diff --git a/bitwarden-server.slnx b/bitwarden-server.slnx
index 28f4406b31fc..835e4b2b57f8 100644
--- a/bitwarden-server.slnx
+++ b/bitwarden-server.slnx
@@ -19,6 +19,7 @@
+
@@ -26,6 +27,7 @@
+
@@ -37,11 +39,15 @@
+
+
+
+
diff --git a/bitwarden_license/src/Commercial.Core/packages.lock.json b/bitwarden_license/src/Commercial.Core/packages.lock.json
index 5f90fe68bef3..67418c84e1d9 100644
--- a/bitwarden_license/src/Commercial.Core/packages.lock.json
+++ b/bitwarden_license/src/Commercial.Core/packages.lock.json
@@ -1159,6 +1159,7 @@
"BitPay.Light": "[1.0.1907, 1.0.1907]",
"Braintree": "[5.36.0, 5.36.0]",
"CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
"DnsClient": "[1.8.0, 1.8.0]",
"Duende.IdentityServer": "[7.4.6, 7.4.6]",
"DuoUniversal": "[1.3.1, 1.3.1]",
@@ -1183,6 +1184,7 @@
"Newtonsoft.Json": "[13.0.3, 13.0.3]",
"OneOf": "[3.0.271, 3.0.271]",
"Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
"Quartz": "[3.15.1, 3.15.1]",
"Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
"Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
@@ -1195,6 +1197,15 @@
"ZiggyCreatures.FusionCache.Backplane.StackExchangeRedis": "[2.0.2, 2.0.2]",
"ZiggyCreatures.FusionCache.Serialization.SystemTextJson": "[2.0.2, 2.0.2]"
}
+ },
+ "data": {
+ "type": "Project"
+ },
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
}
}
}
diff --git a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/packages.lock.json b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/packages.lock.json
index 1423baf938d1..f7e8b634d243 100644
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/packages.lock.json
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/packages.lock.json
@@ -1315,6 +1315,7 @@
"BitPay.Light": "[1.0.1907, 1.0.1907]",
"Braintree": "[5.36.0, 5.36.0]",
"CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
"DnsClient": "[1.8.0, 1.8.0]",
"Duende.IdentityServer": "[7.4.6, 7.4.6]",
"DuoUniversal": "[1.3.1, 1.3.1]",
@@ -1339,6 +1340,7 @@
"Newtonsoft.Json": "[13.0.3, 13.0.3]",
"OneOf": "[3.0.271, 3.0.271]",
"Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
"Quartz": "[3.15.1, 3.15.1]",
"Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
"Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
@@ -1352,19 +1354,29 @@
"ZiggyCreatures.FusionCache.Serialization.SystemTextJson": "[2.0.2, 2.0.2]"
}
},
+ "data": {
+ "type": "Project"
+ },
"infrastructure.entityframework": {
"type": "Project",
"dependencies": {
"AutoMapper": "[14.0.0, 14.0.0]",
- "Core": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
"Microsoft.EntityFrameworkCore.Relational": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.SqlServer": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.Sqlite": "[8.0.8, 8.0.8]",
"Npgsql.EntityFrameworkCore.PostgreSQL": "[8.0.4, 8.0.4]",
+ "Pam.Domain": "[2026.6.1, )",
"Pomelo.EntityFrameworkCore.MySql": "[8.0.2, 8.0.2]",
"linq2db": "[5.4.1, 5.4.1]",
"linq2db.EntityFrameworkCore": "[8.1.0, 8.1.0]"
}
+ },
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
}
}
}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRequestEndpoints.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRequestEndpoints.cs
new file mode 100644
index 000000000000..7f6cd2a210dd
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRequestEndpoints.cs
@@ -0,0 +1,43 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+
+namespace Bit.Commercial.Pam.Api.Endpoints;
+
+///
+/// The access-requests resource: lease requests through their lifecycle (the requester's own queue plus the
+/// approver's queue and decision). Mirrors the routes the former AccessRequestsController served.
+///
+internal static class AccessRequestEndpoints
+{
+ public static RouteGroupBuilder MapAccessRequestEndpoints(this RouteGroupBuilder group)
+ {
+ group.MapGet("inbox", (AccessRequestEndpointsHandler handler, ClaimsPrincipal user) => handler.GetInbox(user))
+ .WithName("Pam_AccessRequests_GetInbox");
+
+ group.MapGet("history", (AccessRequestEndpointsHandler handler, ClaimsPrincipal user) => handler.GetHistory(user))
+ .WithName("Pam_AccessRequests_GetHistory");
+
+ group.MapGet("mine", (AccessRequestEndpointsHandler handler, ClaimsPrincipal user) => handler.GetMine(user))
+ .WithName("Pam_AccessRequests_GetMine");
+
+ group.MapPost("{id:guid}/decision",
+ (Guid id, AccessDecisionRequestModel model, AccessRequestEndpointsHandler handler, ClaimsPrincipal user) =>
+ handler.Decide(user, id, model))
+ .WithName("Pam_AccessRequests_Decide");
+
+ group.MapPost("{id:guid}/activate",
+ (Guid id, AccessRequestEndpointsHandler handler, ClaimsPrincipal user) => handler.Activate(user, id))
+ .WithName("Pam_AccessRequests_Activate");
+
+ group.MapPost("{id:guid}/revoke",
+ async (Guid id, AccessRequestEndpointsHandler handler, ClaimsPrincipal user) =>
+ {
+ await handler.Revoke(user, id);
+ return TypedResults.NoContent();
+ })
+ .WithName("Pam_AccessRequests_Revoke");
+
+ return group;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRuleEndpoints.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRuleEndpoints.cs
new file mode 100644
index 000000000000..05247c97f21f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/AccessRuleEndpoints.cs
@@ -0,0 +1,36 @@
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+
+namespace Bit.Commercial.Pam.Api.Endpoints;
+
+///
+/// The organizations/{orgId}/access-rules resource: rule CRUD scoped to an organization. Mirrors the routes
+/// the former AccessRulesController served. orgId is bound from the group's route prefix.
+///
+internal static class AccessRuleEndpoints
+{
+ public static RouteGroupBuilder MapAccessRuleEndpoints(this RouteGroupBuilder group)
+ {
+ group.MapGet("", (Guid orgId, AccessRuleEndpointsHandler handler) => handler.GetAll(orgId))
+ .WithName("Pam_AccessRules_GetAll");
+
+ group.MapGet("{id:guid}", (Guid orgId, Guid id, AccessRuleEndpointsHandler handler) => handler.Get(orgId, id))
+ .WithName("Pam_AccessRules_Get");
+
+ group.MapPost("", (Guid orgId, AccessRuleRequestModel model, AccessRuleEndpointsHandler handler) => handler.Post(orgId, model))
+ .WithName("Pam_AccessRules_Post");
+
+ group.MapPut("{id:guid}", (Guid orgId, Guid id, AccessRuleRequestModel model, AccessRuleEndpointsHandler handler) => handler.Put(orgId, id, model))
+ .WithName("Pam_AccessRules_Put");
+
+ group.MapDelete("{id:guid}",
+ async (Guid orgId, Guid id, AccessRuleEndpointsHandler handler) =>
+ {
+ await handler.Delete(orgId, id);
+ return TypedResults.NoContent();
+ })
+ .WithName("Pam_AccessRules_Delete");
+
+ return group;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/CipherLeaseEndpoints.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/CipherLeaseEndpoints.cs
new file mode 100644
index 000000000000..0e2c84b38f49
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/CipherLeaseEndpoints.cs
@@ -0,0 +1,30 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+
+namespace Bit.Commercial.Pam.Api.Endpoints;
+
+///
+/// The ciphers/{id}/lease resource: the per-cipher leasing entry points (pre-check, state, submit).
+/// Mirrors the routes the former CipherLeaseController served. id is bound from the group's route
+/// prefix. The deprecated GET …/lease/cipher read-back is hosted by a small MVC controller in the Api
+/// project (it depends on the Api Vault response models).
+///
+internal static class CipherLeaseEndpoints
+{
+ public static RouteGroupBuilder MapCipherLeaseEndpoints(this RouteGroupBuilder group)
+ {
+ group.MapGet("pre-check", (Guid id, CipherLeaseEndpointsHandler handler, ClaimsPrincipal user) => handler.PreCheck(user, id))
+ .WithName("Pam_CipherLease_PreCheck");
+
+ group.MapGet("state", (Guid id, CipherLeaseEndpointsHandler handler, ClaimsPrincipal user) => handler.State(user, id))
+ .WithName("Pam_CipherLease_State");
+
+ group.MapPost("",
+ (Guid id, AccessRequestCreateRequestModel model, CipherLeaseEndpointsHandler handler, ClaimsPrincipal user) =>
+ handler.Post(user, id, model))
+ .WithName("Pam_CipherLease_Post");
+
+ return group;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilter.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilter.cs
new file mode 100644
index 000000000000..e3a110a9d257
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilter.cs
@@ -0,0 +1,92 @@
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Api;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Filters;
+
+///
+/// Minimal API equivalent of the internal-API branch of Bit.Api.Utilities.ExceptionHandlerFilterAttribute.
+/// Minimal API endpoints do not run MVC exception filters and src/Api has no exception-handling middleware,
+/// so this filter translates thrown exceptions into Bitwarden's with the same
+/// status codes the controllers produced (e.g. → 404 "Resource not found.").
+///
+public class PamExceptionHandlerEndpointFilter : IEndpointFilter
+{
+ public async ValueTask InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+ {
+ try
+ {
+ return await next(context);
+ }
+ catch (Exception exception)
+ {
+ return Handle(exception, context.HttpContext);
+ }
+ }
+
+ private static IResult Handle(Exception exception, HttpContext httpContext)
+ {
+ var message = "An error has occurred.";
+ int statusCode;
+ ErrorResponseModel? validationModel = null;
+
+ switch (exception)
+ {
+ case BadRequestException badRequestException:
+ statusCode = StatusCodes.Status400BadRequest;
+ if (badRequestException.ModelState != null)
+ {
+ validationModel = new ErrorResponseModel(badRequestException.ModelState);
+ }
+ else
+ {
+ message = badRequestException.Message;
+ }
+ break;
+ case NotSupportedException when !string.IsNullOrWhiteSpace(exception.Message):
+ message = exception.Message;
+ statusCode = StatusCodes.Status400BadRequest;
+ break;
+ case ApplicationException:
+ statusCode = StatusCodes.Status402PaymentRequired;
+ break;
+ case NotFoundException:
+ message = "Resource not found.";
+ statusCode = StatusCodes.Status404NotFound;
+ break;
+ case SecurityTokenValidationException:
+ message = "Invalid token.";
+ statusCode = StatusCodes.Status403Forbidden;
+ break;
+ case UnauthorizedAccessException:
+ message = "Unauthorized.";
+ statusCode = StatusCodes.Status401Unauthorized;
+ break;
+ case ConflictException:
+ message = exception.Message;
+ statusCode = StatusCodes.Status409Conflict;
+ break;
+ case AggregateException aggregateException:
+ statusCode = StatusCodes.Status400BadRequest;
+ validationModel = new ErrorResponseModel(message, aggregateException.InnerExceptions.Select(e => e.Message));
+ break;
+ default:
+ httpContext.RequestServices.GetRequiredService>()
+ .LogError(0, exception, "Unhandled exception");
+ message = "An unhandled server error has occurred.";
+ statusCode = StatusCodes.Status500InternalServerError;
+ break;
+ }
+
+ var errorModel = validationModel ?? new ErrorResponseModel(message);
+ var environment = httpContext.RequestServices.GetRequiredService();
+ if (environment.IsDevelopment())
+ {
+ errorModel.ExceptionMessage = exception.Message;
+ errorModel.ExceptionStackTrace = exception.StackTrace;
+ errorModel.InnerExceptionMessage = exception.InnerException?.Message;
+ }
+
+ return Results.Json(errorModel, statusCode: statusCode);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamValidationEndpointFilter.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamValidationEndpointFilter.cs
new file mode 100644
index 000000000000..f2155c40714c
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/PamValidationEndpointFilter.cs
@@ -0,0 +1,44 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Models.Api;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Filters;
+
+///
+/// Minimal API equivalent of the MVC ModelStateValidationFilterAttribute: runs DataAnnotations validation
+/// (including ) over the request-model arguments and, on failure, short-circuits
+/// with Bitwarden's internal 400 — the same body the controllers produced.
+///
+public class PamValidationEndpointFilter : IEndpointFilter
+{
+ private const string RequestModelNamespace = "Bit.Commercial.Pam.Api.Models.Request";
+
+ public async ValueTask InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+ {
+ foreach (var argument in context.Arguments)
+ {
+ if (argument is null || argument.GetType().Namespace != RequestModelNamespace)
+ {
+ continue;
+ }
+
+ var results = new List();
+ if (Validator.TryValidateObject(argument, new ValidationContext(argument), results, validateAllProperties: true))
+ {
+ continue;
+ }
+
+ var validationErrors = results
+ .SelectMany(
+ result => result.MemberNames.Any() ? result.MemberNames : [string.Empty],
+ (result, member) => (member, message: result.ErrorMessage ?? string.Empty))
+ .GroupBy(error => error.member)
+ .ToDictionary(group => group.Key, group => (IEnumerable)group.Select(error => error.message).ToArray());
+
+ return Results.Json(
+ new ErrorResponseModel("The model state is invalid.", validationErrors),
+ statusCode: StatusCodes.Status400BadRequest);
+ }
+
+ return await next(context);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/RequireFeatureEndpointFilter.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/RequireFeatureEndpointFilter.cs
new file mode 100644
index 000000000000..95448d9c43ca
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Filters/RequireFeatureEndpointFilter.cs
@@ -0,0 +1,23 @@
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Filters;
+
+///
+/// Minimal API equivalent of : gates an endpoint group
+/// behind a boolean feature flag. When the flag is disabled a (a
+/// ) is thrown, which renders as a 404.
+///
+public class RequireFeatureEndpointFilter(string featureFlagKey) : IEndpointFilter
+{
+ public async ValueTask InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+ {
+ var featureService = context.HttpContext.RequestServices.GetRequiredService();
+ if (!featureService.IsEnabled(featureFlagKey))
+ {
+ throw new FeatureUnavailableException();
+ }
+
+ return await next(context);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRequestEndpointsHandler.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRequestEndpointsHandler.cs
new file mode 100644
index 000000000000..215f92cccb87
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRequestEndpointsHandler.cs
@@ -0,0 +1,67 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+using Bit.SharedWeb.Models.Response;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Handlers;
+
+///
+/// Handler for the access-requests resource. Holds the logic the AccessRequestsController previously
+/// hosted; the Minimal API endpoints (see AccessRequestEndpoints) resolve this handler from DI.
+///
+public class AccessRequestEndpointsHandler(
+ IUserService userService,
+ IListInboxRequestsQuery listInboxRequestsQuery,
+ IListInboxHistoryQuery listInboxHistoryQuery,
+ IDecideAccessRequestCommand decideAccessRequestCommand,
+ IListMyAccessRequestsQuery listMyAccessRequestsQuery,
+ IActivateAccessRequestCommand activateAccessRequestCommand,
+ ICancelAccessRequestCommand cancelAccessRequestCommand)
+{
+ public async Task> GetInbox(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var requests = await listInboxRequestsQuery.GetPendingAsync(userId);
+ return new ListResponseModel(
+ requests.Select(r => new AccessRequestDetailsResponseModel(r)));
+ }
+
+ public async Task> GetHistory(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var history = await listInboxHistoryQuery.GetHistoryAsync(userId);
+ return new ListResponseModel(
+ history.Select(r => new AccessRequestDetailsResponseModel(r)));
+ }
+
+ public async Task> GetMine(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var requests = await listMyAccessRequestsQuery.GetMineAsync(userId);
+ return new ListResponseModel(
+ requests.Select(r => new AccessRequestDetailsResponseModel(r)));
+ }
+
+ public async Task Decide(ClaimsPrincipal user, Guid id, AccessDecisionRequestModel model)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var result = await decideAccessRequestCommand.DecideAsync(userId, id, model.ToSubmission());
+ return new AccessRequestDetailsResponseModel(result);
+ }
+
+ public async Task Activate(ClaimsPrincipal user, Guid id)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var lease = await activateAccessRequestCommand.ActivateAsync(userId, id);
+ return new AccessLeaseResponseModel(lease);
+ }
+
+ public async Task Revoke(ClaimsPrincipal user, Guid id)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ await cancelAccessRequestCommand.CancelAsync(userId, id);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRuleEndpointsHandler.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRuleEndpointsHandler.cs
new file mode 100644
index 000000000000..9783d2b20401
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/AccessRuleEndpointsHandler.cs
@@ -0,0 +1,83 @@
+using Bit.SharedWeb.Models.Response;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Handlers;
+
+///
+/// Handler for the organizations/{orgId}/access-rules resource. Holds the logic the
+/// AccessRulesController previously hosted; the Minimal API endpoints (see AccessRuleEndpoints)
+/// resolve this handler from DI.
+///
+public class AccessRuleEndpointsHandler(
+ ICurrentContext currentContext,
+ IAccessRuleRepository repository,
+ ICreateAccessRuleCommand createCommand,
+ IUpdateAccessRuleCommand updateCommand,
+ IDeleteAccessRuleCommand deleteCommand)
+{
+ public async Task> GetAll(Guid orgId)
+ {
+ await EnsureMemberAsync(orgId);
+
+ var rules = await repository.GetManyDetailsByOrganizationIdAsync(orgId);
+ return new ListResponseModel(
+ rules.Select(rule => new AccessRuleResponseModel(rule)));
+ }
+
+ public async Task Get(Guid orgId, Guid id)
+ {
+ await EnsureMemberAsync(orgId);
+
+ var rule = await repository.GetDetailsByIdAsync(id);
+ if (rule is null || rule.OrganizationId != orgId)
+ {
+ throw new NotFoundException();
+ }
+
+ return new AccessRuleResponseModel(rule);
+ }
+
+ public async Task Post(Guid orgId, AccessRuleRequestModel model)
+ {
+ await EnsureAdminAsync(orgId);
+
+ var rule = await createCommand.CreateAsync(model.ToAccessRule(orgId), model.Collections);
+ return new AccessRuleResponseModel(rule);
+ }
+
+ public async Task Put(Guid orgId, Guid id, AccessRuleRequestModel model)
+ {
+ await EnsureAdminAsync(orgId);
+
+ var rule = await updateCommand.UpdateAsync(orgId, id, model.ToAccessRule(orgId), model.Collections);
+ return new AccessRuleResponseModel(rule);
+ }
+
+ public async Task Delete(Guid orgId, Guid id)
+ {
+ await EnsureAdminAsync(orgId);
+
+ await deleteCommand.DeleteAsync(orgId, id);
+ }
+
+ private async Task EnsureMemberAsync(Guid orgId)
+ {
+ if (!await currentContext.OrganizationUser(orgId))
+ {
+ throw new NotFoundException();
+ }
+ }
+
+ private async Task EnsureAdminAsync(Guid orgId)
+ {
+ if (!await currentContext.OrganizationAdmin(orgId) && !await currentContext.OrganizationOwner(orgId))
+ {
+ throw new NotFoundException();
+ }
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/CipherLeaseEndpointsHandler.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/CipherLeaseEndpointsHandler.cs
new file mode 100644
index 000000000000..59ae5eafd769
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/CipherLeaseEndpointsHandler.cs
@@ -0,0 +1,41 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Handlers;
+
+///
+/// Handler for the ciphers/{id}/lease resource: the per-cipher leasing entry points (pre-check, state,
+/// submit). The deprecated full-cipher read-back (GET …/lease/cipher) is hosted by a small MVC controller
+/// in the Api project instead, since it depends on the Api Vault response models.
+///
+public class CipherLeaseEndpointsHandler(
+ IUserService userService,
+ IAccessPreCheckQuery preCheckQuery,
+ IGetCipherAccessStateQuery cipherAccessStateQuery,
+ ISubmitAccessRequestCommand submitAccessRequestCommand)
+{
+ public async Task PreCheck(ClaimsPrincipal user, Guid id)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var result = await preCheckQuery.PreCheckAsync(userId, id);
+ return new AccessPreCheckResponseModel(id, result);
+ }
+
+ public async Task State(ClaimsPrincipal user, Guid id)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var result = await cipherAccessStateQuery.GetStateAsync(userId, id);
+ return new CipherAccessStateResponseModel(result);
+ }
+
+ public async Task Post(ClaimsPrincipal user, Guid id, AccessRequestCreateRequestModel model)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var result = await submitAccessRequestCommand.SubmitAsync(userId, id, model.ToSubmission());
+ return new AccessRequestResultResponseModel(result);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/LeaseEndpointsHandler.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/LeaseEndpointsHandler.cs
new file mode 100644
index 000000000000..78c396b7aab0
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/Handlers/LeaseEndpointsHandler.cs
@@ -0,0 +1,59 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+using Bit.SharedWeb.Models.Response;
+
+namespace Bit.Commercial.Pam.Api.Endpoints.Handlers;
+
+///
+/// Handler for the leases resource. Holds the logic the LeasesController previously hosted; the
+/// Minimal API endpoints (see LeaseEndpoints) are thin lambdas that resolve this handler from DI.
+///
+public class LeaseEndpointsHandler(
+ IUserService userService,
+ IListActiveLeasesQuery listActiveLeasesQuery,
+ IListLeaseHistoryQuery listLeaseHistoryQuery,
+ IListMyActiveAccessLeasesQuery listMyActiveAccessLeasesQuery,
+ IRevokeAccessLeaseCommand revokeAccessLeaseCommand,
+ IRequestLeaseExtensionCommand requestLeaseExtensionCommand)
+{
+ public async Task> GetActive(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var leases = await listActiveLeasesQuery.GetActiveAsync(userId);
+ return new ListResponseModel(
+ leases.Select(l => new AccessLeaseResponseModel(l)));
+ }
+
+ public async Task> GetHistory(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var leases = await listLeaseHistoryQuery.GetHistoryAsync(userId);
+ return new ListResponseModel(
+ leases.Select(l => new AccessLeaseResponseModel(l)));
+ }
+
+ public async Task> GetMine(ClaimsPrincipal user)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var leases = await listMyActiveAccessLeasesQuery.GetMineActiveAsync(userId);
+ return new ListResponseModel(
+ leases.Select(l => new AccessLeaseResponseModel(l)));
+ }
+
+ public async Task Revoke(ClaimsPrincipal user, Guid id, AccessLeaseRevokeRequestModel model)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ await revokeAccessLeaseCommand.RevokeAsync(userId, id, model.Reason);
+ }
+
+ public async Task Extend(ClaimsPrincipal user, Guid id, AccessLeaseExtensionRequestModel model)
+ {
+ var userId = userService.GetProperUserId(user)!.Value;
+ var details = await requestLeaseExtensionCommand.ExtendAsync(userId, model.ToSubmission(id));
+ return new AccessRequestDetailsResponseModel(details);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/LeaseEndpoints.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/LeaseEndpoints.cs
new file mode 100644
index 000000000000..c81cd70d8f23
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/LeaseEndpoints.cs
@@ -0,0 +1,39 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+
+namespace Bit.Commercial.Pam.Api.Endpoints;
+
+///
+/// The leases resource: the caller's own leases, the governance surface over manageable collections, and the
+/// per-lease actions (revoke, extend). Mirrors the routes the former LeasesController served.
+///
+internal static class LeaseEndpoints
+{
+ public static RouteGroupBuilder MapLeaseEndpoints(this RouteGroupBuilder group)
+ {
+ group.MapGet("active", (LeaseEndpointsHandler handler, ClaimsPrincipal user) => handler.GetActive(user))
+ .WithName("Pam_Leases_GetActive");
+
+ group.MapGet("history", (LeaseEndpointsHandler handler, ClaimsPrincipal user) => handler.GetHistory(user))
+ .WithName("Pam_Leases_GetHistory");
+
+ group.MapGet("mine", (LeaseEndpointsHandler handler, ClaimsPrincipal user) => handler.GetMine(user))
+ .WithName("Pam_Leases_GetMine");
+
+ group.MapPost("{id:guid}/revoke",
+ async (Guid id, AccessLeaseRevokeRequestModel model, LeaseEndpointsHandler handler, ClaimsPrincipal user) =>
+ {
+ await handler.Revoke(user, id, model);
+ return TypedResults.NoContent();
+ })
+ .WithName("Pam_Leases_Revoke");
+
+ group.MapPost("{id:guid}/extend",
+ (Guid id, AccessLeaseExtensionRequestModel model, LeaseEndpointsHandler handler, ClaimsPrincipal user) =>
+ handler.Extend(user, id, model))
+ .WithName("Pam_Leases_Extend");
+
+ return group;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Endpoints/PamEndpointsExtensions.cs b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/PamEndpointsExtensions.cs
new file mode 100644
index 000000000000..c18eedf73cc5
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Endpoints/PamEndpointsExtensions.cs
@@ -0,0 +1,46 @@
+using Bit.Commercial.Pam.Api.Endpoints.Filters;
+using Bit.Core;
+using Bit.Core.Auth.Identity;
+
+namespace Bit.Commercial.Pam.Api.Endpoints;
+
+///
+/// Maps the PAM HTTP surface as Minimal API endpoint groups. Each resource group shares the same cross-cutting
+/// chain — authorization, exception → ErrorResponseModel translation, the PAM feature gate, and request-model
+/// validation — reproducing what the MVC controllers received from attributes and conventions. Routes are identical
+/// to the controllers they replace.
+///
+public static class PamEndpointsExtensions
+{
+ public static void MapPamEndpoints(this IEndpointRouteBuilder endpoints)
+ {
+ endpoints.MapGroup("/leases").WithPamDefaults().MapLeaseEndpoints();
+ endpoints.MapGroup("/access-requests").WithPamDefaults().MapAccessRequestEndpoints();
+ endpoints.MapGroup("/organizations/{orgId:guid}/access-rules").WithPamDefaults().MapAccessRuleEndpoints();
+ endpoints.MapGroup("/ciphers/{id:guid}/lease").WithPamDefaults().MapCipherLeaseEndpoints();
+ }
+
+ ///
+ /// Applies the shared PAM endpoint chain to a group. Order matters: the exception filter is outermost so it
+ /// translates throws from the feature filter (),
+ /// the validation filter, and the handlers into the ErrorResponseModel contract.
+ ///
+ private static RouteGroupBuilder WithPamDefaults(this RouteGroupBuilder group)
+ {
+ group.RequireAuthorization(Policies.Application);
+ group.AddEndpointFilter();
+ group.RequireFeature(FeatureFlagKeys.Pam);
+ group.AddEndpointFilter();
+ group.WithGroupName("internal");
+ return group;
+ }
+
+ ///
+ /// Minimal API equivalent of [RequireFeature(key)]: gates every endpoint in the group behind the flag.
+ ///
+ public static RouteGroupBuilder RequireFeature(this RouteGroupBuilder group, string featureFlagKey)
+ {
+ group.AddEndpointFilter(new RequireFeatureEndpointFilter(featureFlagKey));
+ return group;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessDecisionRequestModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessDecisionRequestModel.cs
new file mode 100644
index 000000000000..d6b64b3b74ee
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessDecisionRequestModel.cs
@@ -0,0 +1,25 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Commercial.Pam.Models;
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Api.Models.Request;
+
+///
+/// An approver's decision on a pending access request. is the
+/// value on the wire (0 = deny, 1 = approve);
+/// is optional.
+///
+public class AccessDecisionRequestModel
+{
+ [Required]
+ [EnumDataType(typeof(AccessDecisionVerdict))]
+ public AccessDecisionVerdict? Verdict { get; set; }
+
+ public string? Comment { get; set; }
+
+ public AccessDecisionSubmission ToSubmission() => new()
+ {
+ Verdict = Verdict!.Value,
+ Comment = Comment,
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseExtensionRequestModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseExtensionRequestModel.cs
new file mode 100644
index 000000000000..7839824cddd6
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseExtensionRequestModel.cs
@@ -0,0 +1,21 @@
+using Bit.Commercial.Pam.Models;
+namespace Bit.Commercial.Pam.Api.Models.Request;
+
+///
+/// A request to extend an active lease, identified by the route's lease id. The lease's end is pushed out by
+/// ; a justifying is required. Extensions are always auto-approved,
+/// subject to the governing rule allowing extensions and the per-lease maximum not being reached.
+///
+public class AccessLeaseExtensionRequestModel
+{
+ public int DurationSeconds { get; set; }
+
+ public string? Reason { get; set; }
+
+ public AccessLeaseExtensionSubmission ToSubmission(Guid leaseId) => new()
+ {
+ LeaseId = leaseId,
+ DurationSeconds = DurationSeconds,
+ Reason = Reason,
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseRevokeRequestModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseRevokeRequestModel.cs
new file mode 100644
index 000000000000..1bf078f34c89
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessLeaseRevokeRequestModel.cs
@@ -0,0 +1,9 @@
+namespace Bit.Commercial.Pam.Api.Models.Request;
+
+///
+/// A request to revoke an active lease early. is optional and retained for the audit trail.
+///
+public class AccessLeaseRevokeRequestModel
+{
+ public string? Reason { get; set; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRequestCreateRequestModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRequestCreateRequestModel.cs
new file mode 100644
index 000000000000..8af9108c7cc1
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRequestCreateRequestModel.cs
@@ -0,0 +1,26 @@
+using Bit.Commercial.Pam.Models;
+namespace Bit.Commercial.Pam.Api.Models.Request;
+
+///
+/// A request to lease a cipher. Supply for the automatic path, or
+/// / + for the human path. The server validates the shape
+/// against the cipher's resolved approval outcome (run a pre-check first). The cipher is identified by the route.
+///
+public class AccessRequestCreateRequestModel
+{
+ public int? DurationSeconds { get; set; }
+
+ public DateTime? Start { get; set; }
+
+ public DateTime? End { get; set; }
+
+ public string? Reason { get; set; }
+
+ public AccessRequestSubmission ToSubmission() => new()
+ {
+ DurationSeconds = DurationSeconds,
+ Start = Start,
+ End = End,
+ Reason = Reason,
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRuleRequestModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRuleRequestModel.cs
new file mode 100644
index 000000000000..2c5fd18fd521
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Request/AccessRuleRequestModel.cs
@@ -0,0 +1,80 @@
+using System.ComponentModel.DataAnnotations;
+using System.Text.Json;
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.Api.Models.Request;
+
+public class AccessRuleRequestModel
+{
+ [Required]
+ [StringLength(256)]
+ public string Name { get; set; } = null!;
+
+ public string? Description { get; set; }
+
+ [Required]
+ public object Conditions { get; set; } = null!;
+
+ ///
+ /// When true, the rule enforces a per-cipher singleton (at most one active lease per cipher across all users).
+ ///
+ public bool SingleActiveLease { get; set; }
+
+ ///
+ /// Default lease duration in seconds, used to pre-fill a request opened under this rule. Null means the
+ /// backend default applies.
+ ///
+ public int? DefaultLeaseDurationSeconds { get; set; }
+
+ ///
+ /// Hard ceiling on the duration of any single lease granted under this rule, in seconds. Null means no
+ /// per-rule cap.
+ ///
+ public int? MaxLeaseDurationSeconds { get; set; }
+
+ ///
+ /// When false, the rule is inactive and does not gate access for the collections it governs. Defaults to
+ /// true so a request that omits the field creates an active rule.
+ ///
+ public bool Enabled { get; set; } = true;
+
+ ///
+ /// When true, a member holding an active lease under this rule may extend it once (always auto-approved), by up
+ /// to .
+ ///
+ public bool AllowsExtensions { get; set; }
+
+ ///
+ /// The longest a single extension may run, in seconds. Required to be positive when
+ /// is true.
+ ///
+ public int? MaxExtensionDurationSeconds { get; set; }
+
+ ///
+ /// The complete set of collections this rule governs. The rule's associations are replaced to match
+ /// exactly this set; an empty array clears all associations.
+ ///
+ [Required]
+ public IEnumerable Collections { get; set; } = null!;
+
+ public AccessRule ToAccessRule(Guid organizationId) => new()
+ {
+ OrganizationId = organizationId,
+ Name = Name,
+ Description = Description,
+ Conditions = SerializeConditions(Conditions),
+ SingleActiveLease = SingleActiveLease,
+ DefaultLeaseDurationSeconds = DefaultLeaseDurationSeconds,
+ MaxLeaseDurationSeconds = MaxLeaseDurationSeconds,
+ Enabled = Enabled,
+ AllowsExtensions = AllowsExtensions,
+ MaxExtensionDurationSeconds = MaxExtensionDurationSeconds,
+ };
+
+ private static string SerializeConditions(object conditions) => conditions switch
+ {
+ JsonElement je when je.ValueKind == JsonValueKind.Null => string.Empty,
+ JsonElement je => je.GetRawText(),
+ _ => JsonSerializer.Serialize(conditions),
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessDeciderKindNames.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessDeciderKindNames.cs
new file mode 100644
index 000000000000..33b2163a99dc
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessDeciderKindNames.cs
@@ -0,0 +1,20 @@
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// Maps the backend to the vocabulary the client expects on a decision:
+/// human | automatic. Mirrors / .
+///
+public static class AccessDeciderKindNames
+{
+ public const string Human = "human";
+ public const string Automatic = "automatic";
+
+ public static string From(AccessDeciderKind kind) => kind switch
+ {
+ AccessDeciderKind.Human => Human,
+ AccessDeciderKind.Automatic => Automatic,
+ _ => throw new ArgumentOutOfRangeException(nameof(kind), kind, null),
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseResponseModel.cs
new file mode 100644
index 000000000000..2efddaab6e29
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseResponseModel.cs
@@ -0,0 +1,58 @@
+using Bit.Core.Models.Api;
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// An access lease as its requester sees it: the originating request, string status vocabulary, and revocation
+/// fields. Powers the request-submission envelope, the caller-scoped "my active leases" surface, and the cipher
+/// access-state snapshot. Fields without a backing store in v1 (,
+/// ) are null.
