5 17 8 24 8s16-3 24-8m-48 48c8-5 17-8 24-8s16 3 24 8" fill="none" stroke="#8ea9c7" stroke-width="6" stroke-linecap="round" stroke-linejoin="round"/></svg>`;
 }

 function handleNwFavicon(): Response {
-  return new Response(getNwIconSvg(), {
+  return new Response(getDefaultWebsiteIconSvg(), {
    status: 200,
    headers: {
      'Content-Type': 'image/svg+xml; charset=utf-8',
-      'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`,
+      'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}, immutable`,
+    },
+  });
+}
+
+function handleMissingWebsiteIcon(): Response {
+  return new Response(null, {
+    status: 404,
+    headers: {
+      'Cache-Control': 'public, max-age=300',
    },
  });
 }
@@ -104,6 +121,7 @@ function buildConfigResponse(origin: string) {
    _icon_service_url: buildIconServiceTemplate(origin),
    _icon_service_csp: buildIconServiceCsp(origin),
    featureStates: {
+      'cipher-key-encryption': LIMITS.compatibility.cipherKeyEncryptionFeatureEnabled,
      'duo-redirect': true,
      'email-verification': true,
      'pm-19051-send-email-verification': false,
@@ -116,7 +134,12 @@ function buildConfigResponse(origin: string) {
 }

 function normalizeIconHost(rawHost: string): string | null {
-  const decoded = decodeURIComponent(String(rawHost || '').trim()).toLowerCase().replace(/\.+$/, '');
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(String(rawHost || '').trim()).toLowerCase().replace(/\.+$/, '');
+  } catch {
+    return null;
+  }
  if (!decoded || decoded.includes('/') || decoded.includes('\\')) return null;
  try {
    const parsed = new URL(`https://${decoded}`);
@@ -126,58 +149,154 @@ function normalizeIconHost(rawHost: string): string | null {
  }
 }

-async function handleWebsiteIcon(host: string): Promise<Response> {
+const ICON_UPSTREAM_TIMEOUT_MS = 2500;
+const ICON_MAX_BUFFER_BYTES = 256 * 1024;
+const BITWARDEN_DEFAULT_GLOBE_ICON_BYTES = 500;
+const BITWARDEN_DEFAULT_GLOBE_ICON_SHA256 = 'aaa64871332ad5b7d28fe8874efb19c2d9cc2f1e6de75d52b080b438225a0783';
+
+type IconSource = {
+  url: string;
+  rejectImage?: {
+    byteLength: number;
+    sha256: string;
+  };
+  headers?: HeadersInit;
+};
+
+async function fetchIconSource(source: { url: string; headers?: HeadersInit }): Promise<Response> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), ICON_UPSTREAM_TIMEOUT_MS);
+  try {
+    return await fetch(source.url, {
+      headers: source.headers,
+      redirect: 'follow',
+      signal: controller.signal,
+      cf: {
+        cacheEverything: true,
+        cacheTtl: LIMITS.cache.iconTtlSeconds,
+      },
+    } as RequestInit & { cf: { cacheEverything: boolean; cacheTtl: number } });
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function sha256Hex(bytes: ArrayBuffer): Promise<string> {
+  const digest = await crypto.subtle.digest('SHA-256', bytes);
+  return Array.from(new Uint8Array(digest), (byte) => byte.toString(16).padStart(2, '0')).join('');
+}
+
+function getPositiveContentLength(headers: Headers): number | null {
+  const raw = headers.get('Content-Length');
+  if (!raw) return null;
+  const value = Number(raw);
+  return Number.isFinite(value) && value > 0 ? value : null;
+}
+
+async function readIconBytes(response: Response, maxBytes: number): Promise<ArrayBuffer | null> {
+  if (!response.body) return null;
+  const reader = response.body.getReader();
+  const chunks: Uint8Array[] = [];
+  let totalBytes = 0;
+  let timedOut = false;
+  const timeout = setTimeout(() => {
+    timedOut = true;
+    void reader.cancel().catch(() => undefined);
+  }, ICON_UPSTREAM_TIMEOUT_MS);
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      if (!value) continue;
+
+      totalBytes += value.byteLength;
+      if (totalBytes > maxBytes) {
+        await reader.cancel().catch(() => undefined);
+        return null;
+      }
+      chunks.push(value);
+    }
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timeout);
+  }
+
+  if (timedOut || totalBytes === 0) return null;
+
+  const output = new ArrayBuffer(totalBytes);
+  const bytes = new Uint8Array(output);
+  let offset = 0;
+  for (const chunk of chunks) {
+    bytes.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return output;
+}
+
+function iconResponse(body: BodyInit | null, contentType: string | null): Response {
+  return new Response(body, {
+    status: 200,
+    headers: {
+      'Content-Type': contentType || 'image/png',
+      'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}, immutable`,
+    },
+  });
+}
+
+async function handleWebsiteIcon(host: string, fallbackMode: 'default' | 'not-found' = 'default'): Promise<Response> {
  const normalizedHost = normalizeIconHost(host);
-  if (!normalizedHost) return handleNwFavicon();
+  if (!normalizedHost) return fallbackMode === 'not-found' ? handleMissingWebsiteIcon() : handleNwFavicon();

  const encodedHost = encodeURIComponent(normalizedHost);
  const requestHeaders = { 'User-Agent': 'NodeWarden/1.0' };
-  const upstreamSources: Array<{ url: string; headers?: HeadersInit }> = [
+  const upstreamSources: IconSource[] = [
+    {
+      url: `https://favicon.im/zh/${encodedHost}?larger=true&throw-error-on-404=true`,
+      headers: requestHeaders,
+    },
    {
      url: `https://icons.bitwarden.net/${encodedHost}/icon.png`,
-      headers: requestHeaders,
-    },
-    {
-      url: `https://favicon.im/${encodedHost}`,
-      headers: requestHeaders,
-    },
-    {
-      url: `https://icons.duckduckgo.com/ip3/${encodedHost}.ico`,
+      rejectImage: {
+        byteLength: BITWARDEN_DEFAULT_GLOBE_ICON_BYTES,
+        sha256: BITWARDEN_DEFAULT_GLOBE_ICON_SHA256,
+      },
      headers: requestHeaders,
    },
  ];

-  try {
-    for (const source of upstreamSources) {
-      const resp = await fetch(source.url, {
-        headers: source.headers,
-        redirect: 'follow',
-        cf: {
-          cacheEverything: true,
-          cacheTtl: LIMITS.cache.iconTtlSeconds,
-        },
-      } as RequestInit & { cf: { cacheEverything: boolean; cacheTtl: number } });
+  for (const source of upstreamSources) {
+    try {
+      const resp = await fetchIconSource(source);

      if (!resp.ok) continue;
      const contentType = String(resp.headers.get('Content-Type') || '').toLowerCase();
      if (!contentType.startsWith('image/')) continue;

-      return new Response(resp.body, {
-        status: 200,
-        headers: {
-          'Content-Type': resp.headers.get('Content-Type') || 'image/png',
-          'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`,
-        },
-      });
-    }
+      const contentLength = getPositiveContentLength(resp.headers);
+      if (contentLength !== null && contentLength > ICON_MAX_BUFFER_BYTES) continue;

-    return handleNwFavicon();
-  } catch {
-    return handleNwFavicon();
+      const bytes = await readIconBytes(resp, ICON_MAX_BUFFER_BYTES);
+      if (!bytes) continue;
+      if (
+        source.rejectImage &&
+        bytes.byteLength === source.rejectImage.byteLength &&
+        (await sha256Hex(bytes)) === source.rejectImage.sha256
+      ) {
+        continue;
+      }
+
+      return iconResponse(bytes, resp.headers.get('Content-Type'));
+    } catch {
+      continue;
+    }
  }
+
+  return fallbackMode === 'not-found' ? handleMissingWebsiteIcon() : handleNwFavicon();
 }

-export function buildWebBootstrapResponse(env: Env): WebBootstrapResponse {
+export async function buildWebBootstrapResponse(env: Env): Promise<WebBootstrapResponse> {
  const secret = (env.JWT_SECRET || '').trim();
  const jwtUnsafeReason =
    !secret
@@ -187,11 +306,14 @@ export function buildWebBootstrapResponse(env: Env): WebBootstrapResponse {
        : secret.length < LIMITS.auth.jwtSecretMinLength
          ? 'too_short'
          : null;
+  const storage = new StorageService(env.DB);
+  const userCount = await storage.getUserCount();

  return {
    defaultKdfIterations: LIMITS.auth.defaultKdfIterations,
    jwtUnsafeReason,
    jwtSecretMinLength: LIMITS.auth.jwtSecretMinLength,
+    registrationInviteRequired: userCount > 0,
  };
 }

@@ -215,12 +337,15 @@ export async function handlePublicRoute(
  if ((path === '/api/web-bootstrap' || path === '/web-bootstrap') && method === 'GET') {
    const blocked = await enforcePublicRateLimit('public-read', LIMITS.rateLimit.publicReadRequestsPerMinute);
    if (blocked) return blocked;
-    return jsonResponse(buildWebBootstrapResponse(env));
+    return jsonResponse(await buildWebBootstrapResponse(env));
  }

  const iconMatch = path.match(/^\/icons\/([^/]+)\/icon\.png$/i);
  if (iconMatch && method === 'GET') {
-    return handleWebsiteIcon(iconMatch[1]);
+    const blocked = await enforcePublicRateLimit('public-icon', LIMITS.rateLimit.publicIconRequestsPerMinute);
+    if (blocked) return blocked;
+    const fallbackMode = new URL(request.url).searchParams.get('fallback') === '404' ? 'not-found' : 'default';
+    return handleWebsiteIcon(iconMatch[1], fallbackMode);
  }

  const publicAttachmentMatch = path.match(/^\/api\/attachments\/([a-f0-9-]+)\/([a-f0-9-]+)$/i);
@@ -270,6 +395,19 @@ export async function handlePublicRoute(
    return handleDownloadSendFile(request, env, sendDownloadMatch[1], sendDownloadMatch[2]);
  }

+  if ((path === '/api/auth-requests' || path === '/api/auth-requests/') && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleCreateAuthRequest(request, env);
+  }
+
+  const authRequestResponseMatch = path.match(/^\/api\/auth-requests\/([a-f0-9-]+)\/response$/i);
+  if (authRequestResponseMatch && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleGetAuthRequestResponse(request, env, authRequestResponseMatch[1]);
+  }
+
  if (path === '/identity/connect/token' && method === 'POST') {
    return handleToken(request, env);
  }
@@ -303,6 +441,12 @@ export async function handlePublicRoute(
    return handlePrelogin(request, env);
  }

+  if (path === '/identity/accounts/webauthn/assertion-options' && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleGetAccountPasskeyAssertionOptions(request, env);
+  }
+
  if ((path === '/identity/accounts/recover-2fa' || path === '/api/accounts/recover-2fa') && method === 'POST') {
    return handleRecoverTwoFactor(request, env);
  }
@@ -351,5 +495,9 @@ export async function handlePublicRoute(
  if (path === '/notifications/hub' && method === 'GET') {
    return handleNotificationsHub(request, env);
  }
+
+  if (path === '/notifications/anonymous-hub' && method === 'GET') {
+    return handleAnonymousNotificationsHub(request, env);
+  }
  return null;
 }
@@ -0,0 +1,210 @@
+import type { Env } from '../types';
+import { generateUUID } from '../utils/uuid';
+import { StorageService } from './storage';
+
+export type AuditLogCategory = 'auth' | 'security' | 'device' | 'data' | 'system';
+export type AuditLogLevel = 'info' | 'warn' | 'error' | 'security';
+
+export interface AuditEventInput {
+  actorUserId?: string | null;
+  action: string;
+  category: AuditLogCategory;
+  level?: AuditLogLevel;
+  targetType?: string | null;
+  targetId?: string | null;
+  metadata?: Record<string, unknown> | null;
+}
+
+const SENSITIVE_KEY_RE = /(token|secret|password|key|hash|code|private)/i;
+const MAX_METADATA_BYTES = 2048;
+const AUDIT_CLEANUP_INTERVAL_MS = 6 * 60 * 60 * 1000;
+const AUDIT_CLEANUP_PROBABILITY = 0.02;
+const AUDIT_LOG_SETTINGS_KEY = 'audit.logs.settings.v1';
+const DEFAULT_AUDIT_LOG_SETTINGS: AuditLogSettings = {
+  retentionDays: 90,
+  maxEntries: null,
+};
+let lastAuditCleanupAt = 0;
+
+export interface AuditLogSettings {
+  retentionDays: number | null;
+  maxEntries: number | null;
+}
+
+const ALLOWED_METADATA_KEYS = new Set([
+  'method',
+  'path',
+  'ip',
+  'userAgent',
+  'email',
+  'targetEmail',
+  'grantType',
+  'webSession',
+  'deviceIdentifier',
+  'deviceType',
+  'reason',
+  'status',
+  'verifyDevices',
+  'changed',
+  'removed',
+  'updated',
+  'deleted',
+  'removedTrusted',
+  'removedSessions',
+  'removedDevices',
+  'requested',
+  'count',
+  'requestedCount',
+  'type',
+  'folderId',
+  'cipherId',
+  'size',
+  'users',
+  'ciphers',
+  'attachments',
+  'skippedAttachments',
+  'skippedReason',
+  'replaceExisting',
+  'provider',
+  'prfStatus',
+  'fileName',
+  'fileBytes',
+  'bytes',
+  'compressedBytes',
+  'includesAttachments',
+  'destinationName',
+  'destinationId',
+  'destinationType',
+  'destinationCount',
+  'scheduledDestinationCount',
+  'retentionDays',
+  'maxEntries',
+  'remotePath',
+  'trigger',
+  'prunedFileCount',
+  'pruneError',
+  'uploadVerificationAttempts',
+  'error',
+  'expiresInHours',
+  'checksumMismatchAccepted',
+]);
+
+function normalizePositiveInteger(value: unknown, allowed: readonly number[]): number | null {
+  if (value === null || value === 0 || value === '0' || value === 'forever' || value === 'unlimited') return null;
+  const parsed = Math.floor(Number(value));
+  return allowed.includes(parsed) ? parsed : null;
+}
+
+export function normalizeAuditLogSettings(value: unknown): AuditLogSettings {
+  const input = value && typeof value === 'object' ? value as Record<string, unknown> : {};
+  const retentionDays = normalizePositiveInteger(input.retentionDays, [7, 30, 90, 180, 365]);
+  const maxEntries = normalizePositiveInteger(input.maxEntries, [1_000, 5_000, 10_000, 50_000]);
+
+  if (retentionDays) return { retentionDays, maxEntries: null };
+  if (maxEntries) return { retentionDays: null, maxEntries };
+  if (input.retentionDays === null || input.retentionDays === 0 || input.retentionDays === '0') {
+    return { retentionDays: null, maxEntries: null };
+  }
+  if (input.maxEntries === null || input.maxEntries === 0 || input.maxEntries === '0') {
+    return { retentionDays: null, maxEntries: null };
+  }
+
+  return {
+    ...DEFAULT_AUDIT_LOG_SETTINGS,
+  };
+}
+
+export function auditRequestMetadata(request: Request): Record<string, unknown> {
+  const url = new URL(request.url);
+  return {
+    method: request.method,
+    path: url.pathname,
+    ip: request.headers.get('CF-Connecting-IP') || request.headers.get('X-Forwarded-For') || null,
+    userAgent: request.headers.get('User-Agent') || null,
+  };
+}
+
+function sanitizeMetadata(metadata: Record<string, unknown>): Record<string, unknown> {
+  const clean: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(metadata)) {
+    if (!ALLOWED_METADATA_KEYS.has(key)) continue;
+    if (value === undefined || value === null || value === '') continue;
+    if (SENSITIVE_KEY_RE.test(key)) continue;
+    if (Array.isArray(value)) {
+      clean[key] = value.length;
+      continue;
+    }
+    if (typeof value === 'object') continue;
+    clean[key] = value;
+  }
+  return clean;
+}
+
+export async function getAuditLogSettings(storage: StorageService): Promise<AuditLogSettings> {
+  const raw = await storage.getConfigValue(AUDIT_LOG_SETTINGS_KEY);
+  if (!raw) return { ...DEFAULT_AUDIT_LOG_SETTINGS };
+  try {
+    return normalizeAuditLogSettings(JSON.parse(raw));
+  } catch {
+    return { ...DEFAULT_AUDIT_LOG_SETTINGS };
+  }
+}
+
+export async function saveAuditLogSettings(storage: StorageService, settings: AuditLogSettings): Promise<AuditLogSettings> {
+  const normalized = normalizeAuditLogSettings(settings);
+  await storage.setConfigValue(AUDIT_LOG_SETTINGS_KEY, JSON.stringify(normalized));
+  await applyAuditLogRetention(storage, normalized);
+  return normalized;
+}
+
+export async function applyAuditLogRetention(storage: StorageService, settings?: AuditLogSettings): Promise<void> {
+  const current = settings || await getAuditLogSettings(storage);
+  if (current.retentionDays) {
+    const before = new Date(Date.now() - current.retentionDays * 24 * 60 * 60 * 1000).toISOString();
+    await storage.pruneAuditLogs(before);
+  }
+  if (current.maxEntries) {
+    await storage.pruneAuditLogsToMax(current.maxEntries);
+  }
+}
+
+async function maybePruneAuditLogs(storage: StorageService): Promise<void> {
+  const now = Date.now();
+  if (now - lastAuditCleanupAt < AUDIT_CLEANUP_INTERVAL_MS) return;
+  if (Math.random() > AUDIT_CLEANUP_PROBABILITY) return;
+  lastAuditCleanupAt = now;
+  await applyAuditLogRetention(storage);
+}
+
+async function insertAuditEvent(storage: StorageService, event: AuditEventInput): Promise<void> {
+  const metadata = sanitizeMetadata(event.metadata || {});
+  let metadataJson = JSON.stringify(metadata);
+  if (new TextEncoder().encode(metadataJson).byteLength > MAX_METADATA_BYTES) {
+    metadataJson = JSON.stringify({ truncated: true });
+  }
+
+  await storage.createAuditLog({
+    id: generateUUID(),
+    actorUserId: event.actorUserId ?? null,
+    action: event.action,
+    category: event.category,
+    level: event.level || 'info',
+    targetType: event.targetType ?? null,
+    targetId: event.targetId ?? null,
+    metadata: metadataJson,
+    createdAt: new Date().toISOString(),
+  });
+  await maybePruneAuditLogs(storage);
+}
+
+export async function writeAuditEvent(storage: StorageService, event: AuditEventInput): Promise<void> {
+  try {
+    await insertAuditEvent(storage, event);
+  } catch (error) {
+    console.error('audit log write failed', error);
+  }
+}
+
+export async function safeWriteAuditEvent(env: Env, event: AuditEventInput): Promise<void> {
+  await writeAuditEvent(new StorageService(env.DB), event);
+}
@@ -6,22 +6,135 @@ import { StorageService } from './storage';
 // The client already does heavy PBKDF2 (600k iterations).
 // This second layer only needs to be non-trivial, not expensive.
 const SERVER_HASH_ITERATIONS = 100_000;
+const SERVER_HASH_PREFIX = '$s$';
+const AUTH_CONTEXT_CACHE_TTL_MS = 15 * 1000;
+
+interface CachedUserEntry {
+  user: User | null;
+  expiresAt: number;
+}
+
+interface CachedDeviceEntry {
+  device: Awaited<ReturnType<StorageService['getDevice']>>;
+  expiresAt: number;
+}

 export interface VerifiedAccessContext {
  payload: JWTPayload;
  user: User;
 }

+export type RefreshAccessTokenFailureReason =
+  | 'token_not_found_or_expired'
+  | 'user_missing'
+  | 'user_inactive'
+  | 'device_missing'
+  | 'device_session_mismatch';
+
+export type RefreshAccessTokenResult =
+  | { ok: true; accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null }
+  | {
+      ok: false;
+      reason: RefreshAccessTokenFailureReason;
+      userId?: string | null;
+      deviceIdentifier?: string | null;
+    };
+
 export class AuthService {
  private storage: StorageService;
+  private static userCache = new Map<string, CachedUserEntry>();
+  private static deviceCache = new Map<string, CachedDeviceEntry>();

  constructor(private env: Env) {
    this.storage = new StorageService(env.DB);
  }

+  static invalidateUserCache(userId: string): void {
+    const normalizedUserId = String(userId || '').trim();
+    if (!normalizedUserId) return;
+    AuthService.userCache.delete(normalizedUserId);
+    const prefix = `${normalizedUserId}:`;
+    for (const key of AuthService.deviceCache.keys()) {
+      if (key.startsWith(prefix)) {
+        AuthService.deviceCache.delete(key);
+      }
+    }
+  }
+
+  static invalidateDeviceCache(userId: string, deviceId: string): void {
+    const normalizedUserId = String(userId || '').trim();
+    const normalizedDeviceId = String(deviceId || '').trim();
+    if (!normalizedUserId || !normalizedDeviceId) return;
+    AuthService.deviceCache.delete(`${normalizedUserId}:${normalizedDeviceId}`);
+  }
+
+  private readCachedUser(userId: string): User | null | undefined {
+    const cached = AuthService.userCache.get(userId);
+    if (!cached) return undefined;
+    if (cached.expiresAt <= Date.now()) {
+      AuthService.userCache.delete(userId);
+      return undefined;
+    }
+    return cached.user;
+  }
+
+  private writeCachedUser(userId: string, user: User | null): void {
+    AuthService.userCache.set(userId, {
+      user,
+      expiresAt: Date.now() + AUTH_CONTEXT_CACHE_TTL_MS,
+    });
+  }
+
+  private async getCachedUser(userId: string): Promise<User | null> {
+    const cached = this.readCachedUser(userId);
+    if (cached !== undefined) return cached;
+    const user = await this.storage.getUserById(userId);
+    this.writeCachedUser(userId, user);
+    return user;
+  }
+
+  private async getFreshUser(userId: string): Promise<User | null> {
+    const user = await this.storage.getUserById(userId);
+    this.writeCachedUser(userId, user);
+    return user;
+  }
+
+  private readCachedDevice(userId: string, deviceId: string) {
+    const cacheKey = `${userId}:${deviceId}`;
+    const cached = AuthService.deviceCache.get(cacheKey);
+    if (!cached) return undefined;
+    if (cached.expiresAt <= Date.now()) {
+      AuthService.deviceCache.delete(cacheKey);
+      return undefined;
+    }
+    return cached.device;
+  }
+
+  private writeCachedDevice(userId: string, deviceId: string, device: Awaited<ReturnType<StorageService['getDevice']>>): void {
+    const cacheKey = `${userId}:${deviceId}`;
+    AuthService.deviceCache.set(cacheKey, {
+      device,
+      expiresAt: Date.now() + AUTH_CONTEXT_CACHE_TTL_MS,
+    });
+  }
+
+  private async getCachedDevice(userId: string, deviceId: string) {
+    const cached = this.readCachedDevice(userId, deviceId);
+    if (cached !== undefined) return cached;
+    const device = await this.storage.getDevice(userId, deviceId);
+    this.writeCachedDevice(userId, deviceId, device);
+    return device;
+  }
+
+  private async getFreshDevice(userId: string, deviceId: string) {
+    const device = await this.storage.getDevice(userId, deviceId);
+    this.writeCachedDevice(userId, deviceId, device);
+    return device;
+  }
+
  // Second-layer hash: PBKDF2-SHA256(clientHash, email-salt, iterations).
  // Ensures database contents alone cannot be used to authenticate (pass-the-hash defense).
-  // Result is prefixed with "$s$" to distinguish from legacy raw client hashes.
+  // Result is prefixed to distinguish server-hashed credentials from invalid legacy rows.
  async hashPasswordServer(clientHash: string, email: string): Promise<string> {
    const keyMaterial = await crypto.subtle.importKey(
      'raw',
@@ -39,19 +152,16 @@ export class AuthService {
    const bytes = new Uint8Array(bits);
    let binary = '';
    for (const b of bytes) binary += String.fromCharCode(b);
-    return '$s$' + btoa(binary);
+    return SERVER_HASH_PREFIX + btoa(binary);
  }

-  // Verify password: hash the input the same way, then constant-time compare.
-  async verifyPassword(inputHash: string, storedHash: string, email?: string): Promise<boolean> {
-    // New server-hashed passwords are prefixed with "$s$".
-    // Legacy accounts (created before the upgrade) store raw client hashes without prefix.
-    if (email && storedHash.startsWith('$s$')) {
-      const serverHash = await this.hashPasswordServer(inputHash, email);
-      return this.constantTimeEquals(serverHash, storedHash);
+  // Verify password: new rows use server-side hashing; legacy rows store the raw client hash.
+  async verifyPassword(inputHash: string, storedHash: string, email: string): Promise<boolean> {
+    if (!storedHash.startsWith(SERVER_HASH_PREFIX)) {
+      return this.constantTimeEquals(inputHash, storedHash);
    }
-    // Legacy path: direct constant-time comparison of raw client hashes.
-    return this.constantTimeEquals(inputHash, storedHash);
+    const serverHash = await this.hashPasswordServer(inputHash, email);
+    return this.constantTimeEquals(serverHash, storedHash);
  }

  private constantTimeEquals(a: string, b: string): boolean {
@@ -97,15 +207,22 @@ export class AuthService {
    const payload = await verifyJWT(parts[1], this.env.JWT_SECRET);
    if (!payload) return null;

-    const user = await this.storage.getUserById(payload.sub);
+    let user = await this.getCachedUser(payload.sub);
+    if (!user || user.status !== 'active' || payload.sstamp !== user.securityStamp) {
+      user = await this.getFreshUser(payload.sub);
+    }
    if (!user) return null;
+    if (user.status !== 'active') return null;

    if (payload.sstamp !== user.securityStamp) {
      return null;
    }

    if (payload.did) {
-      const device = await this.storage.getDevice(user.id, payload.did);
+      let device = await this.getCachedDevice(user.id, payload.did);
+      if (!device || !payload.dstamp || payload.dstamp !== device.sessionStamp) {
+        device = await this.getFreshDevice(user.id, payload.did);
+      }
      if (!device) return null;
      if (!payload.dstamp || payload.dstamp !== device.sessionStamp) return null;
    }
@@ -120,34 +237,45 @@ export class AuthService {
  }

  // Refresh access token
-  async refreshAccessToken(
-    refreshToken: string
-  ): Promise<{ accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null } | null> {
+  async refreshAccessTokenDetailed(refreshToken: string): Promise<RefreshAccessTokenResult> {
    const record = await this.storage.getRefreshTokenRecord(refreshToken);
-    if (!record?.userId) return null;
+    if (!record?.userId) return { ok: false, reason: 'token_not_found_or_expired' };

    const user = await this.storage.getUserById(record.userId);
-    if (!user) return null;
+    if (!user) {
+      await this.storage.deleteRefreshToken(refreshToken);
+      return { ok: false, reason: 'user_missing', userId: record.userId, deviceIdentifier: record.deviceIdentifier };
+    }
    if (user.status !== 'active') {
      await this.storage.deleteRefreshToken(refreshToken);
-      return null;
+      return { ok: false, reason: 'user_inactive', userId: user.id, deviceIdentifier: record.deviceIdentifier };
    }

    let device: { identifier: string; sessionStamp: string } | null = null;
-    if (record.deviceIdentifier) {
-      const boundDevice = await this.storage.getDevice(user.id, record.deviceIdentifier);
-      if (!boundDevice) {
-        await this.storage.deleteRefreshToken(refreshToken);
-        return null;
-      }
-      if (!record.deviceSessionStamp || boundDevice.sessionStamp !== record.deviceSessionStamp) {
-        await this.storage.deleteRefreshToken(refreshToken);
-        return null;
-      }
-      device = { identifier: boundDevice.deviceIdentifier, sessionStamp: boundDevice.sessionStamp };
+    if (!record.deviceIdentifier || !record.deviceSessionStamp) {
+      await this.storage.deleteRefreshToken(refreshToken);
+      return { ok: false, reason: 'device_missing', userId: user.id, deviceIdentifier: record.deviceIdentifier };
    }

