diff --git a/.github/renovate.json b/.github/renovate.json
index 74c88a66c77..350484b5c28 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -4,13 +4,9 @@
   "enabledManagers": ["cargo", "github-actions", "npm"],
   "packageRules": [
     {
-      "groupName": "gh minor",
+      "groupName": "github action dependencies",
       "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "commitMessagePrefix": "[deps] BRE:"
+      "matchUpdateTypes": ["minor"]
     },
     {
       "matchManagers": ["cargo"],
@@ -211,10 +207,10 @@
         "eslint-plugin-storybook",
         "eslint-plugin-tailwindcss",
         "husky",
-        "jest-extended",
         "jest-junit",
         "jest-mock-extended",
         "jest-preset-angular",
+        "jest-diff",
         "lint-staged",
         "ts-jest"
       ],
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index 51fb3a0a770..51e1203673b 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -4007,6 +4007,9 @@
   "passkeyRemoved": {
     "message": "Passkey removed"
   },
+  "autofillSuggestions": {
+    "message": "Autofill suggestions"
+  },
   "itemSuggestions": {
     "message": "Suggested items"
   },
@@ -4586,12 +4589,6 @@
   "textSends": {
     "message": "Text Sends"
   },
-  "bitwardenNewLook": {
-    "message": "Bitwarden has a new look!"
-  },
-  "bitwardenNewLookDesc": {
-    "message": "It's easier and more intuitive than ever to autofill and search from the Vault tab. Take a look around!"
-  },
   "accountActions": {
     "message": "Account actions"
   },
diff --git a/apps/browser/src/auth/popup/settings/account-security.component.html b/apps/browser/src/auth/popup/settings/account-security.component.html
index 0f2754b2bf2..8bc28c9754d 100644
--- a/apps/browser/src/auth/popup/settings/account-security.component.html
+++ b/apps/browser/src/auth/popup/settings/account-security.component.html
@@ -20,7 +20,7 @@ <h2 bitTypography="h6">{{ "unlockMethods" | i18n }}</h2>
             {{ biometricUnavailabilityReason }}
           </bit-hint>
         </bit-form-control>
-        <bit-form-control class="tw-pl-5" *ngIf="this.form.value.biometric">
+        <bit-form-control class="tw-pl-5" *ngIf="this.form.value.biometric && showAutoPrompt">
           <input
             bitCheckbox
             id="autoBiometricsPrompt"
diff --git a/apps/browser/src/auth/popup/settings/account-security.component.ts b/apps/browser/src/auth/popup/settings/account-security.component.ts
index 7e094fe508b..5979afca4b8 100644
--- a/apps/browser/src/auth/popup/settings/account-security.component.ts
+++ b/apps/browser/src/auth/popup/settings/account-security.component.ts
@@ -29,6 +29,7 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+import { DeviceType } from "@bitwarden/common/enums";
 import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -106,6 +107,7 @@ export class AccountSecurityComponent implements OnInit, OnDestroy {
   hasVaultTimeoutPolicy = false;
   biometricUnavailabilityReason: string;
   showChangeMasterPass = true;
+  showAutoPrompt = true;
 
   form = this.formBuilder.group({
     vaultTimeout: [null as VaultTimeout | null],
@@ -141,6 +143,11 @@ export class AccountSecurityComponent implements OnInit, OnDestroy {
   ) {}
 
   async ngOnInit() {
+    // Firefox popup closes when unfocused by biometrics, blocking all unlock methods
+    if (this.platformUtilsService.getDevice() === DeviceType.FirefoxExtension) {
+      this.showAutoPrompt = false;
+    }
+
     const hasMasterPassword = await this.userVerificationService.hasMasterPassword();
     this.showMasterPasswordOnClientRestartOption = hasMasterPassword;
     const maximumVaultTimeoutPolicy = this.policyService.get$(PolicyType.MaximumVaultTimeout);
diff --git a/apps/browser/src/background/main.background.ts b/apps/browser/src/background/main.background.ts
index 98f3867e5ff..5d09122bbd6 100644
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -665,6 +665,7 @@ export default class MainBackground {
       this.logService,
       this.keyService,
       this.biometricStateService,
+      this.messagingService,
     );
 
     this.appIdService = new AppIdService(this.storageService, this.logService);
diff --git a/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts b/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts
index 4c4753c3f7f..54b6faad84c 100644
--- a/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts
+++ b/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts
@@ -1,6 +1,7 @@
 import { Injectable } from "@angular/core";
 