+///
+public class AccessLeaseResponseModel : ResponseModel
+{
+ public AccessLeaseResponseModel(AccessLease lease)
+ : base("accessLease")
+ {
+ ArgumentNullException.ThrowIfNull(lease);
+
+ Id = lease.Id;
+ RequestId = lease.AccessRequestId;
+ CipherId = lease.CipherId;
+ CollectionId = lease.CollectionId;
+ OrganizationId = lease.OrganizationId;
+ RequesterId = lease.RequesterId;
+ Status = AccessLeaseStatusNames.From(lease.Status);
+ NotBefore = lease.NotBefore.AsUtc();
+ NotAfter = lease.NotAfter.AsUtc();
+ RevokedAt = lease.RevokedDate.AsUtc();
+ RevokedByUserId = lease.RevokedBy;
+ }
+
+ public Guid Id { get; }
+
+ /// The request this lease was born from.
+ public Guid RequestId { get; }
+
+ public Guid CipherId { get; }
+ public Guid CollectionId { get; }
+
+ /// The access rule that gated the cipher at grant time. Not tracked in v1.
+ public string? RuleId => null;
+
+ public Guid OrganizationId { get; }
+
+ /// The user the lease was granted to (the original requester).
+ public Guid RequesterId { get; }
+
+ /// active | expired | revoked.
+ public string Status { get; }
+
+ public DateTime NotBefore { get; }
+ public DateTime NotAfter { get; }
+ public DateTime? RevokedAt { get; }
+ public Guid? RevokedByUserId { get; }
+
+ /// The reason captured on early revocation. Recorded on the audit decision, not surfaced here in v1.
+ public string? RevocationReason => null;
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseStatusNames.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseStatusNames.cs
new file mode 100644
index 000000000000..7d4ff8423cf3
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessLeaseStatusNames.cs
@@ -0,0 +1,22 @@
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// Maps the backend to the status vocabulary the leasing client expects:
+/// active | expired | revoked. Mirrors for the request side.
+///
+public static class AccessLeaseStatusNames
+{
+ public const string Active = "active";
+ public const string Expired = "expired";
+ public const string Revoked = "revoked";
+
+ public static string From(AccessLeaseStatus status) => status switch
+ {
+ AccessLeaseStatus.Active => Active,
+ AccessLeaseStatus.Expired => Expired,
+ AccessLeaseStatus.Revoked => Revoked,
+ _ => throw new ArgumentOutOfRangeException(nameof(status), status, null),
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessPreCheckResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessPreCheckResponseModel.cs
new file mode 100644
index 000000000000..c15f5b0ad26f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessPreCheckResponseModel.cs
@@ -0,0 +1,29 @@
+using Bit.Commercial.Pam.Enums;
+using Bit.Commercial.Pam.Models;
+using Bit.Core.Models.Api;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+public class AccessPreCheckResponseModel : ResponseModel
+{
+ public AccessPreCheckResponseModel(Guid cipherId, AccessPreCheckResult result)
+ : base("accessPreCheck")
+ {
+ CipherId = cipherId;
+ ApprovalMode = result.ApprovalMode;
+ HasActiveLease = result.HasActiveLease;
+ }
+
+ public Guid CipherId { get; }
+
+ ///
+ /// when a request would be approved immediately,
+ /// when it needs an approver.
+ ///
+ public AccessApprovalMode ApprovalMode { get; }
+
+ ///
+ /// True when the caller already holds an active lease: reveal the credential, no request needed.
+ ///
+ public bool HasActiveLease { get; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDecisionResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDecisionResponseModel.cs
new file mode 100644
index 000000000000..f60b2de27386
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDecisionResponseModel.cs
@@ -0,0 +1,32 @@
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// One decision on an access request: who decided (), their identity for a human decision,
+/// the verdict, an optional comment, and when. An element of
+/// — the request's full decision log, oldest first.
+///
+/// For an automatic (access-rule) decision // are null; for a
+/// human decision they carry the approver (name/email denormalized by the server, null only when the user could not be
+/// resolved).
+///
+public class AccessRequestDecisionResponseModel
+{
+ /// human | automatic.
+ public string DeciderKind { get; init; } = AccessDeciderKindNames.Human;
+
+ /// The human approver, or null for an automatic decision.
+ public Guid? Id { get; init; }
+
+ public string? Name { get; init; }
+
+ public string? Email { get; init; }
+
+ public string? Comment { get; init; }
+
+ /// The verdict reached (0 = deny, 1 = approve).
+ public AccessDecisionVerdict Verdict { get; init; }
+
+ public DateTime DecidedAt { get; init; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDetailsResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDetailsResponseModel.cs
new file mode 100644
index 000000000000..c0e1aa1cd8c7
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestDetailsResponseModel.cs
@@ -0,0 +1,110 @@
+using Bit.Core.Models.Api;
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// An access request with its denormalized display fields (cipher/collection names, requester identity), serving the
+/// approver inbox, the caller's own request list, and the cipher access-state snapshot. Fields without a backing
+/// store in v1 (, ) are always null.
+///
+public class AccessRequestDetailsResponseModel : ResponseModel
+{
+ public AccessRequestDetailsResponseModel(AccessRequestDetails details)
+ : base("accessRequestDetails")
+ {
+ ArgumentNullException.ThrowIfNull(details);
+
+ Id = details.Id;
+ CipherId = details.CipherId;
+ CollectionId = details.CollectionId;
+ OrganizationId = details.OrganizationId;
+ RequesterId = details.RequesterId;
+ Status = AccessRequestStatusNames.From(details.Status, details.ProducedLeaseId.HasValue);
+ RequestedNotBefore = details.NotBefore.AsUtc();
+ RequestedNotAfter = details.NotAfter.AsUtc();
+ RequestedTtlSeconds = (int)(details.NotAfter - details.NotBefore).TotalSeconds;
+ Reason = details.Reason;
+ SubmittedAt = details.CreationDate.AsUtc();
+ ResolvedAt = details.ResolvedDate.AsUtc();
+ // The request's full decision log, oldest first: one element per recorded decision (human or automatic).
+ // Empty only while pending (no decision recorded yet).
+ Decisions = details.Decisions
+ .Select(d => new AccessRequestDecisionResponseModel
+ {
+ DeciderKind = AccessDeciderKindNames.From(d.DeciderKind),
+ Id = d.Id,
+ Name = d.Name,
+ Email = d.Email,
+ Comment = d.Comment,
+ Verdict = d.Verdict,
+ DecidedAt = d.DecidedAt.AsUtc(),
+ })
+ .ToList();
+ ProducedLeaseId = details.ProducedLeaseId;
+ ProducedLeaseStatus = details.ProducedLeaseStatus.HasValue
+ ? AccessLeaseStatusNames.From(details.ProducedLeaseStatus.Value)
+ : null;
+ ExtensionOfLeaseId = details.ExtensionOfLeaseId;
+ CipherName = details.CipherName;
+ CollectionName = details.CollectionName;
+ RequesterName = details.RequesterName;
+ RequesterEmail = details.RequesterEmail;
+ }
+
+ public Guid Id { get; }
+ public Guid CipherId { get; }
+ public Guid CollectionId { get; }
+
+ /// The access rule that gated the cipher at submit time. Not tracked in v1.
+ public string? RuleId => null;
+
+ public Guid OrganizationId { get; }
+ public Guid RequesterId { get; }
+
+ /// pending | approved | activated | denied | canceled | expired.
+ public string Status { get; }
+
+ public DateTime RequestedNotBefore { get; }
+ public DateTime RequestedNotAfter { get; }
+ public int RequestedTtlSeconds { get; }
+ public string? Reason { get; }
+ public DateTime SubmittedAt { get; }
+ public DateTime? ResolvedAt { get; }
+
+ /// Distinct from ; set when an approved request lapses unactivated. Not tracked in v1.
+ public DateTime? ExpiredAt => null;
+
+ ///
+ /// The request's decision log, oldest first — one element per decision (human or automatic). Each carries who
+ /// decided (deciderKind), the verdict, and (for a human decision) the approver's identity and comment.
+ /// Empty only while pending. An array so multi-party approval lands without breaking the contract.
+ ///
+ public IEnumerable Decisions { get; }
+
+ /// Set once an approved request has produced a lease.
+ public Guid? ProducedLeaseId { get; }
+
+ ///
+ /// The produced lease's status (active | expired | revoked), or null when no lease exists. The inbox uses
+ /// this to keep an ended lease out of the "active" group so it is not offered for revocation.
+ ///
+ public string? ProducedLeaseStatus { get; }
+
+ /// The parent lease if this is an extension request.
+ public Guid? ExtensionOfLeaseId { get; }
+
+ ///
+ /// Always null in v0: human requests are window-bound, so itself bounds when an
+ /// approved request can be activated. A separate deadline only becomes meaningful with on-demand (duration-only)
+ /// human requests, which don't exist yet.
+ ///
+ public DateTime? ActivationDeadline => null;
+
+ /// The cipher's client-encrypted name. The only cipher attribute exposed by the inbox.
+ public string? CipherName { get; }
+
+ public string? CollectionName { get; }
+ public string? RequesterName { get; }
+ public string? RequesterEmail { get; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResponseModel.cs
new file mode 100644
index 000000000000..fcb34799d55a
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResponseModel.cs
@@ -0,0 +1,36 @@
+using Bit.Core.Models.Api;
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+public class AccessRequestResponseModel : ResponseModel
+{
+ public AccessRequestResponseModel(AccessRequest request)
+ : base("accessRequest")
+ {
+ ArgumentNullException.ThrowIfNull(request);
+
+ Id = request.Id;
+ CipherId = request.CipherId;
+ CollectionId = request.CollectionId;
+ OrganizationId = request.OrganizationId;
+ Status = AccessRequestStatusNames.From(request.Status, hasLease: false);
+ NotBefore = request.NotBefore.AsUtc();
+ NotAfter = request.NotAfter.AsUtc();
+ Reason = request.Reason;
+ CreationDate = request.CreationDate.AsUtc();
+ }
+
+ public Guid Id { get; }
+ public Guid CipherId { get; }
+ public Guid CollectionId { get; }
+ public Guid OrganizationId { get; }
+
+ /// pending | approved | activated | denied | cancelled | expired.
+ public string Status { get; }
+
+ public DateTime NotBefore { get; }
+ public DateTime NotAfter { get; }
+ public string? Reason { get; }
+ public DateTime CreationDate { get; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResultResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResultResponseModel.cs
new file mode 100644
index 000000000000..5e398e84f11d
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestResultResponseModel.cs
@@ -0,0 +1,26 @@
+using Bit.Commercial.Pam.Enums;
+using Bit.Commercial.Pam.Models;
+using Bit.Core.Models.Api;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+public class AccessRequestResultResponseModel : ResponseModel
+{
+ public AccessRequestResultResponseModel(AccessRequestResult result)
+ : base("accessRequestResult")
+ {
+ ArgumentNullException.ThrowIfNull(result);
+
+ ApprovalMode = result.ApprovalMode;
+ Request = new AccessRequestResponseModel(result.Request);
+ }
+
+ ///
+ /// when the was approved on submit and is ready
+ /// to activate (the client shows "Start lease"), when it is pending an
+ /// approver. No lease is minted at submit on either path; the requester activates the request to start the lease.
+ ///
+ public AccessApprovalMode ApprovalMode { get; }
+
+ public AccessRequestResponseModel Request { get; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestStatusNames.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestStatusNames.cs
new file mode 100644
index 000000000000..a5872777809a
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRequestStatusNames.cs
@@ -0,0 +1,28 @@
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// Maps the backend (plus whether the request has produced a lease) to the status
+/// vocabulary the approver-inbox client expects: pending | approved | activated | denied | cancelled | expired.
+/// An approved request that has produced a lease is reported as activated.
+///
+public static class AccessRequestStatusNames
+{
+ public const string Pending = "pending";
+ public const string Approved = "approved";
+ public const string Activated = "activated";
+ public const string Denied = "denied";
+ public const string Cancelled = "cancelled";
+ public const string Expired = "expired";
+
+ public static string From(AccessRequestStatus status, bool hasLease) => status switch
+ {
+ AccessRequestStatus.Pending => Pending,
+ AccessRequestStatus.Approved => hasLease ? Activated : Approved,
+ AccessRequestStatus.Denied => Denied,
+ AccessRequestStatus.Cancelled => Cancelled,
+ AccessRequestStatus.ExpiredUnanswered => Expired,
+ _ => throw new ArgumentOutOfRangeException(nameof(status), status, null),
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRuleResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRuleResponseModel.cs
new file mode 100644
index 000000000000..778aaddd1732
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/AccessRuleResponseModel.cs
@@ -0,0 +1,60 @@
+using System.Text.Json;
+using Bit.Core.Models.Api;
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+public class AccessRuleResponseModel : ResponseModel
+{
+ public AccessRuleResponseModel(AccessRuleDetails rule)
+ : base("accessRule")
+ {
+ ArgumentNullException.ThrowIfNull(rule);
+
+ Id = rule.Id;
+ OrganizationId = rule.OrganizationId;
+ Name = rule.Name;
+ Description = rule.Description;
+ Conditions = TryParseConditions(rule.Conditions);
+ SingleActiveLease = rule.SingleActiveLease;
+ DefaultLeaseDurationSeconds = rule.DefaultLeaseDurationSeconds;
+ MaxLeaseDurationSeconds = rule.MaxLeaseDurationSeconds;
+ Enabled = rule.Enabled;
+ AllowsExtensions = rule.AllowsExtensions;
+ MaxExtensionDurationSeconds = rule.MaxExtensionDurationSeconds;
+ CreationDate = rule.CreationDate.AsUtc();
+ RevisionDate = rule.RevisionDate.AsUtc();
+ Collections = rule.CollectionIds.ToList();
+ }
+
+ public Guid Id { get; }
+ public Guid OrganizationId { get; }
+ public string Name { get; }
+ public string? Description { get; }
+ public JsonElement? Conditions { get; }
+ public bool SingleActiveLease { get; }
+ public int? DefaultLeaseDurationSeconds { get; }
+ public int? MaxLeaseDurationSeconds { get; }
+ public bool Enabled { get; }
+ public bool AllowsExtensions { get; }
+ public int? MaxExtensionDurationSeconds { get; }
+ public DateTime CreationDate { get; }
+ public DateTime RevisionDate { get; }
+ public IEnumerable Collections { get; }
+
+ private static JsonElement? TryParseConditions(string? conditionsJson)
+ {
+ if (string.IsNullOrEmpty(conditionsJson))
+ {
+ return null;
+ }
+ try
+ {
+ return JsonDocument.Parse(conditionsJson).RootElement;
+ }
+ catch (JsonException)
+ {
+ return null;
+ }
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/CipherAccessStateResponseModel.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/CipherAccessStateResponseModel.cs
new file mode 100644
index 000000000000..8e3e124b2bae
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/CipherAccessStateResponseModel.cs
@@ -0,0 +1,42 @@
+using Bit.Commercial.Pam.Models;
+using Bit.Core.Models.Api;
+
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// A single-snapshot read of the caller's access state for one cipher, powering the cipher-view banner and the
+/// vault-row badge. At most one of the three branches is meaningfully "next": an active lease authorizes access, a
+/// pending request awaits a decision, and an approved request awaits activation by the caller.
+///
+public class CipherAccessStateResponseModel : ResponseModel
+{
+ public CipherAccessStateResponseModel(CipherAccessState state)
+ : base("cipherAccessState")
+ {
+ ArgumentNullException.ThrowIfNull(state);
+
+ CipherId = state.CipherId;
+ ActiveLease = state.ActiveLease is null ? null : new AccessLeaseResponseModel(state.ActiveLease);
+ PendingRequest = state.PendingRequest is null ? null : new AccessRequestDetailsResponseModel(state.PendingRequest);
+ ApprovedRequest = state.ApprovedRequest is null ? null : new AccessRequestDetailsResponseModel(state.ApprovedRequest);
+ ExtensionsAllowed = state.ExtensionsAllowed;
+ MaxExtensionDurationSeconds = state.MaxExtensionDurationSeconds;
+ }
+
+ public Guid CipherId { get; }
+
+ public AccessLeaseResponseModel? ActiveLease { get; }
+ public AccessRequestDetailsResponseModel? PendingRequest { get; }
+
+ ///
+ /// An approved request awaiting activation, with a window that can still produce access. The caller activates it
+ /// to mint the lease; lapsed approvals are never surfaced here.
+ ///
+ public AccessRequestDetailsResponseModel? ApprovedRequest { get; }
+
+ /// Whether the active lease can still be extended (the rule opts in and it has not been extended yet).
+ public bool ExtensionsAllowed { get; }
+
+ /// The longest a single extension of the active lease may run, in seconds; null when there is no cap or no active lease.
+ public int? MaxExtensionDurationSeconds { get; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/Models/Response/PamDateTimeExtensions.cs b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/PamDateTimeExtensions.cs
new file mode 100644
index 000000000000..d170b50902cd
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/Models/Response/PamDateTimeExtensions.cs
@@ -0,0 +1,23 @@
+namespace Bit.Commercial.Pam.Api.Models.Response;
+
+///
+/// Marks PAM response timestamps as UTC for serialization.
+///
+/// PAM entities and read models are materialised by Dapper, which leaves their as
+/// . System.Text.Json then writes an unspecified-kind value with no timezone
+/// designator (e.g. "2026-06-15T13:00:00"), which a JavaScript client parses as local time. For any
+/// client east/west of UTC the instant shifts — and in the approver inbox that shift drops still-valid requests whose
+/// requested window only appears to have lapsed.
+///
+/// The stored values are already UTC instants (the commands stamp them from UtcNow), so we relabel the kind
+/// with . We deliberately do not use ToUniversalTime(), which treats an
+/// unspecified value as local and would shift the clock. This mirrors the convention in CipherRepository, which
+/// specifies UTC on the dates it returns.
+///
+internal static class PamDateTimeExtensions
+{
+ public static DateTime AsUtc(this DateTime value) => DateTime.SpecifyKind(value, DateTimeKind.Utc);
+
+ public static DateTime? AsUtc(this DateTime? value) =>
+ value.HasValue ? DateTime.SpecifyKind(value.Value, DateTimeKind.Utc) : null;
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Api/PamApiServiceCollectionExtensions.cs b/bitwarden_license/src/Commercial.Pam/Api/PamApiServiceCollectionExtensions.cs
new file mode 100644
index 000000000000..fd4376aa8dc1
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Api/PamApiServiceCollectionExtensions.cs
@@ -0,0 +1,19 @@
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+
+namespace Bit.Commercial.Pam.Api;
+
+public static class PamApiServiceCollectionExtensions
+{
+ ///
+ /// Registers the PAM Minimal API endpoint handlers. The endpoints (see PamEndpointsExtensions) resolve
+ /// these from DI. PAM is a commercial feature, so this is only wired in non-OSS builds.
+ ///
+ public static IServiceCollection AddPamApiServices(this IServiceCollection services)
+ {
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ return services;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Commercial.Pam.csproj b/bitwarden_license/src/Commercial.Pam/Commercial.Pam.csproj
new file mode 100644
index 000000000000..53fe2115f558
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Commercial.Pam.csproj
@@ -0,0 +1,29 @@
+
+
+
+ Bit.Commercial.Pam
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/bitwarden_license/src/Commercial.Pam/Engine/AccessEvaluation.cs b/bitwarden_license/src/Commercial.Pam/Engine/AccessEvaluation.cs
new file mode 100644
index 000000000000..d21c67772673
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Engine/AccessEvaluation.cs
@@ -0,0 +1,49 @@
+namespace Bit.Commercial.Pam.Engine;
+
+public enum AccessEvaluationOutcome
+{
+ Allow,
+ RequiresApproval,
+ Deny,
+}
+
+public enum DenyReason
+{
+ None = 0,
+ NotWithinIpRange,
+ NotWithinTimeWindow,
+ UnsupportedCondition,
+}
+
+public sealed record AccessEvaluation
+{
+ public required AccessEvaluationOutcome Outcome { get; init; }
+ public DenyReason Reason { get; init; } = DenyReason.None;
+
+ public static AccessEvaluation Allow { get; } = new() { Outcome = AccessEvaluationOutcome.Allow };
+ public static AccessEvaluation RequiresApproval { get; } = new() { Outcome = AccessEvaluationOutcome.RequiresApproval };
+
+ public static AccessEvaluation Deny(DenyReason reason) => new()
+ {
+ Outcome = AccessEvaluationOutcome.Deny,
+ Reason = reason
+ };
+
+ public static AccessEvaluation Combine(IEnumerable evaluations)
+ {
+ var requiresApproval = false;
+ foreach (var evaluation in evaluations)
+ {
+ switch (evaluation.Outcome)
+ {
+ case AccessEvaluationOutcome.Deny:
+ return evaluation;
+ case AccessEvaluationOutcome.RequiresApproval:
+ requiresApproval = true;
+ break;
+ }
+ }
+
+ return requiresApproval ? RequiresApproval : Allow;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Engine/AccessRuleEngine.cs b/bitwarden_license/src/Commercial.Pam/Engine/AccessRuleEngine.cs
new file mode 100644
index 000000000000..453c054bbb3b
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Engine/AccessRuleEngine.cs
@@ -0,0 +1,82 @@
+using System.Globalization;
+using System.Net;
+using Bit.Commercial.Pam.Models.Conditions;
+
+namespace Bit.Commercial.Pam.Engine;
+
+///
+/// Evaluates the access rule's flat list of s against the caller's signals. Each
+/// condition yields an ; the results combine with deny taking precedence over a
+/// pending approval, which in turn takes precedence over allow. An empty list is vacuously satisfied (allow).
+/// Unparseable inputs fail closed before they reach the engine.
+///
+public sealed class AccessRuleEngine : IAccessRuleEngine
+{
+ public AccessEvaluation Evaluate(IReadOnlyList conditions, AccessSignals signals) =>
+ AccessEvaluation.Combine(conditions.Select(condition => EvaluateCondition(condition, signals)));
+
+ private static AccessEvaluation EvaluateCondition(AccessCondition condition, AccessSignals signals) => condition switch
+ {
+ HumanApprovalCondition => AccessEvaluation.RequiresApproval,
+ IpAllowlistCondition ip => EvaluateIpAllowlist(ip, signals),
+ TimeOfDayCondition time => EvaluateTimeOfDay(time, signals),
+ // A condition kind the engine does not understand cannot be shown to be satisfied, so deny.
+ _ => AccessEvaluation.Deny(DenyReason.UnsupportedCondition),
+ };
+
+ private static AccessEvaluation EvaluateIpAllowlist(IpAllowlistCondition condition, AccessSignals signals)
+ {
+ // An allowlist with no entries permits no address; combined with an unknown caller IP, both fail closed.
+ if (condition.Cidrs.Count == 0 || signals.IpAddress is null)
+ {
+ return AccessEvaluation.Deny(DenyReason.NotWithinIpRange);
+ }
+
+ foreach (var cidr in condition.Cidrs)
+ {
+ if (IPNetwork.TryParse(cidr, out var network) && network.Contains(signals.IpAddress))
+ {
+ return AccessEvaluation.Allow;
+ }
+ }
+
+ return AccessEvaluation.Deny(DenyReason.NotWithinIpRange);
+ }
+
+ private static AccessEvaluation EvaluateTimeOfDay(TimeOfDayCondition condition, AccessSignals signals)
+ {
+ if (!TimeZoneInfo.TryFindSystemTimeZoneById(condition.Tz, out var timeZone))
+ {
+ // The window cannot be evaluated without a valid timezone, so fail closed.
+ return AccessEvaluation.Deny(DenyReason.NotWithinTimeWindow);
+ }
+
+ var local = TimeZoneInfo.ConvertTime(signals.Timestamp, timeZone);
+ var day = local.DayOfWeek;
+ var time = TimeOnly.FromTimeSpan(local.TimeOfDay);
+
+ foreach (var window in condition.Windows)
+ {
+ if (WindowContains(window, day, time))
+ {
+ return AccessEvaluation.Allow;
+ }
+ }
+
+ return AccessEvaluation.Deny(DenyReason.NotWithinTimeWindow);
+ }
+
+ private static bool WindowContains(TimeWindow window, DayOfWeek day, TimeOnly time)
+ {
+ // AccessWeekday values align with System.DayOfWeek (Sunday = 0), so a direct cast compares correctly.
+ var dayMatches = window.Days.Any(d => (DayOfWeek)d == day);
+ if (!dayMatches)
+ {
+ return false;
+ }
+
+ return TimeOnly.TryParseExact(window.From, "HH:mm", CultureInfo.InvariantCulture, DateTimeStyles.None, out var from)
+ && TimeOnly.TryParseExact(window.To, "HH:mm", CultureInfo.InvariantCulture, DateTimeStyles.None, out var to)
+ && time >= from && time <= to;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Engine/AccessSignals.cs b/bitwarden_license/src/Commercial.Pam/Engine/AccessSignals.cs
new file mode 100644
index 000000000000..6594abd104c0
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Engine/AccessSignals.cs
@@ -0,0 +1,25 @@
+using System.Net;
+
+namespace Bit.Commercial.Pam.Engine;
+
+///
+/// The request-time inputs an access rule is evaluated against: the caller's source IP and the instant the
+/// evaluation is performed. is null when the caller's address cannot be determined, which
+/// IP-restricted rules treat as a denial so access never opens up on a missing signal.
+///
+public sealed record AccessSignals
+{
+ public required IPAddress? IpAddress { get; init; }
+ public required DateTimeOffset Timestamp { get; init; }
+
+ ///
+ /// Builds the signals for the current request: the caller's source IP (parsed, or null when it is absent or
+ /// unparseable) and the supplied evaluation . Callers typically pass the request's
+ /// source address (e.g. ICurrentContext.IpAddress).
+ ///
+ public static AccessSignals From(string? ipAddress, DateTimeOffset timestamp) => new()
+ {
+ IpAddress = IPAddress.TryParse(ipAddress, out var ip) ? ip : null,
+ Timestamp = timestamp,
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Engine/IAccessRuleEngine.cs b/bitwarden_license/src/Commercial.Pam/Engine/IAccessRuleEngine.cs
new file mode 100644
index 000000000000..b3cd1c003525
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Engine/IAccessRuleEngine.cs
@@ -0,0 +1,14 @@
+using Bit.Commercial.Pam.Models.Conditions;
+
+namespace Bit.Commercial.Pam.Engine;
+
+///
+/// Evaluates an access rule's conditions — a flat list of ANDed together — against
+/// the request-time , deciding whether access is allowed, denied, or gated on human
+/// approval. The engine is pure: it reads no state and issues no leases. Lease lifecycle is owned by the lease
+/// commands and queries, which call the engine to decide whether a lease may be issued or its data handed over.
+///
+public interface IAccessRuleEngine
+{
+ AccessEvaluation Evaluate(IReadOnlyList conditions, AccessSignals signals);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Enums/AccessApprovalMode.cs b/bitwarden_license/src/Commercial.Pam/Enums/AccessApprovalMode.cs
new file mode 100644
index 000000000000..4ba9a6867356
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Enums/AccessApprovalMode.cs
@@ -0,0 +1,11 @@
+namespace Bit.Commercial.Pam.Enums;
+
+///
+/// The approval path a lease request will take, surfaced by the pre-check so the client can present the right
+/// workflow: (pick a duration) or (pick a window + justify).
+///
+public enum AccessApprovalMode : byte
+{
+ Automatic = 0,
+ Human = 1,
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Enums/AccessWeekday.cs b/bitwarden_license/src/Commercial.Pam/Enums/AccessWeekday.cs
new file mode 100644
index 000000000000..b8693bb06d6c
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Enums/AccessWeekday.cs
@@ -0,0 +1,21 @@
+using System.Text.Json.Serialization;
+using Bit.Commercial.Pam.Models.Conditions;
+
+namespace Bit.Commercial.Pam.Enums;
+
+///
+/// A day of the week used in a window. Values align with
+/// (Sunday = 0) so the engine can compare directly. Serialized as the lowercase
+/// three-letter tokens ("sun".."sat") via .
+///
+[JsonConverter(typeof(AccessWeekdayJsonConverter))]
+public enum AccessWeekday : byte
+{
+ Sun = 0,
+ Mon = 1,
+ Tue = 2,
+ Wed = 3,
+ Thu = 4,
+ Fri = 5,
+ Sat = 6,
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/AccessDecisionSubmission.cs b/bitwarden_license/src/Commercial.Pam/Models/AccessDecisionSubmission.cs
new file mode 100644
index 000000000000..28f3ce21c814
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/AccessDecisionSubmission.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// An approver's decision on a pending lease request: approve or deny, with an optional comment.
+///
+public sealed class AccessDecisionSubmission
+{
+ public required AccessDecisionVerdict Verdict { get; init; }
+ public string? Comment { get; init; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/AccessLeaseExtensionSubmission.cs b/bitwarden_license/src/Commercial.Pam/Models/AccessLeaseExtensionSubmission.cs
new file mode 100644
index 000000000000..bb3b975ed5d4
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/AccessLeaseExtensionSubmission.cs
@@ -0,0 +1,13 @@
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// A request to extend an active lease. Extensions are always auto-approved, subject to the governing rule's
+/// AllowsExtensions / MaxExtensionDurationSeconds settings: the lease's end is pushed out by
+/// in place (no new lease is minted), and a justifying is required.
+///
+public sealed class AccessLeaseExtensionSubmission
+{
+ public Guid LeaseId { get; init; }
+ public int DurationSeconds { get; init; }
+ public string? Reason { get; init; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/AccessPreCheckResult.cs b/bitwarden_license/src/Commercial.Pam/Models/AccessPreCheckResult.cs
new file mode 100644
index 000000000000..1400384739d0
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/AccessPreCheckResult.cs
@@ -0,0 +1,10 @@
+using Bit.Commercial.Pam.Enums;
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// The result of a pre-check. When is true the caller already holds an active lease for
+/// the cipher, so the client should reveal the credential rather than prompt for a new request; otherwise
+/// describes whether a fresh request would be approved automatically or require human
+/// approval.
+///
+public sealed record AccessPreCheckResult(AccessApprovalMode ApprovalMode, bool HasActiveLease = false);
diff --git a/bitwarden_license/src/Commercial.Pam/Models/AccessRequestResult.cs b/bitwarden_license/src/Commercial.Pam/Models/AccessRequestResult.cs
new file mode 100644
index 000000000000..005602cd4267
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/AccessRequestResult.cs
@@ -0,0 +1,23 @@
+using Bit.Commercial.Pam.Enums;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// The result of submitting an access request. Neither path mints a lease at submit: the
+/// path creates an already-
+/// the requester then activates to start the lease, while the
+/// path creates a request to await
+/// an approver. tells the client which workflow to present.
+///
+public sealed record AccessRequestResult(
+ AccessApprovalMode ApprovalMode,
+ AccessRequest Request)
+{
+ public static AccessRequestResult Automatic(AccessRequest request) =>
+ new(AccessApprovalMode.Automatic, request);
+
+ public static AccessRequestResult Human(AccessRequest request) =>
+ new(AccessApprovalMode.Human, request);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/AccessRequestSubmission.cs b/bitwarden_license/src/Commercial.Pam/Models/AccessRequestSubmission.cs
new file mode 100644
index 000000000000..cd473ddfddc9
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/AccessRequestSubmission.cs
@@ -0,0 +1,14 @@
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// A request to lease a cipher. The automatic path supplies (and an optional
+/// ); the human path supplies a / window and a required
+/// . The command validates the shape against the cipher's resolved approval outcome.
+///
+public sealed class AccessRequestSubmission
+{
+ public int? DurationSeconds { get; init; }
+ public DateTime? Start { get; init; }
+ public DateTime? End { get; init; }
+ public string? Reason { get; init; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/CipherAccessState.cs b/bitwarden_license/src/Commercial.Pam/Models/CipherAccessState.cs
new file mode 100644
index 000000000000..0cfd604abd06
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/CipherAccessState.cs
@@ -0,0 +1,20 @@
+using Bit.Pam.Entities;
+
+using Bit.Pam.Models;
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// The caller's access state for a single cipher: the active lease they hold (if any), their pending request (if
+/// any), and their approved-but-not-yet-activated request (if any). Approval no longer mints the lease, so the
+/// approved request is the startable state in between — the caller activates it to produce the active lease.
+/// ExtensionsAllowed says whether the active lease can still be extended (the rule opts in and it has not been
+/// extended yet — a lease may be extended once); MaxExtensionDurationSeconds is the longest a single extension may
+/// run, so the banner can gate its "Extend" control and cap the duration picker.
+///
+public record CipherAccessState(
+ Guid CipherId,
+ AccessLease? ActiveLease,
+ AccessRequestDetails? PendingRequest,
+ AccessRequestDetails? ApprovedRequest,
+ bool ExtensionsAllowed = false,
+ int? MaxExtensionDurationSeconds = null);
diff --git a/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessCondition.cs b/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessCondition.cs
new file mode 100644
index 000000000000..cf68f6e0a7aa
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessCondition.cs
@@ -0,0 +1,13 @@
+using System.Text.Json.Serialization;
+
+namespace Bit.Commercial.Pam.Models.Conditions;
+
+///
+/// Base type for a single leaf condition in an access rule's flat conditions list. Polymorphic deserialization is
+/// keyed by the JSON kind property.
+///
+[JsonPolymorphic(TypeDiscriminatorPropertyName = "kind", UnknownDerivedTypeHandling = JsonUnknownDerivedTypeHandling.FailSerialization)]
+[JsonDerivedType(typeof(HumanApprovalCondition), "human_approval")]
+[JsonDerivedType(typeof(IpAllowlistCondition), "ip_allowlist")]
+[JsonDerivedType(typeof(TimeOfDayCondition), "time_of_day")]
+public abstract class AccessCondition;
diff --git a/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessWeekdayJsonConverter.cs b/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessWeekdayJsonConverter.cs
new file mode 100644
index 000000000000..cb463cacf51b
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/Conditions/AccessWeekdayJsonConverter.cs
@@ -0,0 +1,52 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Bit.Commercial.Pam.Enums;
+
+namespace Bit.Commercial.Pam.Models.Conditions;
+
+///
+/// (De)serializes as the lowercase three-letter tokens the conditions JSON uses
+/// ("sun".."sat"), keeping the wire format stable while the value is strongly typed in C#. This is the
+/// single source of truth for the accepted day vocabulary; an unknown token fails closed with a
+/// .