+    const boundDevice = await this.storage.getDevice(user.id, record.deviceIdentifier);
+    if (!boundDevice) {
+      await this.storage.deleteRefreshToken(refreshToken);
+      return { ok: false, reason: 'device_missing', userId: user.id, deviceIdentifier: record.deviceIdentifier };
+    }
+    if (boundDevice.sessionStamp !== record.deviceSessionStamp) {
+      await this.storage.deleteRefreshToken(refreshToken);
+      return { ok: false, reason: 'device_session_mismatch', userId: user.id, deviceIdentifier: record.deviceIdentifier };
+    }
+    device = { identifier: boundDevice.deviceIdentifier, sessionStamp: boundDevice.sessionStamp };
+
    const accessToken = await this.generateAccessToken(user, device);
-    return { accessToken, user, device };
+    return { ok: true, accessToken, user, device };
+  }
+
+  async refreshAccessToken(
+    refreshToken: string
+  ): Promise<{ accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null } | null> {
+    const result = await this.refreshAccessTokenDetailed(refreshToken);
+    return result.ok ? result : null;
  }
 }
@@ -1,14 +1,28 @@
 import { zipSync, unzipSync } from 'fflate';
 import type { Env } from '../types';
 import { APP_VERSION } from '../../shared/app-version';
+import { BACKUP_SETTINGS_CONFIG_KEY } from './backup-config';
+import { exportPortableBackupSettingsEnvelope } from './backup-settings-crypto';
 import {
  getAttachmentObjectKey,
  getBlobStorageKind,
 } from './blob-store';

+// CONTRACT:
+// This file defines the exported instance-backup archive shape. Keep it in lock
+// step with src/services/backup-import.ts and webapp/src/lib/api/backup.ts.
+//
+// WHEN CHANGING THIS:
+// - Add persistent tables to BackupPayload, export SQL, manifest tableCounts,
+//   and validateBackupPayloadContents().
+// - Keep secrets and transient runtime rows sanitized before writing db.json.
+// - users.api_key is intentionally not exported.
+// - backup.settings.v1 is exported as portable-only; the current server runtime
+//   envelope must not leave the instance.
 type SqlRow = Record<string, string | number | null>;

 const BACKUP_FORMAT_VERSION = 1;
+const BACKUP_RUNNER_LOCK_CONFIG_KEY = 'backup.runner.lock.v1';
 const BACKUP_FILE_HASH_PREFIX_LENGTH = 5;
 // Worker-side backup export must stay well below Cloudflare CPU limits.
 // Prefer store-only ZIP entries over heavier compression to keep exports reliable.
@@ -48,10 +62,13 @@ export interface BackupPayload {
  db: {
    config: SqlRow[];
    users: SqlRow[];
+    domain_settings: SqlRow[];
    user_revisions: SqlRow[];
    folders: SqlRow[];
    ciphers: SqlRow[];
    attachments: SqlRow[];
+    webauthn_credentials?: SqlRow[];
+    trusted_two_factor_device_tokens?: SqlRow[];
  };
 }

@@ -71,6 +88,7 @@ export interface BackupFileIntegrityCheckResult {
 export interface BuildBackupArchiveOptions {
  includeAttachments?: boolean;
  progress?: BackupArchiveBuildProgressReporter;
+  timeZone?: string;
 }

 export interface BackupArchiveBuildProgressEvent {
@@ -88,22 +106,52 @@ async function queryRows(db: D1Database, sql: string, ...values: unknown[]): Pro
  return (result.results || []).map((row) => ({ ...row }));
 }

+function sanitizeConfigRowsForExport(rows: SqlRow[]): SqlRow[] {
+  const sanitized: SqlRow[] = [];
+  for (const row of rows) {
+    const key = String(row.key || '').trim();
+    if (!key || key === BACKUP_RUNNER_LOCK_CONFIG_KEY) continue;
+
+    if (key === BACKUP_SETTINGS_CONFIG_KEY) {
+      const portableOnly = exportPortableBackupSettingsEnvelope(typeof row.value === 'string' ? row.value : null);
+      if (portableOnly) sanitized.push({ ...row, value: portableOnly });
+      continue;
+    }
+
+    sanitized.push({ ...row });
+  }
+  return sanitized;
+}
+
 async function sha256Hex(bytes: Uint8Array): Promise<string> {
  const digest = await crypto.subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest)).map((byte) => byte.toString(16).padStart(2, '0')).join('');
 }

-function buildBackupFileName(date: Date = new Date(), checksumPrefix: string | null = null): string {
-  const parts = [
-    date.getUTCFullYear().toString().padStart(4, '0'),
-    (date.getUTCMonth() + 1).toString().padStart(2, '0'),
-    date.getUTCDate().toString().padStart(2, '0'),
-    date.getUTCHours().toString().padStart(2, '0'),
-    date.getUTCMinutes().toString().padStart(2, '0'),
-    date.getUTCSeconds().toString().padStart(2, '0'),
-  ];
+function getDateParts(date: Date, timeZone: string): string {
+  const formatter = new Intl.DateTimeFormat('en-CA', {
+    timeZone,
+    year: 'numeric',
+    month: '2-digit',
+    day: '2-digit',
+    hour: '2-digit',
+    minute: '2-digit',
+    second: '2-digit',
+    hourCycle: 'h23',
+  });
+  const parts = formatter.formatToParts(date);
+  const pick = (type: string): string => parts.find((part) => part.type === type)?.value || '';
+  return `${pick('year')}${pick('month')}${pick('day')}_${pick('hour')}${pick('minute')}${pick('second')}`;
+}
+
+function buildBackupFileNameInTimeZone(
+  date: Date = new Date(),
+  checksumPrefix: string | null = null,
+  timeZone: string = 'UTC'
+): string {
+  const parts = getDateParts(date, timeZone);
  const suffix = checksumPrefix ? `_${checksumPrefix}` : '';
-  return `nodewarden_backup_${parts[0]}${parts[1]}${parts[2]}_${parts[3]}${parts[4]}${parts[5]}${suffix}.zip`;
+  return `nodewarden_backup_${parts}${suffix}.zip`;
 }

 export function extractBackupFileChecksumPrefix(fileName: string): string | null {
@@ -250,9 +298,12 @@ export function validateBackupPayloadContents(
  const configRows = ensureRowArray(payload.db.config, 'config');
  const userRows = ensureRowArray(payload.db.users, 'users');
  const revisionRows = ensureRowArray(payload.db.user_revisions, 'user_revisions');
+  const domainSettingsRows = ensureRowArray(payload.db.domain_settings || [], 'domain_settings');
  const folderRows = ensureRowArray(payload.db.folders, 'folders');
  const cipherRows = ensureRowArray(payload.db.ciphers, 'ciphers');
  const attachmentRows = ensureRowArray(payload.db.attachments, 'attachments');
+  const accountPasskeyRows = ensureRowArray(payload.db.webauthn_credentials || [], 'webauthn_credentials');
+  const trustedTwoFactorTokenRows = ensureRowArray(payload.db.trusted_two_factor_device_tokens || [], 'trusted_two_factor_device_tokens');
  const externalAttachmentKeys = new Set<string>(
    options.allowExternalAttachmentBlobs
      ? (payload.manifest.attachmentBlobs || []).map((item) => `attachments/${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}.bin`)
@@ -280,6 +331,18 @@ export function validateBackupPayloadContents(
    }
  }

+  const domainSettingUserIds = new Set<string>();
+  for (const row of domainSettingsRows) {
+    const userId = String(row.user_id || '').trim();
+    if (!userId || !userIds.has(userId)) {
+      throw new Error(`Backup archive contains domain settings for an unknown user: ${userId || '(empty)'}`);
+    }
+    if (domainSettingUserIds.has(userId)) {
+      throw new Error(`Backup archive contains duplicate domain settings for user: ${userId}`);
+    }
+    domainSettingUserIds.add(userId);
+  }
+
  const folderIds = new Set<string>();
  for (const row of folderRows) {
    const id = String(row.id || '').trim();
@@ -313,6 +376,37 @@ export function validateBackupPayloadContents(
      throw new Error(`Backup archive is missing required file: attachments/${cipherId}/${id}.bin`);
    }
  }
+
+  const accountPasskeyIds = new Set<string>();
+  const accountPasskeyCredentialIds = new Set<string>();
+  for (const row of accountPasskeyRows) {
+    const id = String(row.id || '').trim();
+    const userId = String(row.user_id || '').trim();
+    const credentialId = String(row.credential_id || '').trim();
+    const publicKey = String(row.public_key || '').trim();
+    if (!id || !userIds.has(userId) || !credentialId || !publicKey) {
+      throw new Error('Backup archive contains an invalid account passkey row');
+    }
+    if (accountPasskeyIds.has(id)) throw new Error(`Backup archive contains duplicate account passkey id: ${id}`);
+    if (accountPasskeyCredentialIds.has(credentialId)) throw new Error(`Backup archive contains duplicate account passkey credential id: ${credentialId}`);
+    accountPasskeyIds.add(id);
+    accountPasskeyCredentialIds.add(credentialId);
+  }
+
+  const trustedTwoFactorTokens = new Set<string>();
+  for (const row of trustedTwoFactorTokenRows) {
+    const token = String(row.token || '').trim();
+    const userId = String(row.user_id || '').trim();
+    const deviceIdentifier = String(row.device_identifier || '').trim();
+    const expiresAt = Number(row.expires_at || 0);
+    if (!token || !userIds.has(userId) || !deviceIdentifier || !Number.isFinite(expiresAt) || expiresAt <= 0) {
+      throw new Error('Backup archive contains an invalid trusted two-factor device token row');
+    }
+    if (trustedTwoFactorTokens.has(token)) {
+      throw new Error(`Backup archive contains duplicate trusted two-factor device token: ${token}`);
+    }
+    trustedTwoFactorTokens.add(token);
+  }
 }

 export async function buildBackupArchive(
@@ -331,14 +425,18 @@ export async function buildBackupArchive(
    includeAttachments,
  });
  const encoder = new TextEncoder();
-  const [configRows, userRows, revisionRows, folderRows, cipherRows, attachmentRows] = await Promise.all([
+  const [configRows, userRows, domainSettingsRows, revisionRows, folderRows, cipherRows, attachmentRows, accountPasskeyRows, trustedTwoFactorTokenRows] = await Promise.all([
    queryRows(env.DB, 'SELECT key, value FROM config ORDER BY key ASC'),
    queryRows(env.DB, 'SELECT id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at FROM users ORDER BY created_at ASC'),
+    queryRows(env.DB, 'SELECT user_id, equivalent_domains, custom_equivalent_domains, excluded_global_equivalent_domains, updated_at FROM domain_settings ORDER BY user_id ASC'),
    queryRows(env.DB, 'SELECT user_id, revision_date FROM user_revisions ORDER BY user_id ASC'),
    queryRows(env.DB, 'SELECT id, user_id, name, created_at, updated_at FROM folders ORDER BY created_at ASC'),
    queryRows(env.DB, 'SELECT id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at FROM ciphers ORDER BY created_at ASC'),
    queryRows(env.DB, 'SELECT id, cipher_id, file_name, size, size_name, key FROM attachments ORDER BY cipher_id ASC, id ASC'),
+    queryRows(env.DB, 'SELECT id, user_id, name, public_key, credential_id, counter, type, aa_guid, transports, encrypted_user_key, encrypted_public_key, encrypted_private_key, supports_prf, created_at, updated_at FROM webauthn_credentials ORDER BY created_at ASC'),
+    queryRows(env.DB, 'SELECT token, user_id, device_identifier, expires_at FROM trusted_two_factor_device_tokens WHERE expires_at >= ? ORDER BY user_id ASC, device_identifier ASC, expires_at DESC', date.getTime()),
  ]);
+  const exportedConfigRows = sanitizeConfigRowsForExport(configRows);
  const exportedAttachmentRows = includeAttachments ? attachmentRows : [];
  const attachmentBlobs: BackupManifestAttachmentBlob[] = exportedAttachmentRows.map((row) => {
    const cipherId = String(row.cipher_id || '').trim();
@@ -357,12 +455,15 @@ export async function buildBackupArchive(
    appVersion: APP_VERSION,
    storageKind: getBlobStorageKind(env),
    tableCounts: {
-      config: configRows.length,
+      config: exportedConfigRows.length,
      users: userRows.length,
+      domain_settings: domainSettingsRows.length,
      user_revisions: revisionRows.length,
      folders: folderRows.length,
      ciphers: cipherRows.length,
      attachments: exportedAttachmentRows.length,
+      webauthn_credentials: accountPasskeyRows.length,
+      trusted_two_factor_device_tokens: trustedTwoFactorTokenRows.length,
    },
    includes: {
      attachments: includeAttachments,
@@ -378,12 +479,15 @@ export async function buildBackupArchive(
  const files: Record<string, Uint8Array> = {
    'manifest.json': encoder.encode(JSON.stringify(manifestBase, null, BACKUP_JSON_INDENT)),
    'db.json': encoder.encode(JSON.stringify({
-      config: configRows,
+      config: exportedConfigRows,
      users: userRows,
+      domain_settings: domainSettingsRows,
      user_revisions: revisionRows,
      folders: folderRows,
      ciphers: cipherRows,
      attachments: exportedAttachmentRows,
+      webauthn_credentials: accountPasskeyRows,
+      trusted_two_factor_device_tokens: trustedTwoFactorTokenRows,
    }, null, BACKUP_JSON_INDENT)),
  };

@@ -398,7 +502,8 @@ export async function buildBackupArchive(
  });
  const bytes = zipSync(createZipEntries(files));
  const fileHashPrefix = (await sha256Hex(bytes)).slice(0, BACKUP_FILE_HASH_PREFIX_LENGTH);
-  const fileName = buildBackupFileName(date, fileHashPrefix);
+  const backupTimeZone = options.timeZone || 'UTC';
+  const fileName = buildBackupFileNameInTimeZone(date, fileHashPrefix, backupTimeZone);
  await options.progress?.({
    step: 'archive_ready',
    fileName,
@@ -16,7 +16,7 @@ import {
  type BackupRuntimeState,
  type BackupScheduleConfig,
  type BackupSettings,
-  type E3BackupDestination,
+  type S3BackupDestination,
  type WebDavBackupDestination,
  createBackupRandomId,
  createDefaultBackupDestinationName,
@@ -35,7 +35,7 @@ export type {
  BackupRuntimeState,
  BackupScheduleConfig,
  BackupSettings,
-  E3BackupDestination,
+  S3BackupDestination,
  WebDavBackupDestination,
 } from '../../shared/backup-schema';

@@ -105,7 +105,7 @@ function normalizeStartTime(value: unknown, fallback: string = BACKUP_DEFAULT_ST
  return `${String(hour).padStart(2, '0')}:${String(minute).padStart(2, '0')}`;
 }

-function normalizeE3Destination(value: unknown, allowIncomplete = false): E3BackupDestination {
+function normalizeS3Destination(value: unknown, allowIncomplete = false): S3BackupDestination {
  const source = isPlainObject(value) ? value : {};
  const endpoint = asTrimmedString(source.endpoint);
  const bucket = asTrimmedString(source.bucket);
@@ -115,17 +115,17 @@ function normalizeE3Destination(value: unknown, allowIncomplete = false): E3Back
  const rootPath = normalizePath(source.rootPath);

  if (!allowIncomplete || endpoint) {
-    if (!endpoint) throw new Error('E3 endpoint is required');
-    if (!/^https?:\/\//i.test(endpoint)) throw new Error('E3 endpoint must start with http:// or https://');
+    if (!endpoint) throw new Error('S3 endpoint is required');
+    if (!/^https?:\/\//i.test(endpoint)) throw new Error('S3 endpoint must start with http:// or https://');
  }
  if (!allowIncomplete || bucket) {
-    if (!bucket) throw new Error('E3 bucket is required');
+    if (!bucket) throw new Error('S3 bucket is required');
  }
  if (!allowIncomplete || accessKeyId) {
-    if (!accessKeyId) throw new Error('E3 access key is required');
+    if (!accessKeyId) throw new Error('S3 access key is required');
  }
  if (!allowIncomplete || secretAccessKey) {
-    if (!secretAccessKey) throw new Error('E3 secret key is required');
+    if (!secretAccessKey) throw new Error('S3 secret key is required');
  }

  return {
@@ -169,7 +169,7 @@ function normalizeDestination(
  destination: unknown,
  allowIncomplete = false
 ): BackupDestinationConfig {
-  if (destinationType === 'e3') return normalizeE3Destination(destination, allowIncomplete);
+  if (destinationType === 's3') return normalizeS3Destination(destination, allowIncomplete);
  return normalizeWebDavDestination(destination, allowIncomplete);
 }

@@ -204,7 +204,8 @@ function defaultDestinationName(type: BackupDestinationType, index: number): str

 function getDestinationType(raw: unknown): BackupDestinationType {
  const value = asTrimmedString(raw);
-  if (value === 'e3' || value === 'webdav') return value;
+  if (value === 'e3') return 's3';
+  if (value === 's3' || value === 'webdav') return value;
  throw new Error('Backup destination type is invalid');
 }

@@ -266,8 +267,8 @@ function parseLegacyBackupSettings(rawValue: Record<string, unknown>, fallbackTi
      : BACKUP_DEFAULT_INTERVAL_HOURS;
  const destinationTypeRaw = asTrimmedString(rawValue.destinationType);
  const destinationType: BackupDestinationType =
-    destinationTypeRaw === 'e3' || destinationTypeRaw === 'webdav'
-      ? destinationTypeRaw
+    destinationTypeRaw === 'e3' || destinationTypeRaw === 's3' || destinationTypeRaw === 'webdav'
+      ? getDestinationType(destinationTypeRaw)
      : 'webdav';
  const destination = {
    id: createBackupRandomId(),
@@ -408,13 +409,6 @@ export async function loadBackupSettings(storage: StorageService, env: Env, fall

 export async function saveBackupSettings(storage: StorageService, env: Env, settings: BackupSettings): Promise<void> {
  const users = await storage.getAllUsers();
-  const hasPortableAdmins = users.some(
-    (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
-  );
-  if (!hasPortableAdmins) {
-    await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, serializeBackupSettings(settings));
-    return;
-  }
  const encrypted = await encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
  await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, encrypted);
 }
@@ -441,12 +435,6 @@ export async function normalizeImportedBackupSettingsValue(
    try {
      const decrypted = await decryptBackupSettingsRuntime(raw, env);
      const settings = parseBackupSettings(decrypted, fallbackTimezone);
-      const hasPortableAdmins = users.some(
-        (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
-      );
-      if (!hasPortableAdmins) {
-        return serializeBackupSettings(settings);
-      }
      return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
    } catch {
      // Keep imported portable recovery data intact until an admin signs in and repairs it.
@@ -454,12 +442,6 @@ export async function normalizeImportedBackupSettingsValue(
    }
  }
  const settings = parseBackupSettings(raw, fallbackTimezone);
-  const hasPortableAdmins = users.some(
-    (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
-  );
-  if (!hasPortableAdmins) {
-    return serializeBackupSettings(settings);
-  }
  return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
 }

@@ -598,6 +580,50 @@ function getBackupSlotStartsForLocalDay(
  return slots;
 }

+export function hasBackupSlotBetween(
+  destination: BackupDestinationRecord,
+  startInclusive: Date,
+  endExclusive: Date
+): boolean {
+  if (!destination.schedule.enabled) return false;
+  const startMs = startInclusive.getTime();
+  const endMs = endExclusive.getTime();
+  if (!Number.isFinite(startMs) || !Number.isFinite(endMs) || endMs <= startMs) return false;
+
+  const lastAttemptAt = destination.runtime.lastAttemptAt ? new Date(destination.runtime.lastAttemptAt) : null;
+  const lastAttemptMs = lastAttemptAt && Number.isFinite(lastAttemptAt.getTime())
+    ? lastAttemptAt.getTime()
+    : Number.NEGATIVE_INFINITY;
+
+  const dayCursor = new Date(startMs);
+  dayCursor.setUTCHours(0, 0, 0, 0);
+  const endDay = new Date(endMs);
+  endDay.setUTCHours(0, 0, 0, 0);
+  const checkedLocalDateKeys = new Set<string>();
+
+  while (dayCursor.getTime() <= endDay.getTime() + 24 * 60 * 60 * 1000) {
+    const localDateKey = getBackupLocalDateKey(dayCursor, destination.schedule.timezone);
+    if (!checkedLocalDateKeys.has(localDateKey)) {
+      checkedLocalDateKeys.add(localDateKey);
+      const slotStarts = getBackupSlotStartsForLocalDay(
+        localDateKey,
+        destination.schedule.timezone,
+        destination.schedule.startTime,
+        destination.schedule.intervalHours
+      );
+      for (const slotStart of slotStarts) {
+        const slotStartMs = slotStart.getTime();
+        if (slotStartMs < startMs || slotStartMs >= endMs) continue;
+        if (lastAttemptMs >= slotStartMs) continue;
+        return true;
+      }
+    }
+    dayCursor.setUTCDate(dayCursor.getUTCDate() + 1);
+  }
+
+  return false;
+}
+
 export function isBackupDueNow(
  destination: BackupDestinationRecord,
  now: Date,
@@ -8,11 +8,24 @@ import {
  validateBackupPayloadContents,
 } from './backup-archive';

+// CONTRACT:
+// Restore is intentionally whitelist-based. Old backups may contain retired
+// fields, but only the columns listed here are imported. Keep this file in sync
+// with src/services/backup-archive.ts whenever backup contents change.
+//
+// WHEN CHANGING THIS:
+// - Update BackupTableName, BACKUP_TABLES, reset statements, prepared payloads,
+//   shadow-table count validation, insert column lists, and frontend import
+//   count types together.
+// - Do not import users.api_key, even if an older backup contains it.
 type SqlRow = Record<string, string | number | null>;
 type BackupTableName =
  | 'config'
  | 'users'
+  | 'domain_settings'
  | 'user_revisions'
+  | 'trusted_two_factor_device_tokens'
+  | 'webauthn_credentials'
  | 'folders'
  | 'ciphers'
  | 'attachments';
@@ -20,7 +33,10 @@ type BackupTableName =
 const BACKUP_TABLES: BackupTableName[] = [
  'config',
  'users',
+  'domain_settings',
  'user_revisions',
+  'trusted_two_factor_device_tokens',
+  'webauthn_credentials',
  'folders',
  'ciphers',
  'attachments',
@@ -35,7 +51,10 @@ export interface BackupImportResultBody {
  imported: {
    config: number;
    users: number;
+    domainSettings: number;
    userRevisions: number;
+    trustedTwoFactorDeviceTokens: number;
+    webauthnCredentials: number;
    folders: number;
    ciphers: number;
    attachments: number;
@@ -155,6 +174,9 @@ function buildResetImportTargetStatements(db: D1Database): D1PreparedStatement[]
    'DELETE FROM attachments',
    'DELETE FROM ciphers',
    'DELETE FROM folders',
+    'DELETE FROM webauthn_credentials',
+    'DELETE FROM trusted_two_factor_device_tokens',
+    'DELETE FROM domain_settings',
    'DELETE FROM user_revisions',
    'DELETE FROM users',
    'DELETE FROM config',
@@ -276,7 +298,10 @@ async function importPreparedBackupRows(db: D1Database, payload: BackupPayload['
      ...row,
      verify_devices: row.verify_devices ?? 1,
    })),
+    domain_settings: cloneRows(payload.domain_settings || []),
    user_revisions: cloneRows(payload.user_revisions || []),
+    trusted_two_factor_device_tokens: cloneRows(payload.trusted_two_factor_device_tokens || []),
+    webauthn_credentials: cloneRows(payload.webauthn_credentials || []),
    folders: cloneRows(payload.folders || []),
    ciphers: cloneRows(payload.ciphers || []).map((row) => ({
      ...row,
@@ -603,6 +628,37 @@ async function importBackupRows(db: D1Database, payload: BackupPayload['db'], us
    tableName('user_revisions'),
    buildInsertStatements(db, tableName('user_revisions'), ['user_id', 'revision_date'], payload.user_revisions || [], true)
  );
+  await runInsertBatch(
+    db,
+    tableName('domain_settings'),
+    buildInsertStatements(
+      db,
+      tableName('domain_settings'),
+      ['user_id', 'equivalent_domains', 'custom_equivalent_domains', 'excluded_global_equivalent_domains', 'updated_at'],
+      payload.domain_settings || [],
+      true
+    )
+  );
+  await runInsertBatch(
+    db,
+    tableName('trusted_two_factor_device_tokens'),
+    buildInsertStatements(
+      db,
+      tableName('trusted_two_factor_device_tokens'),
+      ['token', 'user_id', 'device_identifier', 'expires_at'],
+      payload.trusted_two_factor_device_tokens || []
+    )
+  );
+  await runInsertBatch(
+    db,
+    tableName('webauthn_credentials'),
+    buildInsertStatements(
+      db,
+      tableName('webauthn_credentials'),
+      ['id', 'user_id', 'name', 'public_key', 'credential_id', 'counter', 'type', 'aa_guid', 'transports', 'encrypted_user_key', 'encrypted_public_key', 'encrypted_private_key', 'supports_prf', 'created_at', 'updated_at'],
+      payload.webauthn_credentials || []
+    )
+  );
  await runInsertBatch(
    db,
    tableName('folders'),
@@ -669,7 +725,10 @@ export async function importBackupArchiveBytes(
    await validateShadowTableCounts(env.DB, {
      config: (db.config || []).length,
      users: (db.users || []).length,
+      domain_settings: (db.domain_settings || []).length,
      user_revisions: (db.user_revisions || []).length,
+      trusted_two_factor_device_tokens: (db.trusted_two_factor_device_tokens || []).length,
+      webauthn_credentials: (db.webauthn_credentials || []).length,
      folders: (db.folders || []).length,
      ciphers: (db.ciphers || []).length,
      attachments: (db.attachments || []).length,
@@ -690,7 +749,10 @@ export async function importBackupArchiveBytes(
    await validateShadowTableCounts(env.DB, {
      config: (db.config || []).length,
      users: (db.users || []).length,
+      domain_settings: (db.domain_settings || []).length,
      user_revisions: (db.user_revisions || []).length,
+      trusted_two_factor_device_tokens: (db.trusted_two_factor_device_tokens || []).length,
+      webauthn_credentials: (db.webauthn_credentials || []).length,
      folders: (db.folders || []).length,
      ciphers: (db.ciphers || []).length,
      attachments: restored.restoredAttachments.length,
@@ -729,7 +791,10 @@ export async function importBackupArchiveBytes(
        imported: {
          config: (db.config || []).length,
          users: (db.users || []).length,
+          domainSettings: (db.domain_settings || []).length,
          userRevisions: (db.user_revisions || []).length,
+          trustedTwoFactorDeviceTokens: (db.trusted_two_factor_device_tokens || []).length,
+          webauthnCredentials: (db.webauthn_credentials || []).length,
          folders: (db.folders || []).length,
          ciphers: (db.ciphers || []).length,
          attachments: restored.restoredAttachments.length,
@@ -804,7 +869,10 @@ export async function importRemoteBackupArchiveBytes(
    await validateShadowTableCounts(env.DB, {
      config: (db.config || []).length,
      users: (db.users || []).length,
+      domain_settings: (db.domain_settings || []).length,
      user_revisions: (db.user_revisions || []).length,
+      trusted_two_factor_device_tokens: (db.trusted_two_factor_device_tokens || []).length,
+      webauthn_credentials: (db.webauthn_credentials || []).length,
      folders: (db.folders || []).length,
      ciphers: (db.ciphers || []).length,
      attachments: (db.attachments || []).length,
@@ -825,7 +893,10 @@ export async function importRemoteBackupArchiveBytes(
    await validateShadowTableCounts(env.DB, {
      config: (db.config || []).length,
      users: (db.users || []).length,
+      domain_settings: (db.domain_settings || []).length,
      user_revisions: (db.user_revisions || []).length,
+      trusted_two_factor_device_tokens: (db.trusted_two_factor_device_tokens || []).length,
+      webauthn_credentials: (db.webauthn_credentials || []).length,
      folders: (db.folders || []).length,
      ciphers: (db.ciphers || []).length,
      attachments: restored.restoredAttachments.length,
@@ -870,7 +941,10 @@ export async function importRemoteBackupArchiveBytes(
        imported: {
          config: (db.config || []).length,
          users: (db.users || []).length,
+          domainSettings: (db.domain_settings || []).length,
          userRevisions: (db.user_revisions || []).length,
+          trustedTwoFactorDeviceTokens: (db.trusted_two_factor_device_tokens || []).length,
+          webauthnCredentials: (db.webauthn_credentials || []).length,
          folders: (db.folders || []).length,
          ciphers: (db.ciphers || []).length,
          attachments: restored.restoredAttachments.length,
@@ -1,5 +1,17 @@
 import type { Env, User } from '../types';