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { UserId } from "@bitwarden/common/types/guid";
@@ -23,6 +24,7 @@ export class BackgroundBrowserBiometricsService extends BiometricsService {
     private logService: LogService,
     private keyService: KeyService,
     private biometricStateService: BiometricStateService,
+    private messagingService: MessagingService,
   ) {
     super();
   }
@@ -97,7 +99,9 @@ export class BackgroundBrowserBiometricsService extends BiometricsService {
           if (await this.keyService.validateUserKey(userKey, userId)) {
             await this.biometricStateService.setBiometricUnlockEnabled(true);
             await this.biometricStateService.setFingerprintValidated(true);
-            this.keyService.setUserKey(userKey, userId);
+            await this.keyService.setUserKey(userKey, userId);
+            // to update badge and other things
+            this.messagingService.send("switchAccount", { userId });
             return userKey;
           }
         } else {
@@ -115,7 +119,9 @@ export class BackgroundBrowserBiometricsService extends BiometricsService {
           if (await this.keyService.validateUserKey(userKey, userId)) {
             await this.biometricStateService.setBiometricUnlockEnabled(true);
             await this.biometricStateService.setFingerprintValidated(true);
-            this.keyService.setUserKey(userKey, userId);
+            await this.keyService.setUserKey(userKey, userId);
+            // to update badge and other things
+            this.messagingService.send("switchAccount", { userId });
             return userKey;
           }
         } else {
diff --git a/apps/browser/src/popup/app.component.ts b/apps/browser/src/popup/app.component.ts
index 7b6e402a90f..9d4835889b9 100644
--- a/apps/browser/src/popup/app.component.ts
+++ b/apps/browser/src/popup/app.component.ts
@@ -137,8 +137,8 @@ export class AppComponent implements OnInit, OnDestroy {
             this.toastService._showToast(msg);
           } else if (msg.command === "reloadProcess") {
             if (this.platformUtilsService.isSafari()) {
-              window.setTimeout(() => {
-                this.biometricStateService.updateLastProcessReload();
+              window.setTimeout(async () => {
+                await this.biometricStateService.updateLastProcessReload();
                 window.location.reload();
               }, 2000);
             }
diff --git a/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.html b/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.html
index 047d168ecbb..eae8e2cc980 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.html
+++ b/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.html
@@ -1,7 +1,7 @@
 <app-vault-list-items-container
   *ngIf="autofillCiphers$ | async as ciphers"
   [ciphers]="ciphers"
-  [title]="'itemSuggestions' | i18n"
+  [title]="((currentURIIsBlocked$ | async) ? 'itemSuggestions' : 'autofillSuggestions') | i18n"
   [showRefresh]="showRefresh"
   (onRefresh)="refreshCurrentTab()"
   [description]="(showEmptyAutofillTip$ | async) ? ('autofillSuggestionsTip' | i18n) : null"
diff --git a/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.ts b/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.ts
index deba204bd71..d2dd21be6d8 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/autofill-vault-list-items/autofill-vault-list-items.component.ts
@@ -65,6 +65,12 @@ export class AutofillVaultListItemsComponent implements OnInit {
     ),
   );
 
+  /**
+   * Flag indicating that the current tab location is blocked
+   */
+  currentURIIsBlocked$: Observable<boolean> =
+    this.vaultPopupAutofillService.currentTabIsOnBlocklist$;
+
   constructor(
     private vaultPopupItemsService: VaultPopupItemsService,
     private vaultPopupAutofillService: VaultPopupAutofillService,
diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-header/vault-header-v2.component.spec.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-header/vault-header-v2.component.spec.ts
index 38ec6056d19..1f67dd51c21 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/vault-header/vault-header-v2.component.spec.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/vault-header/vault-header-v2.component.spec.ts
@@ -152,7 +152,7 @@ describe("VaultHeaderV2Component", () => {
   it("defaults the initial state to true", (done) => {
     // The initial value of the `state$` variable above is undefined
     component["initialDisclosureVisibility$"].subscribe((initialVisibility) => {
-      expect(initialVisibility).toBeTrue();
+      expect(initialVisibility).toBe(true);
       done();
     });
 
diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-ui-onboarding/vault-ui-onboarding.component.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-ui-onboarding/vault-ui-onboarding.component.ts
deleted file mode 100644
index 20b39c5a88d..00000000000
--- a/apps/browser/src/vault/popup/components/vault-v2/vault-ui-onboarding/vault-ui-onboarding.component.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-import { CommonModule } from "@angular/common";
-import { Component } from "@angular/core";
-
-import { JslibModule } from "@bitwarden/angular/jslib.module";
-import {
-  ButtonModule,
-  DialogModule,
-  DialogService,
-  IconModule,
-  svgIcon,
-} from "@bitwarden/components";
-
-const announcementIcon = svgIcon`
-<svg xmlns="http://www.w3.org/2000/svg" width="86" height="74" fill="none">
-  <g fill-rule="evenodd" clip-path="url(#a)" clip-rule="evenodd">
-    <path class="tw-fill-art-primary" d="m17.477 51.274 2.472 17.441a3.779 3.779 0 0 0 4.583 3.154l1.497-.342a3.779 3.779 0 0 0 2.759-4.831L23.44 49.91l1.8-.573 5.348 16.784a5.668 5.668 0 0 1-4.138 7.247l-1.497.341a5.668 5.668 0 0 1-6.874-4.73l-2.473-17.44 1.871-.266Z"/>
-    <path class="tw-fill-art-accent" d="m55.063 27.1-1.38.316-.211-.92 1.381-.316a3.306 3.306 0 0 1 3.96 2.486l1.052 4.605a3.306 3.306 0 0 1-2.487 3.96l-.92.21-.211-.92.92-.211a2.362 2.362 0 0 0 1.777-2.828l-1.052-4.605a2.362 2.362 0 0 0-2.829-1.777Z"/>
-    <path class="tw-fill-art-primary" d="M49.79 12.5a.18.18 0 0 0-.272-.11L21.855 29.438a.181.181 0 0 0-.058.055l-.208.323-10.947 2.5a.457.457 0 0 0-.139.064.664.664 0 0 0-.15.135.343.343 0 0 0-.06.095l.499 2.182-4.36.996c-1.873.428-3.086 2.465-2.64 4.417l1.5 6.566c.446 1.951 2.423 3.26 4.296 2.832l4.36-.996.499 2.182c.012.012.04.034.095.06a.658.658 0 0 0 .194.055c.07.009.122.004.152-.003l10.947-2.501.328.2a.18.18 0 0 0 .075.025l32.324 3.344a.18.18 0 0 0 .196-.218L49.79 12.5Zm-1.263-1.72a2.07 2.07 0 0 1 3.104 1.299L60.6 51.332a2.07 2.07 0 0 1-2.233 2.517l-32.323-3.343a2.072 2.072 0 0 1-.474-.106l-10.26 2.344a2.474 2.474 0 0 1-1.571-.184c-.463-.217-.973-.643-1.127-1.32l-.085-.37-2.518.576c-2.975.68-5.9-1.37-6.559-4.253l-1.5-6.566c-.659-2.883 1.086-6 4.061-6.68l2.518-.575-.084-.37c-.155-.677.12-1.282.442-1.678.325-.4.803-.727 1.334-.848l10.262-2.345c.113-.113.24-.214.38-.3l27.664-17.05Z"/>
-    <path class="tw-fill-art-accent" d="m10.792 34.793 3.156 13.814-.92.21L9.87 35.004l.921-.21ZM21.59 29.817l4.246 18.578-.508.12-.512.118L20.68 30.02l.91-.203Z"/>
-    <path class="tw-fill-art-primary" d="M64.287.59A.945.945 0 0 1 65.58.248c8.784 5.11 15.628 14.039 18.166 25.145 2.537 11.105.25 22.12-5.443 30.538a.945.945 0 0 1-1.565-1.059c5.398-7.98 7.587-18.46 5.166-29.058C79.48 15.215 72.958 6.726 64.629 1.882A.945.945 0 0 1 64.287.59Z"/>
-    <path class="tw-fill-art-accent" d="M61.6 6.385a.472.472 0 0 1 .643-.18c7.245 4.067 12.949 11.44 15.055 20.66s.171 18.338-4.588 25.149a.472.472 0 0 1-.774-.542c4.603-6.587 6.49-15.431 4.441-24.397-2.048-8.965-7.59-16.113-14.596-20.047a.472.472 0 0 1-.18-.643Z"/>
-    <path class="tw-fill-art-primary" d="M57.804 11.193a.472.472 0 0 1 .604-.285c6.11 2.186 11.426 8.739 13.364 17.22 1.938 8.48-.006 16.693-4.56 21.315a.472.472 0 1 1-.672-.663c4.27-4.335 6.197-12.187 4.311-20.442-1.886-8.254-7.032-14.49-12.761-16.54a.472.472 0 0 1-.286-.605Z"/>
-  </g>
-  <defs>
-    <clipPath id="a">
-      <path fill="#fff" d="M0 0h86v74H0z"/>
-    </clipPath>
-  </defs>
-</svg>
-`;
-
-@Component({
-  standalone: true,
-  selector: "app-vault-ui-onboarding",
-  template: `
-    <bit-simple-dialog>
-      <div bitDialogIcon>
-        <bit-icon [icon]="icon"></bit-icon>
-      </div>
-      <span bitDialogTitle>
-        {{ "bitwardenNewLook" | i18n }}
-      </span>
-      <span bitDialogContent>
-        {{ "bitwardenNewLookDesc" | i18n }}
-      </span>
-
-      <ng-container bitDialogFooter>
-        <button
-          bitButton
-          type="button"
-          buttonType="primary"
-          (click)="navigateToLink()"
-          bitDialogClose
-        >
-          {{ "learnMore" | i18n }}
-          <i class="bwi bwi-external-link bwi-fw" aria-hidden="true"></i>
-        </button>
-        <button bitButton type="button" buttonType="secondary" bitDialogClose>
-          {{ "close" | i18n }}
-        </button>
-      </ng-container>
-    </bit-simple-dialog>
-  `,
-  imports: [CommonModule, DialogModule, ButtonModule, JslibModule, IconModule],
-})
-export class VaultUiOnboardingComponent {
-  icon = announcementIcon;
-
-  static open(dialogService: DialogService) {
-    return dialogService.open<boolean>(VaultUiOnboardingComponent);
-  }
-
-  navigateToLink = async () => {
-    window.open(
-      "https://bitwarden.com/blog/bringing-intuitive-workflows-and-visual-updates-to-the-bitwarden-browser/",
-      "_blank",
-    );
-  };
-}
diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
index a0c54987357..7c21c7e6a0c 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/vault-v2.component.ts
@@ -19,7 +19,6 @@ import { PopupHeaderComponent } from "../../../../platform/popup/layout/popup-he
 import { PopupPageComponent } from "../../../../platform/popup/layout/popup-page.component";
 import { VaultPopupItemsService } from "../../services/vault-popup-items.service";
 import { VaultPopupListFiltersService } from "../../services/vault-popup-list-filters.service";
-import { VaultUiOnboardingService } from "../../services/vault-ui-onboarding.service";
 
