[PM-36251] feat: Navigate archive premium upsell through in-app upgrade flow

[andrebispo5]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-36251

📔 Objective

Wires the archive unavailable upsell CTA to the same in-app premium upgrade flow used by the vault list banner, instead of always opening the web vault URL.

• Renames shouldShowPremiumUpgradeBanner → isPremiumUpgradeEligible to better reflect that it checks user eligibility, not banner visibility.
• Extracts isPremiumUpgradeBannerDismissed as a separate StateService method so banner dismissal is a distinct concern.
• Adds isInAppUpgradeAvailable() and navigateToPremiumUpgrade() to VaultListProcessor, encapsulating the routing decision (in-app upgrade flow vs. web vault fallback) based on the feature flag and US storefront.
• The banner respects dismissal; the archive CTA bypasses it so a dismissed banner does not block the user from upgrading via the archive entry point.

[Copilot]

Pull request overview

Routes the “Archive unavailable” upsell CTA through the same premium in-app upgrade flow as the vault list banner (with a web vault URL fallback when in-app upgrade isn’t available), and refactors premium-upgrade banner eligibility vs. dismissal into distinct concerns.

Changes:

• Split premium upgrade logic into eligibility (isPremiumUpgradeEligible) vs. banner dismissal (isPremiumUpgradeBannerDismissed).
• Centralized in-app upgrade availability checks and navigation fallback logic inside VaultListProcessor.
• Updated/added tests to cover banner dismissal behavior and archive CTA routing (in-app vs web fallback).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
BitwardenShared/UI/Vault/Vault/VaultList/VaultListProcessor.swift	Refactors premium upgrade banner visibility logic and routes archive upsell to in-app upgrade when available, otherwise web URL fallback.
BitwardenShared/UI/Vault/Vault/VaultList/VaultListProcessorTests.swift	Updates banner tests for new eligibility/dismissal split; adds archive CTA routing tests.
BitwardenShared/Core/Platform/Services/StateService.swift	Updates StateService API by replacing shouldShowPremiumUpgradeBanner() with eligibility + dismissal methods and implements them in DefaultStateService.
BitwardenShared/Core/Platform/Services/StateServiceTests.swift	Renames/adjusts tests for the new StateService API and adds dismissal-specific tests.
BitwardenShared/Core/Platform/Services/TestHelpers/MockStateService.swift	Updates the mock to match the new StateService API used by tests/processors.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Avoid try? + optional chaining here; if the alert/action isn't present, the test will silently continue and could pass incorrectly. Unwrap the alert and use try await so failures are surfaced.

[Copilot]

Avoid try? + optional chaining here; if the alert/action isn't present, the test will silently continue and could pass incorrectly. Unwrap the alert and use try await so failures are surfaced.

Suggested change

	let alert = coordinator.alertShown.last
	XCTAssertEqual(alert?.title, Localizations.archiveUnavailable)
	XCTAssertEqual(alert?.message, Localizations.archivingItemsIsAPremiumFeatureDescriptionLong)
	try? await alert?.tapAction(title: Localizations.upgradeToPremium)
	let alert = try XCTUnwrap(coordinator.alertShown.last)
	XCTAssertEqual(alert.title, Localizations.archiveUnavailable)
	XCTAssertEqual(alert.message, Localizations.archivingItemsIsAPremiumFeatureDescriptionLong)
	try await alert.tapAction(title: Localizations.upgradeToPremium)

[Copilot]

The doc comment for test_isPremiumUpgradeEligible_true still says eligibility requires the banner to not be dismissed, but isPremiumUpgradeEligible() no longer checks dismissal (that’s covered by isPremiumUpgradeBannerDismissed()). Please update the comment (and consider renaming shouldShow to isEligible for clarity).

[Copilot]

This test claims the archive upgrade flow should work even when the banner is dismissed, but it never sets stateService.isPremiumUpgradeBannerDismissedResult = true. As written it doesn't actually verify the dismissal-bypass behavior.