+// CONTRACT:
+// Backup settings contain provider credentials. They are stored as a v2 envelope:
+// - runtime: AES-GCM encrypted with a key derived from JWT_SECRET for the current
+//   server's scheduled backup runner.
+// - portable: AES-GCM encrypted with a random DEK; that DEK is RSA-wrapped for
+//   active admin public keys so settings can be repaired after restore/migration.
+//   Historical/imported databases may not have usable admin public keys; in that
+//   case portable.wraps is empty but the runtime ciphertext is still encrypted.
+//
+// New admin-entered provider secrets, such as mail API keys, should use this
+// pattern or a deliberately documented replacement. Do not store provider
+// secrets as plain config JSON.
 const RUNTIME_SALT = 'nodewarden.backup-settings.runtime.v2';
 const RUNTIME_INFO = 'runtime';
 const PORTABLE_ALGORITHM = 'RSA-OAEP';
@@ -155,6 +167,20 @@ export function parseBackupSettingsEnvelope(raw: string | null): BackupSettingsE
  }
 }

+export function exportPortableBackupSettingsEnvelope(raw: string | null): string | null {
+  const envelope = parseBackupSettingsEnvelope(raw);
+  if (!envelope) return null;
+  return JSON.stringify({
+    version: 2,
+    portableOnly: true,
+    runtime: {
+      iv: '',
+      ciphertext: '',
+    },
+    portable: envelope.portable,
+  });
+}
+
 export async function encryptBackupSettingsEnvelope(
  plaintext: string,
  env: Env,
@@ -162,9 +188,6 @@ export async function encryptBackupSettingsEnvelope(
 ): Promise<string> {
  const encoder = new TextEncoder();
  const eligibleUsers = getEligiblePortableUsers(users);
-  if (!eligibleUsers.length) {
-    throw new Error('No active administrator public keys are available for backup settings recovery');
-  }

  const runtimeKey = await deriveRuntimeKey(env.JWT_SECRET);
  const runtime = await encryptAesGcm(encoder.encode(plaintext), runtimeKey);
@@ -181,18 +204,22 @@ export async function encryptBackupSettingsEnvelope(

  const wraps: BackupSettingsPortableWrap[] = [];
  for (const user of eligibleUsers) {
-    const publicKey = await importPortablePublicKey(user.publicKey!);
-    const wrappedKey = new Uint8Array(
-      await crypto.subtle.encrypt(
-        { name: PORTABLE_ALGORITHM },
-        publicKey,
-        portableDek
-      )
-    );
-    wraps.push({
-      userId: user.id,
-      wrappedKey: bytesToBase64(wrappedKey),
-    });
+    try {
+      const publicKey = await importPortablePublicKey(user.publicKey!);
+      const wrappedKey = new Uint8Array(
+        await crypto.subtle.encrypt(
+          { name: PORTABLE_ALGORITHM },
+          publicKey,
+          portableDek
+        )
+      );
+      wraps.push({
+        userId: user.id,
+        wrappedKey: bytesToBase64(wrappedKey),
+      });
+    } catch {
+      // Keep runtime settings usable even if an imported admin key is malformed.
+    }
  }

  const envelope: BackupSettingsEnvelopeV2 = {
@@ -1,7 +1,7 @@
 import {
  BackupDestinationRecord,
  BackupDestinationType,
-  E3BackupDestination,
+  S3BackupDestination,
  WebDavBackupDestination,
 } from './backup-config';

@@ -213,13 +213,13 @@ function ensureDestinationConfigReady(destination: BackupDestinationRecord): voi
    if (!String(config.password || '')) throw new Error('WebDAV password is required');
    return;
  }
-  if (destination.type === 'e3') {
-    const config = destination.destination as E3BackupDestination;
-    if (!String(config.endpoint || '').trim()) throw new Error('E3 endpoint is required');
-    if (!/^https?:\/\//i.test(String(config.endpoint || '').trim())) throw new Error('E3 endpoint must start with http:// or https://');
-    if (!String(config.bucket || '').trim()) throw new Error('E3 bucket is required');
-    if (!String(config.accessKeyId || '').trim()) throw new Error('E3 access key is required');
-    if (!String(config.secretAccessKey || '')) throw new Error('E3 secret key is required');
+  if (destination.type === 's3') {
+    const config = destination.destination as S3BackupDestination;
+    if (!String(config.endpoint || '').trim()) throw new Error('S3 endpoint is required');
+    if (!/^https?:\/\//i.test(String(config.endpoint || '').trim())) throw new Error('S3 endpoint must start with http:// or https://');
+    if (!String(config.bucket || '').trim()) throw new Error('S3 bucket is required');
+    if (!String(config.accessKeyId || '').trim()) throw new Error('S3 access key is required');
+    if (!String(config.secretAccessKey || '')) throw new Error('S3 secret key is required');
  }
 }

@@ -448,16 +448,16 @@ async function existsInWebDav(config: WebDavBackupDestination, relativePath: str
  return true;
 }

-function e3BucketBaseUrl(config: E3BackupDestination): URL {
+function s3BucketBaseUrl(config: S3BackupDestination): URL {
  return new URL(`${config.endpoint.replace(/\/+$/, '')}/${encodeURIComponent(config.bucket)}`);
 }

-function normalizeE3ObjectKey(config: E3BackupDestination, relativePath: string): string {
+function normalizeS3ObjectKey(config: S3BackupDestination, relativePath: string): string {
  return buildJoinedPath(config.rootPath, normalizeRelativePath(relativePath));
 }

-async function signedE3Request(
-  config: E3BackupDestination,
+async function signedS3Request(
+  config: S3BackupDestination,
  method: 'GET' | 'PUT' | 'DELETE' | 'HEAD',
  url: URL,
  body?: Uint8Array,
@@ -494,41 +494,41 @@ async function signedE3Request(
  });
 }

-async function putToE3(
-  config: E3BackupDestination,
+async function putToS3(
+  config: S3BackupDestination,
  relativePath: string,
  bytes: Uint8Array,
  options: RemoteBackupFilePutOptions = {}
 ): Promise<void> {
-  const objectKey = normalizeE3ObjectKey(config, relativePath);
-  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
-  const response = await signedE3Request(config, 'PUT', url, bytes, options.contentType);
+  const objectKey = normalizeS3ObjectKey(config, relativePath);
+  const url = new URL(`${s3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedS3Request(config, 'PUT', url, bytes, options.contentType);

  if (!response.ok) {
-    throw new Error(`E3 upload failed: ${response.status}`);
+    throw new Error(`S3 upload failed: ${response.status}`);
  }
 }

-async function uploadToE3(config: E3BackupDestination, archive: Uint8Array, fileName: string): Promise<BackupUploadResult> {
-  await putToE3(config, fileName, archive, { contentType: 'application/zip' });
+async function uploadToS3(config: S3BackupDestination, archive: Uint8Array, fileName: string): Promise<BackupUploadResult> {
+  await putToS3(config, fileName, archive, { contentType: 'application/zip' });
  return {
-    provider: 'e3',
-    remotePath: normalizeE3ObjectKey(config, fileName),
+    provider: 's3',
+    remotePath: normalizeS3ObjectKey(config, fileName),
  };
 }

-async function listE3Entries(config: E3BackupDestination, relativePath: string): Promise<RemoteBackupListResult> {
+async function listS3Entries(config: S3BackupDestination, relativePath: string): Promise<RemoteBackupListResult> {
  const currentPath = normalizeRelativePath(relativePath);
-  const targetPrefixBase = normalizeE3ObjectKey(config, currentPath);
+  const targetPrefixBase = normalizeS3ObjectKey(config, currentPath);
  const targetPrefix = trimSlashes(targetPrefixBase) ? `${trimSlashes(targetPrefixBase)}/` : '';
-  const url = e3BucketBaseUrl(config);
+  const url = s3BucketBaseUrl(config);
  url.searchParams.set('list-type', '2');
  url.searchParams.set('delimiter', '/');
  if (targetPrefix) url.searchParams.set('prefix', targetPrefix);

-  const response = await signedE3Request(config, 'GET', url);
+  const response = await signedS3Request(config, 'GET', url);
  if (!response.ok) {
-    throw new Error(`E3 listing failed: ${response.status}`);
+    throw new Error(`S3 listing failed: ${response.status}`);
  }

  const xml = await response.text();
@@ -581,26 +581,26 @@ async function listE3Entries(config: E3BackupDestination, relativePath: string):
  for (const item of items) deduped.set(`${item.isDirectory ? 'd' : 'f'}:${item.path}`, item);

  return {
-    provider: 'e3',
+    provider: 's3',
    currentPath,
    parentPath: parentPath(currentPath),
    items: sortRemoteItems(Array.from(deduped.values())),
  };
 }

-async function downloadFromE3(config: E3BackupDestination, relativePath: string): Promise<RemoteBackupFile> {
+async function downloadFromS3(config: S3BackupDestination, relativePath: string): Promise<RemoteBackupFile> {
  const normalized = normalizeRelativePath(relativePath);
  if (!normalized || normalized.endsWith('/')) {
    throw new Error('Please select a backup file');
  }
-  const objectKey = normalizeE3ObjectKey(config, normalized);
-  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
-  const response = await signedE3Request(config, 'GET', url);
+  const objectKey = normalizeS3ObjectKey(config, normalized);
+  const url = new URL(`${s3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedS3Request(config, 'GET', url);
  if (!response.ok) {
-    throw new Error(`E3 download failed: ${response.status}`);
+    throw new Error(`S3 download failed: ${response.status}`);
  }
  return {
-    provider: 'e3',
+    provider: 's3',
    remotePath: normalized,
    fileName: basename(normalized) || 'backup.zip',
    contentType: String(response.headers.get('Content-Type') || 'application/zip').trim() || 'application/zip',
@@ -608,35 +608,35 @@ async function downloadFromE3(config: E3BackupDestination, relativePath: string)
  };
 }

-async function deleteFromE3(config: E3BackupDestination, relativePath: string): Promise<void> {
-  const objectKey = normalizeE3ObjectKey(config, relativePath);
-  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
-  const response = await signedE3Request(config, 'DELETE', url);
+async function deleteFromS3(config: S3BackupDestination, relativePath: string): Promise<void> {
+  const objectKey = normalizeS3ObjectKey(config, relativePath);
+  const url = new URL(`${s3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedS3Request(config, 'DELETE', url);
  if (!response.ok && response.status !== 404) {
-    throw new Error(`E3 delete failed: ${response.status}`);
+    throw new Error(`S3 delete failed: ${response.status}`);
  }
 }

-async function existsInE3(config: E3BackupDestination, relativePath: string): Promise<boolean> {
-  const objectKey = normalizeE3ObjectKey(config, relativePath);
-  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
-  const response = await signedE3Request(config, 'HEAD', url);
+async function existsInS3(config: S3BackupDestination, relativePath: string): Promise<boolean> {
+  const objectKey = normalizeS3ObjectKey(config, relativePath);
+  const url = new URL(`${s3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedS3Request(config, 'HEAD', url);
  if (response.status === 404) return false;
  if (!response.ok) {
-    throw new Error(`E3 existence check failed: ${response.status}`);
+    throw new Error(`S3 existence check failed: ${response.status}`);
  }
  return true;
 }

 interface ConfiguredDestinationAdapter {
-  provider: 'webdav' | 'e3';
-  config: WebDavBackupDestination | E3BackupDestination;
-  upload: (config: WebDavBackupDestination | E3BackupDestination, archive: Uint8Array, fileName: string) => Promise<BackupUploadResult>;
-  putFile: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string, bytes: Uint8Array, options?: RemoteBackupFilePutOptions) => Promise<void>;
-  list: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<RemoteBackupListResult>;
-  download: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<RemoteBackupFile>;
-  deleteFile: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<void>;
-  exists: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<boolean>;
+  provider: 'webdav' | 's3';
+  config: WebDavBackupDestination | S3BackupDestination;
+  upload: (config: WebDavBackupDestination | S3BackupDestination, archive: Uint8Array, fileName: string) => Promise<BackupUploadResult>;
+  putFile: (config: WebDavBackupDestination | S3BackupDestination, relativePath: string, bytes: Uint8Array, options?: RemoteBackupFilePutOptions) => Promise<void>;
+  list: (config: WebDavBackupDestination | S3BackupDestination, relativePath: string) => Promise<RemoteBackupListResult>;
+  download: (config: WebDavBackupDestination | S3BackupDestination, relativePath: string) => Promise<RemoteBackupFile>;
+  deleteFile: (config: WebDavBackupDestination | S3BackupDestination, relativePath: string) => Promise<void>;
+  exists: (config: WebDavBackupDestination | S3BackupDestination, relativePath: string) => Promise<boolean>;
 }

 export interface RemoteBackupTransferSession {
@@ -666,16 +666,16 @@ function resolveConfiguredDestinationAdapter(
      exists: (config, relativePath) => existsInWebDav(config as WebDavBackupDestination, relativePath),
    };
  }
-  if (destination.type === 'e3') {
+  if (destination.type === 's3') {
    return {
-      provider: 'e3',
-      config: destination.destination as E3BackupDestination,
-      upload: (config, archive, fileName) => uploadToE3(config as E3BackupDestination, archive, fileName),
-      putFile: (config, relativePath, bytes, options) => putToE3(config as E3BackupDestination, relativePath, bytes, options),
-      list: (config, relativePath) => listE3Entries(config as E3BackupDestination, relativePath),
-      download: (config, relativePath) => downloadFromE3(config as E3BackupDestination, relativePath),
-      deleteFile: (config, relativePath) => deleteFromE3(config as E3BackupDestination, relativePath),
-      exists: (config, relativePath) => existsInE3(config as E3BackupDestination, relativePath),
+      provider: 's3',
+      config: destination.destination as S3BackupDestination,
+      upload: (config, archive, fileName) => uploadToS3(config as S3BackupDestination, archive, fileName),
+      putFile: (config, relativePath, bytes, options) => putToS3(config as S3BackupDestination, relativePath, bytes, options),
+      list: (config, relativePath) => listS3Entries(config as S3BackupDestination, relativePath),
+      download: (config, relativePath) => downloadFromS3(config as S3BackupDestination, relativePath),
+      deleteFile: (config, relativePath) => deleteFromS3(config as S3BackupDestination, relativePath),
+      exists: (config, relativePath) => existsInS3(config as S3BackupDestination, relativePath),
    };
  }

@@ -703,7 +703,7 @@ export function createRemoteBackupTransferSession(destination: BackupDestination
        provider: adapter.provider,
        remotePath: adapter.provider === 'webdav'
          ? buildJoinedPath((adapter.config as WebDavBackupDestination).remotePath, fileName)
-          : normalizeE3ObjectKey(adapter.config as E3BackupDestination, fileName),
+          : normalizeS3ObjectKey(adapter.config as S3BackupDestination, fileName),
      };
    },
    putFile,
@@ -0,0 +1,222 @@
+import bitwardenGlobalDomainsRaw from '../static/global_domains.bitwarden.json';
+import customGlobalDomainsRaw from '../static/global_domains.custom.json';
+import type { CustomEquivalentDomain, DomainRulesResponse, GlobalEquivalentDomain } from '../types';
+import { normalizeEquivalentDomain } from '../../shared/domain-normalize';
+
+// CONTRACT:
+// Equivalent domains are a Bitwarden compatibility surface. The DB stores both
+// the full custom rule list and the derived active equivalent-domain groups:
+// - custom_equivalent_domains: UI/client rules with id + excluded state.
+// - equivalent_domains: active groups derived from non-excluded custom rules.
+// - excluded_global_equivalent_domains: disabled global rule type ids.
+// Do not treat equivalent_domains and custom_equivalent_domains as accidental
+// duplicates without a migration and compatibility plan.
+type RawGlobalDomain = Partial<GlobalEquivalentDomain> & {
+  Type?: unknown;
+  Domains?: unknown;
+  Excluded?: unknown;
+};
+
+function normalizeDomain(value: unknown): string {
+  return normalizeEquivalentDomain(value);
+}
+
+function normalizeGlobalDomain(entry: RawGlobalDomain): GlobalEquivalentDomain | null {
+  const type = Number(entry.type ?? entry.Type);
+  if (!Number.isInteger(type)) return null;
+
+  const rawDomains = entry.domains ?? entry.Domains;
+  if (!Array.isArray(rawDomains)) return null;
+
+  const domains = Array.from(new Set(rawDomains.map(normalizeDomain).filter(Boolean)));
+  if (domains.length < 2) return null;
+
+  return {
+    type,
+    domains,
+    excluded: Boolean(entry.excluded ?? entry.Excluded ?? false),
+  };
+}
+
+function normalizeGlobalDomains(input: unknown): GlobalEquivalentDomain[] {
+  if (!Array.isArray(input)) return [];
+
+  const seen = new Set<number>();
+  const out: GlobalEquivalentDomain[] = [];
+  for (const entry of input) {
+    const normalized = normalizeGlobalDomain(entry as RawGlobalDomain);
+    if (!normalized || seen.has(normalized.type)) continue;
+    seen.add(normalized.type);
+    out.push(normalized);
+  }
+  return out;
+}
+
+const bitwardenGlobalDomains = normalizeGlobalDomains(bitwardenGlobalDomainsRaw);
+const customGlobalDomains = normalizeGlobalDomains(customGlobalDomainsRaw);
+
+export const globalDomains: readonly GlobalEquivalentDomain[] = [
+  ...bitwardenGlobalDomains,
+  ...customGlobalDomains,
+];
+
+export function normalizeEquivalentDomains(input: unknown): string[][] {
+  if (!Array.isArray(input)) return [];
+
+  const groups: string[][] = [];
+  const seenGroups = new Set<string>();
+  for (const group of input) {
+    if (!Array.isArray(group)) continue;
+    const domains = Array.from(new Set(group.map(normalizeDomain).filter(Boolean)));
+    if (domains.length < 2) continue;
+    const key = domains.slice().sort().join('\n');
+    if (seenGroups.has(key)) continue;
+    seenGroups.add(key);
+    groups.push(domains);
+  }
+  return groups;
+}
+
+export function mergeEquivalentDomainGroups(input: string[][]): string[][] {
+  const parent = new Map<string, string>();
+
+  function find(domain: string): string {
+    const current = parent.get(domain);
+    if (!current) {
+      parent.set(domain, domain);
+      return domain;
+    }
+    if (current === domain) return domain;
+    const root = find(current);
+    parent.set(domain, root);
+    return root;
+  }
+
+  function union(a: string, b: string): void {
+    const rootA = find(a);
+    const rootB = find(b);
+    if (rootA !== rootB) parent.set(rootB, rootA);
+  }
+
+  for (const group of normalizeEquivalentDomains(input)) {
+    if (group.length < 2) continue;
+    const [first, ...rest] = group;
+    find(first);
+    for (const domain of rest) union(first, domain);
+  }
+
+  const components = new Map<string, string[]>();
+  for (const domain of parent.keys()) {
+    const root = find(domain);
+    const group = components.get(root) || [];
+    group.push(domain);
+    components.set(root, group);
+  }
+
+  return Array.from(components.values())
+    .map((group) => group.sort())
+    .filter((group) => group.length >= 2)
+    .sort((a, b) => a[0].localeCompare(b[0]));
+}
+
+export function expandCustomEquivalentDomainsWithGlobals(
+  customGroups: string[][],
+  activeGlobalGroups: string[][]
+): string[][] {
+  const normalizedCustomGroups = normalizeEquivalentDomains(customGroups);
+  if (!normalizedCustomGroups.length) return [];
+
+  const customDomains = new Set(normalizedCustomGroups.flat());
+  return mergeEquivalentDomainGroups([
+    ...activeGlobalGroups,
+    ...normalizedCustomGroups,
+  ]).filter((group) => group.some((domain) => customDomains.has(domain)));
+}
+
+function createCustomDomainId(domains: string[], index: number): string {
+  return `custom:${domains.slice().sort().join('|')}:${index}`;
+}
+
+export function normalizeCustomEquivalentDomains(input: unknown): CustomEquivalentDomain[] {
+  if (!Array.isArray(input)) return [];
+
+  const rules: CustomEquivalentDomain[] = [];
+  const seenGroups = new Set<string>();
+  for (const [index, item] of input.entries()) {
+    const record = Array.isArray(item)
+      ? { domains: item, excluded: false, id: '' }
+      : item && typeof item === 'object'
+        ? item as Record<string, unknown>
+        : null;
+    if (!record) continue;
+
+    const domains = normalizeEquivalentDomains([record.domains ?? record.Domains])[0];
+    if (!domains) continue;
+
+    const key = domains.slice().sort().join('\n');
+    if (seenGroups.has(key)) continue;
+    seenGroups.add(key);
+
+    const rawId = String(record.id ?? record.Id ?? '').trim();
+    rules.push({
+      id: rawId || createCustomDomainId(domains, index),
+      domains,
+      excluded: Boolean(record.excluded ?? record.Excluded ?? false),
+    });
+  }
+  return rules;
+}
+
+export function customRulesToActiveEquivalentDomains(rules: CustomEquivalentDomain[]): string[][] {
+  return mergeEquivalentDomainGroups(rules
+    .filter((rule) => !rule.excluded)
+    .map((rule) => rule.domains));
+}
+
+export function normalizeExcludedGlobalTypes(input: unknown): number[] {
+  if (!Array.isArray(input)) return [];
+
+  const validTypes = new Set(globalDomains.map((entry) => entry.type));
+  const seen = new Set<number>();
+  const out: number[] = [];
+  for (const item of input) {
+    const type = Number(typeof item === 'object' && item !== null ? (item as Record<string, unknown>).type : item);
+    const excluded = typeof item === 'object' && item !== null
+      ? Boolean((item as Record<string, unknown>).excluded)
+      : true;
+    if (!excluded || !Number.isInteger(type) || !validTypes.has(type) || seen.has(type)) continue;
+    seen.add(type);
+    out.push(type);
+  }
+  return out;
+}
+
+export function buildDomainsResponse(
+  equivalentDomains: string[][],
+  customEquivalentDomains: CustomEquivalentDomain[],
+  excludedGlobalEquivalentDomains: number[],
+  options: { omitExcludedGlobals?: boolean } = {}
+): DomainRulesResponse {
+  const excluded = new Set(excludedGlobalEquivalentDomains);
+  const activeGlobalDomainGroups = globalDomains
+    .filter((entry) => !excluded.has(entry.type))
+    .map((entry) => entry.domains);
+  const mergedEquivalentDomains = expandCustomEquivalentDomainsWithGlobals(
+    equivalentDomains,
+    activeGlobalDomainGroups
+  );
+  const globals = globalDomains
+    .map((entry) => ({
+      type: entry.type,
+      domains: entry.domains,
+      excluded: excluded.has(entry.type),
+    }))
+    .filter((entry) => !options.omitExcludedGlobals || !entry.excluded);
+
+  return {
+    equivalentDomains: mergedEquivalentDomains,
+    customEquivalentDomains,
+    globalEquivalentDomains: globals,
+    object: 'domains',
+  };
+}
@@ -0,0 +1,331 @@
+import type { AccountPasskeyChallenge, AccountPasskeyChallengeScope, AccountPasskeyCredential } from '../types';
+
+type SafeBindFn = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+
+let accountPasskeySchemaReady = false;
+
+const ACCOUNT_PASSKEY_CREDENTIAL_COLUMN_DEFS = [
+  { name: 'id', sql: 'id TEXT' },
+  { name: 'user_id', sql: "user_id TEXT NOT NULL DEFAULT ''" },
+  { name: 'name', sql: "name TEXT NOT NULL DEFAULT 'Account passkey'" },
+  { name: 'public_key', sql: "public_key TEXT NOT NULL DEFAULT ''" },
+  { name: 'credential_id', sql: "credential_id TEXT NOT NULL DEFAULT ''" },
+  { name: 'counter', sql: 'counter INTEGER NOT NULL DEFAULT 0' },
+  { name: 'type', sql: 'type TEXT' },
+  { name: 'aa_guid', sql: 'aa_guid TEXT' },
+  { name: 'transports', sql: 'transports TEXT' },
+  { name: 'encrypted_user_key', sql: 'encrypted_user_key TEXT' },
+  { name: 'encrypted_public_key', sql: 'encrypted_public_key TEXT' },
+  { name: 'encrypted_private_key', sql: 'encrypted_private_key TEXT' },
+  { name: 'supports_prf', sql: 'supports_prf INTEGER NOT NULL DEFAULT 0' },
+  { name: 'created_at', sql: "created_at TEXT NOT NULL DEFAULT ''" },
+  { name: 'updated_at', sql: "updated_at TEXT NOT NULL DEFAULT ''" },
+] as const;
+
+const ACCOUNT_PASSKEY_CHALLENGE_COLUMNS = [
+  'challenge_hash',
+  'scope',
+  'user_id',
+  'expires_at',
+  'used_at',
+  'created_at',
+] as const;
+
+async function tableColumns(db: D1Database, tableName: 'webauthn_credentials' | 'webauthn_challenges'): Promise<Set<string>> {
+  const result = await db.prepare(`PRAGMA table_info(${tableName})`).all<{ name: string }>();
+  return new Set((result.results || []).map((row) => String(row.name || '').trim()).filter(Boolean));
+}
+
+async function ensureAccountPasskeySchema(db: D1Database): Promise<void> {
+  if (accountPasskeySchemaReady) return;
+
+  await db
+    .prepare(
+      'CREATE TABLE IF NOT EXISTS webauthn_credentials (' +
+        'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, name TEXT NOT NULL, public_key TEXT NOT NULL, credential_id TEXT NOT NULL, counter INTEGER NOT NULL DEFAULT 0, ' +
+        'type TEXT, aa_guid TEXT, transports TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, supports_prf INTEGER NOT NULL DEFAULT 0, ' +
+        'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
+        'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)'
+    )
+    .run();
+  let credentialColumns = await tableColumns(db, 'webauthn_credentials');
+  for (const column of ACCOUNT_PASSKEY_CREDENTIAL_COLUMN_DEFS) {
+    if (!credentialColumns.has(column.name)) {
+      await db.prepare(`ALTER TABLE webauthn_credentials ADD COLUMN ${column.sql}`).run();
+    }
+  }
+  credentialColumns = await tableColumns(db, 'webauthn_credentials');
+  if (!credentialColumns.has('credential_id')) {
+    throw new Error('webauthn_credentials schema is missing credential_id');
+  }
+  await db.prepare('CREATE UNIQUE INDEX IF NOT EXISTS idx_webauthn_credentials_id ON webauthn_credentials(id)').run();
+  await db.prepare('CREATE UNIQUE INDEX IF NOT EXISTS idx_webauthn_credentials_credential_id ON webauthn_credentials(credential_id)').run();
+  await db.prepare('CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user ON webauthn_credentials(user_id)').run();
+  await db.prepare('CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user_updated ON webauthn_credentials(user_id, updated_at)').run();
+
+  await db
+    .prepare(
+      'CREATE TABLE IF NOT EXISTS webauthn_challenges (' +
+        'challenge_hash TEXT PRIMARY KEY, scope TEXT NOT NULL, user_id TEXT, expires_at INTEGER NOT NULL, used_at INTEGER, created_at INTEGER NOT NULL)'
+    )
+    .run();
+  const challengeColumns = await tableColumns(db, 'webauthn_challenges');
+  const challengeSchemaComplete = ACCOUNT_PASSKEY_CHALLENGE_COLUMNS.every((column) => challengeColumns.has(column));
+  if (!challengeSchemaComplete) {
+    await db.prepare('DROP TABLE IF EXISTS webauthn_challenges').run();
+    await db
+      .prepare(
+        'CREATE TABLE webauthn_challenges (' +
+          'challenge_hash TEXT PRIMARY KEY, scope TEXT NOT NULL, user_id TEXT, expires_at INTEGER NOT NULL, used_at INTEGER, created_at INTEGER NOT NULL)'
+      )
+      .run();
+  }
+  await db.prepare('CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_expires ON webauthn_challenges(expires_at)').run();
+  await db.prepare('CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_user_scope ON webauthn_challenges(user_id, scope)').run();
+
+  accountPasskeySchemaReady = true;
+}
+
+function parseTransports(value: string | null): string[] | null {
+  if (!value) return null;
+  try {
+    const parsed = JSON.parse(value);
+    if (!Array.isArray(parsed)) return null;
+    return parsed.map((item) => String(item || '').trim()).filter(Boolean);
+  } catch {
+    return null;
+  }
+}
+
+function mapCredentialRow(row: {
+  id: string;
+  user_id: string;
+  name: string;
+  public_key: string;
+  credential_id: string;
+  counter: number;
+  type: string | null;
+  aa_guid: string | null;
+  transports: string | null;
+  encrypted_user_key: string | null;
+  encrypted_public_key: string | null;
+  encrypted_private_key: string | null;
+  supports_prf: number;
+  created_at: string;
+  updated_at: string;
+}): AccountPasskeyCredential {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    name: row.name,
+    publicKey: row.public_key,
+    credentialId: row.credential_id,
+    counter: Number(row.counter || 0),
+    type: row.type ?? null,
+    aaGuid: row.aa_guid ?? null,
+    transports: parseTransports(row.transports),
+    encryptedUserKey: row.encrypted_user_key ?? null,
+    encryptedPublicKey: row.encrypted_public_key ?? null,
+    encryptedPrivateKey: row.encrypted_private_key ?? null,
+    supportsPrf: !!row.supports_prf,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+function mapChallengeRow(row: {
+  challenge_hash: string;
+  scope: AccountPasskeyChallengeScope;
+  user_id: string | null;
+  expires_at: number;
+  used_at: number | null;
+  created_at: number;
+}): AccountPasskeyChallenge {
+  return {
+    challengeHash: row.challenge_hash,
+    scope: row.scope,
+    userId: row.user_id ?? null,
+    expiresAt: Number(row.expires_at || 0),
+    usedAt: row.used_at == null ? null : Number(row.used_at),
+    createdAt: Number(row.created_at || 0),
+  };
+}
+
+export async function saveAccountPasskeyCredential(
+  db: D1Database,
+  safeBind: SafeBindFn,
+  credential: AccountPasskeyCredential
+): Promise<void> {
+  await ensureAccountPasskeySchema(db);
+  await safeBind(
+    db.prepare(
+      'INSERT INTO webauthn_credentials(' +
+        'id, user_id, name, public_key, credential_id, counter, type, aa_guid, transports, ' +
+        'encrypted_user_key, encrypted_public_key, encrypted_private_key, supports_prf, created_at, updated_at' +
+        ') VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+        'ON CONFLICT(id) DO UPDATE SET ' +
+        'name=excluded.name, public_key=excluded.public_key, credential_id=excluded.credential_id, counter=excluded.counter, ' +
+        'type=excluded.type, aa_guid=excluded.aa_guid, transports=excluded.transports, encrypted_user_key=excluded.encrypted_user_key, ' +
+        'encrypted_public_key=excluded.encrypted_public_key, encrypted_private_key=excluded.encrypted_private_key, supports_prf=excluded.supports_prf, updated_at=excluded.updated_at'
+    ),
+    credential.id,
+    credential.userId,
+    credential.name,
+    credential.publicKey,
+    credential.credentialId,
+    credential.counter,
+    credential.type,
+    credential.aaGuid,
+    credential.transports ? JSON.stringify(credential.transports) : null,
+    credential.encryptedUserKey,
+    credential.encryptedPublicKey,
+    credential.encryptedPrivateKey,
+    credential.supportsPrf ? 1 : 0,
+    credential.createdAt,
+    credential.updatedAt
+  ).run();
+}
+
+export async function listAccountPasskeyCredentialsByUserId(
+  db: D1Database,
+  userId: string
+): Promise<AccountPasskeyCredential[]> {
+  await ensureAccountPasskeySchema(db);
+  const rows = await db
+    .prepare('SELECT * FROM webauthn_credentials WHERE user_id = ? ORDER BY created_at ASC')
+    .bind(userId)
+    .all<any>();
+  return (rows.results || []).map(mapCredentialRow);
+}
+
+export async function getAccountPasskeyCredentialById(
+  db: D1Database,
+  userId: string,
+  id: string
+): Promise<AccountPasskeyCredential | null> {
+  await ensureAccountPasskeySchema(db);
+  const row = await db
+    .prepare('SELECT * FROM webauthn_credentials WHERE user_id = ? AND id = ? LIMIT 1')
+    .bind(userId, id)
+    .first<any>();
+  return row ? mapCredentialRow(row) : null;
+}
+
+export async function getAccountPasskeyCredentialByCredentialId(
+  db: D1Database,
+  credentialId: string
+): Promise<AccountPasskeyCredential | null> {
+  await ensureAccountPasskeySchema(db);
+  const row = await db
+    .prepare('SELECT * FROM webauthn_credentials WHERE credential_id = ? LIMIT 1')
+    .bind(credentialId)
+    .first<any>();
+  return row ? mapCredentialRow(row) : null;
+}
+
+export async function countAccountPasskeyCredentialsByUserId(
+  db: D1Database,
+  userId: string
+): Promise<number> {
+  await ensureAccountPasskeySchema(db);
+  const row = await db
+    .prepare('SELECT COUNT(*) AS count FROM webauthn_credentials WHERE user_id = ?')
+    .bind(userId)
+    .first<{ count: number }>();
+  return Number(row?.count || 0);
+}
+
+export async function updateAccountPasskeyCounter(
+  db: D1Database,
+  userId: string,
+  credentialId: string,
+  counter: number,
+  updatedAt: string
+): Promise<void> {
+  await ensureAccountPasskeySchema(db);
+  await db
+    .prepare('UPDATE webauthn_credentials SET counter = ?, updated_at = ? WHERE user_id = ? AND credential_id = ?')
+    .bind(counter, updatedAt, userId, credentialId)
+    .run();
+}
+
+export async function updateAccountPasskeyEncryption(
+  db: D1Database,
+  userId: string,
+  credentialId: string,
+  encryptedUserKey: string,
+  encryptedPublicKey: string,
+  encryptedPrivateKey: string,
+  updatedAt: string
+): Promise<boolean> {
+  await ensureAccountPasskeySchema(db);
+  const result = await db
+    .prepare(
+      'UPDATE webauthn_credentials SET encrypted_user_key = ?, encrypted_public_key = ?, encrypted_private_key = ?, supports_prf = 1, updated_at = ? ' +
+        'WHERE user_id = ? AND credential_id = ?'
+    )
+    .bind(encryptedUserKey, encryptedPublicKey, encryptedPrivateKey, updatedAt, userId, credentialId)
+    .run();
+  return Number(result.meta.changes || 0) > 0;
+}
+
+export async function deleteAccountPasskeyCredential(
+  db: D1Database,
+  userId: string,
+  id: string
+): Promise<boolean> {
+  await ensureAccountPasskeySchema(db);
+  const result = await db
+    .prepare('DELETE FROM webauthn_credentials WHERE user_id = ? AND id = ?')
+    .bind(userId, id)
+    .run();
+  return Number(result.meta.changes || 0) > 0;
+}
+
+export async function saveAccountPasskeyChallenge(
+  db: D1Database,
+  challenge: AccountPasskeyChallenge
+): Promise<void> {
+  await ensureAccountPasskeySchema(db);
+  await db.prepare('DELETE FROM webauthn_challenges WHERE expires_at < ? OR used_at IS NOT NULL').bind(Date.now()).run();
+  await db
+    .prepare(
+      'INSERT INTO webauthn_challenges(challenge_hash, scope, user_id, expires_at, used_at, created_at) VALUES(?, ?, ?, ?, ?, ?) ' +
+        'ON CONFLICT(challenge_hash) DO UPDATE SET scope=excluded.scope, user_id=excluded.user_id, expires_at=excluded.expires_at, used_at=excluded.used_at, created_at=excluded.created_at'
+    )
+    .bind(
+      challenge.challengeHash,
+      challenge.scope,
+      challenge.userId,
+      challenge.expiresAt,
+      challenge.usedAt,
+      challenge.createdAt
+    )
+    .run();
+}
+
+export async function consumeAccountPasskeyChallenge(
+  db: D1Database,
+  challengeHash: string,
+  scope: AccountPasskeyChallengeScope,
+  userId: string | null,
+  nowMs: number
+): Promise<AccountPasskeyChallenge | null> {
+  await ensureAccountPasskeySchema(db);
+  const row = await db
+    .prepare('SELECT * FROM webauthn_challenges WHERE challenge_hash = ? AND scope = ? LIMIT 1')
+    .bind(challengeHash, scope)
+    .first<any>();
+  if (!row) return null;
+  const challenge = mapChallengeRow(row);
+  if (challenge.usedAt != null || challenge.expiresAt < nowMs) return null;
+  if (userId !== null && challenge.userId !== userId) return null;
+  if (userId === null && challenge.userId !== null) return null;
+
+  const result = await db
+    .prepare('UPDATE webauthn_challenges SET used_at = ? WHERE challenge_hash = ? AND used_at IS NULL')
+    .bind(nowMs, challengeHash)
+    .run();
+  if (Number(result.meta.changes || 0) <= 0) return null;
+  return { ...challenge, usedAt: nowMs };
+}
@@ -1,5 +1,72 @@
 import type { AuditLog, Invite } from '../types';