 import { BlockedInjectionBanner } from "./blocked-injection-banner/blocked-injection-banner.component";
 import {
@@ -58,7 +57,6 @@ enum VaultState {
     VaultHeaderV2Component,
     DecryptionFailureDialogComponent,
   ],
-  providers: [VaultUiOnboardingService],
 })
 export class VaultV2Component implements OnInit, OnDestroy {
   cipherType = CipherType;
@@ -93,7 +91,6 @@ export class VaultV2Component implements OnInit, OnDestroy {
   constructor(
     private vaultPopupItemsService: VaultPopupItemsService,
     private vaultPopupListFiltersService: VaultPopupListFiltersService,
-    private vaultUiOnboardingService: VaultUiOnboardingService,
     private destroyRef: DestroyRef,
     private cipherService: CipherService,
     private dialogService: DialogService,
@@ -123,8 +120,6 @@ export class VaultV2Component implements OnInit, OnDestroy {
   }
 
   async ngOnInit() {
-    await this.vaultUiOnboardingService.showOnboardingDialog();
-
     this.cipherService.failedToDecryptCiphers$
       .pipe(
         map((ciphers) => ciphers.filter((c) => !c.isDeleted)),
diff --git a/apps/browser/src/vault/popup/components/vault-v2/view-v2/view-v2.component.spec.ts b/apps/browser/src/vault/popup/components/vault-v2/view-v2/view-v2.component.spec.ts
index 7ee15aa833b..526ab2e2579 100644
--- a/apps/browser/src/vault/popup/components/vault-v2/view-v2/view-v2.component.spec.ts
+++ b/apps/browser/src/vault/popup/components/vault-v2/view-v2/view-v2.component.spec.ts
@@ -179,7 +179,7 @@ describe("ViewV2Component", () => {
 
       flush(); // Resolve all promises
 
-      expect(doAutofill).toHaveBeenCalledOnce();
+      expect(doAutofill).toHaveBeenCalledTimes(1);
     }));
 