+///
+public sealed class AccessWeekdayJsonConverter : JsonConverter
+{
+ private static readonly IReadOnlyDictionary _fromToken =
+ new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["sun"] = AccessWeekday.Sun,
+ ["mon"] = AccessWeekday.Mon,
+ ["tue"] = AccessWeekday.Tue,
+ ["wed"] = AccessWeekday.Wed,
+ ["thu"] = AccessWeekday.Thu,
+ ["fri"] = AccessWeekday.Fri,
+ ["sat"] = AccessWeekday.Sat,
+ };
+
+ public override AccessWeekday Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+ {
+ if (reader.TokenType == JsonTokenType.String &&
+ _fromToken.TryGetValue(reader.GetString()!, out var day))
+ {
+ return day;
+ }
+
+ throw new JsonException("Invalid day. Expected one of: sun, mon, tue, wed, thu, fri, sat.");
+ }
+
+ public override void Write(Utf8JsonWriter writer, AccessWeekday value, JsonSerializerOptions options) =>
+ writer.WriteStringValue(ToToken(value));
+
+ private static string ToToken(AccessWeekday day) => day switch
+ {
+ AccessWeekday.Sun => "sun",
+ AccessWeekday.Mon => "mon",
+ AccessWeekday.Tue => "tue",
+ AccessWeekday.Wed => "wed",
+ AccessWeekday.Thu => "thu",
+ AccessWeekday.Fri => "fri",
+ AccessWeekday.Sat => "sat",
+ _ => throw new ArgumentOutOfRangeException(nameof(day), day, null),
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/Conditions/HumanApprovalCondition.cs b/bitwarden_license/src/Commercial.Pam/Models/Conditions/HumanApprovalCondition.cs
new file mode 100644
index 000000000000..73bbf53a15b1
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/Conditions/HumanApprovalCondition.cs
@@ -0,0 +1,6 @@
+namespace Bit.Commercial.Pam.Models.Conditions;
+
+///
+/// Always requires a human decision before a lease can be issued.
+///
+public sealed class HumanApprovalCondition : AccessCondition;
diff --git a/bitwarden_license/src/Commercial.Pam/Models/Conditions/IpAllowlistCondition.cs b/bitwarden_license/src/Commercial.Pam/Models/Conditions/IpAllowlistCondition.cs
new file mode 100644
index 000000000000..9f095b778311
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/Conditions/IpAllowlistCondition.cs
@@ -0,0 +1,9 @@
+namespace Bit.Commercial.Pam.Models.Conditions;
+
+///
+/// Auto-approves a lease when the requester's IP matches a listed CIDR; otherwise denies.
+///
+public sealed class IpAllowlistCondition : AccessCondition
+{
+ public IReadOnlyList Cidrs { get; init; } = [];
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/Conditions/TimeOfDayCondition.cs b/bitwarden_license/src/Commercial.Pam/Models/Conditions/TimeOfDayCondition.cs
new file mode 100644
index 000000000000..ee1be2a44eed
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/Conditions/TimeOfDayCondition.cs
@@ -0,0 +1,19 @@
+using Bit.Commercial.Pam.Enums;
+namespace Bit.Commercial.Pam.Models.Conditions;
+
+///
+/// Auto-approves a lease when the request falls inside one of the configured windows, evaluated in
+/// the named IANA timezone; otherwise denies.
+///
+public sealed class TimeOfDayCondition : AccessCondition
+{
+ public string Tz { get; init; } = string.Empty;
+ public IReadOnlyList Windows { get; init; } = [];
+}
+
+public sealed class TimeWindow
+{
+ public IReadOnlyList Days { get; init; } = [];
+ public string From { get; init; } = string.Empty;
+ public string To { get; init; } = string.Empty;
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Models/GoverningRule.cs b/bitwarden_license/src/Commercial.Pam/Models/GoverningRule.cs
new file mode 100644
index 000000000000..05caab465854
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Models/GoverningRule.cs
@@ -0,0 +1,28 @@
+using Bit.Commercial.Pam.Models.Conditions;
+
+namespace Bit.Commercial.Pam.Models;
+
+///
+/// The access rule that governs a cipher for a particular caller: which collection's rule applies, the owning
+/// organization, whether the rule requires human approval, and the parsed flat list of s
+/// so the rule engine can evaluate them against the caller's signals. A null governing rule means the cipher is not
+/// leasing-gated for the caller.
+///
+public sealed record GoverningRule(
+ Guid OrganizationId,
+ Guid CollectionId,
+ bool RequiresHumanApproval,
+ IReadOnlyList Conditions)
+{
+ ///
+ /// When true, a member holding an active lease under this rule may extend it once (always auto-approved), by up
+ /// to .
+ ///
+ public bool AllowsExtensions { get; init; }
+
+ ///
+ /// The longest a single extension under this rule may run, in seconds; meaningful only when
+ /// is true.
+ ///
+ public int? MaxExtensionDurationSeconds { get; init; }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/ActivateAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/ActivateAccessRequestCommand.cs
new file mode 100644
index 000000000000..2069e61e9445
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/ActivateAccessRequestCommand.cs
@@ -0,0 +1,127 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class ActivateAccessRequestCommand : IActivateAccessRequestCommand
+{
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly ISingleActiveLeaseEvaluator _singleActiveLeaseEvaluator;
+ private readonly TimeProvider _timeProvider;
+
+ public ActivateAccessRequestCommand(
+ IAccessRequestRepository accessRequestRepository,
+ IAccessLeaseRepository accessLeaseRepository,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ ISingleActiveLeaseEvaluator singleActiveLeaseEvaluator,
+ TimeProvider timeProvider)
+ {
+ _accessRequestRepository = accessRequestRepository;
+ _accessLeaseRepository = accessLeaseRepository;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _singleActiveLeaseEvaluator = singleActiveLeaseEvaluator;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task ActivateAsync(Guid userId, Guid requestId)
+ {
+ var request = await _accessRequestRepository.GetByIdAsync(requestId);
+
+ // 404 for both missing and someone else's request, so the caller can't probe for requests they don't own.
+ if (request is null || request.RequesterId != userId)
+ {
+ throw new NotFoundException();
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+ // Activation is idempotent while the produced lease is live (double-click, a second tab racing the
+ // auto-activating open flow); a revoked or lapsed lease is final — a request authorizes access at most once.
+ var existing = await _accessLeaseRepository.GetByAccessRequestIdAsync(request.Id);
+ if (existing is not null)
+ {
+ if (existing.Status == AccessLeaseStatus.Active && existing.NotAfter > now)
+ {
+ return existing;
+ }
+ throw new ConflictException("This request's access has already been used and is no longer active.");
+ }
+
+ if (request.Status != AccessRequestStatus.Approved)
+ {
+ throw new ConflictException(request.Status == AccessRequestStatus.Pending
+ ? "This request has not been approved yet."
+ : "This request can no longer be activated.");
+ }
+
+ if (request.NotBefore > now)
+ {
+ throw new BadRequestException("The approved access window has not started yet.");
+ }
+
+ if (request.NotAfter <= now)
+ {
+ throw new BadRequestException("The approved access window has already ended.");
+ }
+
+ var lease = new AccessLease
+ {
+ AccessRequestId = request.Id,
+ OrganizationId = request.OrganizationId,
+ CollectionId = request.CollectionId,
+ CipherId = request.CipherId,
+ RequesterId = request.RequesterId,
+ Status = AccessLeaseStatus.Active,
+ // Activation mints the window the approver approved, exactly as the old approval-time path did; the
+ // creation date is the activation audit timestamp (no decision row is written — approval was the
+ // decision).
+ NotBefore = request.NotBefore,
+ NotAfter = request.NotAfter,
+ CreationDate = now,
+ };
+ lease.SetNewId();
+
+ // The per-cipher singleton binds only when every path the caller reaches the cipher through is governed by a
+ // singleton rule; an escape path leaves them unconstrained. The mint proc enforces it under a range lock.
+ var enforceSingleActiveLease = await _singleActiveLeaseEvaluator.AppliesAsync(userId, request.CipherId);
+
+ var outcome = await _accessLeaseRepository.CreateFromApprovedRequestAsync(lease, now, enforceSingleActiveLease);
+
+ if (outcome == AccessLeaseMintOutcome.SingleActiveLeaseConflict)
+ {
+ throw new ConflictException("Another active lease exists for this item. Try again once it ends.");
+ }
+
+ if (outcome == AccessLeaseMintOutcome.PreconditionFailed)
+ {
+ // Lost a race: the guarded insert re-checks every precondition, so a miss means another activation won
+ // or the request changed underneath us. If the winner's lease is live, activation still succeeded from
+ // this caller's point of view.
+ var winner = await _accessLeaseRepository.GetByAccessRequestIdAsync(request.Id);
+ if (winner is { Status: AccessLeaseStatus.Active } && winner.NotAfter > now)
+ {
+ return winner;
+ }
+ throw new ConflictException("This request can no longer be activated.");
+ }
+
+ // The approver's history row just flipped approved -> activated and gained a revocable lease; tell every
+ // approver of this collection to re-fetch, mirroring decide and revoke.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(request.CollectionId);
+
+ // Tell the requester's other devices the approved request just minted a lease, so their "My requests" view
+ // and any open partial cipher pick up the live lease without a manual refresh.
+ await _requesterNotifier.NotifyRequesterAsync(request.RequesterId);
+
+ return lease;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CancelAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CancelAccessRequestCommand.cs
new file mode 100644
index 000000000000..a934caf6efb9
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CancelAccessRequestCommand.cs
@@ -0,0 +1,105 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class CancelAccessRequestCommand : ICancelAccessRequestCommand
+{
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly TimeProvider _timeProvider;
+
+ public CancelAccessRequestCommand(
+ IAccessRequestRepository accessRequestRepository,
+ IAccessLeaseRepository accessLeaseRepository,
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ TimeProvider timeProvider)
+ {
+ _accessRequestRepository = accessRequestRepository;
+ _accessLeaseRepository = accessLeaseRepository;
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task CancelAsync(Guid userId, Guid requestId)
+ {
+ var request = await _accessRequestRepository.GetByIdAsync(requestId);
+
+ // 404 when the request is missing or the caller is neither its requester nor a managing approver, so the
+ // caller can't probe for requests they have no business seeing. Mirrors the inbox/decide surfaces.
+ if (request is null)
+ {
+ throw new NotFoundException();
+ }
+
+ var isRequester = request.RequesterId == userId;
+ var isManager = !isRequester
+ && await _approverCollectionAccessQuery.CanManageCollectionAsync(userId, request.CollectionId);
+ if (!isRequester && !isManager)
+ {
+ throw new NotFoundException();
+ }
+
+ // Only a request that has not produced a lease can be cancelled: still Pending, or Approved that the requester
+ // has not yet activated. Anything else (denied/cancelled/expired) is terminal; surfaced as a conflict so the
+ // client refreshes. The stored procs additionally guard the transition to stay race-safe.
+ if (request.Status is not (AccessRequestStatus.Pending or AccessRequestStatus.Approved))
+ {
+ throw new ConflictException("This request has already been resolved.");
+ }
+
+ // An approved request that has minted a lease is governed by that lease, not the request: end it via lease
+ // revoke while active, and once the lease has ended the request is terminal history.
+ var lease = await _accessLeaseRepository.GetByAccessRequestIdAsync(requestId);
+ if (lease is not null)
+ {
+ throw lease.Status == AccessLeaseStatus.Active
+ ? new ConflictException("This request has an active lease; revoke the lease instead.")
+ : new ConflictException("This request has already been resolved.");
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+ if (isRequester)
+ {
+ // The requester withdraws their own request: Cancelled, no decision recorded. A user who is both the
+ // requester and a manager takes this branch when cancelling their own request.
+ await _accessRequestRepository.CancelAsync(request.Id, now);
+ }
+ else
+ {
+ // A managing approver retracts the request: Denied, recorded as a human Deny decision so the audit trail
+ // names the approver — mirrors RevokeAccessLeaseCommand.
+ var decision = new AccessDecision
+ {
+ AccessRequestId = request.Id,
+ DeciderKind = AccessDeciderKind.Human,
+ ApproverId = userId,
+ Verdict = AccessDecisionVerdict.Deny,
+ Comment = null,
+ CreationDate = now,
+ };
+ decision.SetNewId();
+ await _accessRequestRepository.CancelWithDecisionAsync(request, decision, now);
+ }
+
+ // The request just left the pending/approved set; tell every approver of this collection to re-fetch so it
+ // drops out of their inbox. Mirrors decide.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(request.CollectionId);
+
+ // Tell the requester their request is gone, so a manager's retraction reaches them and their other devices
+ // drop the request from "My requests" without a manual refresh.
+ await _requesterNotifier.NotifyRequesterAsync(request.RequesterId);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CreateAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CreateAccessRuleCommand.cs
new file mode 100644
index 000000000000..3ee74a581d0b
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/CreateAccessRuleCommand.cs
@@ -0,0 +1,98 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Pam.Entities;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class CreateAccessRuleCommand : ICreateAccessRuleCommand
+{
+ private readonly IAccessRuleRepository _repository;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IAccessRuleValidator _validator;
+ private readonly TimeProvider _timeProvider;
+
+ public CreateAccessRuleCommand(
+ IAccessRuleRepository repository,
+ ICollectionRepository collectionRepository,
+ IAccessRuleValidator validator,
+ TimeProvider timeProvider)
+ {
+ _repository = repository;
+ _collectionRepository = collectionRepository;
+ _validator = validator;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task CreateAsync(AccessRule rule, IEnumerable collectionIds)
+ {
+ if (string.IsNullOrWhiteSpace(rule.Name))
+ {
+ throw new BadRequestException("Name is required.");
+ }
+
+ if (rule.AllowsExtensions && rule.MaxExtensionDurationSeconds is not > 0)
+ {
+ throw new BadRequestException("A maximum extension length is required when extensions are allowed.");
+ }
+
+ var validation = _validator.Validate(rule.Conditions);
+ if (!validation.IsValid)
+ {
+ throw new BadRequestException(validation.Error!);
+ }
+
+ var existing = await _repository.GetManyByOrganizationIdAsync(rule.OrganizationId);
+ if (existing.Any(p => string.Equals(p.Name, rule.Name, StringComparison.OrdinalIgnoreCase)))
+ {
+ throw new BadRequestException("A rule with that name already exists.");
+ }
+
+ var desiredCollectionIds = await ValidateCollectionsAsync(rule.OrganizationId, collectionIds);
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ rule.CreationDate = now;
+ rule.RevisionDate = now;
+
+ var created = await _repository.CreateAsync(rule);
+
+ await _repository.SetCollectionAssociationsAsync(
+ created.OrganizationId, created.Id, desiredCollectionIds, []);
+
+ return AccessRuleDetails.From(created, desiredCollectionIds);
+ }
+
+ private async Task> ValidateCollectionsAsync(Guid organizationId, IEnumerable collectionIds)
+ {
+ var distinctIds = collectionIds.Distinct().ToList();
+ if (distinctIds.Count == 0)
+ {
+ return distinctIds;
+ }
+
+ var collections = await _collectionRepository.GetManyByManyIdsAsync(distinctIds);
+ if (collections.Count != distinctIds.Count)
+ {
+ throw new BadRequestException("One or more collections could not be found.");
+ }
+
+ if (collections.Any(c => c.OrganizationId != organizationId))
+ {
+ throw new BadRequestException("One or more collections do not belong to this organization.");
+ }
+
+ if (collections.Any(IsGovernedByAnotherRule))
+ {
+ throw new BadRequestException("One or more collections are already governed by another access rule.");
+ }
+
+ return distinctIds;
+ }
+
+ // A new rule has no Id yet, so any existing association is a conflict.
+ private static bool IsGovernedByAnotherRule(Collection collection) => collection.AccessRuleId.HasValue;
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DecideAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DecideAccessRequestCommand.cs
new file mode 100644
index 000000000000..7ff819b74189
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DecideAccessRequestCommand.cs
@@ -0,0 +1,120 @@
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class DecideAccessRequestCommand : IDecideAccessRequestCommand
+{
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly TimeProvider _timeProvider;
+
+ public DecideAccessRequestCommand(
+ IAccessRequestRepository accessRequestRepository,
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ TimeProvider timeProvider)
+ {
+ _accessRequestRepository = accessRequestRepository;
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task DecideAsync(Guid userId, Guid requestId, AccessDecisionSubmission submission)
+ {
+ var request = await _accessRequestRepository.GetByIdAsync(requestId);
+
+ // 404 for both missing and not-visible, so the caller can't probe for requests they don't manage.
+ if (request is null || !await _approverCollectionAccessQuery.CanManageCollectionAsync(userId, request.CollectionId))
+ {
+ throw new NotFoundException();
+ }
+
+ if (request.Status != AccessRequestStatus.Pending)
+ {
+ throw new ConflictException("This request has already been resolved.");
+ }
+
+ // Self-approval is blocked server-side even though the client disables the buttons. Surfaced as 400 rather
+ // than 403 because Bitwarden clients treat 403 as a forced logout.
+ if (request.RequesterId == userId)
+ {
+ throw new BadRequestException("You cannot decide your own request.");
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var approved = submission.Verdict == AccessDecisionVerdict.Approve;
+ var status = approved ? AccessRequestStatus.Approved : AccessRequestStatus.Denied;
+
+ // An approval the requester can never activate (the requested window already ended) would only mint a dead
+ // "approved" state, so reject it. Denial is still allowed so the audit trail can close the request out.
+ if (approved && request.NotAfter <= now)
+ {
+ throw new BadRequestException("The requested access window has already ended.");
+ }
+
+ var decision = new AccessDecision
+ {
+ AccessRequestId = request.Id,
+ DeciderKind = AccessDeciderKind.Human,
+ ApproverId = userId,
+ Verdict = submission.Verdict,
+ Comment = string.IsNullOrWhiteSpace(submission.Comment) ? null : submission.Comment,
+ CreationDate = now,
+ };
+ decision.SetNewId();
+
+ // Approval records the verdict only. The lease that actually authorizes access is minted when the requester
+ // activates the approved request (ActivateAccessRequestCommand) — until then they hold a startable approval,
+ // not access. The automatic path still mints instantly at submit, where the requester is present and asking.
+ await _accessRequestRepository.ResolveWithDecisionAsync(request, decision, status, now);
+
+ // The request just left the pending queue; tell every approver of this collection to re-fetch.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(request.CollectionId);
+
+ // Tell the requester their request was resolved, so their "My requests" view flips to approved/denied and
+ // an approval becomes activatable without a manual refresh.
+ await _requesterNotifier.NotifyRequesterAsync(request.RequesterId);
+
+ // The client repaints the row from Status, ResolvedAt, and the single Decisions element (verdict + comment),
+ // so those must be accurate; the approver's denormalized name/email is resolved on the next read. Project from
+ // what we just wrote rather than re-reading.
+ return new AccessRequestDetails
+ {
+ Id = request.Id,
+ ExtensionOfLeaseId = request.ExtensionOfLeaseId,
+ OrganizationId = request.OrganizationId,
+ CollectionId = request.CollectionId,
+ CipherId = request.CipherId,
+ RequesterId = request.RequesterId,
+ NotBefore = request.NotBefore,
+ NotAfter = request.NotAfter,
+ Reason = request.Reason,
+ Status = status,
+ CreationDate = request.CreationDate,
+ ResolvedDate = now,
+ Decisions =
+ [
+ new AccessRequestDecision
+ {
+ DeciderKind = AccessDeciderKind.Human,
+ Id = userId,
+ Comment = decision.Comment,
+ Verdict = decision.Verdict,
+ DecidedAt = now,
+ },
+ ],
+ };
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DeleteAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DeleteAccessRuleCommand.cs
new file mode 100644
index 000000000000..afd166ff3b9e
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/DeleteAccessRuleCommand.cs
@@ -0,0 +1,26 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Core.Exceptions;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class DeleteAccessRuleCommand : IDeleteAccessRuleCommand
+{
+ private readonly IAccessRuleRepository _repository;
+
+ public DeleteAccessRuleCommand(IAccessRuleRepository repository)
+ {
+ _repository = repository;
+ }
+
+ public async Task DeleteAsync(Guid organizationId, Guid id)
+ {
+ var existing = await _repository.GetByIdAsync(id);
+ if (existing is null || existing.OrganizationId != organizationId)
+ {
+ throw new NotFoundException();
+ }
+
+ await _repository.DeleteAsync(existing);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IActivateAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IActivateAccessRequestCommand.cs
new file mode 100644
index 000000000000..2410fc632931
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IActivateAccessRequestCommand.cs
@@ -0,0 +1,23 @@
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IActivateAccessRequestCommand
+{
+ ///
+ /// Activates the caller's approved access request: mints the active lease that authorizes access, spanning the
+ /// request's approved window. Only the requester may activate, and only while the window is open. Activation is
+ /// idempotent while the produced lease is live — a repeat call returns the existing lease.
+ ///
+ ///
+ /// The request does not exist or the caller is not its requester.
+ ///
+ ///
+ /// The request is not approved (still pending, or denied/cancelled/expired), or it already produced a lease that
+ /// has since been revoked or has lapsed — a request authorizes access at most once.
+ ///
+ ///
+ /// The approved window has not started yet or has already ended.
+ ///
+ Task ActivateAsync(Guid userId, Guid requestId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICancelAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICancelAccessRequestCommand.cs
new file mode 100644
index 000000000000..086198bd206f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICancelAccessRequestCommand.cs
@@ -0,0 +1,17 @@
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface ICancelAccessRequestCommand
+{
+ ///
+ /// Withdraws the caller's own pending access request: transitions it to
+ /// and drops it from any approver's inbox. Only the requester
+ /// may cancel, and only while the request is still pending.
+ ///
+ ///
+ /// The request does not exist or the caller is not its requester.
+ ///
+ ///
+ /// The request is no longer pending (already approved, denied, cancelled, or expired) and cannot be withdrawn.
+ ///
+ Task CancelAsync(Guid userId, Guid requestId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICreateAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICreateAccessRuleCommand.cs
new file mode 100644
index 000000000000..2ed1a09a8893
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ICreateAccessRuleCommand.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Entities;
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface ICreateAccessRuleCommand
+{
+ ///
+ /// Creates an access rule and associates exactly the given collections with it.
+ ///
+ Task CreateAsync(AccessRule rule, IEnumerable collectionIds);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDecideAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDecideAccessRequestCommand.cs
new file mode 100644
index 000000000000..476820e38c19
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDecideAccessRequestCommand.cs
@@ -0,0 +1,23 @@
+using Bit.Commercial.Pam.Models;
+using Bit.Pam.Models;
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IDecideAccessRequestCommand
+{
+ ///
+ /// Approves or denies a pending lease request on behalf of an approver. The caller must be able to Manage the
+ /// request's collection and must not be the requester. An approval does not mint the lease — the requester
+ /// activates the approved request when they access the item. Returns the updated inbox row.
+ ///
+ ///
+ /// The request does not exist or the caller cannot Manage its collection.
+ ///
+ /// The request is no longer pending.
+ ///
+ /// The caller is the requester (self-approval), or the verdict is an approval but the requested window has
+ /// already ended (the requester could never activate it). Self-approval per the spec calls for 403, but
+ /// Bitwarden clients treat 403 as a forced logout, so this is surfaced as 400 — matching the existing convention
+ /// in the Admin Console controllers.
+ ///
+ Task DecideAsync(Guid userId, Guid requestId, AccessDecisionSubmission submission);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDeleteAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDeleteAccessRuleCommand.cs
new file mode 100644
index 000000000000..f16f77cb32fd
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IDeleteAccessRuleCommand.cs
@@ -0,0 +1,6 @@
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IDeleteAccessRuleCommand
+{
+ Task DeleteAsync(Guid organizationId, Guid id);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRequestLeaseExtensionCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRequestLeaseExtensionCommand.cs
new file mode 100644
index 000000000000..2f61987bcfeb
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRequestLeaseExtensionCommand.cs
@@ -0,0 +1,24 @@
+using Bit.Commercial.Pam.Models;
+using Bit.Pam.Models;
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IRequestLeaseExtensionCommand
+{
+ ///
+ /// Extends the caller's active lease by the requested duration. Extensions are always auto-approved, subject to
+ /// the governing rule's AllowsExtensions / MaxExtensionDurationSeconds settings: the lease's end is
+ /// pushed out in place (no new lease is minted) and an auto-approved extension request is recorded. Only the
+ /// lease's requester may extend it.
+ ///
+ ///
+ /// The lease does not exist or the caller is not its requester.
+ ///
+ ///
+ /// The lease is no longer active (revoked or expired).
+ ///
+ ///
+ /// The item is not lease-gated or does not allow extensions, the lease has already been extended, the duration is
+ /// non-positive or exceeds the maximum extension length, or no justification was supplied.
+ ///
+ Task ExtendAsync(Guid userId, AccessLeaseExtensionSubmission submission);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRevokeAccessLeaseCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRevokeAccessLeaseCommand.cs
new file mode 100644
index 000000000000..232d64e7c5da
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IRevokeAccessLeaseCommand.cs
@@ -0,0 +1,15 @@
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IRevokeAccessLeaseCommand
+{
+ ///
+ /// Ends an active lease early, settling it to revoked. The caller must be either the lease's holder (ending their
+ /// own access) or able to Manage the lease's collection (a managing approver or org admin); the actor is recorded
+ /// as the revoker. The optional reason is retained for the audit trail.
+ ///
+ ///
+ /// The lease does not exist, or the caller is neither its holder nor able to Manage its collection.
+ ///
+ /// The lease is not active.
+ Task RevokeAsync(Guid userId, Guid leaseId, string? reason);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ISubmitAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ISubmitAccessRequestCommand.cs
new file mode 100644
index 000000000000..24b28f71fbb7
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/ISubmitAccessRequestCommand.cs
@@ -0,0 +1,11 @@
+using Bit.Commercial.Pam.Models;
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface ISubmitAccessRequestCommand
+{
+ ///
+ /// Submits a request to lease a cipher. On the automatic path a lease is issued immediately; on the human path a
+ /// pending request is created. The submission's shape is validated against the cipher's resolved approval outcome.
+ ///
+ Task SubmitAsync(Guid userId, Guid cipherId, AccessRequestSubmission submission);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IUpdateAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IUpdateAccessRuleCommand.cs
new file mode 100644
index 000000000000..93b563d6d3d2
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/Interfaces/IUpdateAccessRuleCommand.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Entities;
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+
+public interface IUpdateAccessRuleCommand
+{
+ ///
+ /// Updates an access rule and replaces its collection associations with exactly the given collections.
+ ///
+ Task UpdateAsync(Guid organizationId, Guid id, AccessRule update, IEnumerable collectionIds);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RequestLeaseExtensionCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RequestLeaseExtensionCommand.cs
new file mode 100644
index 000000000000..20c9c4533a10
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RequestLeaseExtensionCommand.cs
@@ -0,0 +1,158 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class RequestLeaseExtensionCommand : IRequestLeaseExtensionCommand
+{
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly ICurrentContext _currentContext;
+ private readonly TimeProvider _timeProvider;
+
+ public RequestLeaseExtensionCommand(
+ IAccessLeaseRepository accessLeaseRepository,
+ IGoverningRuleResolver resolver,
+ IAccessRequestRepository accessRequestRepository,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ ICurrentContext currentContext,
+ TimeProvider timeProvider)
+ {
+ _accessLeaseRepository = accessLeaseRepository;
+ _resolver = resolver;
+ _accessRequestRepository = accessRequestRepository;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _currentContext = currentContext;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task ExtendAsync(Guid userId, AccessLeaseExtensionSubmission submission)
+ {
+ var lease = await _accessLeaseRepository.GetByIdAsync(submission.LeaseId);
+
+ // 404 for both missing and someone else's lease, so the caller can't probe for leases they don't own.
+ if (lease is null || lease.RequesterId != userId)
+ {
+ throw new NotFoundException();
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+ if (lease.Status != AccessLeaseStatus.Active || lease.NotAfter <= now)
+ {
+ throw new ConflictException("This lease is no longer active.");
+ }
+
+ // Extensions reuse the cipher's governing rule, but never its approval gate: they are always auto-approved,
+ // gated only by the rule opting in and the per-lease maximum.
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+ var governingRule = await _resolver.ResolveAsync(userId, lease.CipherId, signals);
+ if (governingRule is null)
+ {
+ throw new BadRequestException("This item does not require a lease.");
+ }
+
+ if (!governingRule.AllowsExtensions)
+ {
+ throw new BadRequestException("This item does not allow extending a lease.");
+ }
+
+ if (submission.DurationSeconds <= 0)
+ {
+ throw new BadRequestException("A positive duration is required.");
+ }
+
+ // The rule's max extension length is the cap (the admin picks it from presets); it is always set when
+ // AllowsExtensions is true. A missing cap is treated as zero so a misconfigured rule denies.
+ if (submission.DurationSeconds > (governingRule.MaxExtensionDurationSeconds ?? 0))
+ {
+ throw new BadRequestException("The requested duration exceeds the maximum extension length for this item.");
+ }
+
+ if (string.IsNullOrWhiteSpace(submission.Reason))
+ {
+ throw new BadRequestException("A justification is required to extend a lease.");
+ }
+
+ // A lease may be extended exactly once. Friendly early check; the mint proc re-counts under a per-lease lock
+ // and is the race-safe authority.
+ if (await _accessRequestRepository.CountExtensionsByLeaseIdAsync(lease.Id) >= 1)
+ {
+ throw new BadRequestException("This lease has already been extended.");
+ }
+
+ // The extension window spans from the lease's current end to its new end; NotAfter is the lease's new end.
+ var request = new AccessRequest
+ {
+ ExtensionOfLeaseId = lease.Id,
+ OrganizationId = lease.OrganizationId,
+ CollectionId = lease.CollectionId,
+ CipherId = lease.CipherId,
+ RequesterId = userId,
+ NotBefore = lease.NotAfter,
+ NotAfter = lease.NotAfter.AddSeconds(submission.DurationSeconds),
+ Reason = submission.Reason,
+ Status = AccessRequestStatus.Approved,
+ CreationDate = now,
+ ResolvedDate = now,
+ };
+ request.SetNewId();
+
+ var decision = new AccessDecision
+ {
+ AccessRequestId = request.Id,
+ DeciderKind = AccessDeciderKind.Automatic,
+ Verdict = AccessDecisionVerdict.Approve,
+ CreationDate = now,
+ };
+ decision.SetNewId();
+
+ var outcome = await _accessRequestRepository.CreateApprovedExtensionAsync(request, decision, now);
+
+ switch (outcome)
+ {
+ case AccessLeaseExtendOutcome.LeaseNotActive:
+ throw new ConflictException("This lease is no longer active.");
+ case AccessLeaseExtendOutcome.AlreadyExtended:
+ throw new BadRequestException("This lease has already been extended.");
+ }
+
+ // The parent lease's window just grew. Tell every approver of the collection to re-fetch (their active-leases
+ // and history views show the new end), and tell the requester's other devices so the banner/badge countdown
+ // reflects the longer window without a manual refresh.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(lease.CollectionId);
+ await _requesterNotifier.NotifyRequesterAsync(lease.RequesterId);
+
+ // Project the approved-extension state the client renders (Status approved + ExtensionOfLeaseId set) from
+ // what we just wrote. The parent lease's end has already been pushed out, so the next access-state snapshot
+ // re-emits the longer countdown.
+ return new AccessRequestDetails
+ {
+ Id = request.Id,
+ ExtensionOfLeaseId = request.ExtensionOfLeaseId,
+ OrganizationId = request.OrganizationId,
+ CollectionId = request.CollectionId,
+ CipherId = request.CipherId,
+ RequesterId = request.RequesterId,
+ NotBefore = request.NotBefore,
+ NotAfter = request.NotAfter,
+ Reason = request.Reason,
+ Status = AccessRequestStatus.Approved,
+ CreationDate = request.CreationDate,
+ ResolvedDate = request.ResolvedDate,
+ };
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RevokeAccessLeaseCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RevokeAccessLeaseCommand.cs
new file mode 100644
index 000000000000..cf0a2b8aa514
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/RevokeAccessLeaseCommand.cs
@@ -0,0 +1,75 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class RevokeAccessLeaseCommand : IRevokeAccessLeaseCommand
+{
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly TimeProvider _timeProvider;
+
+ public RevokeAccessLeaseCommand(
+ IAccessLeaseRepository accessLeaseRepository,
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ TimeProvider timeProvider)
+ {
+ _accessLeaseRepository = accessLeaseRepository;
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task RevokeAsync(Guid userId, Guid leaseId, string? reason)
+ {
+ var lease = await _accessLeaseRepository.GetByIdAsync(leaseId);
+
+ // Who may end a lease early: the lease's own holder (ending their own access), or anyone who can Manage its
+ // collection (a managing approver or org admin). Either way the lease settles to revoked, recording the actor
+ // as RevokedBy — RevokedBy == RequesterId distinguishes a self-end from an operator revoke. 404 covers both
+ // missing and not-authorized, so a caller can't probe for leases they can't touch.
+ var isHolder = lease is not null && lease.RequesterId == userId;
+ if (lease is null ||
+ (!isHolder && !await _approverCollectionAccessQuery.CanManageCollectionAsync(userId, lease.CollectionId)))
+ {
+ throw new NotFoundException();
+ }
+
+ if (lease.Status != AccessLeaseStatus.Active)
+ {
+ throw new ConflictException("This lease is not active.");
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+ // The reason has no dedicated column, so it is preserved as a human decision against the originating request.
+ var auditDecision = new AccessDecision
+ {
+ AccessRequestId = lease.AccessRequestId,
+ DeciderKind = AccessDeciderKind.Human,
+ ApproverId = userId,
+ Verdict = AccessDecisionVerdict.Deny,
+ Comment = string.IsNullOrWhiteSpace(reason) ? null : reason,
+ CreationDate = now,
+ };
+ auditDecision.SetNewId();
+
+ await _accessLeaseRepository.RevokeAsync(lease, auditDecision, now);
+
+ // The active lease just drained; tell every approver of this collection to re-fetch.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(lease.CollectionId);
+
+ // Tell the lease holder their access ended, so an open cipher re-locks and the banner/badges drop the lease
+ // — whether an operator revoked it or the holder ended it from another device.
+ await _requesterNotifier.NotifyRequesterAsync(lease.RequesterId);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/SubmitAccessRequestCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/SubmitAccessRequestCommand.cs
new file mode 100644
index 000000000000..bf4a6bca63b1
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/SubmitAccessRequestCommand.cs
@@ -0,0 +1,305 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Vault.Repositories;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Repositories;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class SubmitAccessRequestCommand : ISubmitAccessRequestCommand
+{
+ ///
+ /// The maximum lease window length, applied to both the automatic duration and the human-requested window.