+export interface AuditLogListOptions {
+  limit: number;
+  offset: number;
+  category?: string | null;
+  level?: string | null;
+  q?: string | null;
+  from?: string | null;
+  to?: string | null;
+}
+
+export interface AuditLogListResult {
+  logs: AuditLog[];
+  total: number;
+  hasMore: boolean;
+}
+
+function auditLogFromRow(row: any): AuditLog {
+  return {
+    id: row.id,
+    actorUserId: row.actor_user_id ?? null,
+    actorEmail: row.actor_email ?? null,
+    action: row.action,
+    category: row.category || 'system',
+    level: row.level || 'info',
+    targetType: row.target_type ?? null,
+    targetId: row.target_id ?? null,
+    targetUserEmail: row.target_user_email ?? null,
+    metadata: row.metadata ?? null,
+    createdAt: row.created_at,
+  };
+}
+
+function buildAuditWhere(options: AuditLogListOptions): { where: string; params: unknown[] } {
+  const conditions: string[] = [];
+  const params: unknown[] = [];
+
+  if (options.from) {
+    conditions.push('l.created_at >= ?');
+    params.push(options.from);
+  }
+  if (options.to) {
+    conditions.push('l.created_at <= ?');
+    params.push(options.to);
+  }
+  if (options.category) {
+    conditions.push('l.category = ?');
+    params.push(options.category);
+  }
+  if (options.level) {
+    conditions.push('l.level = ?');
+    params.push(options.level);
+  }
+  if (options.q) {
+    const q = options.q.toLowerCase().slice(0, 48);
+    const like = `%${q}%`;
+    conditions.push(
+      '(LOWER(l.action) LIKE ? OR LOWER(COALESCE(l.actor_user_id, \'\')) LIKE ? OR LOWER(COALESCE(l.target_type, \'\')) LIKE ? OR LOWER(COALESCE(l.target_id, \'\')) LIKE ? OR LOWER(COALESCE(actor.email, \'\')) LIKE ? OR LOWER(COALESCE(target.email, \'\')) LIKE ?)'
+    );
+    params.push(like, like, like, like, like, like);
+  }
+
+  return {
+    where: conditions.length ? `WHERE ${conditions.join(' AND ')}` : '',
+    params,
+  };
+}
+
 export async function createInvite(db: D1Database, invite: Invite): Promise<void> {
  await db
    .prepare(
@@ -77,8 +144,60 @@ export async function deleteAllInvites(db: D1Database): Promise<number> {
 export async function createAuditLog(db: D1Database, log: AuditLog): Promise<void> {
  await db
    .prepare(
-      'INSERT INTO audit_logs(id, actor_user_id, action, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
+      'INSERT INTO audit_logs(id, actor_user_id, action, category, level, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?)'
    )
-    .bind(log.id, log.actorUserId, log.action, log.targetType, log.targetId, log.metadata, log.createdAt)
+    .bind(log.id, log.actorUserId, log.action, log.category, log.level, log.targetType, log.targetId, log.metadata, log.createdAt)
    .run();
 }
+
+export async function pruneAuditLogs(db: D1Database, beforeIso: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM audit_logs WHERE created_at < ?')
+    .bind(beforeIso)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function pruneAuditLogsToMax(db: D1Database, maxEntries: number): Promise<number> {
+  const limit = Math.max(1, Math.floor(maxEntries));
+  const result = await db
+    .prepare(
+      'DELETE FROM audit_logs WHERE id IN (' +
+        'SELECT id FROM audit_logs ORDER BY created_at DESC LIMIT -1 OFFSET ?' +
+      ')'
+    )
+    .bind(limit)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function clearAuditLogs(db: D1Database): Promise<number> {
+  const result = await db.prepare('DELETE FROM audit_logs').run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function listAuditLogs(db: D1Database, options: AuditLogListOptions): Promise<AuditLogListResult> {
+  const limit = Math.max(1, Math.min(200, Math.floor(options.limit || 50)));
+  const offset = Math.max(0, Math.floor(options.offset || 0));
+  const { where, params } = buildAuditWhere(options);
+
+  const rows = await db
+    .prepare(
+      'SELECT l.id, l.actor_user_id, actor.email AS actor_email, l.action, l.category, l.level, l.target_type, l.target_id, target.email AS target_user_email, l.metadata, l.created_at ' +
+        'FROM audit_logs l ' +
+        'LEFT JOIN users actor ON actor.id = l.actor_user_id ' +
+        "LEFT JOIN users target ON l.target_type = 'user' AND target.id = l.target_id " +
+        `${where} ORDER BY l.created_at DESC LIMIT ? OFFSET ?`
+    )
+    .bind(...params, limit + 1, offset)
+    .all<any>();
+  const results = rows.results || [];
+  const logs = results.slice(0, limit).map(auditLogFromRow);
+  const hasMore = results.length > limit;
+
+  return {
+    logs,
+    total: offset + logs.length + (hasMore ? 1 : 0),
+    hasMore,
+  };
+}
@@ -34,6 +34,22 @@ export async function deleteAttachment(db: D1Database, id: string): Promise<void
  await db.prepare('DELETE FROM attachments WHERE id = ?').bind(id).run();
 }

+export async function bulkDeleteAttachmentsByIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  attachmentIds: string[]
+): Promise<void> {
+  const uniqueIds = [...new Set(attachmentIds.map((id) => String(id || '').trim()).filter(Boolean))];
+  if (!uniqueIds.length) return;
+  const chunkSize = sqlChunkSize(0);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db.prepare(`DELETE FROM attachments WHERE id IN (${placeholders})`).bind(...chunk).run();
+  }
+}
+
 export async function getAttachmentsByCipher(db: D1Database, cipherId: string): Promise<Attachment[]> {
  const res = await db
    .prepare('SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE cipher_id = ?')
@@ -119,11 +135,6 @@ export async function addAttachmentToCipher(db: D1Database, cipherId: string, at
  await db.prepare('UPDATE attachments SET cipher_id = ? WHERE id = ?').bind(cipherId, attachmentId).run();
 }

-export async function removeAttachmentFromCipher(cipherId: string, attachmentId: string): Promise<void> {
-  void cipherId;
-  void attachmentId;
-}
-
 export async function deleteAllAttachmentsByCipher(db: D1Database, cipherId: string): Promise<void> {
  await db.prepare('DELETE FROM attachments WHERE cipher_id = ?').bind(cipherId).run();
 }
@@ -0,0 +1,139 @@
+import type { AuthRequestRecord, AuthRequestType } from '../types';
+
+const AUTH_REQUEST_EXPIRATION_MS = 15 * 60 * 1000;
+
+function mapAuthRequestRow(row: any): AuthRequestRecord {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    organizationId: row.organization_id ?? null,
+    type: Number(row.type) as AuthRequestType,
+    requestDeviceIdentifier: row.request_device_identifier,
+    requestDeviceType: Number(row.request_device_type ?? 14),
+    requestIpAddress: row.request_ip_address ?? null,
+    requestCountryName: row.request_country_name ?? null,
+    responseDeviceIdentifier: row.response_device_identifier ?? null,
+    accessCode: row.access_code,
+    publicKey: row.public_key,
+    key: row.key ?? null,
+    masterPasswordHash: row.master_password_hash ?? null,
+    approved: row.approved == null ? null : Number(row.approved) === 1,
+    creationDate: row.creation_date,
+    responseDate: row.response_date ?? null,
+    authenticationDate: row.authentication_date ?? null,
+  };
+}
+
+export function isAuthRequestExpired(request: AuthRequestRecord, nowMs: number = Date.now()): boolean {
+  return new Date(request.creationDate).getTime() + AUTH_REQUEST_EXPIRATION_MS <= nowMs;
+}
+
+const AUTH_REQUEST_SELECT =
+  'SELECT id, user_id, organization_id, type, request_device_identifier, request_device_type, request_ip_address, request_country_name, ' +
+  'response_device_identifier, access_code, public_key, key, master_password_hash, approved, creation_date, response_date, authentication_date ' +
+  'FROM auth_requests';
+
+export async function createAuthRequest(db: D1Database, request: AuthRequestRecord): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO auth_requests(' +
+        'id, user_id, organization_id, type, request_device_identifier, request_device_type, request_ip_address, request_country_name, ' +
+        'response_device_identifier, access_code, public_key, key, master_password_hash, approved, creation_date, response_date, authentication_date' +
+        ') VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(
+      request.id,
+      request.userId,
+      request.organizationId,
+      request.type,
+      request.requestDeviceIdentifier,
+      request.requestDeviceType,
+      request.requestIpAddress,
+      request.requestCountryName,
+      request.responseDeviceIdentifier,
+      request.accessCode,
+      request.publicKey,
+      request.key,
+      request.masterPasswordHash,
+      request.approved == null ? null : (request.approved ? 1 : 0),
+      request.creationDate,
+      request.responseDate,
+      request.authenticationDate
+    )
+    .run();
+}
+
+export async function getAuthRequestById(db: D1Database, id: string): Promise<AuthRequestRecord | null> {
+  const row = await db.prepare(`${AUTH_REQUEST_SELECT} WHERE id = ? LIMIT 1`).bind(id).first<any>();
+  return row ? mapAuthRequestRow(row) : null;
+}
+
+export async function listAuthRequestsByUserId(db: D1Database, userId: string): Promise<AuthRequestRecord[]> {
+  const res = await db.prepare(`${AUTH_REQUEST_SELECT} WHERE user_id = ? ORDER BY creation_date DESC`).bind(userId).all<any>();
+  return (res.results || []).map(mapAuthRequestRow);
+}
+
+export async function listPendingAuthRequestsByUserId(db: D1Database, userId: string, nowMs: number = Date.now()): Promise<AuthRequestRecord[]> {
+  const cutoff = new Date(nowMs - AUTH_REQUEST_EXPIRATION_MS).toISOString();
+  const res = await db
+    .prepare(
+      'SELECT ar.id, ar.user_id, ar.organization_id, ar.type, ar.request_device_identifier, ar.request_device_type, ar.request_ip_address, ar.request_country_name, ' +
+        'ar.response_device_identifier, ar.access_code, ar.public_key, ar.key, ar.master_password_hash, ar.approved, ar.creation_date, ar.response_date, ar.authentication_date ' +
+        'FROM auth_requests ar ' +
+        'JOIN (' +
+        '  SELECT request_device_identifier, MAX(creation_date) AS latest_creation_date ' +
+        '  FROM auth_requests ' +
+        '  WHERE user_id = ? AND type IN (0, 1) AND approved IS NULL AND response_date IS NULL AND authentication_date IS NULL AND creation_date >= ? ' +
+        '  GROUP BY request_device_identifier' +
+        ') latest ON latest.request_device_identifier = ar.request_device_identifier AND latest.latest_creation_date = ar.creation_date ' +
+        'WHERE ar.user_id = ? AND ar.type IN (0, 1) AND ar.approved IS NULL AND ar.response_date IS NULL AND ar.authentication_date IS NULL ' +
+        'ORDER BY ar.creation_date DESC'
+    )
+    .bind(userId, cutoff, userId)
+    .all<any>();
+  return (res.results || []).map(mapAuthRequestRow).filter((request) => !isAuthRequestExpired(request, nowMs));
+}
+
+export async function updateAuthRequestResponse(
+  db: D1Database,
+  id: string,
+  userId: string,
+  update: {
+    approved: boolean;
+    responseDeviceIdentifier: string;
+    key?: string | null;
+    masterPasswordHash?: string | null;
+    responseDate?: string;
+  }
+): Promise<boolean> {
+  const result = await db
+    .prepare(
+      'UPDATE auth_requests SET approved = ?, response_device_identifier = ?, key = ?, master_password_hash = ?, response_date = ? ' +
+        'WHERE id = ? AND user_id = ? AND approved IS NULL AND response_date IS NULL AND authentication_date IS NULL'
+    )
+    .bind(
+      update.approved ? 1 : 0,
+      update.responseDeviceIdentifier,
+      update.approved ? (update.key ?? null) : null,
+      update.approved ? (update.masterPasswordHash ?? null) : null,
+      update.responseDate || new Date().toISOString(),
+      id,
+      userId
+    )
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function markAuthRequestAuthenticated(db: D1Database, id: string, authenticationDate: string = new Date().toISOString()): Promise<boolean> {
+  const result = await db
+    .prepare('UPDATE auth_requests SET authentication_date = ? WHERE id = ? AND authentication_date IS NULL')
+    .bind(authenticationDate, id)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function pruneExpiredAuthRequests(db: D1Database, nowMs: number = Date.now()): Promise<number> {
+  const cutoff = new Date(nowMs - AUTH_REQUEST_EXPIRATION_MS).toISOString();
+  const result = await db.prepare('DELETE FROM auth_requests WHERE creation_date < ?').bind(cutoff).run();
+  return Number(result.meta.changes ?? 0);
+}
@@ -27,6 +27,47 @@ interface CipherRow {
  deleted_at: string | null;
 }

+const CIPHER_SCALAR_DATA_KEYS = new Set([
+  'id',
+  'userId',
+  'user_id',
+  'type',
+  'folderId',
+  'folder_id',
+  'name',
+  'notes',
+  'favorite',
+  'reprompt',
+  'key',
+  'attachments',
+  'Attachments',
+  'attachments2',
+  'Attachments2',
+  'createdAt',
+  'created_at',
+  'creationDate',
+  'updatedAt',
+  'updated_at',
+  'revisionDate',
+  'archivedAt',
+  'archived_at',
+  'archivedDate',
+  'deletedAt',
+  'deleted_at',
+  'deletedDate',
+]);
+
+function buildCipherData(cipher: Cipher, folderId: string | null): string {
+  const payload: Record<string, unknown> = {
+    ...cipher,
+    folderId,
+  };
+  for (const key of CIPHER_SCALAR_DATA_KEYS) {
+    delete payload[key];
+  }
+  return JSON.stringify(payload);
+}
+
 function parseCipherRow(row: CipherRow | null | undefined): Cipher | null {
  if (!row?.data) return null;
  try {
@@ -68,10 +109,7 @@ export async function getCipher(db: D1Database, id: string): Promise<Cipher | nu

 export async function saveCipher(db: D1Database, safeBind: SafeBind, cipher: Cipher): Promise<void> {
  const folderId = normalizeOptionalId(cipher.folderId);
-  const data = JSON.stringify({
-    ...cipher,
-    folderId,
-  });
+  const data = buildCipherData(cipher, folderId);
  const stmt = db.prepare(
    'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at) ' +
    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
@@ -117,8 +155,7 @@ export async function bulkSoftDeleteCiphers(
  if (!uniqueIds.length) return null;

  const now = new Date().toISOString();
-  const patch = JSON.stringify({ deletedAt: now, updatedAt: now });
-  const chunkSize = sqlChunkSize(4);
+  const chunkSize = sqlChunkSize(3);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
@@ -126,10 +163,11 @@ export async function bulkSoftDeleteCiphers(
    await db
      .prepare(
        `UPDATE ciphers
-         SET deleted_at = ?, updated_at = ?, data = json_patch(data, ?)
+         SET deleted_at = ?, updated_at = ?,
+             data = json_remove(data, '$.deletedAt', '$.deletedDate', '$.updatedAt', '$.revisionDate')
         WHERE user_id = ? AND id IN (${placeholders})`
      )
-      .bind(now, now, patch, userId, ...chunk)
+      .bind(now, now, userId, ...chunk)
      .run();
  }

@@ -148,8 +186,7 @@ export async function bulkRestoreCiphers(
  if (!uniqueIds.length) return null;

  const now = new Date().toISOString();
-  const patch = JSON.stringify({ deletedAt: null, updatedAt: now });
-  const chunkSize = sqlChunkSize(3);
+  const chunkSize = sqlChunkSize(2);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
@@ -157,10 +194,11 @@ export async function bulkRestoreCiphers(
    await db
      .prepare(
        `UPDATE ciphers
-         SET deleted_at = NULL, updated_at = ?, data = json_patch(data, ?)
+         SET deleted_at = NULL, updated_at = ?,
+             data = json_remove(data, '$.deletedAt', '$.deletedDate', '$.updatedAt', '$.revisionDate')
         WHERE user_id = ? AND id IN (${placeholders})`
      )
-      .bind(now, patch, userId, ...chunk)
+      .bind(now, userId, ...chunk)
      .run();
  }

@@ -262,8 +300,7 @@ export async function bulkMoveCiphers(
  const now = new Date().toISOString();
  const normalizedFolderId = normalizeOptionalId(folderId);
  const uniqueIds = sanitizeIds(ids);
-  const patch = JSON.stringify({ folderId: normalizedFolderId, updatedAt: now });
-  const chunkSize = sqlChunkSize(4);
+  const chunkSize = sqlChunkSize(3);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
@@ -271,10 +308,11 @@ export async function bulkMoveCiphers(
    await db
      .prepare(
        `UPDATE ciphers
-         SET folder_id = ?, updated_at = ?, data = json_patch(data, ?)
+         SET folder_id = ?, updated_at = ?,
+             data = json_remove(data, '$.folderId', '$.folder_id', '$.updatedAt', '$.revisionDate')
         WHERE user_id = ? AND id IN (${placeholders})`
      )
-      .bind(normalizedFolderId, now, patch, userId, ...chunk)
+      .bind(normalizedFolderId, now, userId, ...chunk)
      .run();
  }

@@ -293,8 +331,7 @@ export async function bulkArchiveCiphers(
  if (!uniqueIds.length) return null;

  const now = new Date().toISOString();
-  const patch = JSON.stringify({ archivedAt: now, archivedDate: now, updatedAt: now });
-  const chunkSize = sqlChunkSize(4);
+  const chunkSize = sqlChunkSize(3);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
@@ -302,10 +339,11 @@ export async function bulkArchiveCiphers(
    await db
      .prepare(
        `UPDATE ciphers
-         SET archived_at = ?, updated_at = ?, data = json_patch(data, ?)
+         SET archived_at = ?, updated_at = ?,
+             data = json_remove(data, '$.archivedAt', '$.archivedDate', '$.updatedAt', '$.revisionDate')
         WHERE user_id = ? AND id IN (${placeholders}) AND deleted_at IS NULL`
      )
-      .bind(now, now, patch, userId, ...chunk)
+      .bind(now, now, userId, ...chunk)
      .run();
  }

@@ -324,8 +362,7 @@ export async function bulkUnarchiveCiphers(
  if (!uniqueIds.length) return null;

  const now = new Date().toISOString();
-  const patch = JSON.stringify({ archivedAt: null, archivedDate: null, updatedAt: now });
-  const chunkSize = sqlChunkSize(3);
+  const chunkSize = sqlChunkSize(2);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
@@ -333,10 +370,11 @@ export async function bulkUnarchiveCiphers(
    await db
      .prepare(
        `UPDATE ciphers
-         SET archived_at = NULL, updated_at = ?, data = json_patch(data, ?)
+         SET archived_at = NULL, updated_at = ?,
+             data = json_remove(data, '$.archivedAt', '$.archivedDate', '$.updatedAt', '$.revisionDate')
         WHERE user_id = ? AND id IN (${placeholders})`
      )
-      .bind(now, patch, userId, ...chunk)
+      .bind(now, userId, ...chunk)
      .run();
  }