     it('invokes `copy` when action="copy-username"', fakeAsync(() => {
@@ -187,7 +187,7 @@ describe("ViewV2Component", () => {
 
       flush(); // Resolve all promises
 
-      expect(copy).toHaveBeenCalledOnce();
+      expect(copy).toHaveBeenCalledTimes(1);
     }));
 
     it('invokes `copy` when action="copy-password"', fakeAsync(() => {
@@ -195,7 +195,7 @@ describe("ViewV2Component", () => {
 
       flush(); // Resolve all promises
 
-      expect(copy).toHaveBeenCalledOnce();
+      expect(copy).toHaveBeenCalledTimes(1);
     }));
 
     it('invokes `copy` when action="copy-totp"', fakeAsync(() => {
@@ -203,7 +203,7 @@ describe("ViewV2Component", () => {
 
       flush(); // Resolve all promises
 
-      expect(copy).toHaveBeenCalledOnce();
+      expect(copy).toHaveBeenCalledTimes(1);
     }));
 
     it("closes the popout after a load action", fakeAsync(() => {
@@ -218,9 +218,9 @@ describe("ViewV2Component", () => {
 
       flush(); // Resolve all promises
 
-      expect(doAutofill).toHaveBeenCalledOnce();
+      expect(doAutofill).toHaveBeenCalledTimes(1);
       expect(focusSpy).toHaveBeenCalledWith(99);
-      expect(closeSpy).toHaveBeenCalledOnce();
+      expect(closeSpy).toHaveBeenCalledTimes(1);
     }));
   });
 });
diff --git a/apps/browser/src/vault/popup/services/vault-popup-list-filters.service.spec.ts b/apps/browser/src/vault/popup/services/vault-popup-list-filters.service.spec.ts
index 0eb91c6cbe2..e1236be08f9 100644
--- a/apps/browser/src/vault/popup/services/vault-popup-list-filters.service.spec.ts
+++ b/apps/browser/src/vault/popup/services/vault-popup-list-filters.service.spec.ts
@@ -488,7 +488,7 @@ describe("VaultPopupListFiltersService", () => {
       state$.next(true);
 
       service.filterVisibilityState$.subscribe((filterVisibility) => {
-        expect(filterVisibility).toBeTrue();
+        expect(filterVisibility).toBe(true);
         done();
       });
     });
@@ -496,7 +496,7 @@ describe("VaultPopupListFiltersService", () => {
     it("updates stored filter state", async () => {
       await service.updateFilterVisibility(false);
 