+ /// Global for v0; per-rule configuration is a later concern.
+ ///
+ public const int MaxDurationSeconds = 24 * 60 * 60;
+
+ private readonly ICipherRepository _cipherRepository;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessRuleEngine _ruleEngine;
+ private readonly ICurrentContext _currentContext;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly IApproverInboxNotifier _approverInboxNotifier;
+ private readonly IRequesterNotifier _requesterNotifier;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IUserRepository _userRepository;
+ private readonly IOrganizationRepository _organizationRepository;
+ private readonly IMailService _mailService;
+ private readonly ILogger _logger;
+ private readonly TimeProvider _timeProvider;
+
+ public SubmitAccessRequestCommand(
+ ICipherRepository cipherRepository,
+ IGoverningRuleResolver resolver,
+ IAccessRuleEngine ruleEngine,
+ ICurrentContext currentContext,
+ IAccessLeaseRepository accessLeaseRepository,
+ IAccessRequestRepository accessRequestRepository,
+ IApproverInboxNotifier approverInboxNotifier,
+ IRequesterNotifier requesterNotifier,
+ ICollectionRepository collectionRepository,
+ IUserRepository userRepository,
+ IOrganizationRepository organizationRepository,
+ IMailService mailService,
+ ILogger logger,
+ TimeProvider timeProvider)
+ {
+ _cipherRepository = cipherRepository;
+ _resolver = resolver;
+ _ruleEngine = ruleEngine;
+ _currentContext = currentContext;
+ _accessLeaseRepository = accessLeaseRepository;
+ _accessRequestRepository = accessRequestRepository;
+ _approverInboxNotifier = approverInboxNotifier;
+ _requesterNotifier = requesterNotifier;
+ _collectionRepository = collectionRepository;
+ _userRepository = userRepository;
+ _organizationRepository = organizationRepository;
+ _mailService = mailService;
+ _logger = logger;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task SubmitAsync(Guid userId, Guid cipherId, AccessRequestSubmission submission)
+ {
+ var cipher = await _cipherRepository.GetByIdAsync(cipherId, userId);
+ if (cipher is null)
+ {
+ throw new NotFoundException();
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+
+ var governingRule = await _resolver.ResolveAsync(userId, cipherId, signals);
+ if (governingRule is null)
+ {
+ throw new BadRequestException("This item does not require a lease.");
+ }
+
+ if (await _accessLeaseRepository.GetActiveByRequesterIdCipherIdAsync(userId, cipherId, now) is not null)
+ {
+ throw new BadRequestException("You already have active access to this item.");
+ }
+
+ if (await _accessRequestRepository.GetActivePendingByRequesterIdCipherIdAsync(userId, cipherId) is not null)
+ {
+ throw new BadRequestException("You already have a pending request for this item.");
+ }
+
+ // An approved-but-not-yet-activated request already grants startable access; a second request would let the
+ // caller stack grants. Lapsed approvals don't match here, so they correctly don't block a fresh request.
+ if (await _accessRequestRepository.GetActiveApprovedByRequesterIdCipherIdAsync(userId, cipherId, now) is not null)
+ {
+ throw new BadRequestException("You already have an approved request for this item.");
+ }
+
+ return governingRule.RequiresHumanApproval
+ ? await RequestHumanApprovalAsync(userId, cipherId, governingRule, submission)
+ : await ApproveAutomaticallyAsync(userId, cipherId, governingRule, submission, now, signals);
+ }
+
+ private async Task ApproveAutomaticallyAsync(
+ Guid userId, Guid cipherId, GoverningRule governingRule, AccessRequestSubmission submission, DateTime now,
+ AccessSignals signals)
+ {
+ if (submission.Start.HasValue || submission.End.HasValue)
+ {
+ throw new BadRequestException("This item is approved automatically; provide a duration, not a window.");
+ }
+
+ if (submission.DurationSeconds is not { } durationSeconds || durationSeconds <= 0)
+ {
+ throw new BadRequestException("A positive duration is required.");
+ }
+
+ if (durationSeconds > MaxDurationSeconds)
+ {
+ throw new BadRequestException($"The requested duration exceeds the maximum of {MaxDurationSeconds} seconds.");
+ }
+
+ // The cipher must satisfy its access rule's conditions (source IP, time of day, ...) before the request is
+ // auto-approved. The resolver only routes a rule here when it carries no human-approval gate, so the engine
+ // never asks for approval on this path; any non-allow outcome is a denial we surface to the caller.
+ var evaluation = _ruleEngine.Evaluate(governingRule.Conditions, signals);
+ if (evaluation.Outcome != AccessEvaluationOutcome.Allow)
+ {
+ throw new BadRequestException(DenyMessage(evaluation));
+ }
+
+ var notAfter = now.AddSeconds(durationSeconds);
+
+ var request = new AccessRequest
+ {
+ OrganizationId = governingRule.OrganizationId,
+ CollectionId = governingRule.CollectionId,
+ CipherId = cipherId,
+ RequesterId = userId,
+ NotBefore = now,
+ NotAfter = notAfter,
+ Reason = string.IsNullOrWhiteSpace(submission.Reason) ? null : submission.Reason,
+ Status = AccessRequestStatus.Approved,
+ CreationDate = now,
+ ResolvedDate = now,
+ };
+ request.SetNewId();
+
+ var decision = new AccessDecision
+ {
+ AccessRequestId = request.Id,
+ DeciderKind = AccessDeciderKind.Automatic,
+ Verdict = AccessDecisionVerdict.Approve,
+ CreationDate = now,
+ };
+ decision.SetNewId();
+
+ // Auto-approval records only the request and its automatic verdict — no lease. The requester explicitly
+ // activates the approved request (ActivateAccessRequestCommand) to start the lease, exactly like the human
+ // path after approval. Deferring the mint means the per-cipher single-active-lease guard runs at activation,
+ // the one place a lease is now minted, rather than here.
+ await _accessRequestRepository.CreateAutoApprovedAsync(request, decision);
+
+ // Tell the requester's other devices a new approved request exists, so "My requests" can offer to activate it
+ // without a manual refresh.
+ await _requesterNotifier.NotifyRequesterAsync(userId);
+
+ return AccessRequestResult.Automatic(request);
+ }
+
+ private async Task RequestHumanApprovalAsync(
+ Guid userId, Guid cipherId, GoverningRule governingRule, AccessRequestSubmission submission)
+ {
+ if (submission.DurationSeconds.HasValue)
+ {
+ throw new BadRequestException("This item requires human approval; provide a start and end date, not a duration.");
+ }
+
+ if (string.IsNullOrWhiteSpace(submission.Reason))
+ {
+ throw new BadRequestException("A reason is required for items that need human approval.");
+ }
+
+ if (submission.Start is not { } start || submission.End is not { } end)
+ {
+ throw new BadRequestException("A start and end date are required.");
+ }
+
+ if (start >= end)
+ {
+ throw new BadRequestException("The start date must be before the end date.");
+ }
+
+ if ((end - start).TotalSeconds > MaxDurationSeconds)
+ {
+ throw new BadRequestException($"The requested window exceeds the maximum of {MaxDurationSeconds} seconds.");
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var request = new AccessRequest
+ {
+ OrganizationId = governingRule.OrganizationId,
+ CollectionId = governingRule.CollectionId,
+ CipherId = cipherId,
+ RequesterId = userId,
+ NotBefore = start,
+ NotAfter = end,
+ Reason = submission.Reason,
+ Status = AccessRequestStatus.Pending,
+ CreationDate = now,
+ };
+
+ var created = await _accessRequestRepository.CreateAsync(request);
+
+ // A new request just entered the pending queue; tell every approver of this collection to re-fetch.
+ await _approverInboxNotifier.NotifyCollectionApproversAsync(created.CollectionId);
+
+ // Tell the requester's other devices a new pending request exists, so "My requests" reflects it without a
+ // manual refresh.
+ await _requesterNotifier.NotifyRequesterAsync(userId);
+
+ // Also email the collection's approvers so they learn about the request outside of an open session.
+ await NotifyApproversByEmailAsync(created);
+
+ return AccessRequestResult.Human(created);
+ }
+
+ ///
+ /// Emails the managers (approvers) of the request's collection that a new request is pending their review.
+ /// Best-effort: failures are logged and swallowed so they never fail the request submission.
+ ///
+ private async Task NotifyApproversByEmailAsync(AccessRequest request)
+ {
+ try
+ {
+ var managerIds = await _collectionRepository.GetManagingUserIdsAsync(request.CollectionId);
+
+ // The requester may manage the collection themselves; never notify them of their own request.
+ var recipientIds = managerIds.Where(id => id != request.RequesterId).ToList();
+ if (recipientIds.Count == 0)
+ {
+ return;
+ }
+
+ var managers = await _userRepository.GetManyAsync(recipientIds);
+ var managerEmails = managers
+ .Select(u => u.Email)
+ .Where(email => !string.IsNullOrWhiteSpace(email))
+ .Distinct(StringComparer.OrdinalIgnoreCase)
+ .ToList();
+ if (managerEmails.Count == 0)
+ {
+ return;
+ }
+
+ var requester = await _userRepository.GetByIdAsync(request.RequesterId);
+ if (requester is null || string.IsNullOrWhiteSpace(requester.Email))
+ {
+ _logger.LogWarning(
+ "Skipping PAM approver email for access request {AccessRequestId}; requester not found or has no email.",
+ request.Id);
+ return;
+ }
+
+ var organization = await _organizationRepository.GetByIdAsync(request.OrganizationId);
+ if (organization is null)
+ {
+ _logger.LogWarning(
+ "Skipping PAM approver email for access request {AccessRequestId}; organization not found.",
+ request.Id);
+ return;
+ }
+
+ await _mailService.SendPamPendingAccessRequestEmailsAsync(
+ managerEmails,
+ organization.Name,
+ requester.Name,
+ requester.Email,
+ request.NotBefore,
+ request.NotAfter,
+ request.Reason);
+ }
+ catch (Exception ex)
+ {
+ // Best effort: the request is already persisted and the inbox push already fired. An email failure
+ // must never fail the submission, so log and move on.
+ _logger.LogError(ex,
+ "Failed to send PAM approver emails for access request {AccessRequestId}.", request.Id);
+ }
+ }
+
+ private static string DenyMessage(AccessEvaluation evaluation) => evaluation.Reason switch
+ {
+ DenyReason.NotWithinIpRange => "Access to this item is not permitted from your current network.",
+ DenyReason.NotWithinTimeWindow => "Access to this item is not permitted at this time.",
+ _ => "Access to this item is not permitted right now.",
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/UpdateAccessRuleCommand.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/UpdateAccessRuleCommand.cs
new file mode 100644
index 000000000000..ecc32e72430f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Commands/UpdateAccessRuleCommand.cs
@@ -0,0 +1,116 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Pam.Entities;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Commands;
+
+public class UpdateAccessRuleCommand : IUpdateAccessRuleCommand
+{
+ private readonly IAccessRuleRepository _repository;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IAccessRuleValidator _validator;
+ private readonly TimeProvider _timeProvider;
+
+ public UpdateAccessRuleCommand(
+ IAccessRuleRepository repository,
+ ICollectionRepository collectionRepository,
+ IAccessRuleValidator validator,
+ TimeProvider timeProvider)
+ {
+ _repository = repository;
+ _collectionRepository = collectionRepository;
+ _validator = validator;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task UpdateAsync(Guid organizationId, Guid id, AccessRule update,
+ IEnumerable collectionIds)
+ {
+ if (string.IsNullOrWhiteSpace(update.Name))
+ {
+ throw new BadRequestException("Name is required.");
+ }
+
+ if (update.AllowsExtensions && update.MaxExtensionDurationSeconds is not > 0)
+ {
+ throw new BadRequestException("A maximum extension length is required when extensions are allowed.");
+ }
+
+ var existing = await _repository.GetDetailsByIdAsync(id);
+ if (existing is null || existing.OrganizationId != organizationId)
+ {
+ throw new NotFoundException();
+ }
+
+ var validation = _validator.Validate(update.Conditions);
+ if (!validation.IsValid)
+ {
+ throw new BadRequestException(validation.Error!);
+ }
+
+ var siblings = await _repository.GetManyByOrganizationIdAsync(organizationId);
+ if (siblings.Any(p => p.Id != id && string.Equals(p.Name, update.Name, StringComparison.OrdinalIgnoreCase)))
+ {
+ throw new BadRequestException("A rule with that name already exists.");
+ }
+
+ var desiredCollectionIds = await ValidateCollectionsAsync(organizationId, id, collectionIds);
+
+ // Persist a plain AccessRule: the AccessRuleDetails returned by GetDetailsByIdAsync carries an extra
+ // CollectionIds property that the base ReplaceAsync would otherwise forward to AccessRule_Update.
+ var toPersist = new AccessRule
+ {
+ Id = existing.Id,
+ OrganizationId = existing.OrganizationId,
+ Name = update.Name,
+ Description = update.Description,
+ Conditions = update.Conditions,
+ SingleActiveLease = update.SingleActiveLease,
+ DefaultLeaseDurationSeconds = update.DefaultLeaseDurationSeconds,
+ MaxLeaseDurationSeconds = update.MaxLeaseDurationSeconds,
+ Enabled = update.Enabled,
+ AllowsExtensions = update.AllowsExtensions,
+ MaxExtensionDurationSeconds = update.MaxExtensionDurationSeconds,
+ CreationDate = existing.CreationDate,
+ RevisionDate = _timeProvider.GetUtcNow().UtcDateTime,
+ };
+ await _repository.ReplaceAsync(toPersist);
+
+ var toClear = existing.CollectionIds.Except(desiredCollectionIds).ToList();
+ await _repository.SetCollectionAssociationsAsync(organizationId, id, desiredCollectionIds, toClear);
+
+ return AccessRuleDetails.From(toPersist, desiredCollectionIds);
+ }
+
+ private async Task> ValidateCollectionsAsync(Guid organizationId, Guid accessRuleId,
+ IEnumerable collectionIds)
+ {
+ var distinctIds = collectionIds.Distinct().ToList();
+ if (distinctIds.Count == 0)
+ {
+ return distinctIds;
+ }
+
+ var collections = await _collectionRepository.GetManyByManyIdsAsync(distinctIds);
+ if (collections.Count != distinctIds.Count)
+ {
+ throw new BadRequestException("One or more collections could not be found.");
+ }
+
+ if (collections.Any(c => c.OrganizationId != organizationId))
+ {
+ throw new BadRequestException("One or more collections do not belong to this organization.");
+ }
+
+ if (collections.Any(c => c.AccessRuleId.HasValue && c.AccessRuleId != accessRuleId))
+ {
+ throw new BadRequestException("One or more collections are already governed by another access rule.");
+ }
+
+ return distinctIds;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/AccessPreCheckQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/AccessPreCheckQuery.cs
new file mode 100644
index 000000000000..2f6acd757b5f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/AccessPreCheckQuery.cs
@@ -0,0 +1,61 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Enums;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Repositories;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class AccessPreCheckQuery : IAccessPreCheckQuery
+{
+ private readonly ICipherRepository _cipherRepository;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly ICurrentContext _currentContext;
+ private readonly TimeProvider _timeProvider;
+
+ public AccessPreCheckQuery(
+ ICipherRepository cipherRepository,
+ IGoverningRuleResolver resolver,
+ IAccessLeaseRepository accessLeaseRepository,
+ ICurrentContext currentContext,
+ TimeProvider timeProvider)
+ {
+ _cipherRepository = cipherRepository;
+ _resolver = resolver;
+ _accessLeaseRepository = accessLeaseRepository;
+ _currentContext = currentContext;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task PreCheckAsync(Guid userId, Guid cipherId)
+ {
+ // GetByIdAsync filters by access, so a null result means the caller cannot see the cipher.
+ var cipher = await _cipherRepository.GetByIdAsync(cipherId, userId);
+ if (cipher is null)
+ {
+ throw new NotFoundException();
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+ // A caller who already holds an active lease should be sent straight to the credential, not prompted to make
+ // a request that SubmitAccessRequestCommand would reject. This mirrors the active-lease guard there.
+ if (await _accessLeaseRepository.GetActiveByRequesterIdCipherIdAsync(userId, cipherId, now) is not null)
+ {
+ return new AccessPreCheckResult(AccessApprovalMode.Automatic, HasActiveLease: true);
+ }
+
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+ var governingRule = await _resolver.ResolveAsync(userId, cipherId, signals);
+ var approvalMode = governingRule?.RequiresHumanApproval == true
+ ? AccessApprovalMode.Human
+ : AccessApprovalMode.Automatic;
+
+ return new AccessPreCheckResult(approvalMode);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetCipherAccessStateQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetCipherAccessStateQuery.cs
new file mode 100644
index 000000000000..afaf6d4e48c7
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetCipherAccessStateQuery.cs
@@ -0,0 +1,103 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Repositories;
+using Bit.Pam.Entities;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class GetCipherAccessStateQuery : IGetCipherAccessStateQuery
+{
+ private readonly ICipherRepository _cipherRepository;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly ICurrentContext _currentContext;
+ private readonly TimeProvider _timeProvider;
+
+ public GetCipherAccessStateQuery(
+ ICipherRepository cipherRepository,
+ IGoverningRuleResolver resolver,
+ IAccessLeaseRepository accessLeaseRepository,
+ IAccessRequestRepository accessRequestRepository,
+ ICurrentContext currentContext,
+ TimeProvider timeProvider)
+ {
+ _cipherRepository = cipherRepository;
+ _resolver = resolver;
+ _accessLeaseRepository = accessLeaseRepository;
+ _accessRequestRepository = accessRequestRepository;
+ _currentContext = currentContext;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task GetStateAsync(Guid userId, Guid cipherId)
+ {
+ // GetByIdAsync filters by access, so a null result means the caller cannot see the cipher.
+ var cipher = await _cipherRepository.GetByIdAsync(cipherId, userId);
+ if (cipher is null)
+ {
+ throw new NotFoundException();
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+ var activeLease = await _accessLeaseRepository.GetActiveByRequesterIdCipherIdAsync(userId, cipherId, now);
+ var pending = await _accessRequestRepository.GetActivePendingByRequesterIdCipherIdAsync(userId, cipherId);
+ var approved = await _accessRequestRepository.GetActiveApprovedByRequesterIdCipherIdAsync(userId, cipherId, now);
+
+ var extensionsAllowed = false;
+ int? maxExtensionDurationSeconds = null;
+ if (activeLease is not null)
+ {
+ // Extension eligibility drives the banner's "Extend" control. A lease may be extended once, so it is
+ // extendable only while the rule opts in and no extension has been recorded yet; surface the rule's max
+ // length so the client can cap its duration picker.
+ var rule = await _resolver.ResolveAsync(userId, cipherId, signals);
+ if (rule?.AllowsExtensions == true)
+ {
+ var used = await _accessRequestRepository.CountExtensionsByLeaseIdAsync(activeLease.Id);
+ extensionsAllowed = used == 0;
+ maxExtensionDurationSeconds = rule.MaxExtensionDurationSeconds;
+ }
+ }
+ else if (pending is null && approved is null && await _resolver.ResolveAsync(userId, cipherId, signals) is null)
+ {
+ // Nothing to report and the cipher isn't leasing-gated. (When a lease or request exists we still return a
+ // snapshot even if the rule was since removed, so the caller's state isn't hidden.)
+ throw new NotFoundException();
+ }
+
+ return new CipherAccessState(
+ cipherId,
+ activeLease,
+ pending is null ? null : ToDetails(pending),
+ approved is null ? null : ToDetails(approved),
+ extensionsAllowed,
+ maxExtensionDurationSeconds);
+ }
+
+ // Neither a pending nor an approved-unactivated request has produced a lease (the approved read excludes
+ // activated rows), and the approver identity/comment and inbox display-name fields aren't needed for this
+ // caller-scoped snapshot, so they stay null.
+ private static AccessRequestDetails ToDetails(AccessRequest request) => new()
+ {
+ Id = request.Id,
+ ExtensionOfLeaseId = request.ExtensionOfLeaseId,
+ OrganizationId = request.OrganizationId,
+ CollectionId = request.CollectionId,
+ CipherId = request.CipherId,
+ RequesterId = request.RequesterId,
+ NotBefore = request.NotBefore,
+ NotAfter = request.NotAfter,
+ Reason = request.Reason,
+ Status = request.Status,
+ CreationDate = request.CreationDate,
+ ResolvedDate = request.ResolvedDate,
+ };
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetLeasedCipherQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetLeasedCipherQuery.cs
new file mode 100644
index 000000000000..16110361f770
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/GetLeasedCipherQuery.cs
@@ -0,0 +1,62 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Context;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class GetLeasedCipherQuery : IGetLeasedCipherQuery
+{
+ private readonly ICipherRepository _cipherRepository;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessRuleEngine _ruleEngine;
+ private readonly ICurrentContext _currentContext;
+ private readonly TimeProvider _timeProvider;
+
+ public GetLeasedCipherQuery(
+ ICipherRepository cipherRepository,
+ IAccessLeaseRepository accessLeaseRepository,
+ IGoverningRuleResolver resolver,
+ IAccessRuleEngine ruleEngine,
+ ICurrentContext currentContext,
+ TimeProvider timeProvider)
+ {
+ _cipherRepository = cipherRepository;
+ _accessLeaseRepository = accessLeaseRepository;
+ _resolver = resolver;
+ _ruleEngine = ruleEngine;
+ _currentContext = currentContext;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task GetLeasedCipherAsync(Guid userId, Guid cipherId)
+ {
+ var now = _timeProvider.GetUtcNow();
+
+ // Without an active lease whose window contains now, the caller is not entitled to the full data right now.
+ var lease = await _accessLeaseRepository.GetActiveByRequesterIdCipherIdAsync(userId, cipherId, now.UtcDateTime);
+ if (lease is null)
+ {
+ return null;
+ }
+
+ var signals = AccessSignals.From(_currentContext.IpAddress, now);
+
+ // A lease grants a window, but the access rule's environmental conditions (source IP, time of day) must
+ // still hold at the moment the data is handed over. Approval is not re-checked here: holding the lease is
+ // proof it was already granted, so only an outright denial withholds the data.
+ var governingRule = await _resolver.ResolveAsync(userId, cipherId, signals);
+ if (governingRule is not null
+ && _ruleEngine.Evaluate(governingRule.Conditions, signals).Outcome == AccessEvaluationOutcome.Deny)
+ {
+ return null;
+ }
+
+ // GetByIdAsync filters by access, so a null result means the caller cannot see the cipher.
+ return await _cipherRepository.GetByIdAsync(cipherId, userId);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IAccessPreCheckQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IAccessPreCheckQuery.cs
new file mode 100644
index 000000000000..b4fb773493ec
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IAccessPreCheckQuery.cs
@@ -0,0 +1,11 @@
+using Bit.Commercial.Pam.Models;
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IAccessPreCheckQuery
+{
+ ///
+ /// Determines, without any side effects, whether the caller requesting access to the cipher would be approved
+ /// automatically or would require human approval.
+ ///
+ Task PreCheckAsync(Guid userId, Guid cipherId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetCipherAccessStateQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetCipherAccessStateQuery.cs
new file mode 100644
index 000000000000..566d23aa6763
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetCipherAccessStateQuery.cs
@@ -0,0 +1,12 @@
+using Bit.Commercial.Pam.Models;
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IGetCipherAccessStateQuery
+{
+ ///
+ /// Returns the caller's lease state for a single leasing-gated cipher — their active lease and pending request, if
+ /// any. Throws when the caller cannot see the cipher, or when
+ /// the cipher is not leasing-gated and the caller holds nothing to report.
+ ///
+ Task GetStateAsync(Guid userId, Guid cipherId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetLeasedCipherQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetLeasedCipherQuery.cs
new file mode 100644
index 000000000000..882c4b194893
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IGetLeasedCipherQuery.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IGetLeasedCipherQuery
+{
+ ///
+ /// Returns the cipher with its complete data, but only if the caller currently holds an active lease for it and
+ /// can otherwise access it. Returns null when there is no active lease or the caller cannot access the cipher, so
+ /// callers cannot distinguish "no lease" from "no such cipher".
+ ///
+ Task GetLeasedCipherAsync(Guid userId, Guid cipherId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListActiveLeasesQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListActiveLeasesQuery.cs
new file mode 100644
index 000000000000..8ff16ec418d6
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListActiveLeasesQuery.cs
@@ -0,0 +1,14 @@
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListActiveLeasesQuery
+{
+ ///
+ /// Returns every currently-active lease on the collections the caller can Manage — the governance view of all
+ /// active access in the caller's scope, not just their own leases. Scope is resolved the same way as the approver
+ /// inbox (): the caller's manageable collections across every organization.
+ /// Returns an empty collection when the caller manages none.
+ ///
+ Task> GetActiveAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxHistoryQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxHistoryQuery.cs
new file mode 100644
index 000000000000..6e1664767a7c
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxHistoryQuery.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListInboxHistoryQuery
+{
+ ///
+ /// Returns the resolved lease requests (no longer pending) the user can approve, within the history retention
+ /// window, for collections the user can Manage. Returns an empty collection when the user manages none.
+ ///
+ Task> GetHistoryAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxRequestsQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxRequestsQuery.cs
new file mode 100644
index 000000000000..01221b30c72c
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListInboxRequestsQuery.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListInboxRequestsQuery
+{
+ ///
+ /// Returns the pending lease requests the user can approve — those on collections the user can Manage. Returns an
+ /// empty collection when the user manages none.
+ ///
+ Task> GetPendingAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListLeaseHistoryQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListLeaseHistoryQuery.cs
new file mode 100644
index 000000000000..e6af8614d296
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListLeaseHistoryQuery.cs
@@ -0,0 +1,14 @@
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListLeaseHistoryQuery
+{
+ ///
+ /// Returns the ended leases (expired or revoked) on the collections the caller can Manage, within the shared
+ /// history window — the governance history view of recently-ended access in the caller's scope. Scope is resolved
+ /// the same way as the approver inbox (): the caller's manageable collections
+ /// across every organization. Returns an empty collection when the caller manages none.
+ ///
+ Task> GetHistoryAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyAccessRequestsQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyAccessRequestsQuery.cs
new file mode 100644
index 000000000000..7c45c55c6cdb
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyAccessRequestsQuery.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Models;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListMyAccessRequestsQuery
+{
+ ///
+ /// Returns the caller's own lease requests across every organization they belong to, regardless of status. Returns
+ /// an empty collection when they have none.
+ ///
+ Task> GetMineAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyActiveAccessLeasesQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyActiveAccessLeasesQuery.cs
new file mode 100644
index 000000000000..2fe1fcc95a7f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/Interfaces/IListMyActiveAccessLeasesQuery.cs
@@ -0,0 +1,12 @@
+using Bit.Pam.Entities;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+
+public interface IListMyActiveAccessLeasesQuery
+{
+ ///
+ /// Returns the caller's currently-active leases across every organization they belong to. Returns an empty
+ /// collection when none are active.
+ ///
+ Task> GetMineActiveAsync(Guid userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListActiveLeasesQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListActiveLeasesQuery.cs
new file mode 100644
index 000000000000..093fa2d6842d
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListActiveLeasesQuery.cs
@@ -0,0 +1,35 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Pam.Entities;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListActiveLeasesQuery : IListActiveLeasesQuery
+{
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly TimeProvider _timeProvider;
+
+ public ListActiveLeasesQuery(
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IAccessLeaseRepository accessLeaseRepository,
+ TimeProvider timeProvider)
+ {
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _accessLeaseRepository = accessLeaseRepository;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task> GetActiveAsync(Guid userId)
+ {
+ var manageableCollectionIds = await _approverCollectionAccessQuery.GetManageableCollectionIdsAsync(userId);
+ if (manageableCollectionIds.Count == 0)
+ {
+ return new List();
+ }
+
+ return await _accessLeaseRepository.GetManyActiveByCollectionIdsAsync(
+ manageableCollectionIds, _timeProvider.GetUtcNow().UtcDateTime);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxHistoryQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxHistoryQuery.cs
new file mode 100644
index 000000000000..ffcd904606ad
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxHistoryQuery.cs
@@ -0,0 +1,40 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListInboxHistoryQuery : IListInboxHistoryQuery
+{
+ ///
+ /// How far back the resolved history reaches. Older activity may be omitted. v1 has no pagination.
+ ///
+ public const int HistoryRetentionDays = 90;
+
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IAccessRequestRepository _accessRequestRepository;
+ private readonly TimeProvider _timeProvider;
+
+ public ListInboxHistoryQuery(
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IAccessRequestRepository accessRequestRepository,
+ TimeProvider timeProvider)
+ {
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _accessRequestRepository = accessRequestRepository;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task> GetHistoryAsync(Guid userId)
+ {
+ var manageableCollectionIds = await _approverCollectionAccessQuery.GetManageableCollectionIdsAsync(userId);
+ if (manageableCollectionIds.Count == 0)
+ {
+ return new List();
+ }
+
+ var since = _timeProvider.GetUtcNow().UtcDateTime.AddDays(-HistoryRetentionDays);
+ return await _accessRequestRepository.GetManyInboxHistoryByCollectionIdsAsync(manageableCollectionIds, since);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxRequestsQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxRequestsQuery.cs
new file mode 100644
index 000000000000..b5a6ecb69769
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListInboxRequestsQuery.cs
@@ -0,0 +1,31 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListInboxRequestsQuery : IListInboxRequestsQuery
+{
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IAccessRequestRepository _accessRequestRepository;
+
+ public ListInboxRequestsQuery(
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IAccessRequestRepository accessRequestRepository)
+ {
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _accessRequestRepository = accessRequestRepository;
+ }
+
+ public async Task> GetPendingAsync(Guid userId)
+ {
+ var manageableCollectionIds = await _approverCollectionAccessQuery.GetManageableCollectionIdsAsync(userId);
+ if (manageableCollectionIds.Count == 0)
+ {
+ return new List();
+ }
+
+ return await _accessRequestRepository.GetManyInboxPendingByCollectionIdsAsync(manageableCollectionIds);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListLeaseHistoryQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListLeaseHistoryQuery.cs
new file mode 100644
index 000000000000..2244c697aef6
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListLeaseHistoryQuery.cs
@@ -0,0 +1,36 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Pam.Entities;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListLeaseHistoryQuery : IListLeaseHistoryQuery
+{
+ private readonly IApproverCollectionAccessQuery _approverCollectionAccessQuery;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly TimeProvider _timeProvider;
+
+ public ListLeaseHistoryQuery(
+ IApproverCollectionAccessQuery approverCollectionAccessQuery,
+ IAccessLeaseRepository accessLeaseRepository,
+ TimeProvider timeProvider)
+ {
+ _approverCollectionAccessQuery = approverCollectionAccessQuery;
+ _accessLeaseRepository = accessLeaseRepository;
+ _timeProvider = timeProvider;
+ }
+
+ public async Task> GetHistoryAsync(Guid userId)
+ {
+ var manageableCollectionIds = await _approverCollectionAccessQuery.GetManageableCollectionIdsAsync(userId);
+ if (manageableCollectionIds.Count == 0)
+ {
+ return new List();
+ }
+
+ // Shares the approver inbox's history window so request history and lease history reach equally far back.
+ var since = _timeProvider.GetUtcNow().UtcDateTime.AddDays(-ListInboxHistoryQuery.HistoryRetentionDays);
+ return await _accessLeaseRepository.GetManyEndedByCollectionIdsAsync(manageableCollectionIds, since);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyAccessRequestsQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyAccessRequestsQuery.cs
new file mode 100644
index 000000000000..dcb0ace0bbe1
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyAccessRequestsQuery.cs
@@ -0,0 +1,18 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Pam.Models;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListMyAccessRequestsQuery : IListMyAccessRequestsQuery
+{
+ private readonly IAccessRequestRepository _accessRequestRepository;
+
+ public ListMyAccessRequestsQuery(IAccessRequestRepository accessRequestRepository)
+ {
+ _accessRequestRepository = accessRequestRepository;
+ }
+
+ public Task> GetMineAsync(Guid userId) =>
+ _accessRequestRepository.GetManyByRequesterIdAsync(userId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyActiveAccessLeasesQuery.cs b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyActiveAccessLeasesQuery.cs
new file mode 100644
index 000000000000..6a7bca15fcbb
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/OrganizationFeatures/Queries/ListMyActiveAccessLeasesQuery.cs
@@ -0,0 +1,20 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Pam.Entities;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.OrganizationFeatures.Queries;
+
+public class ListMyActiveAccessLeasesQuery : IListMyActiveAccessLeasesQuery
+{
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly TimeProvider _timeProvider;
+
+ public ListMyActiveAccessLeasesQuery(IAccessLeaseRepository accessLeaseRepository, TimeProvider timeProvider)
+ {
+ _accessLeaseRepository = accessLeaseRepository;
+ _timeProvider = timeProvider;
+ }
+
+ public Task> GetMineActiveAsync(Guid userId) =>
+ _accessLeaseRepository.GetManyActiveByRequesterIdAsync(userId, _timeProvider.GetUtcNow().UtcDateTime);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/AccessRuleValidator.cs b/bitwarden_license/src/Commercial.Pam/Services/AccessRuleValidator.cs
new file mode 100644
index 000000000000..9ebc5c33b2aa
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/AccessRuleValidator.cs
@@ -0,0 +1,145 @@
+using System.Net;
+using System.Text.Json;
+using System.Text.RegularExpressions;
+using Bit.Commercial.Pam.Models.Conditions;
+
+namespace Bit.Commercial.Pam.Services;
+
+public sealed partial class AccessRuleValidator : IAccessRuleValidator
+{
+ private const int MaxConditions = 10;
+
+ private static readonly JsonSerializerOptions JsonOptions = new()
+ {
+ PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+ PropertyNameCaseInsensitive = true,
+ };
+
+ [GeneratedRegex(@"^([01][0-9]|2[0-3]):[0-5][0-9]$")]
+ private static partial Regex TimeOfDayRegex();
+
+ public AccessRuleValidationResult Validate(string? conditionsJson)
+ {
+ if (conditionsJson is null)
+ {
+ return AccessRuleValidationResult.Valid;
+ }
+
+ if (string.IsNullOrWhiteSpace(conditionsJson))
+ {
+ return AccessRuleValidationResult.Invalid("Conditions JSON cannot be empty.");
+ }
+
+ List? conditions;
+ try
+ {
+ conditions = JsonSerializer.Deserialize>(conditionsJson, JsonOptions);
+ }
+ catch (JsonException ex)
+ {
+ return AccessRuleValidationResult.Invalid($"Conditions JSON is malformed: {ex.Message}");
+ }
+
+ if (conditions is null)
+ {
+ return AccessRuleValidationResult.Invalid("Conditions must be an array.");
+ }
+
+ // An empty list is allowed: it is vacuously satisfied, so the rule governs its collections — routing access
+ // through the PAM flow for audit logging — without imposing any gating condition. The engine evaluates it
+ // to Allow.