@@ -8,11 +8,13 @@ function mapDeviceRow(row: any): Device {
    userId: row.user_id,
    deviceIdentifier: row.device_identifier,
    name: row.name,
+    deviceNote: row.device_note ?? null,
    type: row.type,
    sessionStamp: row.session_stamp || '',
    encryptedUserKey: row.encrypted_user_key ?? null,
    encryptedPublicKey: row.encrypted_public_key ?? null,
    encryptedPrivateKey: row.encrypted_private_key ?? null,
+    lastSeenAt: row.last_seen_at ?? null,
    createdAt: row.created_at,
    updatedAt: row.updated_at,
  };
@@ -33,31 +35,62 @@ export async function upsertDevice(
  }
 ): Promise<void> {
  const now = new Date().toISOString();
-  const effectiveSessionStamp = String(sessionStamp || '').trim() || (await getDeviceById(userId, deviceIdentifier))?.sessionStamp || '';
+  const existingDevice = await getDeviceById(userId, deviceIdentifier);
+  const effectiveSessionStamp = String(sessionStamp || '').trim() || existingDevice?.sessionStamp || '';
+  const effectiveName = String(name || '').trim() || String(existingDevice?.name || '').trim();
  await db
    .prepare(
-      'INSERT INTO devices(user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at) VALUES(?, ?, ?, ?, ?, ?, ?, ?, 0, NULL, ?, ?) ' +
+      'INSERT INTO devices(user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, device_note, last_seen_at, created_at, updated_at) VALUES(?, ?, ?, ?, ?, ?, ?, ?, 0, NULL, ?, ?, ?, ?) ' +
        'ON CONFLICT(user_id, device_identifier) DO UPDATE SET name=excluded.name, type=excluded.type, session_stamp=excluded.session_stamp, ' +
        'encrypted_user_key=COALESCE(excluded.encrypted_user_key, encrypted_user_key), ' +
        'encrypted_public_key=COALESCE(excluded.encrypted_public_key, encrypted_public_key), ' +
        'encrypted_private_key=COALESCE(excluded.encrypted_private_key, encrypted_private_key), ' +
+        'last_seen_at=excluded.last_seen_at, ' +
        'updated_at=excluded.updated_at'
    )
    .bind(
      userId,
      deviceIdentifier,
-      name,
+      effectiveName,
      type,
      effectiveSessionStamp,
      keys?.encryptedUserKey ?? null,
      keys?.encryptedPublicKey ?? null,
      keys?.encryptedPrivateKey ?? null,
+      existingDevice?.deviceNote ?? null,
+      now,
      now,
      now
    )
    .run();
 }

+export async function updateDeviceName(
+  db: D1Database,
+  userId: string,
+  deviceIdentifier: string,
+  name: string
+): Promise<boolean> {
+  const result = await db
+    .prepare('UPDATE devices SET device_note = ? WHERE user_id = ? AND device_identifier = ?')
+    .bind(String(name || '').trim(), userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function touchDeviceLastSeen(
+  db: D1Database,
+  userId: string,
+  deviceIdentifier: string
+): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare('UPDATE devices SET last_seen_at = ? WHERE user_id = ? AND device_identifier = ?')
+    .bind(now, userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
 export async function updateDeviceKeys(
  db: D1Database,
  userId: string,
@@ -133,8 +166,8 @@ export async function isKnownDeviceByEmail(
 export async function getDevicesByUserId(db: D1Database, userId: string): Promise<Device[]> {
  const res = await db
    .prepare(
-      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at ' +
-        'FROM devices WHERE user_id = ? ORDER BY updated_at DESC'
+      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, device_note, last_seen_at, created_at, updated_at ' +
+        'FROM devices WHERE user_id = ? ORDER BY COALESCE(last_seen_at, created_at) DESC, updated_at DESC'
    )
    .bind(userId)
    .all<any>();
@@ -144,7 +177,7 @@ export async function getDevicesByUserId(db: D1Database, userId: string): Promis
 export async function getDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<Device | null> {
  const row = await db
    .prepare(
-      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at ' +
+      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, device_note, last_seen_at, created_at, updated_at ' +
        'FROM devices WHERE user_id = ? AND device_identifier = ? LIMIT 1'
    )
    .bind(userId, deviceIdentifier)
@@ -200,6 +233,21 @@ export async function deleteTrustedTwoFactorTokensByUserId(db: D1Database, userI
  return Number(result.meta.changes ?? 0);
 }

+export async function updateTrustedTwoFactorTokensExpiryByDevice(
+  db: D1Database,
+  userId: string,
+  deviceIdentifier: string,
+  expiresAtMs: number
+): Promise<number> {
+  const now = Date.now();
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(now).run();
+  const result = await db
+    .prepare('UPDATE trusted_two_factor_device_tokens SET expires_at = ? WHERE user_id = ? AND device_identifier = ? AND expires_at >= ?')
+    .bind(expiresAtMs, userId, deviceIdentifier, now)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
 export async function saveTrustedTwoFactorDeviceToken(
  db: D1Database,
  trustedTokenKey: TrustedTokenKeyFn,
@@ -0,0 +1,73 @@
+import type { UserDomainSettings } from '../types';
+import { normalizeCustomEquivalentDomains, normalizeEquivalentDomains } from './domain-rules';
+
+// Storage adapter for the domain_settings table.
+//
+// CONTRACT:
+// equivalent_domains is kept as the active derived groups for compatibility and
+// fallback reads. custom_equivalent_domains is the full rule list that preserves
+// UI/client state. Save both together through saveUserDomainSettings().
+function parseJsonArray<T>(raw: string | null | undefined, fallback: T[]): T[] {
+  if (!raw) return fallback;
+  try {
+    const parsed = JSON.parse(raw) as unknown;
+    return Array.isArray(parsed) ? parsed as T[] : fallback;
+  } catch {
+    return fallback;
+  }
+}
+
+export async function getUserDomainSettings(db: D1Database, userId: string): Promise<UserDomainSettings> {
+  const row = await db
+    .prepare('SELECT equivalent_domains, custom_equivalent_domains, excluded_global_equivalent_domains, updated_at FROM domain_settings WHERE user_id = ?')
+    .bind(userId)
+    .first<{
+      equivalent_domains: string | null;
+      custom_equivalent_domains: string | null;
+      excluded_global_equivalent_domains: string | null;
+      updated_at: string | null;
+    }>();
+  const equivalentDomains = normalizeEquivalentDomains(parseJsonArray<string[]>(row?.equivalent_domains, []));
+  const storedCustomEquivalentDomains = row?.custom_equivalent_domains
+    ? normalizeCustomEquivalentDomains(parseJsonArray<unknown>(row.custom_equivalent_domains, []))
+    : [];
+  const customEquivalentDomains = storedCustomEquivalentDomains.length
+    ? storedCustomEquivalentDomains
+    : normalizeCustomEquivalentDomains(equivalentDomains);
+
+  return {
+    userId,
+    equivalentDomains,
+    customEquivalentDomains,
+    excludedGlobalEquivalentDomains: parseJsonArray<number>(row?.excluded_global_equivalent_domains, []),
+    updatedAt: row?.updated_at || null,
+  };
+}
+
+export async function saveUserDomainSettings(
+  db: D1Database,
+  userId: string,
+  equivalentDomains: string[][],
+  customEquivalentDomains: UserDomainSettings['customEquivalentDomains'],
+  excludedGlobalEquivalentDomains: number[],
+  updatedAt: string
+): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO domain_settings(user_id, equivalent_domains, custom_equivalent_domains, excluded_global_equivalent_domains, updated_at) ' +
+      'VALUES(?, ?, ?, ?, ?) ' +
+      'ON CONFLICT(user_id) DO UPDATE SET ' +
+      'equivalent_domains = excluded.equivalent_domains, ' +
+      'custom_equivalent_domains = excluded.custom_equivalent_domains, ' +
+      'excluded_global_equivalent_domains = excluded.excluded_global_equivalent_domains, ' +
+      'updated_at = excluded.updated_at'
+    )
+    .bind(
+      userId,
+      JSON.stringify(equivalentDomains),
+      JSON.stringify(customEquivalentDomains),
+      JSON.stringify(excludedGlobalEquivalentDomains),
+      updatedAt
+    )
+    .run();
+}
@@ -1,4 +1,4 @@
-import type { Cipher, Folder } from '../types';
+import type { Folder } from '../types';

 function mapFolderRow(row: any): Folder {
  return {
@@ -36,26 +36,18 @@ export async function deleteFolder(db: D1Database, id: string, userId: string):
 export async function clearFolderFromCiphers(
  db: D1Database,
  userId: string,
-  folderId: string,
-  saveCipher: (cipher: Cipher) => Promise<void>
+  folderId: string
 ): Promise<void> {
  const now = new Date().toISOString();
-  const res = await db
-    .prepare('SELECT data FROM ciphers WHERE user_id = ? AND folder_id = ?')
-    .bind(userId, folderId)
-    .all<{ data: string }>();
-
-  for (const row of (res.results || [])) {
-    let cipher: Cipher;
-    try {
-      cipher = JSON.parse(row.data) as Cipher;
-    } catch {
-      continue;
-    }
-    cipher.folderId = null;
-    cipher.updatedAt = now;
-    await saveCipher(cipher);
-  }
+  await db
+    .prepare(
+      `UPDATE ciphers
+       SET folder_id = NULL, updated_at = ?,
+           data = json_remove(data, '$.folderId', '$.folder_id', '$.updatedAt', '$.revisionDate')
+       WHERE user_id = ? AND folder_id = ?`
+    )
+    .bind(now, userId, folderId)
+    .run();
 }

 export async function bulkDeleteFolders(
@@ -63,34 +55,26 @@ export async function bulkDeleteFolders(
  userId: string,
  ids: string[],
  sqlChunkSize: (fixedBindCount: number) => number,
-  saveCipher: (cipher: Cipher) => Promise<void>,
  updateRevisionDate: (userId: string) => Promise<string>
 ): Promise<string | null> {
  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
  if (!uniqueIds.length) return null;

-  const chunkSize = sqlChunkSize(1);
  const now = new Date().toISOString();
+  const chunkSize = sqlChunkSize(2);

  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
    const chunk = uniqueIds.slice(i, i + chunkSize);
    const placeholders = chunk.map(() => '?').join(',');
-    const res = await db
-      .prepare(`SELECT data FROM ciphers WHERE user_id = ? AND folder_id IN (${placeholders})`)
-      .bind(userId, ...chunk)
-      .all<{ data: string }>();
-
-    for (const row of res.results || []) {
-      let cipher: Cipher;
-      try {
-        cipher = JSON.parse(row.data) as Cipher;
-      } catch {
-        continue;
-      }
-      cipher.folderId = null;
-      cipher.updatedAt = now;
-      await saveCipher(cipher);
-    }
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET folder_id = NULL, updated_at = ?,
+             data = json_remove(data, '$.folderId', '$.folder_id', '$.updatedAt', '$.revisionDate')
+         WHERE user_id = ? AND folder_id IN (${placeholders})`
+      )
+      .bind(now, userId, ...chunk)
+      .run();

    await db
      .prepare(`DELETE FROM folders WHERE user_id = ? AND id IN (${placeholders})`)
@@ -28,13 +28,6 @@ export async function getRefreshTokenRecord(
  db: D1Database,
  refreshTokenKey: RefreshTokenKeyFn,
  maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
-  saveRefreshTokenRecord: (
-    token: string,
-    userId: string,
-    expiresAtMs?: number,
-    deviceIdentifier?: string | null,
-    deviceSessionStamp?: string | null
-  ) => Promise<void>,
  deleteRefreshTokenRecord: (token: string) => Promise<void>,
  token: string
 ): Promise<RefreshTokenRecord | null> {
@@ -42,39 +35,11 @@ export async function getRefreshTokenRecord(
  await maybeCleanupExpiredRefreshTokens(now);
  const tokenKey = await refreshTokenKey(token);

-  let row = await db
+  const row = await db
    .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
    .bind(tokenKey)
    .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();

-  if (!row) {
-    const legacyRow = await db
-      .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
-      .bind(token)
-      .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
-
-    if (legacyRow) {
-      if (legacyRow.expires_at && legacyRow.expires_at < now) {
-        await deleteRefreshTokenRecord(token);
-        return null;
-      }
-      await saveRefreshTokenRecord(
-        token,
-        legacyRow.user_id,
-        legacyRow.expires_at,
-        legacyRow.device_identifier ?? null,
-        legacyRow.device_session_stamp ?? null
-      );
-      await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
-      return {
-        userId: legacyRow.user_id,
-        expiresAt: legacyRow.expires_at,
-        deviceIdentifier: legacyRow.device_identifier ?? null,
-        deviceSessionStamp: legacyRow.device_session_stamp ?? null,
-      };
-    }
-  }
-
  if (!row) return null;
  if (row.expires_at && row.expires_at < now) {
    await deleteRefreshTokenRecord(token);
@@ -1,18 +1,32 @@
 // IMPORTANT:
-// Keep this schema list in sync with migrations/0001_init.sql.
-// Any new table/column/index must be added to both places together.
+// This is the runtime D1 schema bootstrap. Keep it in sync with
+// migrations/0001_init.sql. Any new table/column/index must be added to both
+// places together.
+//
+// WHEN CHANGING THIS:
+// - Bump STORAGE_SCHEMA_VERSION in src/services/storage.ts so existing installs
+//   rerun these idempotent statements.
+// - If the new table stores persistent data, update the backup export/import
+//   contract in src/services/backup-archive.ts and backup-import.ts.
+// - Keep statements idempotent; D1 may execute them again on later requests.
 const SCHEMA_STATEMENTS: readonly string[] = [
  'CREATE TABLE IF NOT EXISTS users (' +
  'id TEXT PRIMARY KEY, email TEXT NOT NULL UNIQUE, name TEXT, master_password_hint TEXT, master_password_hash TEXT NOT NULL, ' +
  'key TEXT NOT NULL, private_key TEXT, public_key TEXT, kdf_type INTEGER NOT NULL, ' +
  'kdf_iterations INTEGER NOT NULL, kdf_memory INTEGER, kdf_parallelism INTEGER, ' +
-  'security_stamp TEXT NOT NULL, role TEXT NOT NULL DEFAULT \'user\', status TEXT NOT NULL DEFAULT \'active\', verify_devices INTEGER NOT NULL DEFAULT 1, totp_secret TEXT, totp_recovery_code TEXT, created_at TEXT NOT NULL, updated_at TEXT NOT NULL)',
+  'security_stamp TEXT NOT NULL, role TEXT NOT NULL DEFAULT \'user\', status TEXT NOT NULL DEFAULT \'active\', verify_devices INTEGER NOT NULL DEFAULT 1, totp_secret TEXT, totp_recovery_code TEXT, api_key TEXT, created_at TEXT NOT NULL, updated_at TEXT NOT NULL)',
  'ALTER TABLE users ADD COLUMN master_password_hint TEXT',
  'ALTER TABLE users ADD COLUMN role TEXT NOT NULL DEFAULT \'user\'',
  'ALTER TABLE users ADD COLUMN status TEXT NOT NULL DEFAULT \'active\'',
  'ALTER TABLE users ADD COLUMN verify_devices INTEGER NOT NULL DEFAULT 1',
  'ALTER TABLE users ADD COLUMN totp_secret TEXT',
  'ALTER TABLE users ADD COLUMN totp_recovery_code TEXT',
+  'ALTER TABLE users ADD COLUMN api_key TEXT',
+
+  'CREATE TABLE IF NOT EXISTS domain_settings (' +
+  'user_id TEXT PRIMARY KEY, equivalent_domains TEXT NOT NULL DEFAULT \'[]\', custom_equivalent_domains TEXT NOT NULL DEFAULT \'[]\', excluded_global_equivalent_domains TEXT NOT NULL DEFAULT \'[]\', updated_at TEXT NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'ALTER TABLE domain_settings ADD COLUMN custom_equivalent_domains TEXT NOT NULL DEFAULT \'[]\'',

  'CREATE TABLE IF NOT EXISTS user_revisions (' +
  'user_id TEXT PRIMARY KEY, revision_date TEXT NOT NULL, ' +
@@ -27,6 +41,8 @@ const SCHEMA_STATEMENTS: readonly string[] = [
  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_updated ON ciphers(user_id, updated_at)',
  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_archived ON ciphers(user_id, archived_at)',
  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted ON ciphers(user_id, deleted_at)',
+  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted_updated ON ciphers(user_id, deleted_at, updated_at)',
+  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_folder ON ciphers(user_id, folder_id)',

  'CREATE TABLE IF NOT EXISTS folders (' +
  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, name TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
@@ -47,6 +63,7 @@ const SCHEMA_STATEMENTS: readonly string[] = [
  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
  'CREATE INDEX IF NOT EXISTS idx_sends_user_updated ON sends(user_id, updated_at)',
  'CREATE INDEX IF NOT EXISTS idx_sends_user_deletion ON sends(user_id, deletion_date)',
+  'CREATE INDEX IF NOT EXISTS idx_sends_user_updated_id ON sends(user_id, updated_at, id)',
  'ALTER TABLE sends ADD COLUMN auth_type INTEGER NOT NULL DEFAULT 2',
  'ALTER TABLE sends ADD COLUMN emails TEXT',

@@ -65,13 +82,19 @@ const SCHEMA_STATEMENTS: readonly string[] = [
  'CREATE INDEX IF NOT EXISTS idx_invites_created_by ON invites(created_by, created_at)',

  'CREATE TABLE IF NOT EXISTS audit_logs (' +
-  'id TEXT PRIMARY KEY, actor_user_id TEXT, action TEXT NOT NULL, target_type TEXT, target_id TEXT, metadata TEXT, created_at TEXT NOT NULL, ' +
+  'id TEXT PRIMARY KEY, actor_user_id TEXT, action TEXT NOT NULL, category TEXT NOT NULL DEFAULT \'system\', level TEXT NOT NULL DEFAULT \'info\', target_type TEXT, target_id TEXT, metadata TEXT, created_at TEXT NOT NULL, ' +
  'FOREIGN KEY (actor_user_id) REFERENCES users(id) ON DELETE SET NULL)',
+  'ALTER TABLE audit_logs ADD COLUMN category TEXT NOT NULL DEFAULT \'system\'',
+  'ALTER TABLE audit_logs ADD COLUMN level TEXT NOT NULL DEFAULT \'info\'',
+  'UPDATE audit_logs SET category = json_extract(metadata, \'$.category\') WHERE json_valid(metadata) AND json_extract(metadata, \'$.category\') IN (\'auth\', \'security\', \'device\', \'data\', \'system\')',
+  'UPDATE audit_logs SET level = json_extract(metadata, \'$.level\') WHERE json_valid(metadata) AND json_extract(metadata, \'$.level\') IN (\'info\', \'warn\', \'error\', \'security\')',
  'CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at)',
  'CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at)',
+  'CREATE INDEX IF NOT EXISTS idx_audit_logs_category_created ON audit_logs(category, created_at)',
+  'CREATE INDEX IF NOT EXISTS idx_audit_logs_level_created ON audit_logs(level, created_at)',

  'CREATE TABLE IF NOT EXISTS devices (' +
-  'user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, name TEXT NOT NULL, type INTEGER NOT NULL, session_stamp TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, banned INTEGER NOT NULL DEFAULT 0, banned_at TEXT, ' +
+  'user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, name TEXT NOT NULL, type INTEGER NOT NULL, session_stamp TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, banned INTEGER NOT NULL DEFAULT 0, banned_at TEXT, device_note TEXT, last_seen_at TEXT, ' +
  'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
  'PRIMARY KEY (user_id, device_identifier), ' +
  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
@@ -82,16 +105,37 @@ const SCHEMA_STATEMENTS: readonly string[] = [
  'ALTER TABLE devices ADD COLUMN encrypted_private_key TEXT',
  'ALTER TABLE devices ADD COLUMN banned INTEGER NOT NULL DEFAULT 0',
  'ALTER TABLE devices ADD COLUMN banned_at TEXT',
+  'ALTER TABLE devices ADD COLUMN device_note TEXT',
+  'ALTER TABLE devices ADD COLUMN last_seen_at TEXT',
+  'CREATE INDEX IF NOT EXISTS idx_devices_user_last_seen ON devices(user_id, last_seen_at)',
+
+  'CREATE TABLE IF NOT EXISTS auth_requests (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, organization_id TEXT, type INTEGER NOT NULL, request_device_identifier TEXT NOT NULL, request_device_type INTEGER NOT NULL, ' +
+  'request_ip_address TEXT, request_country_name TEXT, response_device_identifier TEXT, access_code TEXT NOT NULL, public_key TEXT NOT NULL, key TEXT, master_password_hash TEXT, ' +
+  'approved INTEGER, creation_date TEXT NOT NULL, response_date TEXT, authentication_date TEXT, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_user_created ON auth_requests(user_id, creation_date)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_user_pending ON auth_requests(user_id, approved, response_date, authentication_date, creation_date)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_device_pending ON auth_requests(user_id, request_device_identifier, creation_date)',

  'CREATE TABLE IF NOT EXISTS trusted_two_factor_device_tokens (' +
  'token TEXT PRIMARY KEY, user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, expires_at INTEGER NOT NULL, ' +
  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
  'CREATE INDEX IF NOT EXISTS idx_trusted_two_factor_device_tokens_user_device ON trusted_two_factor_device_tokens(user_id, device_identifier)',

-  'CREATE TABLE IF NOT EXISTS api_rate_limits (' +
-  'identifier TEXT NOT NULL, window_start INTEGER NOT NULL, count INTEGER NOT NULL, ' +
-  'PRIMARY KEY (identifier, window_start))',
-  'CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start)',
+  'CREATE TABLE IF NOT EXISTS webauthn_credentials (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, name TEXT NOT NULL, public_key TEXT NOT NULL, credential_id TEXT NOT NULL, counter INTEGER NOT NULL DEFAULT 0, ' +
+  'type TEXT, aa_guid TEXT, transports TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, supports_prf INTEGER NOT NULL DEFAULT 0, ' +
+  'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE UNIQUE INDEX IF NOT EXISTS idx_webauthn_credentials_credential_id ON webauthn_credentials(credential_id)',
+  'CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user ON webauthn_credentials(user_id)',
+  'CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user_updated ON webauthn_credentials(user_id, updated_at)',
+
+  'CREATE TABLE IF NOT EXISTS webauthn_challenges (' +
+  'challenge_hash TEXT PRIMARY KEY, scope TEXT NOT NULL, user_id TEXT, expires_at INTEGER NOT NULL, used_at INTEGER, created_at INTEGER NOT NULL)',
+  'CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_expires ON webauthn_challenges(expires_at)',
+  'CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_user_scope ON webauthn_challenges(user_id, scope)',

  'CREATE TABLE IF NOT EXISTS login_attempts_ip (' +
  'ip TEXT PRIMARY KEY, attempts INTEGER NOT NULL, locked_until INTEGER, updated_at INTEGER NOT NULL)',
@@ -4,7 +4,7 @@ type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedState
 const USER_SELECT_COLUMNS =
  'id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, ' +
  'kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, ' +
-  'totp_secret, totp_recovery_code, created_at, updated_at';
+  'totp_secret, totp_recovery_code, api_key, created_at, updated_at';

 function mapUserRow(row: any): User {
  return {
@@ -26,6 +26,7 @@ function mapUserRow(row: any): User {
    verifyDevices: row.verify_devices == null ? true : !!row.verify_devices,
    totpSecret: row.totp_secret ?? null,
    totpRecoveryCode: row.totp_recovery_code ?? null,
+    apiKey: row.api_key ?? null,
    createdAt: row.created_at,
    updatedAt: row.updated_at,
  };
@@ -64,11 +65,11 @@ export async function getAllUsers(db: D1Database): Promise<User[]> {
 export async function saveUser(db: D1Database, safeBind: SafeBind, user: User): Promise<void> {
  const email = user.email.toLowerCase();
  const stmt = db.prepare(
-    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at) ' +
-    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, api_key, created_at, updated_at) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
    'ON CONFLICT(id) DO UPDATE SET ' +
    'email=excluded.email, name=excluded.name, master_password_hint=excluded.master_password_hint, master_password_hash=excluded.master_password_hash, key=excluded.key, private_key=excluded.private_key, public_key=excluded.public_key, ' +
-    'kdf_type=excluded.kdf_type, kdf_iterations=excluded.kdf_iterations, kdf_memory=excluded.kdf_memory, kdf_parallelism=excluded.kdf_parallelism, security_stamp=excluded.security_stamp, role=excluded.role, status=excluded.status, verify_devices=excluded.verify_devices, totp_secret=excluded.totp_secret, totp_recovery_code=excluded.totp_recovery_code, updated_at=excluded.updated_at'
+    'kdf_type=excluded.kdf_type, kdf_iterations=excluded.kdf_iterations, kdf_memory=excluded.kdf_memory, kdf_parallelism=excluded.kdf_parallelism, security_stamp=excluded.security_stamp, role=excluded.role, status=excluded.status, verify_devices=excluded.verify_devices, totp_secret=excluded.totp_secret, totp_recovery_code=excluded.totp_recovery_code, api_key=excluded.api_key, updated_at=excluded.updated_at'
  );
  await safeBind(
    stmt,
@@ -90,6 +91,7 @@ export async function saveUser(db: D1Database, safeBind: SafeBind, user: User):
    user.verifyDevices ? 1 : 0,
    user.totpSecret,
    user.totpRecoveryCode,
+    user.apiKey,
    user.createdAt,
    user.updatedAt
  ).run();
@@ -102,8 +104,8 @@ export async function createUser(db: D1Database, safeBind: SafeBind, user: User)
 export async function createFirstUser(db: D1Database, safeBind: SafeBind, user: User): Promise<boolean> {
  const email = user.email.toLowerCase();
  const stmt = db.prepare(
-    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at) ' +
-    'SELECT ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ' +
+    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, api_key, created_at, updated_at) ' +
+    'SELECT ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ' +
    'WHERE NOT EXISTS (SELECT 1 FROM users LIMIT 1)'
  );
  const result = await safeBind(
@@ -126,6 +128,7 @@ export async function createFirstUser(db: D1Database, safeBind: SafeBind, user:
    user.verifyDevices ? 1 : 0,
    user.totpSecret,
    user.totpRecoveryCode,
+    user.apiKey,
    user.createdAt,
    user.updatedAt
  ).run();
@@ -1,4 +1,4 @@
-import { User, Cipher, Folder, Attachment, Device, Invite, AuditLog, Send, TrustedDeviceTokenSummary, RefreshTokenRecord } from '../types';
+import { User, Cipher, Folder, Attachment, Device, Invite, AuditLog, Send, TrustedDeviceTokenSummary, RefreshTokenRecord, CustomEquivalentDomain, AccountPasskeyChallenge, AccountPasskeyChallengeScope, AccountPasskeyCredential, AuthRequestRecord } from '../types';
 import { LIMITS } from '../config/limits';
 import { ensureStorageSchema } from './storage-schema';
 import {
@@ -18,12 +18,17 @@ import {
  saveUser as saveStoredUser,
 } from './storage-user-repo';
 import {
+  type AuditLogListOptions,
  createAuditLog as createStoredAuditLog,
+  clearAuditLogs as clearStoredAuditLogs,
  createInvite as createStoredInvite,
  deleteAllInvites as deleteStoredInvites,
  getInvite as findStoredInvite,
+  listAuditLogs as listStoredAuditLogs,
  listInvites as listStoredInvites,
  markInviteUsed as markStoredInviteUsed,
+  pruneAuditLogs as pruneStoredAuditLogs,
+  pruneAuditLogsToMax as pruneStoredAuditLogsToMax,
  revokeInvite as revokeStoredInvite,
 } from './storage-admin-repo';
 import {
@@ -51,13 +56,13 @@ import {
 } from './storage-cipher-repo';
 import {
  addAttachmentToCipher as attachStoredAttachmentToCipher,
+  bulkDeleteAttachmentsByIds as deleteStoredAttachmentsByIds,
  deleteAllAttachmentsByCipher as deleteStoredAttachmentsByCipher,
  deleteAttachment as deleteStoredAttachment,
  getAttachment as findStoredAttachment,
  getAttachmentsByCipher as listStoredAttachmentsByCipher,
  getAttachmentsByCipherIds as listStoredAttachmentsByCipherIds,
  getAttachmentsByUserId as listStoredAttachmentsByUserId,
-  removeAttachmentFromCipher as detachStoredAttachmentFromCipher,
  saveAttachment as saveStoredAttachment,
  updateCipherRevisionDate as updateStoredCipherRevisionDate,
 } from './storage-attachment-repo';
@@ -92,9 +97,21 @@ import {
  isKnownDevice as getKnownStoredDevice,
  isKnownDeviceByEmail as getKnownStoredDeviceByEmail,
  saveTrustedTwoFactorDeviceToken as saveStoredTrustedDeviceToken,
+  touchDeviceLastSeen as touchStoredDeviceLastSeen,
  upsertDevice as saveStoredDevice,
+  updateDeviceName as updateStoredDeviceName,
  updateDeviceKeys as updateStoredDeviceKeys,
+  updateTrustedTwoFactorTokensExpiryByDevice as updateStoredTrustedTokensExpiryByDevice,
 } from './storage-device-repo';
+import {
+  createAuthRequest as createStoredAuthRequest,
+  getAuthRequestById as findStoredAuthRequestById,
+  listAuthRequestsByUserId as listStoredAuthRequestsByUserId,
+  listPendingAuthRequestsByUserId as listStoredPendingAuthRequestsByUserId,
+  markAuthRequestAuthenticated as markStoredAuthRequestAuthenticated,
+  pruneExpiredAuthRequests as pruneStoredExpiredAuthRequests,
+  updateAuthRequestResponse as updateStoredAuthRequestResponse,
+} from './storage-auth-request-repo';
 import {
  ensureUsedAttachmentDownloadTokenTable as ensureStoredAttachmentTokenTable,
  consumeAttachmentDownloadToken as consumeStoredAttachmentDownloadToken,
@@ -103,10 +120,31 @@ import {
  getRevisionDate as getStoredRevisionDate,
  updateRevisionDate as updateStoredRevisionDate,
 } from './storage-revision-repo';
+import {
+  getUserDomainSettings as getStoredUserDomainSettings,
+  saveUserDomainSettings as saveStoredUserDomainSettings,
+} from './storage-domain-rules-repo';
+import {
+  consumeAccountPasskeyChallenge as consumeStoredAccountPasskeyChallenge,
+  countAccountPasskeyCredentialsByUserId as countStoredAccountPasskeyCredentialsByUserId,
+  deleteAccountPasskeyCredential as deleteStoredAccountPasskeyCredential,
+  getAccountPasskeyCredentialByCredentialId as findStoredAccountPasskeyCredentialByCredentialId,
+  getAccountPasskeyCredentialById as findStoredAccountPasskeyCredentialById,
+  listAccountPasskeyCredentialsByUserId as listStoredAccountPasskeyCredentialsByUserId,
+  saveAccountPasskeyChallenge as saveStoredAccountPasskeyChallenge,
+  saveAccountPasskeyCredential as saveStoredAccountPasskeyCredential,
+  updateAccountPasskeyCounter as updateStoredAccountPasskeyCounter,
+  updateAccountPasskeyEncryption as updateStoredAccountPasskeyEncryption,
+} from './storage-account-passkey-repo';

