PM-27241: feat: TDE encryption v2

[david-livefront]

🎟️ Tracking

PM-27241

📔 Objective

This PR adds the updated v2 encryption flow for a SSO TDE new user.

[codecov]

Codecov Report

❌ Patch coverage is 97.84946% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.75%. Comparing base (e6f0db6) to head (bf0e8a6).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...twarden/data/auth/repository/AuthRepositoryImpl.kt	97.53%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6821      +/-   ##
==========================================
- Coverage   85.80%   85.75%   -0.06%     
==========================================
  Files         836      839       +3     
  Lines       59408    59494      +86     
  Branches     8672     8676       +4     
==========================================
+ Hits        50977    51020      +43     
- Misses       5442     5483      +41     
- Partials     2989     2991       +2     

Flag	Coverage Δ
app-data	17.60% <97.84%> (+0.06%)	⬆️
app-ui-auth-tools	20.11% <0.00%> (-0.02%)	⬇️
app-ui-platform	15.84% <0.00%> (-0.02%)	⬇️
app-ui-vault	25.64% <0.00%> (-0.02%)	⬇️
authenticator	6.60% <0.00%> (-0.01%)	⬇️
lib-core-network-bridge	4.28% <0.00%> (-0.01%)	⬇️
lib-data-ui	1.02% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Checkmarx One – Scan Summary & Details – 4d14c4de-81f9-4fe5-a651-64cecb833186

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: REQUEST CHANGES

This PR introduces the v2 TDE encryption flow for new SSO users behind the V2EncryptionTde feature flag, adding postKeysForTdeRegistration to the SDK source and splitting createNewSsoUser into v1/v2 branches. The v1 path is preserved in registerUserForTdeV1 and the new v2 path in registerUserForTdeV2 calls unlockVault directly using the wrapped account cryptographic state returned from the SDK. New unit tests cover the success path and the SDK-level failure path for v2.

Code Review Details

• ⚠️ : unlockVault failures in registerUserForTdeV2 are wrapped as Result.success(VaultUnlockError) and reported to the caller as NewSsoUserResult.Success, leaving the user with a locked vault and partially set up state.
  • app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt:574

[claude]

⚠️ IMPORTANT: unlockVault failures are silently swallowed and reported as NewSsoUserResult.Success.

Details and fix

registerUserForTdeV2 returns Result<VaultUnlockResult>. When postKeysForTdeRegistration succeeds but unlockVault returns a VaultUnlockError variant (e.g., GenericError, InvalidStateError), the .map { ... } block still completes and produces Result.success(VaultUnlockResult.GenericError(...)). The outer createNewSsoUser then runs .fold(onSuccess = { NewSsoUserResult.Success }, ...), which ignores the wrapped error variant and returns NewSsoUserResult.Success. The caller (TrustedDeviceViewModel.handleContinueClick) treats Success as a fully completed login and navigates the user forward, but the vault is locked, account keys were never stored, and shouldTrustDevice has already been cleared on disk.

The AuthRepository.createNewSsoUser KDoc explicitly states: "Upon success the new user will also have the vault automatically unlocked for them." That contract is broken here.

The V2 JIT password flow already handles this correctly — see registerUserForJitPasswordV2 around line 1314:

.flatMap { response ->
    when (val result = vaultRepository.unlockVaultWithMasterPassword(password)) {
        VaultUnlockResult.Success -> response.asSuccess()
        is VaultUnlockError -> {
            (result.error ?: IllegalStateException("Failed to unlock vault"))
                .asFailure()
        }
    }
}

Suggest converting the .map { ... } here to a .flatMap { ... } that turns a VaultUnlockError into Result.failure, matching that pattern. The on-success disk writes can then run inside the Success branch (or in a subsequent .onSuccess).

[david-livefront]

@claude That is intended.

[david-livefront]

Thanks @quexten & @SaintPatrck