[Copilot]

Avoid try? + optional chaining here; if the alert/action isn't present, the test will silently continue and could pass incorrectly. Unwrap the alert and use try await so failures are surfaced.

[codecov]

Codecov Report

❌ Patch coverage is 98.37838% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.27%. Comparing base (4568a40) to head (38d45a0).

Files with missing lines	Patch %	Lines
...d/Core/Platform/Services/BillingStateService.swift	81.25%	3 Missing ⚠️
...I/Vault/Vault/VaultGroup/VaultGroupProcessor.swift	94.11%	3 Missing ⚠️
...ultItemSelection/VaultItemSelectionProcessor.swift	94.00%	3 Missing ⚠️
.../UI/Vault/Vault/VaultList/VaultListProcessor.swift	96.29%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2607      +/-   ##
==========================================
- Coverage   87.28%   86.27%   -1.01%     
==========================================
  Files        1908     2137     +229     
  Lines      169827   184896   +15069     
==========================================
+ Hits       148226   159512   +11286     
- Misses      21601    25384    +3783     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fedemkr]

⛏️ I wouldn't say which are the requirements here in the protocol as if they change you need to remember updating this comment as well. Also the caller doesn't need to know which are the requirements just what the function does and returns.
So for easier maintainability I'd just remove this line

Suggested change

/// (free account and 7+ days old).

[fedemkr]

⛏️ I think you can drop the outer parenthesis here:

Suggested change

	await ((try? getPremiumUpgradeBannerDismissed()) ?? false)
	await (try? getPremiumUpgradeBannerDismissed()) ?? false

🤔 Also, I think you should log the error if getPremiumUpgradeBannerDismissed throws and then return false instead of of using try? here. Or is it fine to ignore the errors on this function?

[fedemkr]

🎨 Can't you just return the operation result here?

Suggested change

	guard timeProvider.timeSince(creationDate) >= Constants.premiumUpgradeBannerAccountAge else {
	return false
	}
	return true
	return timeProvider.timeSince(creationDate) >= Constants.premiumUpgradeBannerAccountAge

[fedemkr]

🤔 Shouldn't this be logging the error when hasMinimumCipherCount throws instead of ignoring it?

[fedemkr]

🎨 IMO this services.storefrontService.isUSStorefront should be checked before hasMinimumCipherCount or even services.stateService.isPremiumUpgradeEligible as it should be faster and consume less resources than the others, as it's just a cached value.

[fedemkr]

⛏️ I'd use a guard here to avoid the nesting blocks and be more "Swifty":

Suggested change

	if await isInAppUpgradeAvailable() {
	subscribeToPremiumCheckoutStatus()
	coordinator.navigate(to: .premiumUpgrade)
	} else {
	state.url = services.environmentService.upgradeToPremiumURL
	}
	guard await isInAppUpgradeAvailable() else {
	state.url = services.environmentService.upgradeToPremiumURL
	return
	}
	subscribeToPremiumCheckoutStatus()
	coordinator.navigate(to: .premiumUpgrade)

[fedemkr]

🎨 If the banner has already been dismissed then it's wasteful to check for isInAppUpgradeAvailable as that value doesn't really matter later. So I would rewrite this with short-circuit as:

        let isBannerDismissed = await services.stateService.isPremiumUpgradeBannerDismissed()
        guard !isBannerDismissed else {
            state.shouldShowPremiumUpgradeActionCard = false
            return
        }
        state.shouldShowPremiumUpgradeActionCard = await isInAppUpgradeAvailable()

or like this:

        let isBannerDismissed = await services.stateService.isPremiumUpgradeBannerDismissed()
        state.shouldShowPremiumUpgradeActionCard = !isBannerDismissed && (await isInAppUpgradeAvailable())

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR wires the archive unavailable upsell CTA through the in-app premium upgrade flow used by the vault list banner, introduces a BillingRepository that centralizes the isInAppUpgradeAvailable decision, and extracts BillingStateService as a segregated billing-state protocol. The refactor also breaks up VaultListProcessor.perform into smaller methods and propagates the new handleNavigateToPremiumUpgrade callback through VaultItemMoreOptionsHelper, VaultGroupProcessor, and VaultItemSelectionProcessor. Test coverage is solid across the new repository, the renamed state methods, and the three processors’ premium checkout status branches.