 const TWO_FACTOR_REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 const STORAGE_SCHEMA_VERSION_KEY = 'schema.version';
-const STORAGE_SCHEMA_VERSION = '2026-03-23.1';
+// IMPORTANT:
+// Bump this whenever src/services/storage-schema.ts or migrations/0001_init.sql
+// changes. Existing D1 installs only rerun ensureStorageSchema() when this value
+// differs from config.schema.version.
+const STORAGE_SCHEMA_VERSION = '2026-06-12-auth-requests';
+const REQUIRED_SCHEMA_TABLES = ['webauthn_credentials', 'webauthn_challenges', 'auth_requests'] as const;

 // D1-backed storage.
 // Contract:
@@ -137,6 +175,16 @@ export class StorageService {
    return stmt.bind(...values.map(v => v === undefined ? null : v));
  }

+  private async hasRequiredSchemaTables(): Promise<boolean> {
+    const placeholders = REQUIRED_SCHEMA_TABLES.map(() => '?').join(', ');
+    const result = await this.db
+      .prepare(`SELECT name FROM sqlite_master WHERE type = 'table' AND name IN (${placeholders})`)
+      .bind(...REQUIRED_SCHEMA_TABLES)
+      .all<{ name: string }>();
+    const found = new Set((result.results || []).map((row) => row.name));
+    return REQUIRED_SCHEMA_TABLES.every((table) => found.has(table));
+  }
+
  private sqlChunkSize(fixedBindCount: number): number {
    return Math.max(
      1,
@@ -180,7 +228,10 @@ export class StorageService {

    await this.db.prepare('CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT NOT NULL)').run();
    const schemaVersion = await getStoredConfigValue(this.db, STORAGE_SCHEMA_VERSION_KEY);
-    if (schemaVersion !== STORAGE_SCHEMA_VERSION) {
+    const schemaMissingRequiredTables = schemaVersion === STORAGE_SCHEMA_VERSION
+      ? !(await this.hasRequiredSchemaTables())
+      : true;
+    if (schemaVersion !== STORAGE_SCHEMA_VERSION || schemaMissingRequiredTables) {
      await ensureStorageSchema(this.db);
      await saveConfigValue(this.db, STORAGE_SCHEMA_VERSION_KEY, STORAGE_SCHEMA_VERSION);
    }
@@ -268,6 +319,112 @@ export class StorageService {
    await createStoredAuditLog(this.db, log);
  }

+  async listAuditLogs(options: AuditLogListOptions): Promise<{ logs: AuditLog[]; total: number; hasMore: boolean }> {
+    return listStoredAuditLogs(this.db, options);
+  }
+
+  async pruneAuditLogs(beforeIso: string): Promise<number> {
+    return pruneStoredAuditLogs(this.db, beforeIso);
+  }
+
+  async pruneAuditLogsToMax(maxEntries: number): Promise<number> {
+    return pruneStoredAuditLogsToMax(this.db, maxEntries);
+  }
+
+  async clearAuditLogs(): Promise<number> {
+    return clearStoredAuditLogs(this.db);
+  }
+
+  // --- Domain rules ---
+
+  async getUserDomainSettings(userId: string) {
+    return getStoredUserDomainSettings(this.db, userId);
+  }
+
+  async saveUserDomainSettings(
+    userId: string,
+    equivalentDomains: string[][],
+    customEquivalentDomains: CustomEquivalentDomain[],
+    excludedGlobalEquivalentDomains: number[]
+  ): Promise<void> {
+    await saveStoredUserDomainSettings(
+      this.db,
+      userId,
+      equivalentDomains,
+      customEquivalentDomains,
+      excludedGlobalEquivalentDomains,
+      new Date().toISOString()
+    );
+    await this.updateRevisionDate(userId);
+  }
+
+  // --- Account passkeys / WebAuthn login credentials ---
+
+  async saveAccountPasskeyCredential(credential: AccountPasskeyCredential): Promise<void> {
+    await saveStoredAccountPasskeyCredential(this.db, this.safeBind.bind(this), credential);
+  }
+
+  async getAccountPasskeyCredentialsByUserId(userId: string): Promise<AccountPasskeyCredential[]> {
+    return listStoredAccountPasskeyCredentialsByUserId(this.db, userId);
+  }
+
+  async getAccountPasskeyCredentialById(userId: string, id: string): Promise<AccountPasskeyCredential | null> {
+    return findStoredAccountPasskeyCredentialById(this.db, userId, id);
+  }
+
+  async getAccountPasskeyCredentialByCredentialId(credentialId: string): Promise<AccountPasskeyCredential | null> {
+    return findStoredAccountPasskeyCredentialByCredentialId(this.db, credentialId);
+  }
+
+  async countAccountPasskeyCredentialsByUserId(userId: string): Promise<number> {
+    return countStoredAccountPasskeyCredentialsByUserId(this.db, userId);
+  }
+
+  async updateAccountPasskeyCounter(
+    userId: string,
+    credentialId: string,
+    counter: number,
+    updatedAt: string = new Date().toISOString()
+  ): Promise<void> {
+    await updateStoredAccountPasskeyCounter(this.db, userId, credentialId, counter, updatedAt);
+  }
+
+  async updateAccountPasskeyEncryption(
+    userId: string,
+    credentialId: string,
+    encryptedUserKey: string,
+    encryptedPublicKey: string,
+    encryptedPrivateKey: string,
+    updatedAt: string = new Date().toISOString()
+  ): Promise<boolean> {
+    return updateStoredAccountPasskeyEncryption(
+      this.db,
+      userId,
+      credentialId,
+      encryptedUserKey,
+      encryptedPublicKey,
+      encryptedPrivateKey,
+      updatedAt
+    );
+  }
+
+  async deleteAccountPasskeyCredential(userId: string, id: string): Promise<boolean> {
+    return deleteStoredAccountPasskeyCredential(this.db, userId, id);
+  }
+
+  async saveAccountPasskeyChallenge(challenge: AccountPasskeyChallenge): Promise<void> {
+    await saveStoredAccountPasskeyChallenge(this.db, challenge);
+  }
+
+  async consumeAccountPasskeyChallenge(
+    challengeHash: string,
+    scope: AccountPasskeyChallengeScope,
+    userId: string | null,
+    nowMs: number = Date.now()
+  ): Promise<AccountPasskeyChallenge | null> {
+    return consumeStoredAccountPasskeyChallenge(this.db, challengeHash, scope, userId, nowMs);
+  }
+
  // --- Ciphers ---

  async getCipher(id: string): Promise<Cipher | null> {
@@ -338,7 +495,6 @@ export class StorageService {
      userId,
      ids,
      this.sqlChunkSize.bind(this),
-      this.saveCipher.bind(this),
      this.updateRevisionDate.bind(this)
    );
  }
@@ -346,7 +502,7 @@ export class StorageService {
  // Clear folder references from all ciphers owned by the user.
  // Without this, deleting a folder leaves stale folderId values in cipher JSON.
  async clearFolderFromCiphers(userId: string, folderId: string): Promise<void> {
-    await clearStoredFolderFromCiphers(this.db, userId, folderId, this.saveCipher.bind(this));
+    await clearStoredFolderFromCiphers(this.db, userId, folderId);
  }

  async getAllFolders(userId: string): Promise<Folder[]> {
@@ -371,6 +527,10 @@ export class StorageService {
    await deleteStoredAttachment(this.db, id);
  }

+  async bulkDeleteAttachmentsByIds(ids: string[]): Promise<void> {
+    await deleteStoredAttachmentsByIds(this.db, this.sqlChunkSize.bind(this), ids);
+  }
+
  async getAttachmentsByCipher(cipherId: string): Promise<Attachment[]> {
    return listStoredAttachmentsByCipher(this.db, cipherId);
  }
@@ -387,10 +547,6 @@ export class StorageService {
    await attachStoredAttachmentToCipher(this.db, cipherId, attachmentId);
  }

-  async removeAttachmentFromCipher(cipherId: string, attachmentId: string): Promise<void> {
-    await detachStoredAttachmentFromCipher(cipherId, attachmentId);
-  }
-
  async deleteAllAttachmentsByCipher(cipherId: string): Promise<void> {
    await deleteStoredAttachmentsByCipher(this.db, cipherId);
  }
@@ -431,7 +587,6 @@ export class StorageService {
      this.db,
      this.refreshTokenKey.bind(this),
      this.maybeCleanupExpiredRefreshTokens.bind(this),
-      this.saveRefreshToken.bind(this),
      this.deleteRefreshToken.bind(this),
      token
    );
@@ -550,6 +705,14 @@ export class StorageService {
    return updateStoredDeviceKeys(this.db, userId, deviceIdentifier, keys);
  }

+  async updateDeviceName(userId: string, deviceIdentifier: string, name: string): Promise<boolean> {
+    return updateStoredDeviceName(this.db, userId, deviceIdentifier, name);
+  }
+
+  async touchDeviceLastSeen(userId: string, deviceIdentifier: string): Promise<boolean> {
+    return touchStoredDeviceLastSeen(this.db, userId, deviceIdentifier);
+  }
+
  async clearDeviceKeys(userId: string, deviceIdentifiers: string[]): Promise<number> {
    return clearStoredDeviceKeys(this.db, userId, deviceIdentifiers);
  }
@@ -562,6 +725,45 @@ export class StorageService {
    return deleteStoredDevicesByUserId(this.db, userId);
  }

+  // --- Auth requests / Login with device ---
+
+  async createAuthRequest(request: AuthRequestRecord): Promise<void> {
+    await createStoredAuthRequest(this.db, request);
+  }
+
+  async getAuthRequestById(id: string): Promise<AuthRequestRecord | null> {
+    return findStoredAuthRequestById(this.db, id);
+  }
+
+  async listAuthRequestsByUserId(userId: string): Promise<AuthRequestRecord[]> {
+    return listStoredAuthRequestsByUserId(this.db, userId);
+  }
+
+  async listPendingAuthRequestsByUserId(userId: string): Promise<AuthRequestRecord[]> {
+    return listStoredPendingAuthRequestsByUserId(this.db, userId);
+  }
+
+  async updateAuthRequestResponse(
+    id: string,
+    userId: string,
+    update: {
+      approved: boolean;
+      responseDeviceIdentifier: string;
+      key?: string | null;
+      masterPasswordHash?: string | null;
+    }
+  ): Promise<boolean> {
+    return updateStoredAuthRequestResponse(this.db, id, userId, update);
+  }
+
+  async markAuthRequestAuthenticated(id: string): Promise<boolean> {
+    return markStoredAuthRequestAuthenticated(this.db, id);
+  }
+
+  async pruneExpiredAuthRequests(): Promise<number> {
+    return pruneStoredExpiredAuthRequests(this.db);
+  }
+
  async getTrustedDeviceTokenSummariesByUserId(userId: string): Promise<TrustedDeviceTokenSummary[]> {
    return listStoredTrustedTokenSummaries(this.db, userId);
  }
@@ -574,6 +776,10 @@ export class StorageService {
    return deleteStoredTrustedTokensByUserId(this.db, userId);
  }

+  async updateTrustedTwoFactorTokensExpiryByDevice(userId: string, deviceIdentifier: string, expiresAtMs: number): Promise<number> {
+    return updateStoredTrustedTokensExpiryByDevice(this.db, userId, deviceIdentifier, expiresAtMs);
+  }
+
  // --- Trusted 2FA remember tokens (device-bound) ---

  async saveTrustedTwoFactorDeviceToken(
@@ -0,0 +1,93 @@
+[
+  {"type":2,"domains":["ameritrade.com","tdameritrade.com"],"excluded":false},
+  {"type":3,"domains":["bankofamerica.com","bofa.com","mbna.com","usecfo.com"],"excluded":false},
+  {"type":4,"domains":["sprint.com","sprintpcs.com","nextel.com"],"excluded":false},
+  {"type":0,"domains":["youtube.com","google.com","gmail.com"],"excluded":false},
+  {"type":1,"domains":["apple.com","icloud.com"],"excluded":false},
+  {"type":5,"domains":["wellsfargo.com","wf.com","wellsfargoadvisors.com"],"excluded":false},
+  {"type":6,"domains":["mymerrill.com","ml.com","merrilledge.com"],"excluded":false},
+  {"type":7,"domains":["accountonline.com","citi.com","citibank.com","citicards.com","citibankonline.com"],"excluded":false},
+  {"type":8,"domains":["cnet.com","cnettv.com","com.com","download.com","news.com","search.com","upload.com"],"excluded":false},
+  {"type":9,"domains":["bananarepublic.com","gap.com","oldnavy.com","piperlime.com"],"excluded":false},
+  {"type":10,"domains":["bing.com","hotmail.com","live.com","microsoft.com","msn.com","passport.net","windows.com","microsoftonline.com","office.com","office365.com","microsoftstore.com","xbox.com","azure.com","windowsazure.com","cloud.microsoft"],"excluded":false},
+  {"type":11,"domains":["ua2go.com","ual.com","united.com","unitedwifi.com"],"excluded":false},
+  {"type":12,"domains":["overture.com","yahoo.com"],"excluded":false},
+  {"type":13,"domains":["zonealarm.com","zonelabs.com"],"excluded":false},
+  {"type":14,"domains":["paypal.com","paypal-search.com"],"excluded":false},
+  {"type":15,"domains":["avon.com","youravon.com"],"excluded":false},
+  {"type":16,"domains":["diapers.com","soap.com","wag.com","yoyo.com","beautybar.com","casa.com","afterschool.com","vine.com","bookworm.com","look.com","vinemarket.com"],"excluded":false},
+  {"type":17,"domains":["1800contacts.com","800contacts.com"],"excluded":false},
+  {"type":18,"domains":["amazon.com","amazon.com.be","amazon.ae","amazon.ca","amazon.co.uk","amazon.com.au","amazon.com.br","amazon.com.mx","amazon.com.tr","amazon.de","amazon.es","amazon.fr","amazon.in","amazon.it","amazon.nl","amazon.pl","amazon.sa","amazon.se","amazon.sg"],"excluded":false},
+  {"type":19,"domains":["cox.com","cox.net","coxbusiness.com"],"excluded":false},
+  {"type":20,"domains":["mynortonaccount.com","norton.com"],"excluded":false},
+  {"type":21,"domains":["verizon.com","verizon.net"],"excluded":false},
+  {"type":22,"domains":["rakuten.com","buy.com"],"excluded":false},
+  {"type":23,"domains":["siriusxm.com","sirius.com"],"excluded":false},
+  {"type":24,"domains":["ea.com","origin.com","play4free.com","tiberiumalliance.com"],"excluded":false},
+  {"type":25,"domains":["37signals.com","basecamp.com","basecamphq.com","highrisehq.com"],"excluded":false},
+  {"type":26,"domains":["steampowered.com","steamcommunity.com","steamgames.com"],"excluded":false},
+  {"type":27,"domains":["chart.io","chartio.com"],"excluded":false},
+  {"type":28,"domains":["gotomeeting.com","citrixonline.com"],"excluded":false},
+  {"type":29,"domains":["gogoair.com","gogoinflight.com"],"excluded":false},
+  {"type":30,"domains":["mysql.com","oracle.com"],"excluded":false},
+  {"type":31,"domains":["discover.com","discovercard.com"],"excluded":false},
+  {"type":32,"domains":["dcu.org","dcu-online.org"],"excluded":false},
+  {"type":33,"domains":["healthcare.gov","cuidadodesalud.gov","cms.gov"],"excluded":false},
+  {"type":34,"domains":["pepco.com","pepcoholdings.com"],"excluded":false},
+  {"type":35,"domains":["century21.com","21online.com"],"excluded":false},
+  {"type":36,"domains":["comcast.com","comcast.net","xfinity.com"],"excluded":false},
+  {"type":37,"domains":["cricketwireless.com","aiowireless.com"],"excluded":false},
+  {"type":38,"domains":["mandtbank.com","mtb.com"],"excluded":false},
+  {"type":39,"domains":["dropbox.com","getdropbox.com"],"excluded":false},
+  {"type":40,"domains":["snapfish.com","snapfish.ca"],"excluded":false},
+  {"type":41,"domains":["alibaba.com","aliexpress.com","aliyun.com","net.cn"],"excluded":false},
+  {"type":42,"domains":["playstation.com","sonyentertainmentnetwork.com"],"excluded":false},
+  {"type":43,"domains":["mercadolivre.com","mercadolivre.com.br","mercadolibre.com","mercadolibre.com.ar","mercadolibre.com.mx"],"excluded":false},
+  {"type":44,"domains":["zendesk.com","zopim.com"],"excluded":false},
+  {"type":45,"domains":["autodesk.com","tinkercad.com"],"excluded":false},
+  {"type":46,"domains":["railnation.ru","railnation.de","rail-nation.com","railnation.gr","railnation.us","trucknation.de","traviangames.com"],"excluded":false},
+  {"type":47,"domains":["wpcu.coop","wpcuonline.com"],"excluded":false},
+  {"type":48,"domains":["mathletics.com","mathletics.com.au","mathletics.co.uk"],"excluded":false},
+  {"type":49,"domains":["discountbank.co.il","telebank.co.il"],"excluded":false},
+  {"type":50,"domains":["mi.com","xiaomi.com"],"excluded":false},
+  {"type":52,"domains":["postepay.it","poste.it"],"excluded":false},
+  {"type":51,"domains":["facebook.com","messenger.com"],"excluded":false},
+  {"type":53,"domains":["skysports.com","skybet.com","skyvegas.com"],"excluded":false},
+  {"type":54,"domains":["disneymoviesanywhere.com","go.com","disney.com","dadt.com","disneyplus.com"],"excluded":false},
+  {"type":55,"domains":["pokemon-gl.com","pokemon.com"],"excluded":false},
+  {"type":56,"domains":["myuv.com","uvvu.com"],"excluded":false},
+  {"type":58,"domains":["mdsol.com","imedidata.com"],"excluded":false},
+  {"type":57,"domains":["bank-yahav.co.il","bankhapoalim.co.il"],"excluded":false},
+  {"type":59,"domains":["sears.com","shld.net"],"excluded":false},
+  {"type":60,"domains":["xiami.com","alipay.com"],"excluded":false},
+  {"type":61,"domains":["belkin.com","seedonk.com"],"excluded":false},
+  {"type":62,"domains":["turbotax.com","intuit.com"],"excluded":false},
+  {"type":63,"domains":["shopify.com","myshopify.com"],"excluded":false},
+  {"type":64,"domains":["ebay.com","ebay.at","ebay.be","ebay.ca","ebay.ch","ebay.cn","ebay.co.jp","ebay.co.th","ebay.co.uk","ebay.com.au","ebay.com.hk","ebay.com.my","ebay.com.sg","ebay.com.tw","ebay.de","ebay.es","ebay.fr","ebay.ie","ebay.in","ebay.it","ebay.nl","ebay.ph","ebay.pl"],"excluded":false},
+  {"type":65,"domains":["techdata.com","techdata.ch"],"excluded":false},
+  {"type":66,"domains":["schwab.com","schwabplan.com"],"excluded":false},
+  {"type":68,"domains":["tesla.com","teslamotors.com"],"excluded":false},
+  {"type":69,"domains":["morganstanley.com","morganstanleyclientserv.com","stockplanconnect.com","ms.com"],"excluded":false},
+  {"type":70,"domains":["taxact.com","taxactonline.com"],"excluded":false},
+  {"type":71,"domains":["mediawiki.org","wikibooks.org","wikidata.org","wikimedia.org","wikinews.org","wikipedia.org","wikiquote.org","wikisource.org","wikiversity.org","wikivoyage.org","wiktionary.org"],"excluded":false},
+  {"type":72,"domains":["airbnb.at","airbnb.be","airbnb.ca","airbnb.ch","airbnb.cl","airbnb.co.cr","airbnb.co.id","airbnb.co.in","airbnb.co.kr","airbnb.co.nz","airbnb.co.uk","airbnb.co.ve","airbnb.com","airbnb.com.ar","airbnb.com.au","airbnb.com.bo","airbnb.com.br","airbnb.com.bz","airbnb.com.co","airbnb.com.ec","airbnb.com.gt","airbnb.com.hk","airbnb.com.hn","airbnb.com.mt","airbnb.com.my","airbnb.com.ni","airbnb.com.pa","airbnb.com.pe","airbnb.com.py","airbnb.com.sg","airbnb.com.sv","airbnb.com.tr","airbnb.com.tw","airbnb.cz","airbnb.de","airbnb.dk","airbnb.es","airbnb.fi","airbnb.fr","airbnb.gr","airbnb.gy","airbnb.hu","airbnb.ie","airbnb.is","airbnb.it","airbnb.jp","airbnb.mx","airbnb.nl","airbnb.no","airbnb.pl","airbnb.pt","airbnb.ru","airbnb.se"],"excluded":false},
+  {"type":73,"domains":["eventbrite.at","eventbrite.be","eventbrite.ca","eventbrite.ch","eventbrite.cl","eventbrite.co","eventbrite.co.nz","eventbrite.co.uk","eventbrite.com","eventbrite.com.ar","eventbrite.com.au","eventbrite.com.br","eventbrite.com.mx","eventbrite.com.pe","eventbrite.de","eventbrite.dk","eventbrite.es","eventbrite.fi","eventbrite.fr","eventbrite.hk","eventbrite.ie","eventbrite.it","eventbrite.nl","eventbrite.pt","eventbrite.se","eventbrite.sg"],"excluded":false},
+  {"type":74,"domains":["stackexchange.com","superuser.com","stackoverflow.com","serverfault.com","mathoverflow.net","askubuntu.com","stackapps.com"],"excluded":false},
+  {"type":75,"domains":["docusign.com","docusign.net"],"excluded":false},
+  {"type":76,"domains":["envato.com","themeforest.net","codecanyon.net","videohive.net","audiojungle.net","graphicriver.net","photodune.net","3docean.net"],"excluded":false},
+  {"type":77,"domains":["x10hosting.com","x10premium.com"],"excluded":false},
+  {"type":78,"domains":["dnsomatic.com","opendns.com","umbrella.com"],"excluded":false},
+  {"type":79,"domains":["cagreatamerica.com","canadaswonderland.com","carowinds.com","cedarfair.com","cedarpoint.com","dorneypark.com","kingsdominion.com","knotts.com","miadventure.com","schlitterbahn.com","valleyfair.com","visitkingsisland.com","worldsoffun.com"],"excluded":false},
+  {"type":80,"domains":["ubnt.com","ui.com"],"excluded":false},
+  {"type":81,"domains":["discordapp.com","discord.com"],"excluded":false},
+  {"type":82,"domains":["netcup.de","netcup.eu","customercontrolpanel.de"],"excluded":false},
+  {"type":83,"domains":["yandex.com","ya.ru","yandex.az","yandex.by","yandex.co.il","yandex.com.am","yandex.com.ge","yandex.com.tr","yandex.ee","yandex.fi","yandex.fr","yandex.kg","yandex.kz","yandex.lt","yandex.lv","yandex.md","yandex.pl","yandex.ru","yandex.tj","yandex.tm","yandex.ua","yandex.uz"],"excluded":false},
+  {"type":84,"domains":["sonyentertainmentnetwork.com","sony.com"],"excluded":false},
+  {"type":85,"domains":["proton.me","protonmail.com","protonvpn.com"],"excluded":false},
+  {"type":86,"domains":["ubisoft.com","ubi.com"],"excluded":false},
+  {"type":87,"domains":["transferwise.com","wise.com"],"excluded":false},
+  {"type":88,"domains":["takeaway.com","just-eat.dk","just-eat.no","just-eat.fr","just-eat.ch","lieferando.de","lieferando.at","thuisbezorgd.nl","pyszne.pl"],"excluded":false},
+  {"type":89,"domains":["atlassian.com","bitbucket.org","trello.com","statuspage.io","atlassian.net","jira.com"],"excluded":false},
+  {"type":90,"domains":["pinterest.com","pinterest.com.au","pinterest.cl","pinterest.de","pinterest.dk","pinterest.es","pinterest.fr","pinterest.co.uk","pinterest.jp","pinterest.co.kr","pinterest.nz","pinterest.pt","pinterest.se"],"excluded":false},
+  {"type":91,"domains":["twitter.com","x.com"],"excluded":false}
+]
@@ -0,0 +1,15 @@
+{
+  "source": "https://github.com/bitwarden/server",
+  "ref": "main",
+  "generatedAt": "2026-05-05T00:00:00.000Z",
+  "rulesCount": 91,
+  "domainsCount": 436,
+  "sourceFiles": [
+    "src/Core/Enums/GlobalEquivalentDomainsType.cs",
+    "src/Core/Utilities/StaticStore.cs"
+  ],
+  "sourceUrls": [
+    "https://raw.githubusercontent.com/bitwarden/server/main/src/Core/Enums/GlobalEquivalentDomainsType.cs",
+    "https://raw.githubusercontent.com/bitwarden/server/main/src/Core/Utilities/StaticStore.cs"
+  ]
+}
@@ -0,0 +1,3 @@
+[
+  {"type":-10001,"domains":["nodewarden.example","nw.example"],"excluded":false,"source":"nodewarden"}
+]
@@ -2,6 +2,7 @@
 export interface Env {
  DB: D1Database;
  NOTIFICATIONS_HUB: DurableObjectNamespace;
+  BACKUP_TRANSFER_RUNNER: DurableObjectNamespace;
  ASSETS?: {
    fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
  };
@@ -10,7 +11,9 @@ export interface Env {
  // Optional fallback for attachment/send file storage (no credit card required).
  ATTACHMENTS_KV?: KVNamespace;
  JWT_SECRET: string;
-  TOTP_SECRET?: string;
+  WEBAUTHN_RP_ID?: string;
+  WEBAUTHN_RP_NAME?: string;
+  WEBAUTHN_ALLOWED_ORIGINS?: string;
 }

 export type UserRole = 'admin' | 'user';
@@ -50,10 +53,39 @@ export interface User {
  verifyDevices?: boolean;
  totpSecret: string | null;
  totpRecoveryCode: string | null;
+  apiKey: string | null;
  createdAt: string;
  updatedAt: string;
 }