-      expect(update).toHaveBeenCalledOnce();
+      expect(update).toHaveBeenCalledTimes(1);
       // Get callback passed to `update`
       const updateCallback = update.mock.calls[0][0];
       expect(updateCallback()).toBe(false);
diff --git a/apps/browser/src/vault/popup/services/vault-ui-onboarding.service.ts b/apps/browser/src/vault/popup/services/vault-ui-onboarding.service.ts
deleted file mode 100644
index f50d6ebc236..00000000000
--- a/apps/browser/src/vault/popup/services/vault-ui-onboarding.service.ts
+++ /dev/null
@@ -1,89 +0,0 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
-import { Injectable } from "@angular/core";
-import { firstValueFrom, map } from "rxjs";
-
-import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import {
-  GlobalState,
-  KeyDefinition,
-  StateProvider,
-  VAULT_BROWSER_UI_ONBOARDING,
-} from "@bitwarden/common/platform/state";
-import { DialogService } from "@bitwarden/components";
-
-import { VaultUiOnboardingComponent } from "../components/vault-v2/vault-ui-onboarding/vault-ui-onboarding.component";
-
-// Key definition for the Vault UI onboarding state.
-// This key is used to store the state of the new UI information dialog.
-export const GLOBAL_VAULT_UI_ONBOARDING = new KeyDefinition<boolean>(
-  VAULT_BROWSER_UI_ONBOARDING,
-  "dialogState",
-  {
-    deserializer: (obj) => obj,
-  },
-);
-
-@Injectable()
-export class VaultUiOnboardingService {
-  private onboardingUiReleaseDate = new Date("2024-12-10");
-
-  private vaultUiOnboardingState: GlobalState<boolean> = this.stateProvider.getGlobal(
-    GLOBAL_VAULT_UI_ONBOARDING,
-  );
-
-  private readonly vaultUiOnboardingState$ = this.vaultUiOnboardingState.state$.pipe(
-    map((x) => x ?? false),
-  );
-
-  constructor(
-    private stateProvider: StateProvider,
-    private dialogService: DialogService,
-    private apiService: ApiService,
-  ) {}
-
-  /**
-   * Checks whether the onboarding dialog should be shown and opens it if necessary.
-   * The dialog is shown if the user has not previously viewed it and is not a new account.
-   */
-  async showOnboardingDialog(): Promise<void> {
-    const hasViewedDialog = await this.getVaultUiOnboardingState();
-
-    if (!hasViewedDialog && !(await this.isNewAccount())) {
-      await this.openVaultUiOnboardingDialog();
-    }
-  }
-
-  private async openVaultUiOnboardingDialog(): Promise<boolean> {
-    const dialogRef = VaultUiOnboardingComponent.open(this.dialogService);
-
-    const result = firstValueFrom(dialogRef.closed);
-
-    // Update the onboarding state when the dialog is closed
-    await this.setVaultUiOnboardingState(true);
-
-    return result;
-  }
-
-  private async isNewAccount(): Promise<boolean> {
-    const userProfile = await this.apiService.getProfile();
-    const profileCreationDate = new Date(userProfile.creationDate);
-    return profileCreationDate > this.onboardingUiReleaseDate;
-  }
-
-  /**
-   * Updates and saves the state indicating whether the user has viewed
-   * the new UI onboarding information dialog.
-   */
-  private async setVaultUiOnboardingState(value: boolean): Promise<void> {
-    await this.vaultUiOnboardingState.update(() => value);
-  }
-
-  /**
-   * Retrieves the current state indicating whether the user has viewed
-   * the new UI onboarding information dialog.s
-   */
-  private async getVaultUiOnboardingState(): Promise<boolean> {
-    return await firstValueFrom(this.vaultUiOnboardingState$);
-  }
-}
diff --git a/apps/cli/package.json b/apps/cli/package.json
index 8a6dffb1cb3..d1d8ac76ec4 100644
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -63,7 +63,7 @@
     "browser-hrtime": "1.1.8",
     "chalk": "4.1.2",
     "commander": "11.1.0",
-    "form-data": "4.0.0",
+    "form-data": "4.0.1",
     "https-proxy-agent": "7.0.5",
     "inquirer": "8.2.6",
     "jsdom": "25.0.1",
diff --git a/apps/desktop/desktop_native/core/src/password/windows.rs b/apps/desktop/desktop_native/core/src/password/windows.rs
index 32300b9f81f..8b297fc33b7 100644
--- a/apps/desktop/desktop_native/core/src/password/windows.rs
+++ b/apps/desktop/desktop_native/core/src/password/windows.rs
@@ -13,7 +13,7 @@ use windows::{
 
 const CRED_FLAGS_NONE: u32 = 0;
 
-pub async fn get_password<'a>(service: &str, account: &str) -> Result<String> {
+pub async fn get_password(service: &str, account: &str) -> Result<String> {
     let target_name = U16CString::from_str(target_name(service, account))?;
 
     let mut credential: *mut CREDENTIALW = std::ptr::null_mut();
diff --git a/apps/web/src/app/billing/organizations/change-plan-dialog.component.ts b/apps/web/src/app/billing/organizations/change-plan-dialog.component.ts
index bc5c7da8db9..73577c7b002 100644
--- a/apps/web/src/app/billing/organizations/change-plan-dialog.component.ts
+++ b/apps/web/src/app/billing/organizations/change-plan-dialog.component.ts
@@ -1062,7 +1062,11 @@ export class ChangePlanDialogComponent implements OnInit, OnDestroy {
   }
 
   private refreshSalesTax(): void {
-    if (!this.taxInformation.country || !this.taxInformation.postalCode) {
+    if (
+      this.taxInformation === undefined ||
+      !this.taxInformation.country ||
+      !this.taxInformation.postalCode
+    ) {
       return;
     }
 
diff --git a/apps/web/src/app/billing/organizations/organization-plans.component.ts b/apps/web/src/app/billing/organizations/organization-plans.component.ts
index 4592f8de894..edc29b16049 100644
--- a/apps/web/src/app/billing/organizations/organization-plans.component.ts
+++ b/apps/web/src/app/billing/organizations/organization-plans.component.ts
@@ -193,7 +193,7 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
       this.billing = await this.organizationApiService.getBilling(this.organizationId);
       this.sub = await this.organizationApiService.getSubscription(this.organizationId);
       this.taxInformation = await this.organizationApiService.getTaxInfo(this.organizationId);
-    } else {
+    } else if (!this.selfHosted) {
       this.taxInformation = await this.apiService.getTaxInfo();
     }
 