+ if (conditions.Count > MaxConditions)
+ {
+ return AccessRuleValidationResult.Invalid($"Conditions cannot contain more than {MaxConditions} conditions.");
+ }
+
+ foreach (var condition in conditions)
+ {
+ var result = ValidateCondition(condition);
+ if (!result.IsValid)
+ {
+ return result;
+ }
+ }
+
+ return AccessRuleValidationResult.Valid;
+ }
+
+ private static AccessRuleValidationResult ValidateCondition(AccessCondition? condition)
+ {
+ return condition switch
+ {
+ HumanApprovalCondition => AccessRuleValidationResult.Valid,
+ IpAllowlistCondition ip => ValidateIpAllowlist(ip),
+ TimeOfDayCondition tod => ValidateTimeOfDay(tod),
+ null => AccessRuleValidationResult.Invalid("Conditions cannot contain a null entry."),
+ _ => AccessRuleValidationResult.Invalid($"Unsupported condition kind: {condition.GetType().Name}."),
+ };
+ }
+
+ private static AccessRuleValidationResult ValidateIpAllowlist(IpAllowlistCondition condition)
+ {
+ if (condition.Cidrs.Count == 0)
+ {
+ return AccessRuleValidationResult.Invalid("ip_allowlist requires at least one CIDR.");
+ }
+
+ foreach (var cidr in condition.Cidrs)
+ {
+ if (string.IsNullOrWhiteSpace(cidr) || !IPNetwork.TryParse(cidr, out _))
+ {
+ return AccessRuleValidationResult.Invalid($"Invalid CIDR: '{cidr}'.");
+ }
+ }
+
+ return AccessRuleValidationResult.Valid;
+ }
+
+ private static AccessRuleValidationResult ValidateTimeOfDay(TimeOfDayCondition condition)
+ {
+ if (string.IsNullOrWhiteSpace(condition.Tz))
+ {
+ return AccessRuleValidationResult.Invalid("time_of_day requires a tz.");
+ }
+
+ try
+ {
+ TimeZoneInfo.FindSystemTimeZoneById(condition.Tz);
+ }
+ catch (TimeZoneNotFoundException)
+ {
+ return AccessRuleValidationResult.Invalid($"Unknown timezone: '{condition.Tz}'.");
+ }
+ catch (InvalidTimeZoneException)
+ {
+ return AccessRuleValidationResult.Invalid($"Invalid timezone: '{condition.Tz}'.");
+ }
+
+ if (condition.Windows.Count == 0)
+ {
+ return AccessRuleValidationResult.Invalid("time_of_day requires at least one window.");
+ }
+
+ foreach (var window in condition.Windows)
+ {
+ if (window.Days.Count == 0)
+ {
+ return AccessRuleValidationResult.Invalid("time_of_day window requires at least one day.");
+ }
+
+ // Day tokens are validated during deserialization by AccessWeekdayJsonConverter; an unknown token fails
+ // the JSON parse above and is reported as malformed.
+ if (!TimeOfDayRegex().IsMatch(window.From))
+ {
+ return AccessRuleValidationResult.Invalid($"Invalid 'from' time: '{window.From}'. Expected HH:mm.");
+ }
+
+ if (!TimeOfDayRegex().IsMatch(window.To))
+ {
+ return AccessRuleValidationResult.Invalid($"Invalid 'to' time: '{window.To}'. Expected HH:mm.");
+ }
+ }
+
+ return AccessRuleValidationResult.Valid;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/ApproverCollectionAccessQuery.cs b/bitwarden_license/src/Commercial.Pam/Services/ApproverCollectionAccessQuery.cs
new file mode 100644
index 000000000000..80a49f40912b
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/ApproverCollectionAccessQuery.cs
@@ -0,0 +1,62 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Commercial.Pam.Services;
+
+public class ApproverCollectionAccessQuery : IApproverCollectionAccessQuery
+{
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly ICurrentContext _currentContext;
+ private readonly IApplicationCacheService _applicationCacheService;
+
+ public ApproverCollectionAccessQuery(
+ ICollectionRepository collectionRepository,
+ ICurrentContext currentContext,
+ IApplicationCacheService applicationCacheService)
+ {
+ _collectionRepository = collectionRepository;
+ _currentContext = currentContext;
+ _applicationCacheService = applicationCacheService;
+ }
+
+ public async Task> GetManageableCollectionIdsAsync(Guid userId)
+ {
+ // Collections the user is assigned with Manage (the repository aggregates Manage across direct and group
+ // access), mirroring BulkCollectionAuthorizationHandler.
+ var assigned = await _collectionRepository.GetManyByUserIdAsync(userId);
+ var manageable = assigned.Where(c => c.Manage).Select(c => c.Id).ToHashSet();
+
+ // Owners/Admins (when the org permits) and EditAnyCollection custom users can manage every collection in the
+ // organization, so fold those collections in too.
+ foreach (var org in _currentContext.Organizations)
+ {
+ var canManageAll = org.Permissions.EditAnyCollection;
+ if (!canManageAll && org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin)
+ {
+ var ability = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
+ canManageAll = ability?.AllowAdminAccessToAllCollectionItems ?? false;
+ }
+
+ if (!canManageAll)
+ {
+ continue;
+ }
+
+ var orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(org.Id);
+ foreach (var collection in orgCollections)
+ {
+ manageable.Add(collection.Id);
+ }
+ }
+
+ return manageable;
+ }
+
+ public async Task CanManageCollectionAsync(Guid userId, Guid collectionId)
+ {
+ var manageable = await GetManageableCollectionIdsAsync(userId);
+ return manageable.Contains(collectionId);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/ApproverInboxNotifier.cs b/bitwarden_license/src/Commercial.Pam/Services/ApproverInboxNotifier.cs
new file mode 100644
index 000000000000..f6f0cb3134ab
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/ApproverInboxNotifier.cs
@@ -0,0 +1,27 @@
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+
+namespace Bit.Commercial.Pam.Services;
+
+public class ApproverInboxNotifier : IApproverInboxNotifier
+{
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IPushNotificationService _pushNotificationService;
+
+ public ApproverInboxNotifier(
+ ICollectionRepository collectionRepository,
+ IPushNotificationService pushNotificationService)
+ {
+ _collectionRepository = collectionRepository;
+ _pushNotificationService = pushNotificationService;
+ }
+
+ public async Task NotifyCollectionApproversAsync(Guid collectionId)
+ {
+ var userIds = await _collectionRepository.GetManagingUserIdsAsync(collectionId);
+ foreach (var userId in userIds)
+ {
+ await _pushNotificationService.PushRefreshApproverInboxAsync(userId);
+ }
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/CipherLeaseGate.cs b/bitwarden_license/src/Commercial.Pam/Services/CipherLeaseGate.cs
new file mode 100644
index 000000000000..a2e83bda99a4
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/CipherLeaseGate.cs
@@ -0,0 +1,203 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Core;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Entities;
+using Bit.Pam.Repositories;
+using Bit.Pam.Services;
+
+namespace Bit.Commercial.Pam.Services;
+
+///
+public class CipherLeaseGate : ICipherLeaseGate
+{
+ private readonly IFeatureService _featureService;
+ private readonly IGoverningRuleResolver _resolver;
+ private readonly IAccessLeaseRepository _accessLeaseRepository;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly ICollectionCipherRepository _collectionCipherRepository;
+ private readonly ICurrentContext _currentContext;
+ private readonly TimeProvider _timeProvider;
+
+ public CipherLeaseGate(
+ IFeatureService featureService,
+ IGoverningRuleResolver resolver,
+ IAccessLeaseRepository accessLeaseRepository,
+ ICollectionRepository collectionRepository,
+ ICollectionCipherRepository collectionCipherRepository,
+ ICurrentContext currentContext,
+ TimeProvider timeProvider)
+ {
+ _featureService = featureService;
+ _resolver = resolver;
+ _accessLeaseRepository = accessLeaseRepository;
+ _collectionRepository = collectionRepository;
+ _collectionCipherRepository = collectionCipherRepository;
+ _currentContext = currentContext;
+ _timeProvider = timeProvider;
+ }
+
+ private bool Enabled => _featureService.IsEnabled(FeatureFlagKeys.Pam);
+
+ public async Task AuthorizeReadAsync(Guid userId, Cipher cipher)
+ {
+ if (!Enabled)
+ {
+ return FullCipherAccess.Unrestricted();
+ }
+
+ return await IsBlockedAsync(userId, cipher.Id)
+ ? null
+ : FullCipherAccess.ForCipher(cipher.Id);
+ }
+
+ public Task AuthorizeReadManyAsync(
+ Guid userId,
+ IEnumerable ciphers,
+ IEnumerable? collections,
+ IDictionary>? collectionCiphersByCipher)
+ {
+ if (!Enabled)
+ {
+ return Task.FromResult(FullCipherAccess.Unrestricted());
+ }
+
+ return Task.FromResult(BuildBulkWitness(ciphers, collections, collectionCiphersByCipher));
+ }
+
+ public async Task AuthorizeReadManyAsync(Guid userId, IEnumerable ciphers)
+ {
+ if (!Enabled)
+ {
+ return FullCipherAccess.Unrestricted();
+ }
+
+ var collections = await _collectionRepository.GetManyByUserIdAsync(userId);
+ var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdAsync(userId);
+ var collectionCiphersByCipher = collectionCiphers.GroupBy(c => c.CipherId).ToDictionary(g => g.Key);
+ return BuildBulkWitness(ciphers, collections, collectionCiphersByCipher);
+ }
+
+ // Bulk reads never release a gated cipher's secrets, regardless of lease state, so the witness
+ // authorizes only the non-gated subset and the gated ones fall through to the partial shape.
+ private FullCipherAccess BuildBulkWitness(
+ IEnumerable ciphers,
+ IEnumerable? collections,
+ IDictionary>? collectionCiphersByCipher)
+ {
+ var gated = GetGatedCipherIds(collections, collectionCiphersByCipher);
+ var authorized = ciphers.Select(c => c.Id).Where(id => !gated.Contains(id));
+ return FullCipherAccess.ForCiphers(authorized);
+ }
+
+ public ISet GetGatedCipherIds(
+ IEnumerable? collections,
+ IDictionary>? collectionCiphersByCipher)
+ {
+ var gated = new HashSet();
+ if (!Enabled || collections == null || collectionCiphersByCipher == null)
+ {
+ return gated;
+ }
+
+ var leasingCollectionIds = collections
+ .Where(c => c.AccessRuleId.HasValue)
+ .Select(c => c.Id)
+ .ToHashSet();
+ if (leasingCollectionIds.Count == 0)
+ {
+ return gated;
+ }
+
+ foreach (var (cipherId, collectionCiphers) in collectionCiphersByCipher)
+ {
+ if (collectionCiphers.Any() && collectionCiphers.All(cc => leasingCollectionIds.Contains(cc.CollectionId)))
+ {
+ gated.Add(cipherId);
+ }
+ }
+
+ return gated;
+ }
+
+ public async Task EnsureCanMutateAsync(Guid userId, Cipher cipher)
+ {
+ if (!Enabled)
+ {
+ return FullCipherAccess.Unrestricted();
+ }
+
+ if (await IsBlockedAsync(userId, cipher.Id))
+ {
+ throw new NotFoundException();
+ }
+
+ return FullCipherAccess.ForCipher(cipher.Id);
+ }
+
+ public async Task EnsureCanMutateManyAsync(Guid userId, IEnumerable ciphers)
+ {
+ if (!Enabled)
+ {
+ return FullCipherAccess.Unrestricted();
+ }
+
+ var cipherList = ciphers as ICollection ?? ciphers.ToList();
+ if (cipherList.Count == 0)
+ {
+ return FullCipherAccess.ForCiphers([]);
+ }
+
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var leasedCipherIds = (await _accessLeaseRepository.GetManyActiveByRequesterIdAsync(userId, now))
+ .Select(l => l.CipherId)
+ .ToHashSet();
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+
+ foreach (var cipher in cipherList)
+ {
+ if (leasedCipherIds.Contains(cipher.Id))
+ {
+ // A valid lease overrides gating, so no resolve is needed.
+ continue;
+ }
+
+ if (await _resolver.ResolveAsync(userId, cipher.Id, signals) is not null)
+ {
+ // Gated with no lease: refuse the whole batch, mirroring how the service hides
+ // inaccessible ciphers.
+ throw new NotFoundException();
+ }
+ }
+
+ return FullCipherAccess.ForCiphers(cipherList.Select(c => c.Id));
+ }
+
+ public FullCipherAccess Unrestricted() =>
+ // The flag-off path is unrestricted anyway; gating only ever narrows access, never widens it.
+ FullCipherAccess.Unrestricted();
+
+ ///
+ /// True when the cipher is leasing-gated for the caller and they hold no valid active lease — the
+ /// shared "withhold full data" condition behind both read and mutation decisions. Resolves the
+ /// governing rule first so non-gated ciphers (the common case) cost no lease query.
+ ///
+ private async Task IsBlockedAsync(Guid userId, Guid cipherId)
+ {
+ var now = _timeProvider.GetUtcNow().UtcDateTime;
+ var signals = AccessSignals.From(_currentContext.IpAddress, new DateTimeOffset(now, TimeSpan.Zero));
+
+ if (await _resolver.ResolveAsync(userId, cipherId, signals) is null)
+ {
+ return false;
+ }
+
+ var activeLease = await _accessLeaseRepository.GetActiveByRequesterIdCipherIdAsync(userId, cipherId, now);
+ return activeLease is null;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/GoverningRuleResolver.cs b/bitwarden_license/src/Commercial.Pam/Services/GoverningRuleResolver.cs
new file mode 100644
index 000000000000..8eccc33ddca6
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/GoverningRuleResolver.cs
@@ -0,0 +1,112 @@
+using System.Text.Json;
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.Models.Conditions;
+using Bit.Core.Repositories;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.Services;
+
+public class GoverningRuleResolver : IGoverningRuleResolver
+{
+ private static readonly JsonSerializerOptions _jsonOptions = new()
+ {
+ PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+ PropertyNameCaseInsensitive = true,
+ };
+
+ private readonly ICollectionCipherRepository _collectionCipherRepository;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IAccessRuleRepository _accessRuleRepository;
+ private readonly IAccessRuleEngine _ruleEngine;
+
+ public GoverningRuleResolver(
+ ICollectionCipherRepository collectionCipherRepository,
+ ICollectionRepository collectionRepository,
+ IAccessRuleRepository accessRuleRepository,
+ IAccessRuleEngine ruleEngine)
+ {
+ _collectionCipherRepository = collectionCipherRepository;
+ _collectionRepository = collectionRepository;
+ _accessRuleRepository = accessRuleRepository;
+ _ruleEngine = ruleEngine;
+ }
+
+ public async Task ResolveAsync(Guid userId, Guid cipherId, AccessSignals signals)
+ {
+ var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, cipherId);
+ if (collectionCiphers.Count == 0)
+ {
+ return null;
+ }
+
+ var collectionIds = collectionCiphers.Select(cc => cc.CollectionId).ToHashSet();
+ var collections = await _collectionRepository.GetManyByManyIdsAsync(collectionIds);
+
+ // Deterministic order so ties between equally-favourable rules resolve to a stable governing collection.
+ var governed = collections
+ .Where(c => collectionIds.Contains(c.Id) && c.AccessRuleId.HasValue)
+ .OrderBy(c => c.Id);
+
+ // Least-restrictive wins: among the rules on the collections through which the caller reaches the cipher,
+ // an automatic grant (Allow) is favoured over one needing human approval (RequiresApproval), which is
+ // favoured over a denial (Deny). Evaluating each rule against the request signals means a failing automatic
+ // rule (e.g. an out-of-range IP) never pre-empts a different path that would grant or route to a human.
+ GoverningRule? best = null;
+ var bestOutcome = AccessEvaluationOutcome.Deny;
+ foreach (var collection in governed)
+ {
+ var accessRule = await _accessRuleRepository.GetByIdAsync(collection.AccessRuleId!.Value);
+ if (accessRule is null)
+ {
+ continue;
+ }
+
+ var conditions = Parse(accessRule.Conditions);
+ var outcome = _ruleEngine.Evaluate(conditions, signals).Outcome;
+ if (best is not null && outcome >= bestOutcome)
+ {
+ continue;
+ }
+
+ bestOutcome = outcome;
+ best = new GoverningRule(
+ collection.OrganizationId,
+ collection.Id,
+ outcome == AccessEvaluationOutcome.RequiresApproval,
+ conditions)
+ {
+ AllowsExtensions = accessRule.AllowsExtensions,
+ MaxExtensionDurationSeconds = accessRule.MaxExtensionDurationSeconds,
+ };
+
+ if (outcome == AccessEvaluationOutcome.Allow)
+ {
+ // Nothing beats an automatic grant; stop scanning the remaining collections.
+ break;
+ }
+ }
+
+ return best;
+ }
+
+ ///
+ /// Parses the stored conditions JSON into a flat list of . A malformed or
+ /// unparseable document fails safe to a single human-approval condition so access is never silently auto-approved
+ /// on conditions the server could not understand; the human-approval path then routes it to an approver rather
+ /// than issuing an automatic lease.
+ ///
+ private static IReadOnlyList Parse(string conditionsJson)
+ {
+ try
+ {
+ return JsonSerializer.Deserialize>(conditionsJson, _jsonOptions) ?? FailSafe();
+ }
+ catch (JsonException)
+ {
+ return FailSafe();
+ }
+ }
+
+ private static IReadOnlyList FailSafe() => [new HumanApprovalCondition()];
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/IAccessRuleValidator.cs b/bitwarden_license/src/Commercial.Pam/Services/IAccessRuleValidator.cs
new file mode 100644
index 000000000000..12afdd5e13f7
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/IAccessRuleValidator.cs
@@ -0,0 +1,16 @@
+namespace Bit.Commercial.Pam.Services;
+
+public interface IAccessRuleValidator
+{
+ ///
+ /// Validates a raw JSON conditions document. A null or empty document is treated as "no conditions
+ /// configured" and considered valid; callers decide how to treat that semantically.
+ ///
+ AccessRuleValidationResult Validate(string? conditionsJson);
+}
+
+public sealed record AccessRuleValidationResult(bool IsValid, string? Error)
+{
+ public static AccessRuleValidationResult Valid { get; } = new(true, null);
+ public static AccessRuleValidationResult Invalid(string error) => new(false, error);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/IApproverCollectionAccessQuery.cs b/bitwarden_license/src/Commercial.Pam/Services/IApproverCollectionAccessQuery.cs
new file mode 100644
index 000000000000..202e179c0462
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/IApproverCollectionAccessQuery.cs
@@ -0,0 +1,19 @@
+namespace Bit.Commercial.Pam.Services;
+
+///
+/// Resolves which collections the current user can Manage — the single authorization predicate for the approver
+/// inbox. A user "approves" a request iff they can Manage the collection that holds the request's cipher. The list
+/// endpoints use the full set as a filter; the decision/revoke endpoints check a single collection.
+///
+public interface IApproverCollectionAccessQuery
+{
+ ///
+ /// The ids of every collection the user can Manage: collections they are assigned with Manage (directly or via
+ /// group), plus all collections in any organization where they are an Owner/Admin (when the org allows admin
+ /// access to all collection items) or hold the EditAnyCollection permission.
+ ///
+ Task> GetManageableCollectionIdsAsync(Guid userId);
+
+ /// Whether the user can Manage the given collection.
+ Task CanManageCollectionAsync(Guid userId, Guid collectionId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/IApproverInboxNotifier.cs b/bitwarden_license/src/Commercial.Pam/Services/IApproverInboxNotifier.cs
new file mode 100644
index 000000000000..d52ce58b8e3e
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/IApproverInboxNotifier.cs
@@ -0,0 +1,11 @@
+namespace Bit.Commercial.Pam.Services;
+
+///
+/// Pushes the RefreshApproverInbox signal to every user who can Manage a collection, telling their clients to
+/// re-fetch the approver inbox. Fired whenever something the inbox renders changes (a new pending request, a request
+/// leaving pending, a lease being revoked).
+///
+public interface IApproverInboxNotifier
+{
+ Task NotifyCollectionApproversAsync(Guid collectionId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/IGoverningRuleResolver.cs b/bitwarden_license/src/Commercial.Pam/Services/IGoverningRuleResolver.cs
new file mode 100644
index 000000000000..9e31d9d98b8f
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/IGoverningRuleResolver.cs
@@ -0,0 +1,17 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.Models;
+
+namespace Bit.Commercial.Pam.Services;
+
+public interface IGoverningRuleResolver
+{
+ ///
+ /// Resolves the leasing context that governs for the caller, evaluating each
+ /// reachable collection's rule against the request , or null when the cipher is not
+ /// leasing-gated for them (no reachable collection carries an access rule). When more than one governing
+ /// collection applies, the least-restrictive applicable rule wins: an automatic grant is favoured over one that
+ /// needs human approval, which is favoured over a denial — so the caller is never routed to an approver when some
+ /// path would auto-grant, and a failing automatic rule never pre-empts a path that would grant.
+ ///
+ Task ResolveAsync(Guid userId, Guid cipherId, AccessSignals signals);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/IRequesterNotifier.cs b/bitwarden_license/src/Commercial.Pam/Services/IRequesterNotifier.cs
new file mode 100644
index 000000000000..d0dbf5082990
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/IRequesterNotifier.cs
@@ -0,0 +1,13 @@
+namespace Bit.Commercial.Pam.Services;
+
+///
+/// Pushes the RefreshAccessRequest signal to a single requester, telling their clients to re-fetch their own
+/// access requests and active leases. Fired whenever something the requester's view renders changes for a reason
+/// other than their own local action — a pending request being decided, a held lease being revoked or extended, a
+/// request being cancelled — so their "My requests" list, lease banner, and row badges stay live, and an open cipher
+/// re-locks the moment its lease ends.
+///
+public interface IRequesterNotifier
+{
+ Task NotifyRequesterAsync(Guid requesterId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/ISingleActiveLeaseEvaluator.cs b/bitwarden_license/src/Commercial.Pam/Services/ISingleActiveLeaseEvaluator.cs
new file mode 100644
index 000000000000..d28b4c515a2c
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/ISingleActiveLeaseEvaluator.cs
@@ -0,0 +1,13 @@
+namespace Bit.Commercial.Pam.Services;
+
+public interface ISingleActiveLeaseEvaluator
+{
+ ///
+ /// Decides whether the per-cipher single-active-lease constraint binds for the caller, using the same
+ /// union-over-paths logic as cipher gating. Returns true only when the caller reaches the cipher through at
+ /// least one collection and every such collection is governed by a rule whose
+ /// SingleActiveLease is true. Any ungated path (no access rule) or a path governed by a non-singleton
+ /// rule is an escape that leaves the caller unconstrained, so the method returns false.
+ ///
+ Task AppliesAsync(Guid userId, Guid cipherId);
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/RequesterNotifier.cs b/bitwarden_license/src/Commercial.Pam/Services/RequesterNotifier.cs
new file mode 100644
index 000000000000..f4e439260fb0
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/RequesterNotifier.cs
@@ -0,0 +1,18 @@
+using Bit.Core.Platform.Push;
+
+namespace Bit.Commercial.Pam.Services;
+
+public class RequesterNotifier : IRequesterNotifier
+{
+ private readonly IPushNotificationService _pushNotificationService;
+
+ public RequesterNotifier(IPushNotificationService pushNotificationService)
+ {
+ _pushNotificationService = pushNotificationService;
+ }
+
+ public Task NotifyRequesterAsync(Guid requesterId)
+ {
+ return _pushNotificationService.PushRefreshAccessRequestAsync(requesterId);
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Services/SingleActiveLeaseEvaluator.cs b/bitwarden_license/src/Commercial.Pam/Services/SingleActiveLeaseEvaluator.cs
new file mode 100644
index 000000000000..87653bf65daa
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Services/SingleActiveLeaseEvaluator.cs
@@ -0,0 +1,61 @@
+using Bit.Core.Repositories;
+using Bit.Pam.Repositories;
+
+namespace Bit.Commercial.Pam.Services;
+
+public class SingleActiveLeaseEvaluator : ISingleActiveLeaseEvaluator
+{
+ private readonly ICollectionCipherRepository _collectionCipherRepository;
+ private readonly ICollectionRepository _collectionRepository;
+ private readonly IAccessRuleRepository _accessRuleRepository;
+
+ public SingleActiveLeaseEvaluator(
+ ICollectionCipherRepository collectionCipherRepository,
+ ICollectionRepository collectionRepository,
+ IAccessRuleRepository accessRuleRepository)
+ {
+ _collectionCipherRepository = collectionCipherRepository;
+ _collectionRepository = collectionRepository;
+ _accessRuleRepository = accessRuleRepository;
+ }
+
+ public async Task AppliesAsync(Guid userId, Guid cipherId)
+ {
+ var collectionCiphers = await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, cipherId);
+ if (collectionCiphers.Count == 0)
+ {
+ // No reachable collection: there is no path, so the constraint does not bind.
+ return false;
+ }
+
+ var collectionIds = collectionCiphers.Select(cc => cc.CollectionId).ToHashSet();
+ var collections = await _collectionRepository.GetManyByManyIdsAsync(collectionIds);
+
+ var paths = collections.Where(c => collectionIds.Contains(c.Id)).ToList();
+ if (paths.Count == 0)
+ {
+ return false;
+ }
+
+ foreach (var collection in paths)
+ {
+ // An ungated path is an escape: the caller can reach the cipher without any singleton rule, so the
+ // constraint does not bind for them.
+ if (!collection.AccessRuleId.HasValue)
+ {
+ return false;
+ }
+
+ var accessRule = await _accessRuleRepository.GetByIdAsync(collection.AccessRuleId.Value);
+
+ // A missing rule, or a rule that does not ask for a singleton, is likewise an escape path.
+ if (accessRule is null || !accessRule.SingleActiveLease)
+ {
+ return false;
+ }
+ }
+
+ // Every path is governed by a singleton rule: the constraint binds.