+export interface UserDomainSettings {
+  userId: string;
+  equivalentDomains: string[][];
+  customEquivalentDomains: CustomEquivalentDomain[];
+  excludedGlobalEquivalentDomains: number[];
+  updatedAt: string | null;
+}
+
+export interface CustomEquivalentDomain {
+  id: string;
+  domains: string[];
+  excluded: boolean;
+}
+
+export interface GlobalEquivalentDomain {
+  type: number;
+  domains: string[];
+  excluded: boolean;
+  [key: string]: unknown;
+}
+
+export interface DomainRulesResponse {
+  equivalentDomains: string[][];
+  customEquivalentDomains: CustomEquivalentDomain[];
+  globalEquivalentDomains: GlobalEquivalentDomain[];
+  object: 'domains';
+}
+
 export interface Invite {
  code: string;
  createdBy: string;
@@ -67,9 +99,13 @@ export interface Invite {
 export interface AuditLog {
  id: string;
  actorUserId: string | null;
+  actorEmail?: string | null;
  action: string;
+  category: 'auth' | 'security' | 'device' | 'data' | 'system';
+  level: 'info' | 'warn' | 'error' | 'security';
  targetType: string | null;
  targetId: string | null;
+  targetUserEmail?: string | null;
  metadata: string | null;
  createdAt: string;
 }
@@ -189,29 +225,88 @@ export interface Device {
  userId: string;
  deviceIdentifier: string;
  name: string;
+  deviceNote: string | null;
  type: number;
  sessionStamp: string;
  encryptedUserKey: string | null;
  encryptedPublicKey: string | null;
  encryptedPrivateKey: string | null;
  devicePendingAuthRequest?: DevicePendingAuthRequest | null;
+  lastSeenAt: string | null;
  createdAt: string;
  updatedAt: string;
 }

+export type AccountPasskeyPrfStatus = 0 | 1 | 2;
+
+export interface AccountPasskeyCredential {
+  id: string;
+  userId: string;
+  name: string;
+  publicKey: string;
+  credentialId: string;
+  counter: number;
+  type: string | null;
+  aaGuid: string | null;
+  transports: string[] | null;
+  encryptedUserKey: string | null;
+  encryptedPublicKey: string | null;
+  encryptedPrivateKey: string | null;
+  supportsPrf: boolean;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export type AccountPasskeyChallengeScope = 'Authentication' | 'CreateCredential' | 'UpdateKeySet';
+
+export interface AccountPasskeyChallenge {
+  challengeHash: string;
+  scope: AccountPasskeyChallengeScope;
+  userId: string | null;
+  expiresAt: number;
+  usedAt: number | null;
+  createdAt: number;
+}
+
 export interface DevicePendingAuthRequest {
  id: string;
  creationDate: string;
 }

+export type AuthRequestType = 0 | 1 | 2;
+
+export interface AuthRequestRecord {
+  id: string;
+  userId: string;
+  organizationId: string | null;
+  type: AuthRequestType;
+  requestDeviceIdentifier: string;
+  requestDeviceType: number;
+  requestIpAddress: string | null;
+  requestCountryName: string | null;
+  responseDeviceIdentifier: string | null;
+  accessCode: string;
+  publicKey: string;
+  key: string | null;
+  masterPasswordHash: string | null;
+  approved: boolean | null;
+  creationDate: string;
+  responseDate: string | null;
+  authenticationDate: string | null;
+}
+
 export interface DeviceResponse {
  id: string;
  userId?: string | null;
  name: string;
+  systemName?: string | null;
+  deviceNote?: string | null;
  identifier: string;
  type: number;
  creationDate: string;
  revisionDate: string;
+  lastSeenAt?: string | null;
+  hasStoredDevice?: boolean;
  isTrusted: boolean;
  encryptedUserKey: string | null;
  encryptedPublicKey: string | null;
@@ -333,6 +428,14 @@ export interface MasterPasswordUnlock {
  Object: string;
 }

+export interface WebAuthnPrfDecryptionOption {
+  EncryptedPrivateKey: string;
+  EncryptedUserKey: string;
+  CredentialId: string;
+  Transports: string[];
+  Object?: string;
+}
+
 export interface UserDecryptionOptions {
  HasMasterPassword: boolean;
  Object: string;
@@ -340,6 +443,7 @@ export interface UserDecryptionOptions {
  MasterPasswordUnlock: MasterPasswordUnlock;
  TrustedDeviceOption: null;
  KeyConnectorOption: null;
+  WebAuthnPrfOption?: WebAuthnPrfDecryptionOption | null;
 }

 // API Response types
@@ -347,7 +451,8 @@ export interface TokenResponse {
  access_token: string;
  expires_in: number;
  token_type: string;
-  refresh_token: string;
+  refresh_token?: string;
+  web_session?: boolean;
  TwoFactorToken?: string;
  Key: string;
  PrivateKey: string | null;
@@ -367,6 +472,10 @@ export interface TokenResponse {
  accountKeys?: any | null;
  UserDecryptionOptions: UserDecryptionOptions;
  userDecryptionOptions?: UserDecryptionOptions;
+  VaultKeys?: {
+    symEncKey: string;
+    symMacKey: string;
+  };
 }

 export interface ProfileResponse {
@@ -438,6 +547,7 @@ export interface FolderResponse {
  id: string;
  name: string;
  revisionDate: string;
+  creationDate: string;
  object: string;
 }

@@ -453,7 +563,8 @@ export interface SyncResponse {
    MasterPasswordUnlock: MasterPasswordUnlock | null;
    TrustedDeviceOption?: null;
    KeyConnectorOption?: null;
-    WebAuthnPrfOption?: null;
+    WebAuthnPrfOption?: WebAuthnPrfDecryptionOption | null;
+    WebAuthnPrfOptions?: WebAuthnPrfDecryptionOption[];
    Object?: string;
  } | null;
  // PascalCase for desktop/browser clients
@@ -0,0 +1,269 @@
+import type {
+  AuthenticationResponseJSON,
+  AuthenticatorTransportFuture,
+  RegistrationResponseJSON,
+  WebAuthnCredential,
+} from '@simplewebauthn/server';
+import type {
+  AccountPasskeyChallengeScope,
+  AccountPasskeyCredential,
+  AccountPasskeyPrfStatus,
+  Env,
+  WebAuthnPrfDecryptionOption,
+} from '../types';
+import { base64UrlToBytes, bytesToBase64Url } from './passkey';
+
+const ACCOUNT_PASSKEY_TOKEN_TYPE = 'nodewarden.account-passkey.challenge.v1';
+const ACCOUNT_PASSKEY_TOKEN_TTL_MS = 17 * 60 * 1000;
+const ACCOUNT_PASSKEY_CREATE_TOKEN_TTL_MS = 7 * 60 * 1000;
+const DEFAULT_RP_NAME = 'NodeWarden';
+
+interface AccountPasskeyTokenPayload {
+  typ: typeof ACCOUNT_PASSKEY_TOKEN_TYPE;
+  scope: AccountPasskeyChallengeScope;
+  challenge: string;
+  userId: string | null;
+  rpId: string;
+  iat: number;
+  exp: number;
+}
+
+function textBytes(value: string): Uint8Array {
+  return new TextEncoder().encode(value);
+}
+
+async function importHmacKey(secret: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey('raw', textBytes(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
+}
+
+async function hmacSha256(secret: string, data: string): Promise<Uint8Array> {
+  const key = await importHmacKey(secret);
+  return new Uint8Array(await crypto.subtle.sign('HMAC', key, textBytes(data)));
+}
+
+function encodeJson(value: unknown): string {
+  return bytesToBase64Url(textBytes(JSON.stringify(value)));
+}
+
+function decodeJson<T>(value: string): T | null {
+  try {
+    return JSON.parse(new TextDecoder().decode(base64UrlToBytes(value))) as T;
+  } catch {
+    return null;
+  }
+}
+
+export async function sha256Base64Url(value: string): Promise<string> {
+  const digest = await crypto.subtle.digest('SHA-256', textBytes(value));
+  return bytesToBase64Url(new Uint8Array(digest));
+}
+
+export function accountPasskeyTokenTtlMs(scope: AccountPasskeyChallengeScope): number {
+  return scope === 'CreateCredential' ? ACCOUNT_PASSKEY_CREATE_TOKEN_TTL_MS : ACCOUNT_PASSKEY_TOKEN_TTL_MS;
+}
+
+export async function createAccountPasskeyToken(
+  env: Env,
+  input: {
+    scope: AccountPasskeyChallengeScope;
+    challenge: string;
+    userId?: string | null;
+    rpId: string;
+    ttlMs?: number;
+  }
+): Promise<string> {
+  const now = Date.now();
+  const payload: AccountPasskeyTokenPayload = {
+    typ: ACCOUNT_PASSKEY_TOKEN_TYPE,
+    scope: input.scope,
+    challenge: input.challenge,
+    userId: input.userId ?? null,
+    rpId: input.rpId,
+    iat: now,
+    exp: now + (input.ttlMs ?? accountPasskeyTokenTtlMs(input.scope)),
+  };
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const data = `${encodeJson(header)}.${encodeJson(payload)}`;
+  const signature = bytesToBase64Url(await hmacSha256(env.JWT_SECRET, data));
+  return `${data}.${signature}`;
+}
+
+export async function verifyAccountPasskeyToken(
+  env: Env,
+  token: string,
+  scope: AccountPasskeyChallengeScope
+): Promise<AccountPasskeyTokenPayload | null> {
+  try {
+    const parts = String(token || '').split('.');
+    if (parts.length !== 3) return null;
+    const data = `${parts[0]}.${parts[1]}`;
+    const expected = await hmacSha256(env.JWT_SECRET, data);
+    const actual = base64UrlToBytes(parts[2]);
+    if (actual.length !== expected.length) return null;
+    let diff = 0;
+    for (let i = 0; i < actual.length; i += 1) diff |= actual[i] ^ expected[i];
+    if (diff !== 0) return null;
+
+    const payload = decodeJson<AccountPasskeyTokenPayload>(parts[1]);
+    if (!payload || payload.typ !== ACCOUNT_PASSKEY_TOKEN_TYPE || payload.scope !== scope) return null;
+    if (!payload.challenge || !payload.rpId || !Number.isFinite(payload.exp)) return null;
+    if (payload.exp < Date.now()) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export function getAccountPasskeyRpConfig(request: Request, env: Env): { rpId: string; rpName: string; origins: string[] } {
+  const url = new URL(request.url);
+  const configuredRpId = String(env.WEBAUTHN_RP_ID || '').trim();
+  const rpId = configuredRpId || url.hostname;
+  const rpName = String(env.WEBAUTHN_RP_NAME || '').trim() || DEFAULT_RP_NAME;
+  const configuredOrigins = String(env.WEBAUTHN_ALLOWED_ORIGINS || '')
+    .split(',')
+    .map((origin) => origin.trim())
+    .filter(Boolean);
+  const origins = new Set<string>([url.origin, ...configuredOrigins]);
+  const requestOrigin = request.headers.get('Origin');
+  if (
+    requestOrigin
+    && (
+      requestOrigin.startsWith('chrome-extension://')
+      || requestOrigin.startsWith('moz-extension://')
+      || requestOrigin.startsWith('safari-web-extension://')
+    )
+  ) {
+    origins.add(requestOrigin);
+  }
+  return { rpId, rpName, origins: Array.from(origins) };
+}
+
+export function userIdToWebAuthnUserId(userId: string): Uint8Array {
+  return textBytes(userId);
+}
+
+export function userHandleToUserId(userHandle: string | undefined): string | null {
+  if (!userHandle) return null;
+  try {
+    const decoded = new TextDecoder().decode(base64UrlToBytes(userHandle));
+    return decoded.trim() || null;
+  } catch {
+    return null;
+  }
+}
+
+export function accountPasskeyPrfStatus(credential: Pick<AccountPasskeyCredential, 'supportsPrf' | 'encryptedUserKey' | 'encryptedPublicKey' | 'encryptedPrivateKey'>): AccountPasskeyPrfStatus {
+  if (!credential.supportsPrf) return 2;
+  if (credential.encryptedUserKey && credential.encryptedPublicKey && credential.encryptedPrivateKey) return 0;
+  return 1;
+}
+
+export function buildWebAuthnPrfOption(
+  credential: AccountPasskeyCredential
+): WebAuthnPrfDecryptionOption | null {
+  if (accountPasskeyPrfStatus(credential) !== 0) return null;
+  return {
+    EncryptedPrivateKey: credential.encryptedPrivateKey!,
+    EncryptedUserKey: credential.encryptedUserKey!,
+    CredentialId: credential.credentialId,
+    Transports: credential.transports || [],
+    Object: 'webAuthnPrfDecryptionOption',
+  };
+}
+
+export function accountPasskeyCredentialToResponse(credential: AccountPasskeyCredential): Record<string, unknown> {
+  const prfStatus = accountPasskeyPrfStatus(credential);
+  return {
+    Id: credential.id,
+    id: credential.id,
+    Name: credential.name,
+    name: credential.name,
+    PrfStatus: prfStatus,
+    prfStatus,
+    EncryptedPublicKey: credential.encryptedPublicKey,
+    encryptedPublicKey: credential.encryptedPublicKey,
+    EncryptedUserKey: credential.encryptedUserKey,
+    encryptedUserKey: credential.encryptedUserKey,
+    CreationDate: credential.createdAt,
+    RevisionDate: credential.updatedAt,
+    Object: 'webauthnCredential',
+    object: 'webauthnCredential',
+  };
+}
+
+export function toSimpleWebAuthnCredential(credential: AccountPasskeyCredential): WebAuthnCredential {
+  return {
+    id: credential.credentialId,
+    publicKey: Uint8Array.from(base64UrlToBytes(credential.publicKey)),
+    counter: credential.counter,
+    transports: (credential.transports || undefined) as AuthenticatorTransportFuture[] | undefined,
+  };
+}
+
+export function normalizeRegistrationResponse(raw: unknown): RegistrationResponseJSON | null {
+  const input = raw && typeof raw === 'object' ? raw as Record<string, any> : null;
+  const response = input?.response && typeof input.response === 'object' ? input.response as Record<string, any> : null;
+  if (!input || !response) return null;
+  const clientDataJSON = response.clientDataJSON || response.clientDataJson;
+  if (!input.id || !input.rawId || !clientDataJSON || !response.attestationObject) return null;
+  return {
+    id: String(input.id),
+    rawId: String(input.rawId),
+    type: 'public-key',
+    authenticatorAttachment: input.authenticatorAttachment,
+    clientExtensionResults: input.clientExtensionResults || input.extensions || {},
+    response: {
+      attestationObject: String(response.attestationObject),
+      clientDataJSON: String(clientDataJSON),
+      authenticatorData: response.authenticatorData ? String(response.authenticatorData) : undefined,
+      transports: Array.isArray(response.transports) ? response.transports.map(String) as AuthenticatorTransportFuture[] : undefined,
+      publicKey: response.publicKey ? String(response.publicKey) : undefined,
+      publicKeyAlgorithm: typeof response.publicKeyAlgorithm === 'number' ? response.publicKeyAlgorithm : undefined,
+    },
+  };
+}
+
+export function normalizeAuthenticationResponse(raw: unknown): AuthenticationResponseJSON | null {
+  const input = raw && typeof raw === 'object' ? raw as Record<string, any> : null;
+  const response = input?.response && typeof input.response === 'object' ? input.response as Record<string, any> : null;
+  if (!input || !response) return null;
+  const clientDataJSON = response.clientDataJSON || response.clientDataJson;
+  if (!input.id || !input.rawId || !clientDataJSON || !response.authenticatorData || !response.signature) return null;
+  return {
+    id: String(input.id),
+    rawId: String(input.rawId),
+    type: 'public-key',
+    authenticatorAttachment: input.authenticatorAttachment,
+    clientExtensionResults: input.clientExtensionResults || input.extensions || {},
+    response: {
+      authenticatorData: String(response.authenticatorData),
+      clientDataJSON: String(clientDataJSON),
+      signature: String(response.signature),
+      userHandle: response.userHandle ? String(response.userHandle) : undefined,
+    },
+  };
+}
+
+export function normalizeAccountPasskeyName(value: unknown): string {
+  const normalized = String(value || '').trim();
+  return (normalized || 'Account passkey').slice(0, 128);
+}
+
+export function normalizeTransports(value: unknown): string[] | null {
+  if (!Array.isArray(value)) return null;
+  const transports = value.map((item) => String(item || '').trim()).filter(Boolean);
+  return transports.length ? transports.slice(0, 12) : null;
+}
+
+export function isSerializedEncString(value: unknown): value is string {
+  const text = String(value || '').trim();
+  if (!text) return false;
+  const parts = text.split('.');
+  if (parts.length !== 2) return false;
+  const type = Number(parts[0]);
+  const bodyParts = parts[1].split('|');
+  if (type === 2) return bodyParts.length === 3 && bodyParts.every(Boolean);
+  if (type === 3 || type === 4) return bodyParts.length === 1 && !!bodyParts[0];
+  if (type === 5 || type === 6) return bodyParts.length === 2 && bodyParts.every(Boolean);
+  return false;
+}
@@ -1,6 +1,8 @@
 import { JWTPayload } from '../types';
 import { LIMITS } from '../config/limits';

+const hmacKeyCache = new Map<string, Promise<CryptoKey>>();
+
 // Base64 URL encode
 function base64UrlEncode(data: Uint8Array): string {
  const base64 = btoa(String.fromCharCode(...data));
@@ -19,6 +21,23 @@ function base64UrlDecode(str: string): Uint8Array {
  return bytes;
 }

+function getHmacKey(secret: string): Promise<CryptoKey> {
+  const cacheKey = secret;
+  let cached = hmacKeyCache.get(cacheKey);
+  if (cached) return cached;
+
+  const encoder = new TextEncoder();
+  cached = crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify']
+  );
+  hmacKeyCache.set(cacheKey, cached);
+  return cached;
+}
+
 // Create JWT
 export async function createJWT(payload: Omit<JWTPayload, 'iat' | 'exp' | 'iss' | 'premium' | 'email_verified' | 'amr'>, secret: string, expiresIn: number = LIMITS.auth.accessTokenTtlSeconds): Promise<string> {
  const header = { alg: 'HS256', typ: 'JWT' };
@@ -40,13 +59,7 @@ export async function createJWT(payload: Omit<JWTPayload, 'iat' | 'exp' | 'iss'
  
  const data = `${headerB64}.${payloadB64}`;
  
-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);
  
  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
@@ -63,13 +76,7 @@ export async function verifyJWT(token: string, secret: string): Promise<JWTPaylo
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();
    
-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);
    
    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -133,13 +140,7 @@ export async function createFileDownloadToken(
  
  const data = `${headerB64}.${payloadB64}`;
  
-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);
  
  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
@@ -159,13 +160,7 @@ export async function verifyFileDownloadToken(
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();
    
-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);
    
    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -205,13 +200,7 @@ export async function createAttachmentUploadToken(
  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
  const data = `${headerB64}.${payloadB64}`;

-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);

  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
@@ -229,13 +218,7 @@ export async function verifyAttachmentUploadToken(
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();

-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);

    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -285,13 +268,7 @@ export async function createSendFileDownloadToken(
  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
  const data = `${headerB64}.${payloadB64}`;

-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);

  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
@@ -309,13 +286,7 @@ export async function verifySendFileDownloadToken(
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();

-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);

    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -361,13 +332,7 @@ export async function createSendFileUploadToken(
  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
  const data = `${headerB64}.${payloadB64}`;

-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);

  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
@@ -385,13 +350,7 @@ export async function verifySendFileUploadToken(
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();

-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);

    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -430,13 +389,7 @@ export async function createSendAccessToken(sendId: string, secret: string): Pro
  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
  const data = `${headerB64}.${payloadB64}`;

-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+  const key = await getHmacKey(secret);
  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
  return `${data}.${signatureB64}`;
@@ -450,13 +403,7 @@ export async function verifySendAccessToken(token: string, secret: string): Prom
    const [headerB64, payloadB64, signatureB64] = parts;
    const encoder = new TextEncoder();

-    const key = await crypto.subtle.importKey(
-      'raw',
-      encoder.encode(secret),
-      { name: 'HMAC', hash: 'SHA-256' },
-      false,
-      ['verify']
-    );
+    const key = await getHmacKey(secret);

    const data = `${headerB64}.${payloadB64}`;
    const signature = base64UrlDecode(signatureB64);
@@ -0,0 +1,30 @@
+export function bytesToBase64Url(bytes: Uint8Array): string {
+  let binary = '';
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+export function base64UrlToBytes(input: string): Uint8Array {
+  const normalized = String(input || '').replace(/-/g, '+').replace(/_/g, '/');
+  const padded = normalized + '='.repeat((4 - (normalized.length % 4 || 4)) % 4);
+  const binary = atob(padded);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) out[i] = binary.charCodeAt(i);
+  return out;
+}
+
+export function randomChallenge(size: number = 32): string {
+  return bytesToBase64Url(crypto.getRandomValues(new Uint8Array(size)));
+}
+
+export function parseClientDataJSON(base64Url: string): { type?: string; challenge?: string; origin?: string } | null {
+  try {
+    const raw = base64UrlToBytes(base64Url);
+    const text = new TextDecoder().decode(raw);
+    const parsed = JSON.parse(text) as { type?: string; challenge?: string; origin?: string };
+    if (!parsed || typeof parsed !== 'object') return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
@@ -15,12 +15,44 @@ const DEFAULT_CORS_HEADERS = [
  'X-Request-Email',
  'X-Device-Identifier',
  'X-Device-Name',
+  'X-NodeWarden-Web-Session',
 ];

-function getAllowedOrigin(request: Request): string | null {
+function isExtensionOrigin(origin: string): boolean {
+  return (
+    origin.startsWith('chrome-extension://')
+    || origin.startsWith('moz-extension://')
+    || origin.startsWith('safari-web-extension://')
+  );
+}
+
+function isWildcardCorsPath(path: string): boolean {
+  return (
+    path.startsWith('/icons/')
+    || path === '/config'
+    || path === '/api/config'
+    || path === '/api/version'
+  );
+}
+
+function getCorsPolicy(request: Request): { allowOrigin: string | null; allowCredentials: boolean } {
+  const url = new URL(request.url);
  const origin = request.headers.get('Origin');
-  if (!origin) return '*';
-  return origin;
+  if (!origin) {
+    return isWildcardCorsPath(url.pathname)
+      ? { allowOrigin: '*', allowCredentials: false }
+      : { allowOrigin: null, allowCredentials: false };
+  }
+  if (origin === url.origin) {
+    return { allowOrigin: origin, allowCredentials: true };
+  }
+  if (isExtensionOrigin(origin)) {
+    return { allowOrigin: origin, allowCredentials: true };
+  }
+  if (isWildcardCorsPath(url.pathname)) {
+    return { allowOrigin: '*', allowCredentials: false };
+  }
+  return { allowOrigin: null, allowCredentials: false };
 }

 function buildCorsHeaders(request: Request): Record<string, string> {
@@ -35,13 +67,14 @@ function buildCorsHeaders(request: Request): Record<string, string> {
    'Access-Control-Allow-Headers': allowHeaders.join(', '),
    'Access-Control-Expose-Headers': '*',
    'Access-Control-Max-Age': String(LIMITS.cors.preflightMaxAgeSeconds),
-    'Access-Control-Allow-Private-Network': 'true',
  };

-  const allowedOrigin = getAllowedOrigin(request);
-  if (allowedOrigin) {
-    headers['Access-Control-Allow-Origin'] = allowedOrigin;
-    headers['Access-Control-Allow-Credentials'] = 'true';
+  const corsPolicy = getCorsPolicy(request);
+  if (corsPolicy.allowOrigin) {
+    headers['Access-Control-Allow-Origin'] = corsPolicy.allowOrigin;
+    if (corsPolicy.allowCredentials) {
+      headers['Access-Control-Allow-Credentials'] = 'true';
+    }
    headers['Vary'] = 'Origin, Access-Control-Request-Headers';
  }

@@ -1,4 +1,4 @@
-import { User, UserDecryptionOptions } from '../types';
+import { User, UserDecryptionOptions, WebAuthnPrfDecryptionOption } from '../types';

 function normalizeOptionalPublicKey(value: unknown): string {
  if (value == null) return '';
@@ -40,7 +40,8 @@ export function buildMasterPasswordUnlock(
 }

 export function buildUserDecryptionOptions(
-  user: Pick<User, 'email' | 'key' | 'kdfType' | 'kdfIterations' | 'kdfMemory' | 'kdfParallelism'>
+  user: Pick<User, 'email' | 'key' | 'kdfType' | 'kdfIterations' | 'kdfMemory' | 'kdfParallelism'>,
+  webAuthnPrfOption: WebAuthnPrfDecryptionOption | null = null
 ): UserDecryptionOptions {
  return {
    HasMasterPassword: true,
@@ -48,6 +49,7 @@ export function buildUserDecryptionOptions(
    MasterPasswordUnlock: buildMasterPasswordUnlock(user),
    TrustedDeviceOption: null,
    KeyConnectorOption: null,
+    WebAuthnPrfOption: webAuthnPrfOption,
  };
 }