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
index 2a2ae73227a..1cbe57a7082 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts
@@ -16,7 +16,7 @@ import {
 import { OrgDomainApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction";
 import { OrgDomainServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain.service.abstraction";
 import { OrganizationDomainResponse } from "@bitwarden/common/admin-console/abstractions/organization-domain/responses/organization-domain.response";
-import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { HttpStatusCode } from "@bitwarden/common/enums";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
@@ -54,7 +54,7 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
     private validationService: ValidationService,
     private toastService: ToastService,
     private configService: ConfigService,
-    private policyApiService: PolicyApiServiceAbstraction,
+    private policyService: PolicyService,
   ) {
     this.accountDeprovisioningEnabled$ = this.configService.getFeatureFlag$(
       FeatureFlag.AccountDeprovisioning,
@@ -83,9 +83,14 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
     await this.orgDomainApiService.getAllByOrgId(this.organizationId);
 
     if (await this.configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning)) {
-      const singleOrgPolicy = await this.policyApiService.getPolicy(
-        this.organizationId,
-        PolicyType.SingleOrg,
+      const singleOrgPolicy = await firstValueFrom(
+        this.policyService.policies$.pipe(
+          map((policies) =>
+            policies.find(
+              (p) => p.type === PolicyType.SingleOrg && p.organizationId === this.organizationId,
+            ),
+          ),
+        ),
       );
       this.singleOrgPolicyEnabled = singleOrgPolicy?.enabled ?? false;
     }
diff --git a/libs/admin-console/src/common/collections/services/default-vnext-collection.service.spec.ts b/libs/admin-console/src/common/collections/services/default-vnext-collection.service.spec.ts
index 4aa54429aad..048a4733948 100644
--- a/libs/admin-console/src/common/collections/services/default-vnext-collection.service.spec.ts
+++ b/libs/admin-console/src/common/collections/services/default-vnext-collection.service.spec.ts
@@ -91,7 +91,7 @@ describe("DefaultvNextCollectionService", () => {
 
       // Assert emitted values
       expect(result.length).toBe(2);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         {
           id: collection1.id,
           name: "DEC_NAME_" + collection1.id,
@@ -167,7 +167,7 @@ describe("DefaultvNextCollectionService", () => {
       const result = await firstValueFrom(collectionService.encryptedCollections$(userId));
 
       expect(result.length).toBe(2);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         {
           id: collection1.id,
           name: makeEncString("ENC_NAME_" + collection1.id),
@@ -205,7 +205,7 @@ describe("DefaultvNextCollectionService", () => {
 
       const result = await firstValueFrom(collectionService.encryptedCollections$(userId));
       expect(result.length).toBe(3);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         {
           id: collection1.id,
           name: makeEncString("UPDATED_ENC_NAME_" + collection1.id),
@@ -230,7 +230,7 @@ describe("DefaultvNextCollectionService", () => {
 
       const result = await firstValueFrom(collectionService.encryptedCollections$(userId));
       expect(result.length).toBe(1);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         {
           id: collection1.id,
           name: makeEncString("ENC_NAME_" + collection1.id),
@@ -253,7 +253,7 @@ describe("DefaultvNextCollectionService", () => {
 
       const result = await firstValueFrom(collectionService.encryptedCollections$(userId));
       expect(result.length).toBe(1);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         {
           id: newCollection3.id,
           name: makeEncString("ENC_NAME_" + newCollection3.id),
diff --git a/libs/admin-console/test.setup.ts b/libs/admin-console/test.setup.ts
index 6be6e7b8dd1..8ab102f2cf4 100644
--- a/libs/admin-console/test.setup.ts
+++ b/libs/admin-console/test.setup.ts
@@ -1,6 +1,10 @@
 import { webcrypto } from "crypto";
+
+import { addCustomMatchers } from "@bitwarden/common/spec";
 import "jest-preset-angular/setup-jest";
 