+ return true;
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/Utilities/ServiceCollectionExtensions.cs b/bitwarden_license/src/Commercial.Pam/Utilities/ServiceCollectionExtensions.cs
new file mode 100644
index 000000000000..fd77eaca772b
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/Utilities/ServiceCollectionExtensions.cs
@@ -0,0 +1,45 @@
+using Bit.Commercial.Pam.Engine;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Commercial.Pam.Services;
+using Bit.Pam.Services;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Bit.Commercial.Pam.Utilities;
+
+public static class ServiceCollectionExtensions
+{
+ public static void AddCommercialPamServices(this IServiceCollection services)
+ {
+ services.AddSingleton();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddSingleton();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.AddScoped();
+ services.TryAddSingleton(TimeProvider.System);
+ services.AddScoped();
+ }
+}
diff --git a/bitwarden_license/src/Commercial.Pam/packages.lock.json b/bitwarden_license/src/Commercial.Pam/packages.lock.json
new file mode 100644
index 000000000000..db3a2021f277
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Pam/packages.lock.json
@@ -0,0 +1,1099 @@
+{
+ "version": 1,
+ "dependencies": {
+ "net10.0": {
+ "AdaptiveCards": {
+ "type": "Transitive",
+ "resolved": "3.1.0",
+ "contentHash": "b+sPwH0oyAflpgxCyNPMzH92xrQjWl6GuuEBv86/VhO6iHhiWv+PtwzqMS70nOXZQRzpl9YVHXAvn+dKot5IBQ==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "AspNetCoreRateLimit": {
+ "type": "Transitive",
+ "resolved": "5.0.0",
+ "contentHash": "6fq9+o1maGADUmpK/PvcF0DtXW2+7bSkIL7MDIo/agbIHKN8XkMQF4oze60DO731WaQmHmK260hB30FwPzCmEg==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.2"
+ }
+ },
+ "AspNetCoreRateLimit.Redis": {
+ "type": "Transitive",
+ "resolved": "2.0.0",
+ "contentHash": "3g6Mb4Y+rW14/oE7Qt8WFA9zS7XNdHx7TH3k/XQix7PtUWEZSSAK+VsqDhDIPkUysUHFBDUA7olNeTjytpzA/g==",
+ "dependencies": {
+ "AspNetCoreRateLimit": "5.0.0",
+ "StackExchange.Redis": "2.6.80"
+ }
+ },
+ "AutoMapper": {
+ "type": "Transitive",
+ "resolved": "14.0.0",
+ "contentHash": "OC+1neAPM4oCCqQj3g2GJ2shziNNhOkxmNB9cVS8jtx4JbgmRzLcUOxB9Tsz6cVPHugdkHgCaCrTjjSI0Z5sCQ=="
+ },
+ "AWSSDK.Core": {
+ "type": "Transitive",
+ "resolved": "4.0.3.3",
+ "contentHash": "YQv10JuxnciWh0QwnkarSbge4gXQV1qTURf5jkBjNUH/3jYS9QrbxopA4TK1qdjfOfP37tqiJkLSrRRNqX81aw=="
+ },
+ "AWSSDK.SimpleEmail": {
+ "type": "Transitive",
+ "resolved": "4.0.2.5",
+ "contentHash": "LvV5mXlvpR3fTAJysO3KmUC6bR/KUZpdkcMJ5b6lYNpStlsFN+MXcaMh34TuwYaTCgIjF3bJb4oZifFkgh+Ccw==",
+ "dependencies": {
+ "AWSSDK.Core": "[4.0.3.3, 5.0.0)"
+ }
+ },
+ "AWSSDK.SQS": {
+ "type": "Transitive",
+ "resolved": "4.0.2.5",
+ "contentHash": "bHA9m/2RZHNKt6NGvQ56rfEDj/pfUlcwPeCg2HmPJ3jZPyoerBuEsYvFkMP3YJNv3aoycNWZoiDk0/ULP0tEyA==",
+ "dependencies": {
+ "AWSSDK.Core": "[4.0.3.3, 5.0.0)"
+ }
+ },
+ "Azure.Core": {
+ "type": "Transitive",
+ "resolved": "1.47.3",
+ "contentHash": "u/uCNtUWT+Q/Is7/PAMy3KP9kq5vY5klRnyAvRxO/kEa5OnV3/X5lHlCajNANC7vmej6jAqceqLBJNO/VyCKzg==",
+ "dependencies": {
+ "Microsoft.Bcl.AsyncInterfaces": "8.0.0",
+ "System.ClientModel": "1.6.1",
+ "System.Memory.Data": "8.0.1"
+ }
+ },
+ "Azure.Core.Amqp": {
+ "type": "Transitive",
+ "resolved": "1.3.1",
+ "contentHash": "AY1ZM4WwLBb9L2WwQoWs7wS2XKYg83tp3yVVdgySdebGN0FuIszuEqCy3Nhv6qHpbkjx/NGuOTsUbF/oNGBgwA==",
+ "dependencies": {
+ "Microsoft.Azure.Amqp": "2.6.7",
+ "System.Memory.Data": "1.0.2"
+ }
+ },
+ "Azure.Data.Tables": {
+ "type": "Transitive",
+ "resolved": "12.11.0",
+ "contentHash": "MabH2HegMvZA1ocaMhEfW/idyTa3CoH64s43/V9/KFRGdVqEj0EETvd3ItDe6Bbs2teiR40KE9Kz9NLDc5DJJw==",
+ "dependencies": {
+ "Azure.Core": "1.44.1"
+ }
+ },
+ "Azure.Extensions.AspNetCore.DataProtection.Blobs": {
+ "type": "Transitive",
+ "resolved": "1.3.4",
+ "contentHash": "zS+x0MpUMSbvZD598lwAoax+ohIeSAvGlXpT71iP7FFmMZ+Tjz/8hx+jZH/RbV2cJYTYbux8XFDll7LMPuz46g==",
+ "dependencies": {
+ "Azure.Core": "1.38.0",
+ "Azure.Storage.Blobs": "12.16.0"
+ }
+ },
+ "Azure.Identity": {
+ "type": "Transitive",
+ "resolved": "1.11.4",
+ "contentHash": "Sf4BoE6Q3jTgFkgBkx7qztYOFELBCo+wQgpYDwal/qJ1unBH73ywPztIJKXBXORRzAeNijsuxhk94h0TIMvfYg==",
+ "dependencies": {
+ "Azure.Core": "1.38.0",
+ "Microsoft.Identity.Client": "4.61.3",
+ "Microsoft.Identity.Client.Extensions.Msal": "4.61.3",
+ "System.Security.Cryptography.ProtectedData": "4.7.0"
+ }
+ },
+ "Azure.Messaging.ServiceBus": {
+ "type": "Transitive",
+ "resolved": "7.20.1",
+ "contentHash": "DxCkedWPQuiXrIyFcriOhsQcZmDZW+j9d55Ev4nnK3yjMUFjlVe4Hj37fuZTJlNhC3P+7EumqBTt33R6DfOxGA==",
+ "dependencies": {
+ "Azure.Core": "1.46.2",
+ "Azure.Core.Amqp": "1.3.1",
+ "Microsoft.Azure.Amqp": "2.7.0"
+ }
+ },
+ "Azure.Storage.Blobs": {
+ "type": "Transitive",
+ "resolved": "12.26.0",
+ "contentHash": "EBRSHmI0eNzdufcIS1Rf7Ez9M8V1Jl7pMV4UWDERDMCv513KtAVsgz2ez2FQP9Qnwg7uEQrP+Uc7vBtumlr7sQ==",
+ "dependencies": {
+ "Azure.Core": "1.47.3",
+ "Azure.Storage.Common": "12.25.0"
+ }
+ },
+ "Azure.Storage.Blobs.Batch": {
+ "type": "Transitive",
+ "resolved": "12.23.0",
+ "contentHash": "1Cj2/OEPoNpcwjQZ/vtng4ImrwuDlOZhYd3mKCxQXzUe50dl0lM5AWX8KE8GGKd5pLuRKYMNmn3mRvWpv/Me+A==",
+ "dependencies": {
+ "Azure.Core": "1.47.3",
+ "Azure.Storage.Blobs": "12.26.0",
+ "Azure.Storage.Common": "12.25.0"
+ }
+ },
+ "Azure.Storage.Common": {
+ "type": "Transitive",
+ "resolved": "12.25.0",
+ "contentHash": "MHGWp4aLHRo0BdLj25U2qYdYK//Zz21k4bs3SVyNQEmJbBl3qZ8GuOmTSXJ+Zad93HnFXfvD8kyMr0gjA8Ftpw==",
+ "dependencies": {
+ "Azure.Core": "1.47.3",
+ "System.IO.Hashing": "8.0.0"
+ }
+ },
+ "Azure.Storage.Queues": {
+ "type": "Transitive",
+ "resolved": "12.24.0",
+ "contentHash": "YSR051EMu421JZNCOyOB2JpVyA4bSW8CnbTYmYlwxsYIUJuwiMy2toSXIoq9RKG9PuBtnT5dS9M6QCYNGaswAw==",
+ "dependencies": {
+ "Azure.Core": "1.47.3",
+ "Azure.Storage.Common": "12.25.0"
+ }
+ },
+ "BitPay.Light": {
+ "type": "Transitive",
+ "resolved": "1.0.1907",
+ "contentHash": "QTTIgXakHrRNQPxNyH7bZ7frm0bI8N6gRDtiqVyKG/QYQ+KfjN70xt0zQ0kO0zf8UBaKuwcV5B7vvpXtzR9ijg==",
+ "dependencies": {
+ "Newtonsoft.Json": "12.0.2"
+ }
+ },
+ "BouncyCastle.Cryptography": {
+ "type": "Transitive",
+ "resolved": "2.6.2",
+ "contentHash": "7oWOcvnntmMKNzDLsdxAYqApt+AjpRpP2CShjMfIa3umZ42UQMvH0tl1qAliYPNYO6vTdcGMqnRrCPmsfzTI1w=="
+ },
+ "Braintree": {
+ "type": "Transitive",
+ "resolved": "5.36.0",
+ "contentHash": "K43RjhEU5qXoYYxo0C0o54msQxbdRjVP+hDMZwSXsei4fLBHA2xwS1NCooZ9girCQNjoWOM8bygkHTVGgN+sag==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.1",
+ "System.Xml.XPath.XmlDocument": "4.3.0"
+ }
+ },
+ "CsvHelper": {
+ "type": "Transitive",
+ "resolved": "33.1.0",
+ "contentHash": "kqfTOZGrn7NarNeXgjh86JcpTHUoeQDMB8t9NVa/ZtlSYiV1rxfRnQ49WaJsob4AiGrbK0XDzpyKkBwai4F8eg=="
+ },
+ "Dapper": {
+ "type": "Transitive",
+ "resolved": "2.1.66",
+ "contentHash": "/q77jUgDOS+bzkmk3Vy9SiWMaetTw+NOoPAV0xPBsGVAyljd5S6P+4RUW7R3ZUGGr9lDRyPKgAMj2UAOwvqZYw=="
+ },
+ "DnsClient": {
+ "type": "Transitive",
+ "resolved": "1.8.0",
+ "contentHash": "RRwtaCXkXWsx0mmsReGDqCbRLtItfUbkRJlet1FpdciVhyMGKcPd57T1+8Jki9ojHlq9fntVhXQroOOgRak8DQ=="
+ },
+ "Duende.IdentityModel": {
+ "type": "Transitive",
+ "resolved": "8.0.0",
+ "contentHash": "8i+Tv4c38LgwoTRKbD0+MqtnNNDSVA83G6JkjGHgC4/7jH0nxZBP0RBhH8xTsvNQ5Pv9zrg+TR8rmtWK9HDOPg=="
+ },
+ "Duende.IdentityServer": {
+ "type": "Transitive",
+ "resolved": "7.4.6",
+ "contentHash": "Zvri5e+SrOWLz0wmJry0ZaU8gVygv966jzP/CbMSCtV0K/nqK7abL9gQr9aKKmjt5DsONauUMT2E0cK/GbXJAg==",
+ "dependencies": {
+ "Duende.IdentityServer.Storage": "7.4.6",
+ "Microsoft.AspNetCore.Authentication.OpenIdConnect": "10.0.0"
+ }
+ },
+ "Duende.IdentityServer.Storage": {
+ "type": "Transitive",
+ "resolved": "7.4.6",
+ "contentHash": "qPNsoj5H1TaT5gYptA/Z5LZE/UT4PFsgDen8K1DLj4W9O8i1PuEfFiba9CbmwLPs/TUS2xikCbxfiUgBUqn8GQ==",
+ "dependencies": {
+ "Duende.IdentityModel": "8.0.0"
+ }
+ },
+ "DuoUniversal": {
+ "type": "Transitive",
+ "resolved": "1.3.1",
+ "contentHash": "BZUJplORCBO1PVDFT5v7HDYAlpgHAkay5N9vzRpJ/sBm+GU44pxNlo7v95Ym0tvUeKy0WWWv/iE4FjErYoZUHQ==",
+ "dependencies": {
+ "Microsoft.IdentityModel.JsonWebTokens": "6.34.0"
+ }
+ },
+ "Fido2": {
+ "type": "Transitive",
+ "resolved": "3.0.1",
+ "contentHash": "S0Bz1vfcKlO4Jase3AWp5XnQ746psf4oGx5kL+D2A10j1SsjoAOAIIpanSwfi0cEepDHgk1bClcOKY5TjOzGdA==",
+ "dependencies": {
+ "Fido2.Models": "3.0.1",
+ "NSec.Cryptography": "22.4.0",
+ "System.IdentityModel.Tokens.Jwt": "6.17.0"
+ }
+ },
+ "Fido2.AspNet": {
+ "type": "Transitive",
+ "resolved": "3.0.1",
+ "contentHash": "5n5shEXD7RFUyTesjUHGDjkpgES7j4KotQo1GwUcS08k+fx+1tl/zCFHJ9RFDuUwO+S681ZILT2PyA67IPYpaA==",
+ "dependencies": {
+ "Fido2": "3.0.1",
+ "Fido2.Models": "3.0.1"
+ }
+ },
+ "Fido2.Models": {
+ "type": "Transitive",
+ "resolved": "3.0.1",
+ "contentHash": "mgjcuGETuYSCUEaZG+jQeeuuEMkDLc4GDJHBvKDdOz6oSOWp5adPdWP4btZx7Pi+9fu4szN3JIjJmby67MaILw=="
+ },
+ "Handlebars.Net": {
+ "type": "Transitive",
+ "resolved": "2.1.6",
+ "contentHash": "WsYWCEXsIM6hEOSOSRHtIYLjC8BnbT5MVmqhNKRqUI7qiv0t8x3nJiBTEv0ZZfvUAMAFnadGIzSsS/U2anVG1Q=="
+ },
+ "LaunchDarkly.Cache": {
+ "type": "Transitive",
+ "resolved": "1.0.2",
+ "contentHash": "0bEnUVFVeW1TTDXb/bW6kS3FLQTLeGtw7Xh8yt6WNO56utVmtgcrMLvcnF6yeTn+N4FXrKfW09KkLNmK8YYQvw=="
+ },
+ "LaunchDarkly.CommonSdk": {
+ "type": "Transitive",
+ "resolved": "7.1.1",
+ "contentHash": "J557Na/XeYV8JjgWbGRMzi5eOgXrEMqcuPBtkZP/y7EgFLiWgvaPBGDm+hq766Kp0Kxs2MaZaNTQn4Fog7Hebw==",
+ "dependencies": {
+ "LaunchDarkly.Logging": "2.0.0"
+ }
+ },
+ "LaunchDarkly.EventSource": {
+ "type": "Transitive",
+ "resolved": "5.3.0",
+ "contentHash": "i++YvdrzvTc1tOxfVreU2yjo/E+iTFcVtwiB4PZ/3uTouNdhABLbJfz1jmGN3jmnvJKWhsMeEZLZM0dzkI+PXQ==",
+ "dependencies": {
+ "LaunchDarkly.Logging": "[2.0.0, 3.0.0)"
+ }
+ },
+ "LaunchDarkly.InternalSdk": {
+ "type": "Transitive",
+ "resolved": "3.6.0",
+ "contentHash": "Drf1rL+sZ/4UZDUovDLgRN9qQPf8J4QTQjJR2A8nCuxkFU7QjVFXqqW9+KL8RfX3DmJkhpgC3QVA1B9B6xEYJQ==",
+ "dependencies": {
+ "LaunchDarkly.CommonSdk": "[7.1.1, 8.0.0)",
+ "LaunchDarkly.Logging": "[2.0.0, 3.0.0)"
+ }
+ },
+ "LaunchDarkly.Logging": {
+ "type": "Transitive",
+ "resolved": "2.0.0",
+ "contentHash": "lsLKNqAZ7HIlkdTIrf4FetfRA1SUDE3WlaZQn79aSVkLjYWEhUhkDDK7hORGh4JoA3V2gXN+cIvJQax2uR/ijA=="
+ },
+ "LaunchDarkly.ServerSdk": {
+ "type": "Transitive",
+ "resolved": "8.11.0",
+ "contentHash": "MMXfyGMDtul9UhEleHXdGNe2amLY1gjTZ9K2R18XoZp5OOlSGu4CmBqE4MXMsXhLYoEtYg2GIibmoTSPaU2Y+A==",
+ "dependencies": {
+ "LaunchDarkly.Cache": "1.0.2",
+ "LaunchDarkly.CommonSdk": "7.1.1",
+ "LaunchDarkly.EventSource": "5.3.0",
+ "LaunchDarkly.InternalSdk": "3.6.0",
+ "LaunchDarkly.Logging": "2.0.0"
+ }
+ },
+ "libsodium": {
+ "type": "Transitive",
+ "resolved": "1.0.18.2",
+ "contentHash": "flArHoVdscSzyV8ZdPV+bqqY2TTFlaN+xZf/vIqsmHI51KVcD/mOdUPaK3n/k/wGKz8dppiktXUqSmf3AXFgig=="
+ },
+ "linq2db": {
+ "type": "Transitive",
+ "resolved": "5.4.1",
+ "contentHash": "qyH32MbFK6T55KsEcQYTbPFfkOa1Mo65lY/Zo8SFVMy0pwkQBCTnA/RUxyG5+l3D/mgfPz85PH3upDrtklSMrw=="
+ },
+ "linq2db.EntityFrameworkCore": {
+ "type": "Transitive",
+ "resolved": "8.1.0",
+ "contentHash": "wEUTdkWsrtwlE3aAb4qmxNkjrZOVp39KBM+wPvEnTNXoSym6Po3u9/PWRWAsbJAGjoljv5604ACcCOp/yMJ5XQ==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore.Relational": "8.0.0",
+ "linq2db": "5.4.0"
+ }
+ },
+ "MailKit": {
+ "type": "Transitive",
+ "resolved": "4.16.0",
+ "contentHash": "trJ82DOpAmo8i1jO1vNE+dGn4mPRyeYfy4swRcAGgMJhPoI1Kohf4OFJJf0+YIj4iUxgxPn8W+ht7e7KiYzSjg==",
+ "dependencies": {
+ "MimeKit": "4.16.0"
+ }
+ },
+ "Microsoft.AspNetCore.Authentication.JwtBearer": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "oGnE+X/SN6jdqao9WOkOIfyZ5+a0AtluJWy1Mxndq+kcWG6sx5k6l6tucu8/wJ7o9fHfLgVCzm/c4v/KVgVk6w==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Protocols.OpenIdConnect": "8.0.1"
+ }
+ },
+ "Microsoft.AspNetCore.Authentication.OpenIdConnect": {
+ "type": "Transitive",
+ "resolved": "10.0.0",
+ "contentHash": "6ATONu+5A2oh/vzmoFhf3cuQcclMaWGHrb1kvjVsYtml+gzuWD48MmbsItM4xAUQkJZ2t8XFmbGp8pZLPxKneA==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Protocols.OpenIdConnect": "8.0.1"
+ }
+ },
+ "Microsoft.AspNetCore.DataProtection": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "Rlbrr3XSGB4dwnUY/pA70TpVyrQhelDAUkIiGfJ2Tm32mscTYxrRnk9Ooy1rRhGZ1g7rliJPuNzhyMMKmRH5pw=="
+ },
+ "Microsoft.Azure.Amqp": {
+ "type": "Transitive",
+ "resolved": "2.7.0",
+ "contentHash": "gm/AEakujttMzrDhZ5QpRz3fICVkYDn/oDG9SmxDP+J7R8JDBXYU9WWG7hr6wQy40mY+wjUF0yUGXDPRDRNJwQ=="
+ },
+ "Microsoft.Azure.Cosmos": {
+ "type": "Transitive",
+ "resolved": "3.52.0",
+ "contentHash": "NEjNpaO19gvJrXowqHFcYPSpro5+TNjHO/JpU4VXP37by2aU2RVnmgpZsWL1GUl5wCPZ4VIOUsP1lrHpfW8ADQ==",
+ "dependencies": {
+ "Azure.Core": "1.44.1",
+ "Microsoft.Bcl.AsyncInterfaces": "6.0.0",
+ "Microsoft.Bcl.HashCode": "1.1.0",
+ "System.Configuration.ConfigurationManager": "6.0.0"
+ }
+ },
+ "Microsoft.Azure.NotificationHubs": {
+ "type": "Transitive",
+ "resolved": "4.2.0",
+ "contentHash": "LOCxFB/sB1frfuXjecdDRDKEHkH+I1qKRatS5NyWIgYhpKhIcAlPNIJajcwLgQBShckdc3hMG9E+75CnL3qDhQ==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.1"
+ }
+ },
+ "Microsoft.Bcl.AsyncInterfaces": {
+ "type": "Transitive",
+ "resolved": "8.0.0",
+ "contentHash": "3WA9q9yVqJp222P3x1wYIGDAkpjAku0TMUaaQV22g6L67AI0LdOIrVS7Ht2vJfLHGSPVuqN94vIr15qn+HEkHw=="
+ },
+ "Microsoft.Bcl.Cryptography": {
+ "type": "Transitive",
+ "resolved": "9.0.13",
+ "contentHash": "5T+bH3Lb1nEe8Hf/ixMxLmhlrx5wRi53wv7OhVwG2F1ZviW1ejFRS1NHur3uqPpJRGtkQwUchtY6zhVK2R+v+w=="
+ },
+ "Microsoft.Bcl.HashCode": {
+ "type": "Transitive",
+ "resolved": "1.1.0",
+ "contentHash": "J2G1k+u5unBV+aYcwxo94ip16Rkp65pgWFb0R6zwJipzWNMgvqlWeuI7/+R+e8bob66LnSG+llLJ+z8wI94cHg=="
+ },
+ "Microsoft.Bot.Builder": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "bLTrp/tfSNWDAIJ90TqyZ8JtpjCvNO7kgvhW0R5eSu72tAifwEIi2uxhFS+c8alsa2DM4EW3JSemoDgn0r6Hog==",
+ "dependencies": {
+ "Microsoft.Bot.Connector": "4.23.0",
+ "Microsoft.Bot.Connector.Streaming": "4.23.0",
+ "Microsoft.Bot.Streaming": "4.23.0"
+ }
+ },
+ "Microsoft.Bot.Builder.Integration.AspNet.Core": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "p6xghjJfg3Vh/q2NSd77TtuvCykuEakzMaELHctf3Cw4eTILsXWIgEJ0QxyelMnJGJjgfBwFS9ZeC2hWUFYzBA==",
+ "dependencies": {
+ "Microsoft.Bot.Builder": "4.23.0",
+ "Microsoft.Bot.Configuration": "4.23.0",
+ "Microsoft.Bot.Connector.Streaming": "4.23.0",
+ "Microsoft.Bot.Streaming": "4.23.0",
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Bot.Configuration": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "yCzxNU5QAEQ6zy7VBNuz3GwOY8OZcDkNYOmPw/QuVzViozxuJI200BMl+a5jhY9Nd7j6bGxO7Y3mmHy4Tu7Teg==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Bot.Connector": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "/vgAQ8LonwAnyu6CzYYElU4k65k+9V2ncwztpZtBM+IuwkhDe3iAO2ycObqcyhMMWYUV81IOb0JZYcabjiZ4NQ==",
+ "dependencies": {
+ "Microsoft.Bot.Schema": "4.23.0",
+ "Microsoft.Identity.Client": "4.66.1",
+ "Microsoft.Identity.Web.Certificateless": "3.3.0",
+ "Microsoft.IdentityModel.Protocols.OpenIdConnect": "8.1.2",
+ "Microsoft.Rest.ClientRuntime": "2.3.24",
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Bot.Connector.Streaming": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "Yz6PcySgtje88IGEJXj6agzya48pBL34/A5Zs3/xqmHvEQlI2ypMNc3OBOo2TRGxykklCSwc60PN2k95d4pbFw==",
+ "dependencies": {
+ "Microsoft.Bot.Schema": "4.23.0",
+ "Microsoft.Bot.Streaming": "4.23.0",
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Bot.Schema": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "HZeEXg/PuniNRIUU8ioSx/LrOXcbTZCZ1hUIqDdc6akWwhjrC2sTv7TaBpD0FlY4hDyUvj3GLyurPI/YChGPzA==",
+ "dependencies": {
+ "AdaptiveCards": "3.1.0",
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Bot.Streaming": {
+ "type": "Transitive",
+ "resolved": "4.23.0",
+ "contentHash": "gYudjsFAVjwZBRU5irJh7sdsD7gNRFfZEUwWTqkNp1eGaR1t+4sJY+YyqYL3PyCMSgLrKE46bt/JWuDi3CjRfA==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Data.SqlClient": {
+ "type": "Transitive",
+ "resolved": "7.0.0",
+ "contentHash": "/oolEwtHuDtpLKU8OItOTTxVJalgPtIkcNBwzXJ3YGyrkOAvLYqMtin9Z1jxqryJpds3PjuZBF5iKIYVVYVSvQ==",
+ "dependencies": {
+ "Microsoft.Bcl.Cryptography": "9.0.13",
+ "Microsoft.Data.SqlClient.Extensions.Abstractions": "1.0.0",
+ "Microsoft.Data.SqlClient.Internal.Logging": "1.0.0",
+ "Microsoft.Data.SqlClient.SNI.runtime": "6.0.2",
+ "Microsoft.IdentityModel.JsonWebTokens": "8.16.0",
+ "Microsoft.IdentityModel.Protocols.OpenIdConnect": "8.16.0",
+ "Microsoft.SqlServer.Server": "1.0.0",
+ "System.Configuration.ConfigurationManager": "9.0.13",
+ "System.Security.Cryptography.Pkcs": "9.0.13"
+ }
+ },
+ "Microsoft.Data.SqlClient.Extensions.Abstractions": {
+ "type": "Transitive",
+ "resolved": "1.0.0",
+ "contentHash": "rlnxc0KfwDSbE8ZHntFnl8SCgOa9QtJZblMv2zXLhRwl1Je7fsdsVzxSjzzC4JMsfAK+jXJWyezRB8SxUY4BdA==",
+ "dependencies": {
+ "Microsoft.Data.SqlClient.Internal.Logging": "1.0.0"
+ }
+ },
+ "Microsoft.Data.SqlClient.Internal.Logging": {
+ "type": "Transitive",
+ "resolved": "1.0.0",
+ "contentHash": "Kue/7CF8KNT9zozfr30C94dMZVZml3atqWZvQemSXvTau76tRdypzeKiBKXadqgbOME0UiQIyVTNo5WxCRNVNg=="
+ },
+ "Microsoft.Data.SqlClient.SNI.runtime": {
+ "type": "Transitive",
+ "resolved": "6.0.2",
+ "contentHash": "f+pRODTWX7Y67jXO3T5S2dIPZ9qMJNySjlZT/TKmWVNWe19N8jcWmHaqHnnchaq3gxEKv1SWVY5EFzOD06l41w=="
+ },
+ "Microsoft.Data.Sqlite.Core": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "qHInO2EvOcPhjgboP0TGnXM7rASdvWXrw6jAH8Yuz5YP82VTje7d/NKiX1i+dVbE3+G3JuW1kqNVB8yLvsqgYA==",
+ "dependencies": {
+ "SQLitePCLRaw.core": "2.1.6"
+ }
+ },
+ "Microsoft.EntityFrameworkCore": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "iK+jrJzkfbIxutB7or808BPmJtjUEi5O+eSM7cLDwsyde6+3iOujCSfWnrHrLxY3u+EQrJD+aD8DJ6ogPA2Rtw==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore.Abstractions": "8.0.8",
+ "Microsoft.EntityFrameworkCore.Analyzers": "8.0.8"
+ }
+ },
+ "Microsoft.EntityFrameworkCore.Abstractions": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "9mMQkZsfL1c2iifBD8MWRmwy59rvsVtR9NOezJj7+g1j4P7g49MJHd8k8faC/v7d5KuHkQ6KOQiSItvoRt9PXA=="
+ },
+ "Microsoft.EntityFrameworkCore.Analyzers": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "OlAXMU+VQgLz5y5/SBkLvAa9VeiR3dlJqgIebEEH2M2NGA3evm68/Tv7SLWmSxwnEAtA3nmDEZF2pacK6eXh4Q=="
+ },
+ "Microsoft.EntityFrameworkCore.Relational": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "3WnrwdXxKg4L98cDx0lNEEau8U2lsfuBJCs0Yzht+5XVTmahboM7MukKfQHAzVsHUPszm6ci929S7Qas0WfVHA==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore": "8.0.8"
+ }
+ },
+ "Microsoft.EntityFrameworkCore.Sqlite": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "IDB7Xs16hN/3VkWFCCa4r3fqoJxMVezwq418gr8dBkRBO0pxH+BX/Kjk/U3PYXDvzVLkXqUgJsHv1XoFrJbZPQ==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore.Sqlite.Core": "8.0.8",
+ "SQLitePCLRaw.bundle_e_sqlite3": "2.1.6"
+ }
+ },
+ "Microsoft.EntityFrameworkCore.Sqlite.Core": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "w5k/ENj3+BPbmggqh83RRuPhhKcJmW7CmdJuGwdX1eFrmptJwnzKiHfQCPkJAu9df16PSs5YFeWrDgepfqnltA==",
+ "dependencies": {
+ "Microsoft.Data.Sqlite.Core": "8.0.8",
+ "Microsoft.EntityFrameworkCore.Relational": "8.0.8",
+ "Microsoft.Extensions.DependencyModel": "8.0.1"
+ }
+ },
+ "Microsoft.EntityFrameworkCore.SqlServer": {
+ "type": "Transitive",
+ "resolved": "8.0.8",
+ "contentHash": "A2F52W+hnGqvprx37HcAnYnJv4QoFFdc9cxd/QGNSd1vCu1I0eAEKRd0r9KS3E5I5RRj/m9XJfYCyTdy1cdn5Q==",
+ "dependencies": {
+ "Microsoft.Data.SqlClient": "5.1.5",
+ "Microsoft.EntityFrameworkCore.Relational": "8.0.8"
+ }
+ },
+ "Microsoft.Extensions.Caching.Cosmos": {
+ "type": "Transitive",
+ "resolved": "1.8.0",
+ "contentHash": "8UI41/U5yla1z48klbtRdXxxloAChRzhAm592bitBNzTlXBq87zeO6Lbdvuh5d6oLNCU0I01kw6ovTD9Z6y05g==",
+ "dependencies": {
+ "Microsoft.Azure.Cosmos": "3.47.0",
+ "Newtonsoft.Json": "13.0.3"
+ }
+ },
+ "Microsoft.Extensions.Caching.SqlServer": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "GSP1UIw/VFiLOWBOCQYwLHsLnkqqqqEC9sc8IqCXpbSkwz03EZ9u4jcFORTE4TJ/gkKXKP6L3AO+ZFZ5MFX4Gg==",
+ "dependencies": {
+ "Azure.Identity": "1.11.4",
+ "Microsoft.Data.SqlClient": "5.2.2"
+ }
+ },
+ "Microsoft.Extensions.Caching.StackExchangeRedis": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "fle9ns3q2kk63vt/wHFtLw1U9kiEbM42vTk2Sar8VBjiGJFkXAgm0QEKFx15YMHkJIPRVdknWaovpvgGEgn10g==",
+ "dependencies": {
+ "StackExchange.Redis": "2.7.27"
+ }
+ },
+ "Microsoft.Extensions.Configuration.EnvironmentVariables": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "bVGqctAfPGfTxJvNp8pMshtvpsUj6r6JkeiCNVIGVYO5gBxuxdN0Lbr25kEvE/zXdctkEc44g8HssnPgDnFGVA=="
+ },
+ "Microsoft.Extensions.Configuration.UserSecrets": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "6XTfFOnf27WY8kEeZkTZ4YNn0t+imgvdQ0YaAdR4vgURKATo9bCaVJ1KB71IOJAQtJP7Elb53VHlTNXg2CtSsA=="
+ },
+ "Microsoft.Extensions.DependencyModel": {
+ "type": "Transitive",
+ "resolved": "8.0.1",
+ "contentHash": "5Ou6varcxLBzQ+Agfm0k0pnH7vrEITYlXMDuE6s7ZHlZHz6/G8XJ3iISZDr5rfwfge6RnXJ1+Wc479mMn52vjA=="
+ },
+ "Microsoft.Extensions.Identity.Stores": {
+ "type": "Transitive",
+ "resolved": "10.0.8",
+ "contentHash": "xVbg4qLWyjKSJVxtL56PQPlHu/URpWPKufhfOj61+tkCmNs6DIgnGxG8BAO/fAfacoBDDYg+p1zBjFzzj/EQog=="
+ },
+ "Microsoft.Identity.Client": {
+ "type": "Transitive",
+ "resolved": "4.66.1",
+ "contentHash": "mE+m3pZ7zSKocSubKXxwZcUrCzLflC86IdLxrVjS8tialy0b1L+aECBqRBC/ykcPlB4y7skg49TaTiA+O2UfDw==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Abstractions": "6.35.0"
+ }
+ },
+ "Microsoft.Identity.Client.Extensions.Msal": {
+ "type": "Transitive",
+ "resolved": "4.61.3",
+ "contentHash": "PWnJcznrSGr25MN8ajlc2XIDW4zCFu0U6FkpaNLEWLgd1NgFCp5uDY3mqLDgM8zCN8hqj8yo5wHYfLB2HjcdGw==",
+ "dependencies": {
+ "Microsoft.Identity.Client": "4.61.3",
+ "System.Security.Cryptography.ProtectedData": "4.5.0"
+ }
+ },
+ "Microsoft.Identity.Web.Certificateless": {
+ "type": "Transitive",
+ "resolved": "3.3.0",
+ "contentHash": "ybEVPCLeJFuTCDVTtt3OlD5n+CYQgUAzmn0YZw+Z4NR5XwB4iGQ/zMqQ+ruJfgoKGWe6BTl0vCfsv1O4XPqCvg==",
+ "dependencies": {
+ "Microsoft.Identity.Client": "4.66.1",
+ "Microsoft.IdentityModel.JsonWebTokens": "8.1.2"
+ }
+ },
+ "Microsoft.IdentityModel.Abstractions": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "gSxKLWRZzBpIsEoeUPkxfywNCCvRvl7hkq146XHPk5vOQc9izSf1I+uL1vh4y2U19QPxd9Z8K/8AdWyxYz2lSg=="
+ },
+ "Microsoft.IdentityModel.JsonWebTokens": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "prBU72cIP4V8E9fhN+o/YdskTsLeIcnKPbhZf0X6mD7fdxoZqnS/NdEkSr+9Zp+2q7OZBOMfNBKGbTbhXODO4w==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Tokens": "8.16.0"
+ }
+ },
+ "Microsoft.IdentityModel.Logging": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "MTzXmETkNQPACR7/XCXM1OGM6oU9RkyibqeJRtO9Ndew2LnGjMf9Atqj2VSf4XC27X0FQycUAlzxxEgQMWn2xQ==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Abstractions": "8.16.0"
+ }
+ },
+ "Microsoft.IdentityModel.Protocols": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "UFrU7d46UTsPQTa2HIEIpB9H1uJe1BW9FLw5uhEJ2ZuKdur8bcUA/bO5caq5dlBt5gNJeRIB3QQXYNs5fCQCZA==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Tokens": "8.16.0"
+ }
+ },
+ "Microsoft.IdentityModel.Protocols.OpenIdConnect": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "h4yVXyJsEBBX5lg2G5ftMsi5JzcNEGAzrNphA6DQ6eOd8P0s+cDCOyPwVTYLePZvJL5unbPvYIvzrbTXzFjXnQ==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Protocols": "8.16.0",