Code Review Details

No new findings beyond those already captured in existing open review threads on this PR. The substantive concerns raised earlier — including the archive-upsell subscription path, the duplication of subscribeToPremiumCheckoutStatus across three processors, the BillingStateService interface segregation, and lock/dismiss handling in BillingCoordinator — are tracked in prior comments and remain the right place to continue that discussion.

Minor observations not worth their own inline:

• VaultListProcessor.swift line 360-363: the outer [weak self] on the Alert.archiveUnavailable action closure is shadowed by the inner [weak self] on the Task and can be dropped for clarity.
• VaultGroupProcessor.subscribeToPremiumCheckoutStatus on .confirmed calls refreshVaultGroup() (which only triggers a sync) but does not refresh state.hasPremium; not a defect in the current call paths since the archive helper reads premium live, but worth keeping in mind if local state.hasPremium is later used to gate UI on this screen.

[claude]

❓ QUESTION: The same Alert.archiveUnavailable is also shown from VaultItemMoreOptionsHelper.archive() (when a non-premium user taps Archive on an individual cipher), but that path still goes straight to services.environmentService.upgradeToPremiumURL and bypasses the new in-app upgrade flow.

Details

BitwardenShared/UI/Vault/Helpers/VaultItemMoreOptionsHelper.swift:131-134:

Alert.archiveUnavailable(action: { [weak self] in
    guard let self else { return }
    handleOpenURL(services.environmentService.upgradeToPremiumURL)
}),

Was the more-options entry point intentionally left out of scope, or should it be migrated to the same navigateToPremiumUpgrade() path so that the identical alert routes consistently from both entry points?

[claude]

⚠️ IMPORTANT: Archive entry navigates to .premiumUpgrade without subscribing to premiumCheckoutStatusPublisher, so a successful checkout never dismisses the upgrade screen.

Details and fix

PremiumUpgradeProcessor.subscribeToPremiumCheckoutStatus only handles .canceled itself; for .confirmed, .pending, and .syncing it relies on the parent owning the dismiss (see the explicit comment in PremiumUpgradeProcessor.swift:120-122: "VaultListProcessor owns the dismiss and all post-dismiss actions via DismissAction for each of these states.").

VaultListProcessor.navigateToPremiumUpgrade() calls subscribeToPremiumCheckoutStatus() before navigating, but the new code path in this helper does not. Concrete consequences when in-app upgrade is available and the user completes checkout from the archive more-options entry:

• The premium upgrade modal does not dismiss after .confirmed (no DismissAction).
• The vault is not refreshed and state.hasPremium is not updated, so the archive group still appears unavailable.
• The "upgrade pending" alert is not shown for .pending.
• The confirming-loading overlay is not shown for .syncing.

VaultItemMoreOptionsHelper is a @MainActor helper, not a StateProcessor, so it cannot reasonably own the dismiss/refresh logic. The cleanest fix is to keep the upsell routing centralized in VaultListProcessor — either by surfacing this through the existing .upgradeToPremium action, or by exposing a coordinator/delegate hook so the processor can subscribe before navigation.

Reference: BitwardenShared/UI/Billing/PremiumUpgrade/PremiumUpgradeProcessor.swift:117-124, BitwardenShared/UI/Vault/Vault/VaultList/VaultListProcessor.swift:562-569.

[fedemkr]

@andrebispo5 have you checked this?

[KatherineInCode]

🤔 BillingRepository is already marked as AutoMockable; we shouldn't need a manual mock, right?

[KatherineInCode]

🤔 Why is it necessary for this to conform to AnyObject?