@@ -0,0 +1,33 @@
+/** @type {import('tailwindcss').Config} */
+export default {
+  content: ['./webapp/index.html', './webapp/src/**/*.{ts,tsx}'],
+  darkMode: ['class', '[data-theme="dark"]'],
+  theme: {
+    extend: {
+      colors: {
+        canvas: 'var(--bg-accent)',
+        panel: 'var(--panel)',
+        'panel-soft': 'var(--panel-soft)',
+        'panel-muted': 'var(--panel-muted)',
+        line: 'var(--line)',
+        'line-soft': 'var(--line-soft)',
+        ink: 'var(--text)',
+        muted: 'var(--muted)',
+        'muted-strong': 'var(--muted-strong)',
+        brand: 'var(--primary)',
+        'brand-hover': 'var(--primary-hover)',
+        'brand-strong': 'var(--primary-strong)',
+        danger: 'var(--danger)',
+      },
+      boxShadow: {
+        soft: 'var(--shadow-sm)',
+        panel: 'var(--shadow-md)',
+        elevated: 'var(--shadow-lg)',
+      },
+      fontFamily: {
+        sans: ['Segoe UI', 'PingFang SC', 'Microsoft YaHei', 'Noto Sans SC', 'sans-serif'],
+      },
+    },
+  },
+  plugins: [],
+};
@@ -3,13 +3,98 @@
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' https://cloudflareinsights.com https://*.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cloudflareinsights.com https://*.cloudflareinsights.com; connect-src 'self' https://api.pwnedpasswords.com https://cloudflareinsights.com https://*.cloudflareinsights.com; font-src 'self'; form-action 'self'; base-uri 'self';" />
-    <link rel="icon" type="image/png" href="/favicon.ico" />
+
+  <meta http-equiv="Content-Security-Policy" content="
+    default-src 'self';
+    script-src 'self' 'unsafe-inline';
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' data:;
+    connect-src 'self';
+    font-src 'self';
+    form-action 'self';
+    base-uri 'self';
+  " />
+
+    <link rel="icon" type="image/svg+xml" href="/nodewarden-logo-bg.svg" />
+    <link rel="alternate icon" type="image/x-icon" href="/favicon.ico" />
    <link rel="apple-touch-icon" href="/apple-touch-icon.png" />
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <meta name="theme-color" content="#0f172a" />
+    <meta name="mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-title" content="NodeWarden" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+
    <title>NodeWarden</title>
+    <style>
+      html,
+      body,
+      #root {
+        min-height: 100%;
+      }
+
+      body {
+        margin: 0;
+        background: #eef4ff;
+        color: #0f172a;
+        font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      }
+
+      .boot-screen {
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        padding: 24px;
+        box-sizing: border-box;
+      }
+
+      .boot-card {
+        width: min(420px, 100%);
+        display: grid;
+        gap: 14px;
+        justify-items: center;
+        padding: 28px;
+        border: 1px solid rgba(148, 163, 184, 0.35);
+        border-radius: 22px;
+        background: rgba(255, 255, 255, 0.82);
+        box-shadow: 0 20px 45px rgba(15, 23, 42, 0.10);
+      }
+
+      .boot-logo {
+        width: 74px;
+        height: 58px;
+        object-fit: contain;
+      }
+
+      .boot-line {
+        width: 72%;
+        height: 12px;
+        border-radius: 999px;
+        background: linear-gradient(90deg, #dbeafe, #bfdbfe, #dbeafe);
+        background-size: 180% 100%;
+        animation: boot-shimmer 1.2s ease-in-out infinite;
+      }
+
+      .boot-line.short {
+        width: 46%;
+      }
+
+      @keyframes boot-shimmer {
+        0% { background-position: 180% 0; }
+        100% { background-position: -180% 0; }
+      }
+    </style>
  </head>
  <body>
-    <div id="root"></div>
+    <div id="root">
+      <div class="boot-screen">
+        <div class="boot-card" aria-label="Loading NodeWarden">
+          <img class="boot-logo" src="/nodewarden-logo.svg" alt="" />
+          <div class="boot-line"></div>
+          <div class="boot-line short"></div>
+        </div>
+      </div>
+    </div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
@@ -0,0 +1,48 @@
+{
+  "name": "NodeWarden",
+  "short_name": "NodeWarden",
+  "description": "A lightweight Bitwarden-compatible vault for Cloudflare Workers.",
+  "id": "/",
+  "start_url": "/vault",
+  "scope": "/",
+  "display": "standalone",
+  "display_override": ["window-controls-overlay", "standalone", "minimal-ui"],
+  "orientation": "any",
+  "background_color": "#eef4ff",
+  "theme_color": "#0f172a",
+  "categories": ["security", "productivity", "utilities"],
+  "icons": [
+    {
+      "src": "/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png",
+      "purpose": "any"
+    },
+    {
+      "src": "/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "any"
+    },
+    {
+      "src": "/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "maskable"
+    }
+  ],
+  "shortcuts": [
+    {
+      "name": "Vault",
+      "short_name": "Vault",
+      "url": "/vault",
+      "icons": [{ "src": "/icon-192.png", "sizes": "192x192", "type": "image/png" }]
+    },
+    {
+      "name": "TOTP Codes",
+      "short_name": "TOTP",
+      "url": "/vault/totp",
+      "icons": [{ "src": "/icon-192.png", "sizes": "192x192", "type": "image/png" }]
+    }
+  ]
+}
@@ -0,0 +1,6 @@
+<svg width="760" height="760" viewBox="0 0 760 760" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <rect width="760" height="760" fill="#116FF9"/>
+  <path d="M386.5 183C497.785 183 588 271.2 588 380C588 419.877 575.879 456.986 555.046 488H17.6816C16.5766 481.834 16 475.484 16 469C16 413.617 58.0774 368.061 112.008 362.558C108.771 353.989 107 344.701 107 335C107 291.922 141.922 257 185 257C198.365 257 210.945 260.362 221.94 266.286C258.437 215.895 318.539 183 386.5 183Z" fill="#F6821F"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M92.6568 91.0069C88.7796 262.923 101.55 381.119 143.869 469.459C186.188 557.799 258.092 616.353 372.665 668.892C485.877 616.354 556.929 557.802 598.746 469.461C640.564 381.12 653.181 262.923 649.35 91.0069H92.6568ZM539.796 432.933C570.479 365.533 581.347 278.379 582.419 153.939L582.422 153.432H377.661V593.786L378.405 593.364C458.602 547.962 509.101 500.36 539.796 432.933Z" fill="white"/>
+  <path d="M604.465 305C680.976 305 743 367.233 743 444C743 459.378 740.509 474.172 735.913 488H379V423.553C391.721 397.751 418.287 380 449 380C459.483 380 469.482 382.068 478.613 385.818C500.559 338.11 548.658 305 604.465 305Z" fill="#FD9C33"/>
+</svg>
@@ -0,0 +1,5 @@
+<svg width="727" height="580" viewBox="0 0 727 580" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M370.5 93C481.785 93 572 181.2 572 290C572 329.877 559.879 366.986 539.046 398H1.68164C0.576599 391.834 0 385.484 0 379C0 323.617 42.0774 278.061 96.0078 272.558C92.7712 263.989 91 254.701 91 245C91 201.922 125.922 167 169 167C182.365 167 194.945 170.362 205.94 176.286C242.437 125.895 302.539 93 370.5 93Z" fill="#F6821F"/>
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M76.6568 1.00686C72.7796 172.923 85.5495 291.119 127.869 379.459C170.188 467.799 242.092 526.353 356.665 578.892C469.877 526.354 540.929 467.802 582.746 379.461C624.564 291.12 637.181 172.923 633.35 1.00686H76.6568ZM523.796 342.933C554.479 275.533 565.347 188.379 566.419 63.9394L566.422 63.432H361.661V503.786L362.405 503.364C442.602 457.962 493.101 410.36 523.796 342.933Z" fill="#116FF9"/>
+  <path d="M588.465 215C664.976 215 727 277.233 727 354C727 369.378 724.509 384.172 719.913 398H363V333.553C375.721 307.751 402.287 290 433 290C443.483 290 453.482 292.068 462.613 295.818C484.559 248.11 532.658 215 588.465 215Z" fill="#FD9C33"/>
+</svg>
@@ -0,0 +1,12 @@
+<svg width="862" height="102" viewBox="0 0 8620 1017" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M238.439 995.188H0V209.944C0 111.788 76.3004 53.1675 156.688 53.1675C220.726 53.1675 276.589 74.9799 309.289 126.784L633.566 640.737V74.9799H872.005V860.224C872.005 958.379 795.704 1015.64 715.317 1015.64C652.641 1015.64 595.416 993.824 562.716 942.02L238.439 428.067V995.188Z" fill="black"/>
+<path d="M1389.81 1015.64C1177.26 1015.64 1015.12 852.044 1015.12 653.007C1015.12 455.332 1177.26 291.74 1389.81 291.74C1602.36 291.74 1764.5 455.332 1764.5 653.007C1764.5 852.044 1602.36 1015.64 1389.81 1015.64ZM1389.81 785.244C1467.47 785.244 1519.25 725.26 1519.25 654.37C1519.25 582.117 1467.47 522.133 1389.81 522.133C1312.15 522.133 1260.37 582.117 1260.37 654.37C1260.37 725.26 1312.15 785.244 1389.81 785.244Z" fill="black"/>
+<path d="M2221.42 1015.64C2008.87 1015.64 1846.73 853.407 1846.73 655.733C1846.73 437.61 1991.16 293.103 2207.79 293.103C2258.21 293.103 2308.62 308.099 2350.86 331.275V0H2596.11V655.733C2596.11 864.314 2439.42 1015.64 2221.42 1015.64ZM2221.42 785.244C2299.08 785.244 2350.86 726.623 2350.86 654.37C2350.86 583.48 2299.08 523.496 2221.42 523.496C2143.76 523.496 2091.98 583.48 2091.98 654.37C2091.98 726.623 2143.76 785.244 2221.42 785.244Z" fill="black"/>
+<path d="M3086.45 1014.27C2868.45 1014.27 2704.95 869.767 2704.95 646.19C2704.95 449.879 2852.1 286.287 3067.38 286.287C3290.83 286.287 3414.82 452.606 3414.82 635.284V696.631H2940.66C2957.01 764.795 3008.79 805.693 3083.73 805.693C3149.13 805.693 3200.9 770.248 3225.43 717.08L3413.45 811.146C3354.87 937.93 3239.05 1014.27 3086.45 1014.27ZM2951.56 569.847H3170.93C3160.03 531.676 3121.88 496.231 3064.65 496.231C3006.06 496.231 2966.55 530.312 2951.56 569.847Z" fill="black"/>
+<path d="M3604.95 845.228L3441.45 74.9799H3693.51L3812.05 704.811L3915.6 246.752C3945.58 111.788 4009.62 54.5308 4107.72 54.5308C4205.82 54.5308 4269.85 111.788 4299.83 246.752L4403.38 704.811L4521.92 74.9799H4773.98L4610.48 845.228C4587.32 955.653 4513.74 1017 4414.28 1017C4324.35 1017 4243.97 957.016 4220.8 856.134L4107.72 358.54L3994.63 856.134C3971.46 957.016 3891.08 1017 3801.15 1017C3701.69 1017 3628.11 955.653 3604.95 845.228Z" fill="black"/>
+<path d="M5121.11 1015.64C4922.19 1015.64 4787.3 852.044 4787.3 653.007C4787.3 455.332 4949.44 291.74 5161.99 291.74C5379.99 291.74 5536.68 444.426 5536.68 653.007V995.188H5305.05V944.747C5261.45 989.735 5200.14 1015.64 5121.11 1015.64ZM5161.99 785.244C5239.65 785.244 5291.43 725.26 5291.43 654.37C5291.43 582.117 5239.65 522.133 5161.99 522.133C5084.33 522.133 5032.55 582.117 5032.55 654.37C5032.55 725.26 5084.33 785.244 5161.99 785.244Z" fill="black"/>
+<path d="M5918.02 995.188H5672.77V617.562C5672.77 436.247 5776.32 291.74 5998.41 291.74C6044.73 291.74 6095.15 299.92 6129.21 314.916V550.761C6096.51 533.039 6055.63 523.496 6021.57 523.496C5957.53 523.496 5918.02 560.304 5918.02 625.741V995.188Z" fill="black"/>
+<path d="M6565.74 1015.64C6353.19 1015.64 6191.05 853.407 6191.05 655.733C6191.05 437.61 6335.48 293.103 6552.12 293.103C6602.53 293.103 6652.94 308.099 6695.18 331.275V0H6940.43V655.733C6940.43 864.314 6783.74 1015.64 6565.74 1015.64ZM6565.74 785.244C6643.41 785.244 6695.18 726.623 6695.18 654.37C6695.18 583.48 6643.41 523.496 6565.74 523.496C6488.08 523.496 6436.31 583.48 6436.31 654.37C6436.31 726.623 6488.08 785.244 6565.74 785.244Z" fill="black"/>
+<path d="M7430.78 1014.27C7212.77 1014.27 7049.27 869.767 7049.27 646.19C7049.27 449.879 7196.42 286.287 7411.7 286.287C7635.15 286.287 7759.14 452.606 7759.14 635.284V696.631H7284.99C7301.34 764.795 7353.11 805.693 7428.05 805.693C7493.45 805.693 7545.23 770.248 7569.75 717.08L7757.78 811.146C7699.19 937.93 7583.38 1014.27 7430.78 1014.27ZM7295.89 569.847H7515.25C7504.35 531.676 7466.2 496.231 7408.98 496.231C7350.39 496.231 7310.88 530.312 7295.89 569.847Z" fill="black"/>
+<path d="M8250.76 531.676C8160.84 531.676 8126.77 603.929 8126.77 689.815V995.188H7881.52V659.823C7881.52 459.422 7998.7 293.103 8250.76 293.103C8502.82 293.103 8620 459.422 8620 659.823V995.188H8374.75V689.815C8374.75 603.929 8340.69 531.676 8250.76 531.676Z" fill="black"/>
+</svg>
@@ -0,0 +1,428 @@
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+	wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More_considerations
+     for the public: 
+	wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+
+     including for purposes of Section 3(b); and
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+
@@ -0,0 +1,4 @@
+Payment logos in this directory are from datatrans/payment-logos.
+
+Source: https://github.com/datatrans/payment-logos
+License: CC-BY-SA-4.0
@@ -0,0 +1,4 @@
+<svg width="120" height="80" version="1.1" viewBox="0 0 120 80" xmlns="http://www.w3.org/2000/svg">
+<rect x="40" width="80" height="80" rx="4" fill="#fff" fill-rule="evenodd" />
+<path d="m120 76v-8.6763h-9.651l-4.969-5.4944-4.994 5.4944h-31.822v-25.607h-10.27l12.74-28.831h12.286l4.3857 9.877v-9.877h15.208l2.64 7.4429 2.658-7.4429h11.789v-8.8854c0-2.2091-1.7909-4-4-4h-112c-2.2091 4.4409e-16 -4 1.7909-4 4v72c4.4409e-16 2.2091 1.7909 4 4 4h112c2.2091 0 4-1.7909 4-4zm-8.026-11.882h8.026l-10.616-11.258 10.616-11.13h-7.898l-6.556 7.1645-6.4935-7.1645h-8.0275l10.554 11.194-10.554 11.194h7.8041l6.5889-7.2283 6.556 7.2283zm1.878-11.249 6.148 6.5406v-13.027l-6.148 6.4861zm-35.78 6.0675v-3.4864h12.633v-5.0534h-12.633v-3.4859h12.953l5e-4 -5.1815h-19.062v22.388h19.062l-5e-4 -5.1813h-12.953zm35.883-20.456h6.045v-22.388h-9.403l-5.022 13.944-4.989-13.944h-9.5631v22.388h6.0446v-15.672l5.7575 15.672h5.373l5.757-15.704v15.704zm-29.809 0h6.8765l-9.8824-22.388h-7.8682l-9.8833 22.388h6.7166l1.8554-4.4776h10.298l1.887 4.4776zm-3.9976-9.4992h-6.0773l3.0387-7.3242 3.0386 7.3242z" fill="#0690FF"/>
+</svg>
@@ -0,0 +1,11 @@
+<svg width="120" height="80" viewBox="0 0 120 80" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="120" height="80" rx="4" fill="url(#paint0_linear_804_2)"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M65.3997 64.8343C79.0213 64.8992 91.4542 53.7631 91.4542 40.2157C91.4542 25.4007 79.0213 15.1605 65.3997 15.1654H53.6768C39.8921 15.1605 28.5459 25.4038 28.5459 40.2157C28.5459 53.7661 39.8921 64.8993 53.6768 64.8343H65.3997Z" fill="#3477B9"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M53.6852 17.1522C41.0891 17.1561 30.8821 27.3313 30.8792 39.8896C30.8821 52.4456 41.089 62.6199 53.6852 62.6238C66.2843 62.6199 76.4934 52.4456 76.4952 39.8896C76.4933 27.3313 66.2843 17.1561 53.6852 17.1522ZM39.2291 39.8896C39.241 33.7529 43.0866 28.5199 48.5095 26.4404V53.3355C43.0866 51.2572 39.2409 46.0271 39.2291 39.8896ZM58.859 53.3415V26.4396C64.2838 28.514 68.1355 33.7499 68.1453 39.8896C68.1355 46.0311 64.2838 51.263 58.859 53.3415Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_804_2" x1="1.68141e-06" y1="21" x2="120" y2="54" gradientUnits="userSpaceOnUse">
+<stop stop-color="#3479C0"/>
+<stop offset="1" stop-color="#133362"/>
+</linearGradient>
+</defs>
+</svg>
@@ -0,0 +1,22 @@
+<svg width="120" height="80" viewBox="0 0 120 80" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="120" height="80" rx="4" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M29 80H116.002C118.21 80 120 78.211 120 75.9957V48C120 48 87.8616 70.1063 29 80Z" fill="#E7792B"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M113.088 33.8624C113.088 30.7125 110.888 28.8951 107.053 28.8951H102.12V45.7197H105.443V38.9609H105.877L110.481 45.7197H114.571L109.202 38.6314C111.708 38.129 113.088 36.4383 113.088 33.8624ZM106.414 36.6411H105.443V31.5451H106.467C108.538 31.5451 109.665 32.4018 109.665 34.0385C109.665 35.7305 108.538 36.6411 106.414 36.6411Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M90.4839 45.7197H99.9176V42.8713H93.8077V38.3298H99.6923V35.4802H93.8077V31.746H99.9176V28.8951H90.4839V45.7197Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M80.7677 40.1959L76.2205 28.8951H72.5864L79.8236 46.1512H81.613L88.9799 28.8951H85.3742L80.7677 40.1959Z" fill="#1A1918"/>
+<path d="M64.6178 46.7197C69.7118 46.7197 73.8414 42.6454 73.8414 37.6197C73.8414 32.5939 69.7118 28.5197 64.6178 28.5197C59.5238 28.5197 55.3943 32.5939 55.3943 37.6197C55.3943 42.6454 59.5238 46.7197 64.6178 46.7197Z" fill="url(#paint0_radial_823_341)"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M41.2231 37.3191C41.2231 42.2643 45.159 46.0986 50.224 46.0986C51.6556 46.0986 52.8817 45.8211 54.3943 45.1184V41.2555C53.0642 42.5685 51.8869 43.0982 50.3788 43.0982C47.0287 43.0982 44.651 40.7017 44.651 37.2944C44.651 34.0645 47.1038 31.5165 50.224 31.5165C51.8104 31.5165 53.0115 32.0749 54.3943 33.4093V29.5483C52.9344 28.8177 51.7334 28.5148 50.3024 28.5148C45.2631 28.5148 41.2231 32.4272 41.2231 37.3191Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M35.2687 35.3515C33.2725 34.6229 32.6868 34.1419 32.6868 33.2332C32.6868 32.173 33.731 31.3683 35.1646 31.3683C36.1614 31.3683 36.9803 31.772 37.8467 32.7307L39.5873 30.4824C38.157 29.248 36.446 28.6169 34.5763 28.6169C31.5589 28.6169 29.2576 30.6839 29.2576 33.4379C29.2576 35.7558 30.3295 36.9421 33.453 38.0516C34.7555 38.5047 35.4182 38.8063 35.7529 39.0097C36.417 39.4381 36.7497 40.0439 36.7497 40.7504C36.7497 42.1135 35.6515 43.1236 34.1671 43.1236C32.5807 43.1236 31.3032 42.341 30.537 40.8798L28.3879 42.9214C29.9204 45.1405 31.7611 46.124 34.2923 46.124C37.7485 46.124 40.1736 43.8568 40.1736 40.5996C40.1736 37.9268 39.0523 36.7165 35.2687 35.3515Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M23.8091 28.8951H27.1355V45.7197H23.8091V28.8951Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M13.1242 28.8951H8.2417V45.7197H13.0985C15.6811 45.7197 17.5456 45.1184 19.1828 43.7775C21.1283 42.1889 22.2786 39.7949 22.2786 37.319C22.2786 32.3537 18.5187 28.8951 13.1242 28.8951ZM17.01 41.5336C15.9644 42.4651 14.6073 42.8713 12.4582 42.8713H11.5655V31.746H12.4582C14.6073 31.746 15.9111 32.1249 17.01 33.1064C18.1603 34.1171 18.8521 35.683 18.8521 37.2943C18.8521 38.9096 18.1603 40.5235 17.01 41.5336Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M115.21 29.5275C115.21 29.233 115.005 29.0712 114.643 29.0712H114.162V30.5499H114.52V29.9766L114.939 30.5499H115.376L114.883 29.9402C115.094 29.8843 115.21 29.7329 115.21 29.5275ZM114.58 29.7296H114.52V29.3429H114.584C114.761 29.3429 114.853 29.4059 114.853 29.5327C114.853 29.664 114.76 29.7296 114.58 29.7296Z" fill="#1A1918"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M114.715 28.5187C113.987 28.5187 113.41 29.092 113.41 29.8077C113.41 30.5233 113.994 31.0973 114.715 31.0973C115.424 31.0973 116.005 30.5175 116.005 29.8077C116.005 29.1018 115.424 28.5187 114.715 28.5187ZM114.71 30.8672C114.138 30.8672 113.669 30.3966 113.669 29.8096C113.669 29.2207 114.132 28.7508 114.71 28.7508C115.28 28.7508 115.745 29.2318 115.745 29.8096C115.745 30.3914 115.28 30.8672 114.71 30.8672Z" fill="#1A1918"/>
+<defs>
+<radialGradient id="paint0_radial_823_341" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(71.5 44) rotate(-142.431) scale(16.4012 16.1816)">
+<stop stop-color="#F59900"/>
+<stop offset="0.210082" stop-color="#F39501"/>
+<stop offset="0.908163" stop-color="#CE3C0B"/>
+<stop offset="1" stop-color="#A4420A"/>
+</radialGradient>
+</defs>
+</svg>
@@ -0,0 +1,42 @@
+<svg width="120" height="80" viewBox="0 0 120 80" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="120" height="80" rx="4" fill="white"/>
+<path d="M100.9 58.8C100.9 65.8 95.1996 71.5 88.1996 71.5H19.0996V21.2C19.0996 14.2 24.7996 8.5 31.7996 8.5H100.9V58.8Z" fill="white"/>
+<path d="M78.3994 45.9H83.6494C83.7994 45.9 84.1494 45.85 84.2994 45.85C85.2994 45.65 86.1494 44.75 86.1494 43.5C86.1494 42.3 85.2994 41.4 84.2994 41.15C84.1494 41.1 83.8494 41.1 83.6494 41.1H78.3994V45.9Z" fill="url(#paint0_linear_833_6149)"/>
+<path d="M83.0494 12.75C78.0494 12.75 73.9494 16.8 73.9494 21.85V31.3H86.7994C87.0994 31.3 87.4494 31.3 87.6994 31.35C90.5994 31.5 92.7494 33 92.7494 35.6C92.7494 37.65 91.2994 39.4 88.5994 39.75V39.85C91.5494 40.05 93.7994 41.7 93.7994 44.25C93.7994 47 91.2994 48.8 87.9994 48.8H73.8994V67.3H87.2494C92.2494 67.3 96.3494 63.25 96.3494 58.2V12.75H83.0494Z" fill="url(#paint1_linear_833_6149)"/>
+<path d="M85.4994 36.2C85.4994 35 84.6494 34.2 83.6494 34.05C83.5494 34.05 83.2994 34 83.1494 34H78.3994V38.4H83.1494C83.2994 38.4 83.5994 38.4 83.6494 38.35C84.6494 38.2 85.4994 37.4 85.4994 36.2Z" fill="url(#paint2_linear_833_6149)"/>
+<path d="M57.8988 12.75C52.8988 12.75 48.7988 16.8 48.7988 21.85V33.75C51.0988 31.8 55.0988 30.55 61.5488 30.85C64.9988 31 68.6988 31.95 68.6988 31.95V35.8C66.8488 34.85 64.6488 34 61.7988 33.8C56.8988 33.45 53.9488 35.85 53.9488 40.05C53.9488 44.3 56.8988 46.7 61.7988 46.3C64.6488 46.1 66.8488 45.2 68.6988 44.3V48.15C68.6988 48.15 65.0488 49.1 61.5488 49.25C55.0988 49.55 51.0988 48.3 48.7988 46.35V67.35H62.1488C67.1488 67.35 71.2488 63.3 71.2488 58.25V12.75H57.8988Z" fill="url(#paint3_linear_833_6149)"/>
+<path d="M32.7496 12.75C27.7496 12.75 23.6496 16.8 23.6496 21.85V44.3C26.1996 45.55 28.8496 46.35 31.4996 46.35C34.6496 46.35 36.3496 44.45 36.3496 41.85V31.25H44.1496V41.8C44.1496 45.9 41.5996 49.25 32.9496 49.25C27.6996 49.25 23.5996 48.1 23.5996 48.1V67.25H36.9496C41.9496 67.25 46.0496 63.2 46.0496 58.15V12.75H32.7496Z" fill="url(#paint4_linear_833_6149)"/>
+<defs>
+<linearGradient id="paint0_linear_833_6149" x1="60.9804" y1="40.0821" x2="126.075" y2="40.0821" gradientUnits="userSpaceOnUse">
+<stop stop-color="#007940"/>
+<stop offset="0.2285" stop-color="#00873F"/>
+<stop offset="0.7433" stop-color="#40A737"/>
+<stop offset="1" stop-color="#5CB531"/>
+</linearGradient>
+<linearGradient id="paint1_linear_833_6149" x1="73.9404" y1="40.0023" x2="96.4108" y2="40.0023" gradientUnits="userSpaceOnUse">
+<stop stop-color="#007940"/>
+<stop offset="0.2285" stop-color="#00873F"/>
+<stop offset="0.7433" stop-color="#40A737"/>
+<stop offset="1" stop-color="#5CB531"/>
+</linearGradient>
+<linearGradient id="paint2_linear_833_6149" x1="73.9396" y1="36.1925" x2="96.409" y2="36.1925" gradientUnits="userSpaceOnUse">
+<stop stop-color="#007940"/>
+<stop offset="0.2285" stop-color="#00873F"/>
+<stop offset="0.7433" stop-color="#40A737"/>
+<stop offset="1" stop-color="#5CB531"/>
+</linearGradient>
+<linearGradient id="paint3_linear_833_6149" x1="48.6689" y1="40.0023" x2="70.8287" y2="40.0023" gradientUnits="userSpaceOnUse">
+<stop stop-color="#6C2C2F"/>
+<stop offset="0.1735" stop-color="#882730"/>
+<stop offset="0.5731" stop-color="#BE1833"/>
+<stop offset="0.8585" stop-color="#DC0436"/>
+<stop offset="1" stop-color="#E60039"/>
+</linearGradient>
+<linearGradient id="paint4_linear_833_6149" x1="23.6382" y1="40.0023" x2="46.4553" y2="40.0023" gradientUnits="userSpaceOnUse">
+<stop stop-color="#1F286F"/>
+<stop offset="0.4751" stop-color="#004E94"/>
+<stop offset="0.8261" stop-color="#0066B1"/>
+<stop offset="1" stop-color="#006FBC"/>
+</linearGradient>
+</defs>
+</svg>
@@ -0,0 +1,7 @@
+<svg width="120" height="80" viewBox="0 0 120 80" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="120" height="80" rx="4" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M97.5288 54.6562V53.7384H97.289L97.0137 54.3698L96.7378 53.7384H96.498V54.6562H96.6675V53.9637L96.9257 54.5609H97.1011L97.36 53.9624V54.6562H97.5288ZM96.0111 54.6562V53.8947H96.318V53.7397H95.5361V53.8947H95.843V54.6562H96.0111Z" fill="#00A2E5"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M49.6521 58.595H70.3479V21.4044H49.6521V58.595Z" fill="#7375CF"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M98.2675 40.0003C98.2675 53.063 87.6791 63.652 74.6171 63.652C69.0996 63.652 64.0229 61.7624 60 58.5956C65.5011 54.2646 69.0339 47.5448 69.0339 40.0003C69.0339 32.4552 65.5011 25.7354 60 21.4044C64.0229 18.2376 69.0996 16.348 74.6171 16.348C87.6791 16.348 98.2675 26.937 98.2675 40.0003Z" fill="#00A2E5"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M50.966 40.0003C50.966 32.4552 54.4988 25.7354 59.9999 21.4044C55.977 18.2376 50.9003 16.348 45.3828 16.348C32.3208 16.348 21.7324 26.937 21.7324 40.0003C21.7324 53.063 32.3208 63.652 45.3828 63.652C50.9003 63.652 55.977 61.7624 59.9999 58.5956C54.4988 54.2646 50.966 47.5448 50.966 40.0003Z" fill="#EB001B"/>
+</svg>
--- a/Show More
+++ b/Show More