+ "System.IdentityModel.Tokens.Jwt": "8.16.0"
+ }
+ },
+ "Microsoft.IdentityModel.Tokens": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "rtViGJcGsN7WcfUNErwNeQgjuU5cJNl6FDQsfi9TncwO+Epzn0FTfBsg3YuFW1Q0Ch/KPxaVdjLw3/+5Z5ceFQ==",
+ "dependencies": {
+ "Microsoft.IdentityModel.Logging": "8.16.0"
+ }
+ },
+ "Microsoft.NETCore.Platforms": {
+ "type": "Transitive",
+ "resolved": "1.1.0",
+ "contentHash": "kz0PEW2lhqygehI/d6XsPCQzD7ff7gUJaVGPVETX611eadGsA3A877GdSlU0LRVMCTH/+P3o2iDTak+S08V2+A=="
+ },
+ "Microsoft.OpenApi": {
+ "type": "Transitive",
+ "resolved": "2.4.1",
+ "contentHash": "u7QhXCISMQuab3flasb1hoaiERmUqyWsW7tmQODyILoQ7mJV5IRGM+2KKZYo0QUfC13evEOcHAb6TPWgqEQtrw=="
+ },
+ "Microsoft.Rest.ClientRuntime": {
+ "type": "Transitive",
+ "resolved": "2.3.24",
+ "contentHash": "hZH7XgM3eV2jFrnq7Yf0nBD4WVXQzDrer2gEY7HMNiwio2hwDsTHO6LWuueNQAfRpNp4W7mKxcXpwXUiuVIlYw==",
+ "dependencies": {
+ "Newtonsoft.Json": "10.0.3"
+ }
+ },
+ "Microsoft.SqlServer.Server": {
+ "type": "Transitive",
+ "resolved": "1.0.0",
+ "contentHash": "N4KeF3cpcm1PUHym1RmakkzfkEv3GRMyofVv40uXsQhCQeglr2OHNcUk2WOG51AKpGO8ynGpo9M/kFXSzghwug=="
+ },
+ "MimeKit": {
+ "type": "Transitive",
+ "resolved": "4.16.0",
+ "contentHash": "X0LFxeM4gPRIhODyY/HYS9b+zRZ7y//v59rFzgS6wLxcPuZThnMtNZHtrr0fjLyRRkg3gqJBtvW36XfUzZ7Djw==",
+ "dependencies": {
+ "BouncyCastle.Cryptography": "2.6.2",
+ "System.Security.Cryptography.Pkcs": "10.0.0"
+ }
+ },
+ "MySqlConnector": {
+ "type": "Transitive",
+ "resolved": "2.3.5",
+ "contentHash": "AmEfUPkFl+Ev6jJ8Dhns3CYHBfD12RHzGYWuLt6DfG6/af6YvOMyPz74ZPPjBYQGRJkumD2Z48Kqm8s5DJuhLA=="
+ },
+ "NETStandard.Library": {
+ "type": "Transitive",
+ "resolved": "1.6.1",
+ "contentHash": "WcSp3+vP+yHNgS8EV5J7pZ9IRpeDuARBPN28by8zqff1wJQXm26PVU8L3/fYLBJVU7BtDyqNVWq2KlCVvSSR4A==",
+ "dependencies": {
+ "Microsoft.NETCore.Platforms": "1.1.0"
+ }
+ },
+ "Newtonsoft.Json": {
+ "type": "Transitive",
+ "resolved": "13.0.3",
+ "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ=="
+ },
+ "Npgsql": {
+ "type": "Transitive",
+ "resolved": "8.0.3",
+ "contentHash": "6WEmzsQJCZAlUG1pThKg/RmeF6V+I0DmBBBE/8YzpRtEzhyZzKcK7ulMANDm5CkxrALBEC8H+5plxHWtIL7xnA=="
+ },
+ "Npgsql.EntityFrameworkCore.PostgreSQL": {
+ "type": "Transitive",
+ "resolved": "8.0.4",
+ "contentHash": "/hHd9MqTRVDgIpsToCcxMDxZqla0HAQACiITkq1+L9J2hmHKV6lBAPlauF+dlNSfHpus7rrljWx4nAanKD6qAw==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore": "8.0.4",
+ "Microsoft.EntityFrameworkCore.Abstractions": "8.0.4",
+ "Microsoft.EntityFrameworkCore.Relational": "8.0.4",
+ "Npgsql": "8.0.3"
+ }
+ },
+ "NSec.Cryptography": {
+ "type": "Transitive",
+ "resolved": "22.4.0",
+ "contentHash": "lEntcPYd7h3aZ8xxi/y/4TML7o8w0GEGqd+w4L1omqFLbdCBmhxJAeO2YBmv/fXbJKgKCQLm7+TD4bR605PEUQ==",
+ "dependencies": {
+ "libsodium": "[1.0.18.2, 1.0.19)"
+ }
+ },
+ "OneOf": {
+ "type": "Transitive",
+ "resolved": "3.0.271",
+ "contentHash": "pqpqeK8xQGggExhr4tesVgJkjdn+9HQAO0QgrYV2hFjE3y90okzk1kQMntMiUOGfV7FrCUfKPaVvPBD4IANqKg=="
+ },
+ "Otp.NET": {
+ "type": "Transitive",
+ "resolved": "1.4.0",
+ "contentHash": "Fk1NKc0lWmlo6LAFYpFJInRgFKt72knRNEvxndDYoQHFwYOPXav+WEUBvQA0k4lxq5xt0SymrZ+oi0F/G40bPQ=="
+ },
+ "Pipelines.Sockets.Unofficial": {
+ "type": "Transitive",
+ "resolved": "2.2.8",
+ "contentHash": "zG2FApP5zxSx6OcdJQLbZDk2AVlN2BNQD6MorwIfV6gVj0RRxWPEp2LXAxqDGZqeNV1Zp0BNPcNaey/GXmTdvQ=="
+ },
+ "Pomelo.EntityFrameworkCore.MySql": {
+ "type": "Transitive",
+ "resolved": "8.0.2",
+ "contentHash": "XjnlcxVBLnEMbyEc5cZzgZeDyLvAniACZQ04W1slWN0f4rmfNzl98gEMvHnFH0fMDF06z9MmgGi/Sr7hJ+BVnw==",
+ "dependencies": {
+ "Microsoft.EntityFrameworkCore.Relational": "[8.0.2, 8.0.999]",
+ "MySqlConnector": "2.3.5"
+ }
+ },
+ "Quartz": {
+ "type": "Transitive",
+ "resolved": "3.15.1",
+ "contentHash": "XIbhzUAKSm3xdl1ORLPnK7mc5XANP3cuvYQhCtuX/8888IN41e9OXJak4R9OlmAGRnyAMqHE40yojVa89NS1wg=="
+ },
+ "Quartz.Extensions.DependencyInjection": {
+ "type": "Transitive",
+ "resolved": "3.15.1",
+ "contentHash": "LinB9z54aPn49C/DGM1v3OflX2nosrEo4zNz10vfYqcCndFJ8MNU9k++Ap9T7vxeZc355WStPDggpX60TYj1Lg==",
+ "dependencies": {
+ "Quartz": "3.15.1"
+ }
+ },
+ "Quartz.Extensions.Hosting": {
+ "type": "Transitive",
+ "resolved": "3.15.1",
+ "contentHash": "svqLTEnVLb0VPUcNCd/khRqagwxM/yybUZ2sEOd7HFdPO+5dAOttL+ARtXSyBeaGWPWAaxY4VvU7pJTZzYhORw==",
+ "dependencies": {
+ "Quartz.Extensions.DependencyInjection": "3.15.1"
+ }
+ },
+ "RabbitMQ.Client": {
+ "type": "Transitive",
+ "resolved": "7.1.2",
+ "contentHash": "y3c6ulgULScWthHw5PLM1ShHRLhxg0vCtzX/hh61gRgNecL3ZC3WoBW2HYHoXOVRqTl99Br9E7CZEytGZEsCyQ=="
+ },
+ "SendGrid": {
+ "type": "Transitive",
+ "resolved": "9.29.3",
+ "contentHash": "nb/zHePecN9U4/Bmct+O+lpgK994JklbCCNMIgGPOone/DngjQoMCHeTvkl+m0Nglvm0dqMEshmvB4fO8eF3dA==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.1",
+ "starkbank-ecdsa": "[1.3.3, 2.0.0)"
+ }
+ },
+ "Serilog": {
+ "type": "Transitive",
+ "resolved": "2.10.0",
+ "contentHash": "+QX0hmf37a0/OZLxM3wL7V6/ADvC1XihXN4Kq/p6d8lCPfgkRdiuhbWlMaFjR9Av0dy5F0+MBeDmDdRZN/YwQA=="
+ },
+ "Serilog.Extensions.Logging": {
+ "type": "Transitive",
+ "resolved": "3.1.0",
+ "contentHash": "IWfem7wfrFbB3iw1OikqPFNPEzfayvDuN4WP7Ue1AVFskalMByeWk3QbtUXQR34SBkv1EbZ3AySHda/ErDgpcg==",
+ "dependencies": {
+ "Serilog": "2.9.0"
+ }
+ },
+ "Serilog.Extensions.Logging.File": {
+ "type": "Transitive",
+ "resolved": "3.0.0",
+ "contentHash": "bUYjMHn7NhpK+/8HDftG7+G5hpWzD49XTSvLoUFZGgappDa6FoseqFOsLrjLRjwe1zM+igH5mySFJv3ntb+qcg==",
+ "dependencies": {
+ "Serilog": "2.10.0",
+ "Serilog.Extensions.Logging": "3.1.0",
+ "Serilog.Formatting.Compact": "1.1.0",
+ "Serilog.Sinks.Async": "1.5.0",
+ "Serilog.Sinks.RollingFile": "3.3.0"
+ }
+ },
+ "Serilog.Formatting.Compact": {
+ "type": "Transitive",
+ "resolved": "1.1.0",
+ "contentHash": "pNroKVjo+rDqlxNG5PXkRLpfSCuDOBY0ri6jp9PLe505ljqwhwZz8ospy2vWhQlFu5GkIesh3FcDs4n7sWZODA==",
+ "dependencies": {
+ "Serilog": "2.8.0"
+ }
+ },
+ "Serilog.Sinks.Async": {
+ "type": "Transitive",
+ "resolved": "1.5.0",
+ "contentHash": "csHYIqAwI4Gy9oAhXYRwxGrQEAtBg3Ep7WaCzsnA1cZuBZjVAU0n7hWaJhItjO7hbLHh/9gRVxALCUB4Dv+gZw==",
+ "dependencies": {
+ "Serilog": "2.9.0"
+ }
+ },
+ "Serilog.Sinks.File": {
+ "type": "Transitive",
+ "resolved": "3.2.0",
+ "contentHash": "VHbo68pMg5hwSWrzLEdZv5b/rYmIgHIRhd4d5rl8GnC5/a8Fr+RShT5kWyeJOXax1el6mNJ+dmHDOVgnNUQxaw==",
+ "dependencies": {
+ "Serilog": "2.3.0"
+ }
+ },
+ "Serilog.Sinks.RollingFile": {
+ "type": "Transitive",
+ "resolved": "3.3.0",
+ "contentHash": "2lT5X1r3GH4P0bRWJfhA7etGl8Q2Ipw9AACvtAHWRUSpYZ42NGVyHoVs2ALBZ/cAkkS+tA4jl80Zie144eLQPg==",
+ "dependencies": {
+ "Serilog.Sinks.File": "3.2.0"
+ }
+ },
+ "SQLitePCLRaw.bundle_e_sqlite3": {
+ "type": "Transitive",
+ "resolved": "2.1.6",
+ "contentHash": "BmAf6XWt4TqtowmiWe4/5rRot6GerAeklmOPfviOvwLoF5WwgxcJHAxZtySuyW9r9w+HLILnm8VfJFLCUJYW8A==",
+ "dependencies": {
+ "SQLitePCLRaw.lib.e_sqlite3": "2.1.6",
+ "SQLitePCLRaw.provider.e_sqlite3": "2.1.6"
+ }
+ },
+ "SQLitePCLRaw.core": {
+ "type": "Transitive",
+ "resolved": "2.1.6",
+ "contentHash": "wO6v9GeMx9CUngAet8hbO7xdm+M42p1XeJq47ogyRoYSvNSp0NGLI+MgC0bhrMk9C17MTVFlLiN6ylyExLCc5w=="
+ },
+ "SQLitePCLRaw.lib.e_sqlite3": {
+ "type": "Transitive",
+ "resolved": "2.1.6",
+ "contentHash": "2ObJJLkIUIxRpOUlZNGuD4rICpBnrBR5anjyfUFQep4hMOIeqW+XGQYzrNmHSVz5xSWZ3klSbh7sFR6UyDj68Q=="
+ },
+ "SQLitePCLRaw.provider.e_sqlite3": {
+ "type": "Transitive",
+ "resolved": "2.1.6",
+ "contentHash": "PQ2Oq3yepLY4P7ll145P3xtx2bX8xF4PzaKPRpw9jZlKvfe4LE/saAV82inND9usn1XRpmxXk7Lal3MTI+6CNg==",
+ "dependencies": {
+ "SQLitePCLRaw.core": "2.1.6"
+ }
+ },
+ "StackExchange.Redis": {
+ "type": "Transitive",
+ "resolved": "2.8.31",
+ "contentHash": "RCHVQa9Zke8k0oBgJn1Yl6BuYy8i6kv+sdMObiH60nOwD6QvWAjxdDwOm+LO78E8WsGiPqgOuItkz98fPS6haQ==",
+ "dependencies": {
+ "Pipelines.Sockets.Unofficial": "2.2.8"
+ }
+ },
+ "starkbank-ecdsa": {
+ "type": "Transitive",
+ "resolved": "1.3.3",
+ "contentHash": "OblOaKb1enXn+dSp7tsx9yjwV+/BEKM9jFhshIkZTwCk7LuTFTp+wSon6rFzuPiIiTGtvVWQNUw2slHjGktJog=="
+ },
+ "Stripe.net": {
+ "type": "Transitive",
+ "resolved": "48.5.0",
+ "contentHash": "wOAZYR0EnrLMok/ScfVOpTxjci+n3vFP0A7w/BE63yJdkRSDwZVCJIhlOjeJvgyQnMX8ZbwDAHMaxaiDa0Z5TA==",
+ "dependencies": {
+ "Newtonsoft.Json": "13.0.3",
+ "System.Configuration.ConfigurationManager": "8.0.0"
+ }
+ },
+ "Swashbuckle.AspNetCore.Swagger": {
+ "type": "Transitive",
+ "resolved": "10.1.7",
+ "contentHash": "EjLibt/d/QuRv170GoihTbcPUpgzSFm2WKHhnGJFZQ03JYzfuitsM79azaAR8NBwRunU7yScSX6HRE5JUlrEMQ==",
+ "dependencies": {
+ "Microsoft.OpenApi": "2.4.1"
+ }
+ },
+ "Swashbuckle.AspNetCore.SwaggerGen": {
+ "type": "Transitive",
+ "resolved": "10.1.7",
+ "contentHash": "PuubO9BjvNn6U3D9kLpuWKY1JtziWw7SsGBq0age1E50uQjQ8Fzl8s0EwzrLfANqYJNgDnJi9l7N1QxcGVB2Zw==",
+ "dependencies": {
+ "Swashbuckle.AspNetCore.Swagger": "10.1.7"
+ }
+ },
+ "System.ClientModel": {
+ "type": "Transitive",
+ "resolved": "1.6.1",
+ "contentHash": "xcHHhDqB5MnOOY8yIn64Vzp6gtBEs6k5J1hluG04CrShSvQNXOx4PSDs7wJiXLDidlY/FZJmxJdKTKskyJwjvw==",
+ "dependencies": {
+ "System.Memory.Data": "8.0.1"
+ }
+ },
+ "System.Configuration.ConfigurationManager": {
+ "type": "Transitive",
+ "resolved": "9.0.13",
+ "contentHash": "GbBrJq9S/gYpHzm7Pxx6Y5tDyfSfyxW6tlP5oiKJV38uf19Wp+GIIAnWfyL1zmNiz1+EjwVapw2WkBFvvqKQzg==",
+ "dependencies": {
+ "System.Security.Cryptography.ProtectedData": "9.0.13"
+ }
+ },
+ "System.IdentityModel.Tokens.Jwt": {
+ "type": "Transitive",
+ "resolved": "8.16.0",
+ "contentHash": "rrs2u7DRMXQG2yh0oVyF/vLwosfRv20Ld2iEpYcKwQWXHjfV+gFXNQsQ9p008kR9Ou4pxBs68Q6/9zC8Gi1wjg==",
+ "dependencies": {
+ "Microsoft.IdentityModel.JsonWebTokens": "8.16.0",
+ "Microsoft.IdentityModel.Tokens": "8.16.0"
+ }
+ },
+ "System.IO.Hashing": {
+ "type": "Transitive",
+ "resolved": "8.0.0",
+ "contentHash": "ne1843evDugl0md7Fjzy6QjJrzsjh46ZKbhf8GwBXb5f/gw97J4bxMs0NQKifDuThh/f0bZ0e62NPl1jzTuRqA=="
+ },
+ "System.Memory.Data": {
+ "type": "Transitive",
+ "resolved": "8.0.1",
+ "contentHash": "BVYuec3jV23EMRDeR7Dr1/qhx7369dZzJ9IWy2xylvb4YfXsrUxspWc4UWYid/tj4zZK58uGZqn2WQiaDMhmAg=="
+ },
+ "System.Security.Cryptography.Pkcs": {
+ "type": "Transitive",
+ "resolved": "10.0.0",
+ "contentHash": "UPWqLSygJlFerRi9XNIuM0a1VC8gHUIufyP24xQ0sc+XimqUAEcjpOz9DhKpyDjH+5B/wO3RpC0KpkEeDj/ddg=="
+ },
+ "System.Security.Cryptography.ProtectedData": {
+ "type": "Transitive",
+ "resolved": "9.0.13",
+ "contentHash": "t8S9IDpjJKsLpLkeBdW8cWtcPyYqrGu93Dej1RO6WwuL/lkFSqWlan3rMJfortqz1mRIh+sys2AFsSA6jWJ3Jg=="
+ },
+ "System.Xml.XPath.XmlDocument": {
+ "type": "Transitive",
+ "resolved": "4.3.0",
+ "contentHash": "A/uxsWi/Ifzkmd4ArTLISMbfFs6XpRPsXZonrIqyTY70xi8t+mDtvSM5Os0RqyRDobjMBwIDHDL4NOIbkDwf7A=="
+ },
+ "YubicoDotNetClient": {
+ "type": "Transitive",
+ "resolved": "1.2.0",
+ "contentHash": "uP5F3Ko1gqZi3lwS2R/jAAwhBxXs/6PKDpS6FdQjsBA5qmF0hQmbtfxM6QHTXOMoWbUtfetG7+LtgmG8T5zDIg==",
+ "dependencies": {
+ "NETStandard.Library": "1.6.1"
+ }
+ },
+ "ZiggyCreatures.FusionCache": {
+ "type": "Transitive",
+ "resolved": "2.0.2",
+ "contentHash": "nO6ysiVP/1S1zVZMzsK0xASeSUay27iIlK8GjeyTpIAmq5P4/0KOzV9AqlabZYFgzeQDAu5IcB39ela2w/HCwQ=="
+ },
+ "ZiggyCreatures.FusionCache.Backplane.StackExchangeRedis": {
+ "type": "Transitive",
+ "resolved": "2.0.2",
+ "contentHash": "E9KfGnhY+xcy8bmxoB/jJbfYwBlQwDD6c0v0P/Qr3IxGyJXyncza/45vFo5nI+5CggqczQ1GwQeEJqk0Lg8Q5g==",
+ "dependencies": {
+ "StackExchange.Redis": "2.8.31",
+ "ZiggyCreatures.FusionCache": "2.0.2"
+ }
+ },
+ "ZiggyCreatures.FusionCache.Serialization.SystemTextJson": {
+ "type": "Transitive",
+ "resolved": "2.0.2",
+ "contentHash": "gt5ia5PHpCxhnI0hr51Y6L/acrrU17OuBqiU3vJPFXZxS3R1pIj2hr6WGB5fzW64VZDVdHTYsD5gTr2Pu8I+QQ==",
+ "dependencies": {
+ "ZiggyCreatures.FusionCache": "2.0.2"
+ }
+ },
+ "core": {
+ "type": "Project",
+ "dependencies": {
+ "AWSSDK.SQS": "[4.0.2.5, 4.0.2.5]",
+ "AWSSDK.SimpleEmail": "[4.0.2.5, 4.0.2.5]",
+ "AspNetCoreRateLimit": "[5.0.0, 5.0.0]",
+ "AspNetCoreRateLimit.Redis": "[2.0.0, 2.0.0]",
+ "Azure.Data.Tables": "[12.11.0, 12.11.0]",
+ "Azure.Extensions.AspNetCore.DataProtection.Blobs": "[1.3.4, 1.3.4]",
+ "Azure.Messaging.ServiceBus": "[7.20.1, 7.20.1]",
+ "Azure.Storage.Blobs": "[12.26.0, 12.26.0]",
+ "Azure.Storage.Blobs.Batch": "[12.23.0, 12.23.0]",
+ "Azure.Storage.Queues": "[12.24.0, 12.24.0]",
+ "BitPay.Light": "[1.0.1907, 1.0.1907]",
+ "Braintree": "[5.36.0, 5.36.0]",
+ "CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
+ "DnsClient": "[1.8.0, 1.8.0]",
+ "Duende.IdentityServer": "[7.4.6, 7.4.6]",
+ "DuoUniversal": "[1.3.1, 1.3.1]",
+ "Fido2.AspNet": "[3.0.1, 3.0.1]",
+ "Handlebars.Net": "[2.1.6, 2.1.6]",
+ "LaunchDarkly.ServerSdk": "[8.11.0, 8.11.0]",
+ "MailKit": "[4.16.0, 4.16.0]",
+ "Microsoft.AspNetCore.Authentication.JwtBearer": "[10.0.8, 10.0.8]",
+ "Microsoft.AspNetCore.DataProtection": "[10.0.8, 10.0.8]",
+ "Microsoft.Azure.Cosmos": "[3.52.0, 3.52.0]",
+ "Microsoft.Azure.NotificationHubs": "[4.2.0, 4.2.0]",
+ "Microsoft.Bot.Builder": "[4.23.0, 4.23.0]",
+ "Microsoft.Bot.Builder.Integration.AspNet.Core": "[4.23.0, 4.23.0]",
+ "Microsoft.Bot.Connector": "[4.23.0, 4.23.0]",
+ "Microsoft.Data.SqlClient": "[7.0.0, 7.0.0]",
+ "Microsoft.Extensions.Caching.Cosmos": "[1.8.0, 1.8.0]",
+ "Microsoft.Extensions.Caching.SqlServer": "[10.0.8, 10.0.8]",
+ "Microsoft.Extensions.Caching.StackExchangeRedis": "[10.0.8, 10.0.8]",
+ "Microsoft.Extensions.Configuration.EnvironmentVariables": "[10.0.8, 10.0.8]",
+ "Microsoft.Extensions.Configuration.UserSecrets": "[10.0.8, 10.0.8]",
+ "Microsoft.Extensions.Identity.Stores": "[10.0.8, 10.0.8]",
+ "Newtonsoft.Json": "[13.0.3, 13.0.3]",
+ "OneOf": "[3.0.271, 3.0.271]",
+ "Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
+ "Quartz": "[3.15.1, 3.15.1]",
+ "Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
+ "Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
+ "RabbitMQ.Client": "[7.1.2, 7.1.2]",
+ "SendGrid": "[9.29.3, 9.29.3]",
+ "Serilog.Extensions.Logging.File": "[3.0.0, 3.0.0]",
+ "Stripe.net": "[48.5.0, 48.5.0]",
+ "YubicoDotNetClient": "[1.2.0, 1.2.0]",
+ "ZiggyCreatures.FusionCache": "[2.0.2, 2.0.2]",
+ "ZiggyCreatures.FusionCache.Backplane.StackExchangeRedis": "[2.0.2, 2.0.2]",
+ "ZiggyCreatures.FusionCache.Serialization.SystemTextJson": "[2.0.2, 2.0.2]"
+ }
+ },
+ "data": {
+ "type": "Project"
+ },
+ "infrastructure.dapper": {
+ "type": "Project",
+ "dependencies": {
+ "Core": "[2026.6.1, )",
+ "Dapper": "[2.1.66, 2.1.66]",
+ "Pam.Domain": "[2026.6.1, )"
+ }
+ },
+ "infrastructure.entityframework": {
+ "type": "Project",
+ "dependencies": {
+ "AutoMapper": "[14.0.0, 14.0.0]",
+ "Core": "[2026.6.1, )",
+ "Microsoft.EntityFrameworkCore.Relational": "[8.0.8, 8.0.8]",
+ "Microsoft.EntityFrameworkCore.SqlServer": "[8.0.8, 8.0.8]",
+ "Microsoft.EntityFrameworkCore.Sqlite": "[8.0.8, 8.0.8]",
+ "Npgsql.EntityFrameworkCore.PostgreSQL": "[8.0.4, 8.0.4]",
+ "Pam.Domain": "[2026.6.1, )",
+ "Pomelo.EntityFrameworkCore.MySql": "[8.0.2, 8.0.2]",
+ "linq2db": "[5.4.1, 5.4.1]",
+ "linq2db.EntityFrameworkCore": "[8.1.0, 8.1.0]"
+ }
+ },
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
+ },
+ "sharedweb": {
+ "type": "Project",
+ "dependencies": {
+ "Core": "[2026.6.1, )",
+ "Infrastructure.Dapper": "[2026.6.1, )",
+ "Infrastructure.EntityFramework": "[2026.6.1, )",
+ "Microsoft.Bot.Builder.Integration.AspNet.Core": "[4.23.0, 4.23.0]",
+ "Swashbuckle.AspNetCore.SwaggerGen": "[10.1.7, 10.1.7]"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/bitwarden_license/src/Scim/packages.lock.json b/bitwarden_license/src/Scim/packages.lock.json
index 4337d161981f..903bc87d916f 100644
--- a/bitwarden_license/src/Scim/packages.lock.json
+++ b/bitwarden_license/src/Scim/packages.lock.json
@@ -1097,6 +1097,7 @@
"BitPay.Light": "[1.0.1907, 1.0.1907]",
"Braintree": "[5.36.0, 5.36.0]",
"CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
"DnsClient": "[1.8.0, 1.8.0]",
"Duende.IdentityServer": "[7.4.6, 7.4.6]",
"DuoUniversal": "[1.3.1, 1.3.1]",
@@ -1121,6 +1122,7 @@
"Newtonsoft.Json": "[13.0.3, 13.0.3]",
"OneOf": "[3.0.271, 3.0.271]",
"Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
"Quartz": "[3.15.1, 3.15.1]",
"Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
"Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
@@ -1134,33 +1136,44 @@
"ZiggyCreatures.FusionCache.Serialization.SystemTextJson": "[2.0.2, 2.0.2]"
}
},
+ "data": {
+ "type": "Project"
+ },
"infrastructure.dapper": {
"type": "Project",
"dependencies": {
- "Core": "[2026.6.0, )",
- "Dapper": "[2.1.66, 2.1.66]"
+ "Core": "[2026.6.1, )",
+ "Dapper": "[2.1.66, 2.1.66]",
+ "Pam.Domain": "[2026.6.1, )"
}
},
"infrastructure.entityframework": {
"type": "Project",
"dependencies": {
"AutoMapper": "[14.0.0, 14.0.0]",
- "Core": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
"Microsoft.EntityFrameworkCore.Relational": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.SqlServer": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.Sqlite": "[8.0.8, 8.0.8]",
"Npgsql.EntityFrameworkCore.PostgreSQL": "[8.0.4, 8.0.4]",
+ "Pam.Domain": "[2026.6.1, )",
"Pomelo.EntityFrameworkCore.MySql": "[8.0.2, 8.0.2]",
"linq2db": "[5.4.1, 5.4.1]",
"linq2db.EntityFrameworkCore": "[8.1.0, 8.1.0]"
}
},
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
+ },
"sharedweb": {
"type": "Project",
"dependencies": {
- "Core": "[2026.6.0, )",
- "Infrastructure.Dapper": "[2026.6.0, )",
- "Infrastructure.EntityFramework": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
+ "Infrastructure.Dapper": "[2026.6.1, )",
+ "Infrastructure.EntityFramework": "[2026.6.1, )",
"Microsoft.Bot.Builder.Integration.AspNet.Core": "[4.23.0, 4.23.0]",
"Swashbuckle.AspNetCore.SwaggerGen": "[10.1.7, 10.1.7]"
}
diff --git a/bitwarden_license/src/Sso/packages.lock.json b/bitwarden_license/src/Sso/packages.lock.json
index 29906d5f12f2..31acb935fb48 100644
--- a/bitwarden_license/src/Sso/packages.lock.json
+++ b/bitwarden_license/src/Sso/packages.lock.json
@@ -1136,6 +1136,7 @@
"BitPay.Light": "[1.0.1907, 1.0.1907]",
"Braintree": "[5.36.0, 5.36.0]",
"CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
"DnsClient": "[1.8.0, 1.8.0]",
"Duende.IdentityServer": "[7.4.6, 7.4.6]",
"DuoUniversal": "[1.3.1, 1.3.1]",
@@ -1160,6 +1161,7 @@
"Newtonsoft.Json": "[13.0.3, 13.0.3]",
"OneOf": "[3.0.271, 3.0.271]",
"Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
"Quartz": "[3.15.1, 3.15.1]",
"Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
"Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
@@ -1173,33 +1175,44 @@
"ZiggyCreatures.FusionCache.Serialization.SystemTextJson": "[2.0.2, 2.0.2]"
}
},
+ "data": {
+ "type": "Project"
+ },
"infrastructure.dapper": {
"type": "Project",
"dependencies": {
- "Core": "[2026.6.0, )",
- "Dapper": "[2.1.66, 2.1.66]"
+ "Core": "[2026.6.1, )",
+ "Dapper": "[2.1.66, 2.1.66]",
+ "Pam.Domain": "[2026.6.1, )"
}
},
"infrastructure.entityframework": {
"type": "Project",
"dependencies": {
"AutoMapper": "[14.0.0, 14.0.0]",
- "Core": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
"Microsoft.EntityFrameworkCore.Relational": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.SqlServer": "[8.0.8, 8.0.8]",
"Microsoft.EntityFrameworkCore.Sqlite": "[8.0.8, 8.0.8]",
"Npgsql.EntityFrameworkCore.PostgreSQL": "[8.0.4, 8.0.4]",
+ "Pam.Domain": "[2026.6.1, )",
"Pomelo.EntityFrameworkCore.MySql": "[8.0.2, 8.0.2]",
"linq2db": "[5.4.1, 5.4.1]",
"linq2db.EntityFrameworkCore": "[8.1.0, 8.1.0]"
}
},
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
+ },
"sharedweb": {
"type": "Project",
"dependencies": {
- "Core": "[2026.6.0, )",
- "Infrastructure.Dapper": "[2026.6.0, )",
- "Infrastructure.EntityFramework": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
+ "Infrastructure.Dapper": "[2026.6.1, )",
+ "Infrastructure.EntityFramework": "[2026.6.1, )",
"Microsoft.Bot.Builder.Integration.AspNet.Core": "[4.23.0, 4.23.0]",
"Swashbuckle.AspNetCore.SwaggerGen": "[10.1.7, 10.1.7]"
}
diff --git a/bitwarden_license/test/Commercial.Core.Test/packages.lock.json b/bitwarden_license/test/Commercial.Core.Test/packages.lock.json
index bb35f0deb41b..2011a1ab1bc7 100644
--- a/bitwarden_license/test/Commercial.Core.Test/packages.lock.json
+++ b/bitwarden_license/test/Commercial.Core.Test/packages.lock.json
@@ -1341,7 +1341,7 @@
"commercial.core": {
"type": "Project",
"dependencies": {
- "Core": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
"CsvHelper": "[33.1.0, 33.1.0]"
}
},
@@ -1350,7 +1350,7 @@
"dependencies": {
"AutoFixture.AutoNSubstitute": "[4.18.1, )",
"AutoFixture.Xunit2": "[4.18.1, )",
- "Core": "[2026.6.0, )",
+ "Core": "[2026.6.1, )",
"Kralizek.AutoFixture.Extensions.MockHttp": "[2.2.1, 2.2.1]",
"Microsoft.Extensions.TimeProvider.Testing": "[10.6.0, 10.6.0]",
"Microsoft.NET.Test.Sdk": "[18.0.1, )",
@@ -1374,6 +1374,7 @@
"BitPay.Light": "[1.0.1907, 1.0.1907]",
"Braintree": "[5.36.0, 5.36.0]",
"CsvHelper": "[33.1.0, 33.1.0]",
+ "Data": "[2026.6.1, )",
"DnsClient": "[1.8.0, 1.8.0]",
"Duende.IdentityServer": "[7.4.6, 7.4.6]",
"DuoUniversal": "[1.3.1, 1.3.1]",
@@ -1398,6 +1399,7 @@
"Newtonsoft.Json": "[13.0.3, 13.0.3]",
"OneOf": "[3.0.271, 3.0.271]",
"Otp.NET": "[1.4.0, 1.4.0]",
+ "Pam.Domain": "[2026.6.1, )",
"Quartz": "[3.15.1, 3.15.1]",
"Quartz.Extensions.DependencyInjection": "[3.15.1, 3.15.1]",
"Quartz.Extensions.Hosting": "[3.15.1, 3.15.1]",
@@ -1416,14 +1418,24 @@
"dependencies": {
"AutoFixture.AutoNSubstitute": "[4.18.1, )",
"AutoFixture.Xunit2": "[4.18.1, )",
- "Common": "[2026.6.0, )",
- "Core": "[2026.6.0, )",
+ "Common": "[2026.6.1, )",
+ "Core": "[2026.6.1, )",
"Kralizek.AutoFixture.Extensions.MockHttp": "[2.2.1, 2.2.1]",
"Microsoft.Extensions.Diagnostics.Testing": "[10.6.0, 10.6.0]",
"Microsoft.NET.Test.Sdk": "[18.0.1, )",
"NSubstitute": "[5.1.0, )",
+ "Pam.Domain": "[2026.6.1, )",
"xunit": "[2.6.6, )"
}
+ },
+ "data": {
+ "type": "Project"
+ },
+ "pam.domain": {
+ "type": "Project",
+ "dependencies": {
+ "Data": "[2026.6.1, )"
+ }
}
}
}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Controllers/CipherLeaseControllerTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Controllers/CipherLeaseControllerTests.cs
new file mode 100644
index 000000000000..d8f6de5dffb8
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Controllers/CipherLeaseControllerTests.cs
@@ -0,0 +1,77 @@
+using System.Security.Claims;
+using Bit.Api.Pam.Controllers;
+using Bit.Api.Vault.Models.Response;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using NSubstitute.ReturnsExtensions;
+using Xunit;
+using CipherType = Bit.Core.Vault.Enums.CipherType;
+
+namespace Bit.Commercial.Pam.Test.Api.Controllers;
+
+// The deprecated GET /ciphers/{id}/lease/cipher endpoint stays in the Api project (it depends on the Vault
+// response models), so it is tested here as an MVC controller. The rest of the cipher-lease resource lives in
+// the Commercial.Pam Minimal API handler (see CipherLeaseEndpointsHandlerTests).
+[ControllerCustomize(typeof(CipherLeaseController))]
+[SutProviderCustomize]
+[Bit.Api.Test.Vault.AutoFixture.CipherLeaseGateBypassCustomize]
+public class CipherLeaseControllerTests
+{
+ // GET /ciphers/{id}/lease/cipher is [Obsolete] (deprecated, scheduled for removal) but still fully functional, so
+ // its behaviour stays under test; suppress the obsolete-usage warning for these deliberate calls.