[KatherineInCode]

🎨 Ideally new tests are Swift Testing, instead of XCTest. The skill in the repo should be able to convert it for you fairly easily

[KatherineInCode]

🤔 I have to wonder if it would make sense to actually put these in a BillingStateService for some sort of interface segregation, like we have with the ConfigStateService, BiometricsStateService, UserSessionStateService, etc.

[fedemkr]

⛏️ Remove what this checks inside. Unless it's strictly necessary this shouldn't be added to protocol docs as the caller should only care in this case if the in-app premium upgrade path is available and not how billing internally checks that.
👍 The callout for the banner dismissal is correct as it's something that callers may need to know for their logic.

Suggested change

	/// Checks (in order):
	/// 1. The `.premiumUpgradePath` feature flag is enabled.
	/// 2. The App Store storefront is in the United States.
	/// 3. The user is eligible for a premium upgrade (not already premium and account is 7+ days old).
	/// 4. The vault contains at least the minimum cipher count.
	///

[fedemkr]

⛏️ You can use comma separated conditions here with one guard:

Suggested change

	guard await configService.getFeatureFlag(.premiumUpgradePath) else { return false }
	guard await storefrontService.isUSStorefront() else { return false }
	guard await stateService.isPremiumUpgradeEligible() else { return false }
	guard await configService.getFeatureFlag(.premiumUpgradePath),
	storefrontService.isUSStorefront(),
	stateService.isPremiumUpgradeEligible()
	else {
	return false
	}

[fedemkr]

🎨 This file is gigantic, could you move this to BillingStateService as an extension so the implementation is there? You can check ServerCommunicationConfigStateService as an example.
Also move its tests.

[fedemkr]

@andrebispo5 have you checked this?

[claude]

♻️ DEBT: New subscribeToPremiumCheckoutStatus() lacks coverage for the .confirmed, .pending, and .syncing branches.

Details

The existing VaultGroupProcessorTests.test_perform_morePressed_navigateToPremiumUpgrade_inAppUpgradeAvailable only asserts that premiumCheckoutStatusPublisher() was called. None of the dismiss / loading-overlay / pending-alert / refreshVaultGroup paths inside this sink are exercised.

VaultListProcessorTests already provides this coverage (test_subscribeToPremiumCheckoutStatus_confirmed/pending/syncing/canceled). Mirroring that pattern here would prevent regressions in the new in-app upgrade flow for vault groups.

The same gap exists in VaultItemSelectionProcessor.swift:166-204 — its tests also only assert the publisher was called, not that .confirmed/.pending/.syncing produce the expected dismiss/alert/overlay behavior.

[andrebispo5]

This navigation will change in a future PR, the amount of work to refactor it is not worth it for now.

[claude]

♻️ DEBT: subscribeToPremiumCheckoutStatus() is duplicated across three processors with only the .confirmed branch differing.

Details and fix

This PR introduces near-identical copies of navigateToPremiumUpgrade() + subscribeToPremiumCheckoutStatus() in VaultListProcessor, VaultGroupProcessor, and VaultItemSelectionProcessor. The .canceled, .pending, and .syncing branches are byte-for-byte the same; only the post-.confirmed action varies (refresh vault list vs. refresh vault group vs. nothing).

This couples three processors to identical orchestration logic. A bug fix or behavior change to the pending/syncing branch must be applied in three places, and the duplication is likely to grow as more entry points are added.

Suggested approaches:

• Extract a PremiumCheckoutFlowHandler (or similar) helper holding the AnyCancellable and accepting an onConfirmed: () async -> Void closure for the variant behavior.
• Or expose the orchestration on the existing BillingService/BillingRepository so processors only inject a confirmation callback.

Worth doing as a follow-up since the pattern is now anchored in three places.

[andrebispo5]

This navigation will change in a future PR, the amount of work to refactor it is not worth it for now.

[fedemkr]

Looks good 🎉