+#pragma warning disable CS0618
+ [Theory, BitAutoData]
+ public async Task GetCipher_NoLeasedCipher_ThrowsNotFound(
+ Guid id, User user, SutProvider sutProvider)
+ {
+ sutProvider.GetDependency()
+ .GetUserByPrincipalAsync(Arg.Any())
+ .Returns(user);
+ sutProvider.GetDependency()
+ .GetLeasedCipherAsync(user.Id, id)
+ .ReturnsNull();
+
+ await Assert.ThrowsAsync(() => sutProvider.Sut.GetCipher(id));
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetCipher_LeasedCipher_ReturnsFullData(
+ Guid id, Guid organizationId, User user, SutProvider sutProvider)
+ {
+ var cipher = new CipherDetails
+ {
+ Id = id,
+ OrganizationId = organizationId,
+ Type = CipherType.Login,
+ Data = "2.iv|ct|mac",
+ };
+ sutProvider.GetDependency()
+ .GetUserByPrincipalAsync(Arg.Any())
+ .Returns(user);
+ sutProvider.GetDependency()
+ .GetLeasedCipherAsync(user.Id, id)
+ .Returns(cipher);
+ sutProvider.GetDependency()
+ .GetManyByUserIdCipherIdAsync(user.Id, id)
+ .Returns(new List());
+ sutProvider.GetDependency()
+ .GetOrganizationAbilityAsync(organizationId)
+ .Returns(new OrganizationAbility { Id = organizationId });
+
+ var result = await sutProvider.Sut.GetCipher(id);
+
+ Assert.IsAssignableFrom(result);
+ Assert.Equal(id, result.Id);
+ Assert.Equal("2.iv|ct|mac", result.Data); // full data present
+ Assert.Null(result.PartialData); // isPartial == false
+ }
+#pragma warning restore CS0618
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/AccessRequestEndpointsHandlerTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/AccessRequestEndpointsHandlerTests.cs
new file mode 100644
index 000000000000..692c3ee7bc61
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/AccessRequestEndpointsHandlerTests.cs
@@ -0,0 +1,128 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Models;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints;
+
+[SutProviderCustomize]
+public class AccessRequestEndpointsHandlerTests
+{
+ private static readonly ClaimsPrincipal _user = new();
+
+ [Theory, BitAutoData]
+ public async Task GetInbox_ReturnsMappedPendingRows(
+ Guid userId, AccessRequestDetails row, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ row.Status = AccessRequestStatus.Pending;
+ sutProvider.GetDependency().GetPendingAsync(userId).Returns([row]);
+
+ var result = await sutProvider.Sut.GetInbox(_user);
+
+ Assert.Single(result.Data);
+ Assert.Equal(row.Id, result.Data.First().Id);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetHistory_ReturnsMappedHistoryRows(
+ Guid userId, AccessRequestDetails row, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ row.Status = AccessRequestStatus.Approved;
+ sutProvider.GetDependency().GetHistoryAsync(userId).Returns([row]);
+
+ var result = await sutProvider.Sut.GetHistory(_user);
+
+ Assert.Single(result.Data);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetMine_ReturnsMappedRows(
+ Guid userId, AccessRequestDetails row, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ row.Status = AccessRequestStatus.Pending;
+ sutProvider.GetDependency().GetMineAsync(userId).Returns([row]);
+
+ var result = (await sutProvider.Sut.GetMine(_user)).Data.ToList();
+
+ Assert.Single(result);
+ Assert.Equal(row.Id, result[0].Id);
+ Assert.Equal(AccessRequestStatusNames.Pending, result[0].Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetMine_NoRows_ReturnsEmpty(
+ Guid userId, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ sutProvider.GetDependency().GetMineAsync(userId).Returns([]);
+
+ var result = await sutProvider.Sut.GetMine(_user);
+
+ Assert.Empty(result.Data);
+ }
+
+ [Theory, BitAutoData]
+ public async Task Decide_ReturnsUpdatedRow(
+ Guid userId, Guid requestId, AccessRequestDetails updated, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ updated.Status = AccessRequestStatus.Approved;
+ updated.ProducedLeaseId = null;
+ sutProvider.GetDependency()
+ .DecideAsync(userId, requestId, Arg.Any())
+ .Returns(updated);
+
+ var result = await sutProvider.Sut.Decide(_user, requestId, new AccessDecisionRequestModel { Verdict = AccessDecisionVerdict.Approve });
+
+ Assert.Equal(updated.Id, result.Id);
+ Assert.Equal(AccessRequestStatusNames.Approved, result.Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task Activate_ReturnsMintedLease(
+ Guid userId, Guid requestId, AccessLease lease, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ lease.Status = AccessLeaseStatus.Active;
+ sutProvider.GetDependency()
+ .ActivateAsync(userId, requestId)
+ .Returns(lease);
+
+ var result = await sutProvider.Sut.Activate(_user, requestId);
+
+ Assert.Equal(lease.Id, result.Id);
+ Assert.Equal(AccessLeaseStatusNames.Active, result.Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task Revoke_InvokesCancelCommand(
+ Guid userId, Guid requestId, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+
+ await sutProvider.Sut.Revoke(_user, requestId);
+
+ await sutProvider.GetDependency().Received(1).CancelAsync(userId, requestId);
+ }
+
+ private static void SetupUser(SutProvider sutProvider, Guid userId)
+ {
+ sutProvider.GetDependency()
+ .GetProperUserId(Arg.Any())
+ .Returns(userId);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/CipherLeaseEndpointsHandlerTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/CipherLeaseEndpointsHandlerTests.cs
new file mode 100644
index 000000000000..4a31a96ebaf6
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/CipherLeaseEndpointsHandlerTests.cs
@@ -0,0 +1,36 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints;
+
+[SutProviderCustomize]
+public class CipherLeaseEndpointsHandlerTests
+{
+ private static readonly ClaimsPrincipal _user = new();
+
+ [Theory, BitAutoData]
+ public async Task State_ReturnsSnapshotFromQuery(
+ Guid id, Guid userId, Bit.Pam.Entities.AccessLease activeLease, SutProvider sutProvider)
+ {
+ sutProvider.GetDependency()
+ .GetProperUserId(Arg.Any())
+ .Returns(userId);
+ sutProvider.GetDependency()
+ .GetStateAsync(userId, id)
+ .Returns(new Bit.Commercial.Pam.Models.CipherAccessState(id, activeLease, null, null));
+
+ var result = await sutProvider.Sut.State(_user, id);
+
+ Assert.Equal(id, result.CipherId);
+ Assert.NotNull(result.ActiveLease);
+ Assert.Equal(activeLease.Id, result.ActiveLease!.Id);
+ Assert.Null(result.PendingRequest);
+ Assert.Null(result.ApprovedRequest);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilterTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilterTests.cs
new file mode 100644
index 000000000000..26e2c7a46180
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamExceptionHandlerEndpointFilterTests.cs
@@ -0,0 +1,90 @@
+using Bit.Commercial.Pam.Api.Endpoints.Filters;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Api;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints.Filters;
+
+public class PamExceptionHandlerEndpointFilterTests
+{
+ [Fact]
+ public async Task InvokeAsync_NoException_PassesResultThrough()
+ {
+ var context = CreateContext();
+ EndpointFilterDelegate next = _ => ValueTask.FromResult("ok");
+
+ var result = await new PamExceptionHandlerEndpointFilter().InvokeAsync(context, next);
+
+ Assert.Equal("ok", result);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NotFoundException_Returns404ErrorResponseModel()
+ {
+ var context = CreateContext();
+ EndpointFilterDelegate next = _ => throw new NotFoundException();
+
+ var result = await new PamExceptionHandlerEndpointFilter().InvokeAsync(context, next);
+
+ var jsonResult = Assert.IsType>(result);
+ Assert.Equal(StatusCodes.Status404NotFound, jsonResult.StatusCode);
+ Assert.Equal("Resource not found.", jsonResult.Value!.Message);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_FeatureUnavailableException_Returns404()
+ {
+ // FeatureUnavailableException derives from NotFoundException, so the feature gate maps to 404 like the rest.
+ var context = CreateContext();
+ EndpointFilterDelegate next = _ => throw new FeatureUnavailableException();
+
+ var result = await new PamExceptionHandlerEndpointFilter().InvokeAsync(context, next);
+
+ var jsonResult = Assert.IsType>(result);
+ Assert.Equal(StatusCodes.Status404NotFound, jsonResult.StatusCode);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_BadRequestExceptionWithModelState_Returns400WithValidationErrors()
+ {
+ var modelState = new ModelStateDictionary();
+ modelState.AddModelError("Name", "Required.");
+ var context = CreateContext();
+ EndpointFilterDelegate next = _ => throw new BadRequestException(modelState);
+
+ var result = await new PamExceptionHandlerEndpointFilter().InvokeAsync(context, next);
+
+ var jsonResult = Assert.IsType>(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, jsonResult.StatusCode);
+ Assert.True(jsonResult.Value!.ValidationErrors!.ContainsKey("Name"));
+ }
+
+ [Fact]
+ public async Task InvokeAsync_UnhandledException_Returns500()
+ {
+ var context = CreateContext();
+ EndpointFilterDelegate next = _ => throw new InvalidOperationException("boom");
+
+ var result = await new PamExceptionHandlerEndpointFilter().InvokeAsync(context, next);
+
+ var jsonResult = Assert.IsType>(result);
+ Assert.Equal(StatusCodes.Status500InternalServerError, jsonResult.StatusCode);
+ }
+
+ private static EndpointFilterInvocationContext CreateContext()
+ {
+ var environment = Substitute.For();
+ environment.EnvironmentName.Returns("Production");
+ var services = new ServiceCollection();
+ services.AddSingleton(environment);
+ services.AddLogging();
+ var httpContext = new DefaultHttpContext { RequestServices = services.BuildServiceProvider() };
+ return EndpointFilterInvocationContext.Create(httpContext);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamValidationEndpointFilterTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamValidationEndpointFilterTests.cs
new file mode 100644
index 000000000000..62c16934109a
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/PamValidationEndpointFilterTests.cs
@@ -0,0 +1,73 @@
+using Bit.Commercial.Pam.Api.Endpoints.Filters;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Core.Models.Api;
+using Bit.Pam.Enums;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints.Filters;
+
+public class PamValidationEndpointFilterTests
+{
+ [Fact]
+ public async Task InvokeAsync_InvalidRequestModel_ReturnsErrorResponseModel400AndSkipsNext()
+ {
+ // Verdict is [Required] and left null -> invalid.
+ var context = CreateContext(new AccessDecisionRequestModel());
+ var nextCalled = false;
+ EndpointFilterDelegate next = _ =>
+ {
+ nextCalled = true;
+ return ValueTask.FromResult("ok");
+ };
+
+ var result = await new PamValidationEndpointFilter().InvokeAsync(context, next);
+
+ Assert.False(nextCalled);
+ var jsonResult = Assert.IsType>(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, jsonResult.StatusCode);
+ Assert.Equal("The model state is invalid.", jsonResult.Value!.Message);
+ Assert.True(jsonResult.Value.ValidationErrors!.ContainsKey(nameof(AccessDecisionRequestModel.Verdict)));
+ }
+
+ [Fact]
+ public async Task InvokeAsync_ValidRequestModel_CallsNext()
+ {
+ var context = CreateContext(new AccessDecisionRequestModel { Verdict = AccessDecisionVerdict.Approve });
+ var nextCalled = false;
+ EndpointFilterDelegate next = _ =>
+ {
+ nextCalled = true;
+ return ValueTask.FromResult("ok");
+ };
+
+ var result = await new PamValidationEndpointFilter().InvokeAsync(context, next);
+
+ Assert.True(nextCalled);
+ Assert.Equal("ok", result);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NonRequestModelArguments_AreIgnored()
+ {
+ // Route/service-style arguments (a Guid, a string) are not request models and must not be validated.
+ var context = CreateContext(Guid.NewGuid(), "not-a-model");
+ var nextCalled = false;
+ EndpointFilterDelegate next = _ =>
+ {
+ nextCalled = true;
+ return ValueTask.FromResult("ok");
+ };
+
+ var result = await new PamValidationEndpointFilter().InvokeAsync(context, next);
+
+ Assert.True(nextCalled);
+ Assert.Equal("ok", result);
+ }
+
+ // Use DefaultEndpointFilterInvocationContext's params constructor rather than the static Create(...), whose
+ // generic overload would treat a passed object[] as one argument instead of spreading it.
+ private static EndpointFilterInvocationContext CreateContext(params object[] arguments) =>
+ new DefaultEndpointFilterInvocationContext(new DefaultHttpContext(), arguments);
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/RequireFeatureEndpointFilterTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/RequireFeatureEndpointFilterTests.cs
new file mode 100644
index 000000000000..0d6adf788bc3
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/Filters/RequireFeatureEndpointFilterTests.cs
@@ -0,0 +1,59 @@
+using Bit.Commercial.Pam.Api.Endpoints.Filters;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints.Filters;
+
+public class RequireFeatureEndpointFilterTests
+{
+ private const string Flag = "pm-test-flag";
+
+ [Fact]
+ public async Task InvokeAsync_FeatureEnabled_CallsNext()
+ {
+ var featureService = Substitute.For();
+ featureService.IsEnabled(Flag).Returns(true);
+ var context = CreateContext(featureService);
+ var nextCalled = false;
+ EndpointFilterDelegate next = _ =>
+ {
+ nextCalled = true;
+ return ValueTask.FromResult("ok");
+ };
+
+ var result = await new RequireFeatureEndpointFilter(Flag).InvokeAsync(context, next);
+
+ Assert.True(nextCalled);
+ Assert.Equal("ok", result);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_FeatureDisabled_ThrowsFeatureUnavailableAndSkipsNext()
+ {
+ var featureService = Substitute.For();
+ featureService.IsEnabled(Flag).Returns(false);
+ var context = CreateContext(featureService);
+ var nextCalled = false;
+ EndpointFilterDelegate next = _ =>
+ {
+ nextCalled = true;
+ return ValueTask.FromResult("ok");
+ };
+
+ await Assert.ThrowsAsync(
+ async () => await new RequireFeatureEndpointFilter(Flag).InvokeAsync(context, next));
+ Assert.False(nextCalled);
+ }
+
+ private static EndpointFilterInvocationContext CreateContext(IFeatureService featureService)
+ {
+ var services = new ServiceCollection();
+ services.AddSingleton(featureService);
+ var httpContext = new DefaultHttpContext { RequestServices = services.BuildServiceProvider() };
+ return EndpointFilterInvocationContext.Create(httpContext);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/LeaseEndpointsHandlerTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/LeaseEndpointsHandlerTests.cs
new file mode 100644
index 000000000000..476de4a9ce6f
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Endpoints/LeaseEndpointsHandlerTests.cs
@@ -0,0 +1,121 @@
+using System.Security.Claims;
+using Bit.Commercial.Pam.Api.Endpoints.Handlers;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Commercial.Pam.Models;
+using Bit.Commercial.Pam.OrganizationFeatures.Commands.Interfaces;
+using Bit.Commercial.Pam.OrganizationFeatures.Queries.Interfaces;
+using Bit.Core.Services;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Models;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Endpoints;
+
+[SutProviderCustomize]
+public class LeaseEndpointsHandlerTests
+{
+ private static readonly ClaimsPrincipal _user = new();
+
+ [Theory, BitAutoData]
+ public async Task GetActive_ReturnsMappedLeases(
+ Guid userId, AccessLease lease, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ lease.Status = AccessLeaseStatus.Active;
+ sutProvider.GetDependency().GetActiveAsync(userId).Returns([lease]);
+
+ var result = (await sutProvider.Sut.GetActive(_user)).Data.ToList();
+
+ Assert.Single(result);
+ Assert.Equal(lease.Id, result[0].Id);
+ Assert.Equal(AccessLeaseStatusNames.Active, result[0].Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetActive_NoLeases_ReturnsEmpty(
+ Guid userId, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ sutProvider.GetDependency().GetActiveAsync(userId).Returns([]);
+
+ var result = await sutProvider.Sut.GetActive(_user);
+
+ Assert.Empty(result.Data);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetHistory_ReturnsMappedLeases(
+ Guid userId, AccessLease lease, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ lease.Status = AccessLeaseStatus.Revoked;
+ sutProvider.GetDependency().GetHistoryAsync(userId).Returns([lease]);
+
+ var result = (await sutProvider.Sut.GetHistory(_user)).Data.ToList();
+
+ Assert.Single(result);
+ Assert.Equal(lease.Id, result[0].Id);
+ Assert.Equal(AccessLeaseStatusNames.Revoked, result[0].Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task GetMine_ReturnsMappedLeases(
+ Guid userId, AccessLease lease, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ lease.Status = AccessLeaseStatus.Active;
+ sutProvider.GetDependency().GetMineActiveAsync(userId).Returns([lease]);
+
+ var result = (await sutProvider.Sut.GetMine(_user)).Data.ToList();
+
+ Assert.Single(result);
+ Assert.Equal(lease.Id, result[0].Id);
+ Assert.Equal(AccessLeaseStatusNames.Active, result[0].Status);
+ }
+
+ [Theory, BitAutoData]
+ public async Task Revoke_InvokesRevokeCommand(
+ Guid userId, Guid leaseId, SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+
+ await sutProvider.Sut.Revoke(_user, leaseId, new AccessLeaseRevokeRequestModel { Reason = "policy" });
+
+ await sutProvider.GetDependency().Received(1).RevokeAsync(userId, leaseId, "policy");
+ }
+
+ [Theory, BitAutoData]
+ public async Task Extend_ForwardsRouteLeaseId_ReturnsApprovedExtensionDetails(
+ Guid userId, Guid leaseId, AccessLeaseExtensionRequestModel model, AccessRequestDetails details,
+ SutProvider sutProvider)
+ {
+ SetupUser(sutProvider, userId);
+ details.Status = AccessRequestStatus.Approved;
+ details.ProducedLeaseId = null; // an extension produces no lease of its own, so the status stays "approved"
+ sutProvider.GetDependency()
+ .ExtendAsync(userId, Arg.Any())
+ .Returns(details);
+
+ var result = await sutProvider.Sut.Extend(_user, leaseId, model);
+
+ Assert.Equal(details.Id, result.Id);
+ Assert.Equal(AccessRequestStatusNames.Approved, result.Status);
+ Assert.Equal(details.ExtensionOfLeaseId, result.ExtensionOfLeaseId);
+ await sutProvider.GetDependency().Received(1).ExtendAsync(
+ userId,
+ Arg.Is(s =>
+ s.LeaseId == leaseId && s.DurationSeconds == model.DurationSeconds && s.Reason == model.Reason));
+ }
+
+ private static void SetupUser(SutProvider sutProvider, Guid userId)
+ {
+ sutProvider.GetDependency()
+ .GetProperUserId(Arg.Any())
+ .Returns(userId);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessDecisionRequestModelTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessDecisionRequestModelTests.cs
new file mode 100644
index 000000000000..d21f371a1517
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessDecisionRequestModelTests.cs
@@ -0,0 +1,66 @@
+using System.ComponentModel.DataAnnotations;
+using System.Text.Json;
+using Bit.Commercial.Pam.Api.Models.Request;
+using Bit.Pam.Enums;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Models;
+
+public class AccessDecisionRequestModelTests
+{
+ // Mirror the API's web JSON defaults (camelCase, case-insensitive) so the test exercises the real bind path.
+ private static readonly JsonSerializerOptions _web = new(JsonSerializerDefaults.Web);
+
+ [Theory]
+ [InlineData(0, AccessDecisionVerdict.Deny)]
+ [InlineData(1, AccessDecisionVerdict.Approve)]
+ public void Deserialize_BindsIntegerVerdictToEnum(int wire, AccessDecisionVerdict expected)
+ {
+ var model = JsonSerializer.Deserialize($$"""{"verdict":{{wire}}}""", _web);
+
+ Assert.NotNull(model);
+ Assert.Equal(expected, model!.Verdict);
+ Assert.Equal(expected, model.ToSubmission().Verdict);
+ }
+
+ [Theory]
+ [InlineData("\"approve\"")]
+ [InlineData("\"1\"")]
+ public void Deserialize_StringVerdict_Throws(string wire)
+ {
+ // The wire format is the integer enum value; a string is no longer accepted.
+ Assert.Throws(
+ () => JsonSerializer.Deserialize($$"""{"verdict":{{wire}}}""", _web));
+ }
+
+ [Fact]
+ public void Validate_MissingVerdict_IsInvalid()
+ {
+ Assert.Contains(
+ Validate(new AccessDecisionRequestModel { Verdict = null }),
+ r => r.MemberNames.Contains(nameof(AccessDecisionRequestModel.Verdict)));
+ }
+
+ [Fact]
+ public void Validate_UndefinedVerdict_IsInvalid()
+ {
+ Assert.Contains(
+ Validate(new AccessDecisionRequestModel { Verdict = (AccessDecisionVerdict)5 }),
+ r => r.MemberNames.Contains(nameof(AccessDecisionRequestModel.Verdict)));
+ }
+
+ [Theory]
+ [InlineData(AccessDecisionVerdict.Approve)]
+ [InlineData(AccessDecisionVerdict.Deny)]
+ public void Validate_DefinedVerdict_IsValid(AccessDecisionVerdict verdict)
+ {
+ Assert.Empty(Validate(new AccessDecisionRequestModel { Verdict = verdict }));
+ }
+
+ private static List Validate(AccessDecisionRequestModel model)
+ {
+ var results = new List();
+ Validator.TryValidateObject(model, new ValidationContext(model), results, validateAllProperties: true);
+ return results;
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseResponseModelTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseResponseModelTests.cs
new file mode 100644
index 000000000000..aeb27124278b
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseResponseModelTests.cs
@@ -0,0 +1,71 @@
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Models;
+
+public class AccessLeaseResponseModelTests
+{
+ [Theory, BitAutoData]
+ public void Ctor_MapsLeaseToClientShape(AccessLease lease)
+ {
+ lease.Status = AccessLeaseStatus.Active;
+
+ var model = new AccessLeaseResponseModel(lease);
+
+ Assert.Equal(lease.Id, model.Id);
+ Assert.Equal(lease.AccessRequestId, model.RequestId);
+ Assert.Equal(lease.CipherId, model.CipherId);
+ Assert.Equal(lease.CollectionId, model.CollectionId);
+ Assert.Equal(lease.OrganizationId, model.OrganizationId);
+ Assert.Equal(lease.RequesterId, model.RequesterId);
+ Assert.Equal(AccessLeaseStatusNames.Active, model.Status);
+ Assert.Equal(lease.NotBefore, model.NotBefore);
+ Assert.Equal(lease.NotAfter, model.NotAfter);
+ Assert.Equal(lease.RevokedDate, model.RevokedAt);
+ Assert.Equal(lease.RevokedBy, model.RevokedByUserId);
+ Assert.Null(model.RuleId);
+ Assert.Null(model.RevocationReason);
+ }
+
+ [Fact]
+ public void Ctor_MarksTimestampsAsUtc()
+ {
+ // Dapper materialises stored UTC instants with Kind=Unspecified; the model must relabel them UTC so the
+ // serialised JSON carries a 'Z' and clients don't reparse them as local time.
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var lease = new AccessLease
+ {
+ Status = AccessLeaseStatus.Active,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ RevokedDate = unspecified.AddMinutes(30),
+ };
+
+ var model = new AccessLeaseResponseModel(lease);
+
+ Assert.Equal(DateTimeKind.Utc, model.NotBefore.Kind);
+ Assert.Equal(DateTimeKind.Utc, model.NotAfter.Kind);
+ Assert.Equal(DateTimeKind.Utc, model.RevokedAt!.Value.Kind);
+ // SpecifyKind relabels without shifting the wall clock.
+ Assert.Equal(unspecified.Ticks, model.NotBefore.Ticks);
+ }
+
+ [Fact]
+ public void Ctor_LeavesNullRevokedDateNull()
+ {
+ var lease = new AccessLease
+ {
+ Status = AccessLeaseStatus.Active,
+ NotBefore = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified),
+ NotAfter = new DateTime(2026, 6, 15, 14, 0, 0, DateTimeKind.Unspecified),
+ RevokedDate = null,
+ };
+
+ var model = new AccessLeaseResponseModel(lease);
+
+ Assert.Null(model.RevokedAt);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseStatusNamesTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseStatusNamesTests.cs
new file mode 100644
index 000000000000..4d7d62acb799
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessLeaseStatusNamesTests.cs
@@ -0,0 +1,17 @@
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Pam.Enums;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Models;
+
+public class AccessLeaseStatusNamesTests
+{
+ [Theory]
+ [InlineData(AccessLeaseStatus.Active, AccessLeaseStatusNames.Active)]
+ [InlineData(AccessLeaseStatus.Expired, AccessLeaseStatusNames.Expired)]
+ [InlineData(AccessLeaseStatus.Revoked, AccessLeaseStatusNames.Revoked)]
+ public void From_MapsToFrontendVocabulary(AccessLeaseStatus status, string expected)
+ {
+ Assert.Equal(expected, AccessLeaseStatusNames.From(status));
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestDetailsResponseModelTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestDetailsResponseModelTests.cs
new file mode 100644
index 000000000000..387c2eee7a17
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestDetailsResponseModelTests.cs
@@ -0,0 +1,149 @@
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Pam.Enums;
+using Bit.Pam.Models;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Models;
+
+public class AccessRequestDetailsResponseModelTests
+{
+ [Fact]
+ public void Ctor_MarksTimestampsAsUtc()
+ {
+ // Regression guard: the approver inbox drops a request whose requested window has lapsed. When the stored
+ // UTC instants are serialised without a 'Z' (Kind=Unspecified), a client east of UTC reparses them as local
+ // time and the shift hides still-valid requests. The model must relabel the kind as UTC.
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var details = new AccessRequestDetails
+ {
+ Status = AccessRequestStatus.Pending,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ CreationDate = unspecified.AddMinutes(-5),
+ ResolvedDate = unspecified.AddMinutes(10),
+ };
+
+ var model = new AccessRequestDetailsResponseModel(details);
+
+ Assert.Equal(DateTimeKind.Utc, model.RequestedNotBefore.Kind);
+ Assert.Equal(DateTimeKind.Utc, model.RequestedNotAfter.Kind);
+ Assert.Equal(DateTimeKind.Utc, model.SubmittedAt.Kind);
+ Assert.Equal(DateTimeKind.Utc, model.ResolvedAt!.Value.Kind);
+ // SpecifyKind relabels without shifting the wall clock.
+ Assert.Equal(unspecified.Ticks, model.RequestedNotBefore.Ticks);
+ }
+
+ [Fact]
+ public void Ctor_LeavesNullResolvedDateNull()
+ {
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var details = new AccessRequestDetails
+ {
+ Status = AccessRequestStatus.Pending,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ CreationDate = unspecified,
+ ResolvedDate = null,
+ };
+
+ var model = new AccessRequestDetailsResponseModel(details);
+
+ Assert.Null(model.ResolvedAt);
+ }
+
+ [Fact]
+ public void Ctor_MapsHumanApproverAsSingleApproversElement()
+ {
+ // The requester's own request list names who decided the request; the resolved approver identity, verdict, and
+ // comment must flow through as a single Approvers element rather than being dropped (which would leave the
+ // client showing a raw id). The array shape future-proofs the contract for multi-party approval.
+ var approverId = Guid.NewGuid();
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var decidedAt = unspecified.AddMinutes(20);
+ var details = new AccessRequestDetails
+ {
+ Status = AccessRequestStatus.Denied,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ CreationDate = unspecified,
+ ResolvedDate = decidedAt,
+ Decisions =
+ [
+ new AccessRequestDecision
+ {
+ DeciderKind = AccessDeciderKind.Human,
+ Id = approverId,
+ Name = "Ada Approver",
+ Email = "ada@example.com",
+ Comment = "Outside approved hours",
+ Verdict = AccessDecisionVerdict.Deny,
+ DecidedAt = decidedAt,
+ },
+ ],
+ };
+
+ var model = new AccessRequestDetailsResponseModel(details);
+
+ var decision = Assert.Single(model.Decisions);
+ Assert.Equal(AccessDeciderKindNames.Human, decision.DeciderKind);
+ Assert.Equal(approverId, decision.Id!.Value);
+ Assert.Equal("Ada Approver", decision.Name);
+ Assert.Equal("ada@example.com", decision.Email);
+ Assert.Equal("Outside approved hours", decision.Comment);
+ Assert.Equal(AccessDecisionVerdict.Deny, decision.Verdict);
+ Assert.Equal(decidedAt.Ticks, decision.DecidedAt.Ticks);
+ Assert.Equal(DateTimeKind.Utc, decision.DecidedAt.Kind);
+ }
+
+ [Fact]
+ public void Ctor_MapsAutomaticDecisionWithNoApproverIdentity()
+ {
+ // An automatic (access-rule) decision is surfaced like any other, but with deciderKind "automatic" and no
+ // approver identity — the client renders it as a rule-driven decision rather than a person.
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var details = new AccessRequestDetails
+ {
+ Status = AccessRequestStatus.Approved,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ CreationDate = unspecified,
+ ResolvedDate = unspecified.AddMinutes(1),
+ Decisions =
+ [
+ new AccessRequestDecision
+ {
+ DeciderKind = AccessDeciderKind.Automatic,
+ Id = null,
+ Verdict = AccessDecisionVerdict.Approve,
+ DecidedAt = unspecified.AddMinutes(1),
+ },
+ ],
+ };
+
+ var model = new AccessRequestDetailsResponseModel(details);
+
+ var decision = Assert.Single(model.Decisions);
+ Assert.Equal(AccessDeciderKindNames.Automatic, decision.DeciderKind);
+ Assert.Null(decision.Id);
+ Assert.Null(decision.Name);
+ Assert.Equal(AccessDecisionVerdict.Approve, decision.Verdict);
+ }
+
+ [Fact]
+ public void Ctor_LeavesDecisionsEmptyWhenPending()
+ {
+ // A pending request has no decision recorded yet, so the decision log is empty.
+ var unspecified = new DateTime(2026, 6, 15, 13, 0, 0, DateTimeKind.Unspecified);
+ var details = new AccessRequestDetails
+ {
+ Status = AccessRequestStatus.Pending,
+ NotBefore = unspecified,
+ NotAfter = unspecified.AddHours(1),
+ CreationDate = unspecified,
+ };
+
+ var model = new AccessRequestDetailsResponseModel(details);
+
+ Assert.Empty(model.Decisions);
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestStatusNamesTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestStatusNamesTests.cs
new file mode 100644
index 000000000000..aa0472e07bdb
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Api/Models/AccessRequestStatusNamesTests.cs
@@ -0,0 +1,20 @@
+using Bit.Commercial.Pam.Api.Models.Response;
+using Bit.Pam.Enums;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Api.Models;
+
+public class AccessRequestStatusNamesTests
+{
+ [Theory]
+ [InlineData(AccessRequestStatus.Pending, false, AccessRequestStatusNames.Pending)]
+ [InlineData(AccessRequestStatus.Approved, false, AccessRequestStatusNames.Approved)]
+ [InlineData(AccessRequestStatus.Approved, true, AccessRequestStatusNames.Activated)]
+ [InlineData(AccessRequestStatus.Denied, false, AccessRequestStatusNames.Denied)]
+ [InlineData(AccessRequestStatus.Cancelled, false, AccessRequestStatusNames.Cancelled)]
+ [InlineData(AccessRequestStatus.ExpiredUnanswered, false, AccessRequestStatusNames.Expired)]
+ public void From_MapsToFrontendVocabulary(AccessRequestStatus status, bool hasLease, string expected)
+ {
+ Assert.Equal(expected, AccessRequestStatusNames.From(status, hasLease));
+ }
+}
diff --git a/bitwarden_license/test/Commercial.Pam.Test/Commands/ActivateAccessRequestCommandTests.cs b/bitwarden_license/test/Commercial.Pam.Test/Commands/ActivateAccessRequestCommandTests.cs
new file mode 100644
index 000000000000..8926c988d776
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Pam.Test/Commands/ActivateAccessRequestCommandTests.cs
@@ -0,0 +1,273 @@
+using Bit.Commercial.Pam.OrganizationFeatures.Commands;
+using Bit.Commercial.Pam.Services;
+using Bit.Core.Exceptions;
+using Bit.Pam.Entities;
+using Bit.Pam.Enums;
+using Bit.Pam.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Time.Testing;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Commercial.Pam.Test.Commands;
+
+[SutProviderCustomize]
+public class ActivateAccessRequestCommandTests
+{
+ private static readonly DateTime _now = new(2026, 6, 10, 12, 0, 0, DateTimeKind.Utc);
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_RequestMissing_ThrowsNotFound(Guid userId, Guid requestId)
+ {
+ var sutProvider = Setup();
+ sutProvider.GetDependency().GetByIdAsync(requestId).Returns((AccessRequest?)null);
+
+ await Assert.ThrowsAsync(() => sutProvider.Sut.ActivateAsync(userId, requestId));
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_NotOwner_ThrowsNotFound(Guid userId, AccessRequest request)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+
+ // Someone else's request is indistinguishable from a missing one, so ids can't be probed.
+ await Assert.ThrowsAsync(() => sutProvider.Sut.ActivateAsync(userId, request.Id));
+ }
+
+ [Theory]
+ [BitAutoData(AccessRequestStatus.Pending)]
+ [BitAutoData(AccessRequestStatus.Denied)]
+ [BitAutoData(AccessRequestStatus.Cancelled)]
+ [BitAutoData(AccessRequestStatus.ExpiredUnanswered)]
+ public async Task ActivateAsync_NotApproved_ThrowsConflict(AccessRequestStatus status, AccessRequest request)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ request.Status = status;
+
+ await Assert.ThrowsAsync(
+ () => sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id));
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .CreateFromApprovedRequestAsync(default!, default, default);
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_AlreadyActivated_LiveLease_ReturnsExistingWithoutMinting(
+ AccessRequest request, AccessLease existing)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ existing.Status = AccessLeaseStatus.Active;
+ existing.NotAfter = _now.AddMinutes(30);
+ sutProvider.GetDependency().GetByAccessRequestIdAsync(request.Id).Returns(existing);
+
+ var result = await sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id);
+
+ Assert.Same(existing, result);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .CreateFromApprovedRequestAsync(default!, default, default);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .NotifyCollectionApproversAsync(default);
+ }
+
+ [Theory]
+ [BitAutoData(AccessLeaseStatus.Revoked)]
+ [BitAutoData(AccessLeaseStatus.Expired)]
+ public async Task ActivateAsync_AlreadyActivated_DeadLease_ThrowsConflict(
+ AccessLeaseStatus leaseStatus, AccessRequest request, AccessLease existing)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ existing.Status = leaseStatus;
+ sutProvider.GetDependency().GetByAccessRequestIdAsync(request.Id).Returns(existing);
+
+ // A request authorizes access at most once; a revoked or lapsed lease is final.
+ await Assert.ThrowsAsync(
+ () => sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id));
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_AlreadyActivated_ActiveButLapsedLease_ThrowsConflict(
+ AccessRequest request, AccessLease existing)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ existing.Status = AccessLeaseStatus.Active;
+ existing.NotAfter = _now.AddMinutes(-1);
+ sutProvider.GetDependency().GetByAccessRequestIdAsync(request.Id).Returns(existing);
+
+ await Assert.ThrowsAsync(
+ () => sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id));
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_WindowNotStarted_ThrowsBadRequest(AccessRequest request)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ request.NotBefore = _now.AddHours(1);
+ request.NotAfter = _now.AddHours(2);
+
+ var ex = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id));
+ Assert.Contains("not started", ex.Message);
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_WindowEnded_ThrowsBadRequest(AccessRequest request)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ request.NotBefore = _now.AddHours(-2);
+ request.NotAfter = _now.AddHours(-1);
+
+ var ex = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id));
+ Assert.Contains("already ended", ex.Message);
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_Approved_MintsLeaseSpanningRequestWindow(AccessRequest request)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ sutProvider.GetDependency()
+ .CreateFromApprovedRequestAsync(Arg.Any(), _now, Arg.Any())
+ .Returns(AccessLeaseMintOutcome.Minted);
+
+ var result = await sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id);
+
+ Assert.Equal(request.Id, result.AccessRequestId);
+ Assert.Equal(request.OrganizationId, result.OrganizationId);
+ Assert.Equal(request.CollectionId, result.CollectionId);
+ Assert.Equal(request.CipherId, result.CipherId);
+ Assert.Equal(request.RequesterId, result.RequesterId);
+ Assert.Equal(AccessLeaseStatus.Active, result.Status);
+ // Activation mints the window the approver approved, not a window anchored at activation time.
+ Assert.Equal(request.NotBefore, result.NotBefore);
+ Assert.Equal(request.NotAfter, result.NotAfter);
+ Assert.Equal(_now, result.CreationDate);
+ Assert.NotEqual(default, result.Id);
+ await sutProvider.GetDependency().Received(1)
+ .CreateFromApprovedRequestAsync(result, _now, Arg.Any());
+ await sutProvider.GetDependency().Received(1)
+ .NotifyCollectionApproversAsync(request.CollectionId);
+ await sutProvider.GetDependency().Received(1)
+ .NotifyRequesterAsync(request.RequesterId);
+ }
+
+ [Theory, BitAutoData]
+ public async Task ActivateAsync_LostRace_WinnerLive_ReturnsWinner(AccessRequest request, AccessLease winner)
+ {
+ var sutProvider = Setup();
+ SetupApprovedRequest(sutProvider, request);
+ winner.Status = AccessLeaseStatus.Active;
+ winner.NotAfter = _now.AddMinutes(30);
+ sutProvider.GetDependency()
+ .CreateFromApprovedRequestAsync(Arg.Any(), _now, Arg.Any())
+ .Returns(AccessLeaseMintOutcome.PreconditionFailed);
+ sutProvider.GetDependency().GetByAccessRequestIdAsync(request.Id)
+ .Returns((AccessLease?)null, winner);
+
+ var result = await sutProvider.Sut.ActivateAsync(request.RequesterId, request.Id);
+
+ Assert.Same(winner, result);
+ await sutProvider.GetDependency