+addCustomMatchers();
+
 Object.defineProperty(window, "CSS", { value: null });
 Object.defineProperty(window, "getComputedStyle", {
   value: () => {
diff --git a/libs/admin-console/tsconfig.json b/libs/admin-console/tsconfig.json
index 3d22cb2ec51..4f057fd6af0 100644
--- a/libs/admin-console/tsconfig.json
+++ b/libs/admin-console/tsconfig.json
@@ -8,6 +8,6 @@
       "@bitwarden/key-management": ["../key-management/src"]
     }
   },
-  "include": ["src", "spec"],
+  "include": ["src", "spec", "../../libs/common/custom-matchers.d.ts"],
   "exclude": ["node_modules", "dist"]
 }
diff --git a/libs/common/spec/matchers/index.ts b/libs/common/spec/matchers/index.ts
index 44440be5b54..b2e09cc8e92 100644
--- a/libs/common/spec/matchers/index.ts
+++ b/libs/common/spec/matchers/index.ts
@@ -1,16 +1,12 @@
-import * as matchers from "jest-extended";
-
 import { toBeFulfilled, toBeResolved, toBeRejected } from "./promise-fulfilled";
 import { toAlmostEqual } from "./to-almost-equal";
+import { toContainPartialObjects } from "./to-contain-partial-objects";
 import { toEqualBuffer } from "./to-equal-buffer";
 
 export * from "./to-equal-buffer";
 export * from "./to-almost-equal";
 export * from "./promise-fulfilled";
 
-// add all jest-extended matchers
-expect.extend(matchers);
-
 export function addCustomMatchers() {
   expect.extend({
     toEqualBuffer: toEqualBuffer,
@@ -18,6 +14,7 @@ export function addCustomMatchers() {
     toBeFulfilled: toBeFulfilled,
     toBeResolved: toBeResolved,
     toBeRejected: toBeRejected,
+    toContainPartialObjects,
   });
 }
 
@@ -59,4 +56,9 @@ export interface CustomMatchers<R = unknown> {
    * @returns CustomMatcherResult indicating whether or not the test passed
    */
   toBeRejected(withinMs?: number): Promise<R>;
+  /**
+   * Matches if the received array contains all the expected objects using partial matching (expect.objectContaining).
+   * @param expected An array of partial objects that should be contained in the received array.
+   */
+  toContainPartialObjects<T>(expected: Array<T>): R;
 }
diff --git a/libs/common/spec/matchers/to-contain-partial-objects.spec.ts b/libs/common/spec/matchers/to-contain-partial-objects.spec.ts
new file mode 100644
index 00000000000..ab6f90adf17
--- /dev/null
+++ b/libs/common/spec/matchers/to-contain-partial-objects.spec.ts
@@ -0,0 +1,77 @@
+describe("toContainPartialObjects", () => {
+  describe("matches", () => {
+    it("if the array only contains the partial objects", () => {
+      const actual = [
+        {
+          id: 1,
+          name: "foo",
+        },
+        {
+          id: 2,
+          name: "bar",
+        },
+      ];
+
+      const expected = [{ id: 1 }, { id: 2 }];
+
+      expect(actual).toContainPartialObjects(expected);
+    });
+
+    it("if the array contains the partial objects and other objects", () => {
+      const actual = [
+        {
+          id: 1,
+          name: "foo",
+        },
+        {
+          id: 2,
+          name: "bar",
+        },
+        {
+          id: 3,
+          name: "baz",
+        },
+      ];
+
+      const expected = [{ id: 1 }, { id: 2 }];
+
+      expect(actual).toContainPartialObjects(expected);
+    });
+  });
+
+  describe("doesn't match", () => {
+    it("if the array does not contain any partial objects", () => {
+      const actual = [
+        {
+          id: 1,
+          name: "foo",
+        },
+        {
+          id: 2,
+          name: "bar",
+        },
+      ];
+
+      const expected = [{ id: 1, name: "Foo" }];
+
+      expect(actual).not.toContainPartialObjects(expected);
+    });
+
+    it("if the array contains some but not all partial objects", () => {
+      const actual = [
+        {
+          id: 1,
+          name: "foo",
+        },
+        {
+          id: 2,
+          name: "bar",
+        },
+      ];
+
+      const expected = [{ id: 2 }, { id: 3 }];
+
+      expect(actual).not.toContainPartialObjects(expected);
+    });
+  });
+});
diff --git a/libs/common/spec/matchers/to-contain-partial-objects.ts b/libs/common/spec/matchers/to-contain-partial-objects.ts
new file mode 100644
index 00000000000..f072ca6fba6
--- /dev/null
+++ b/libs/common/spec/matchers/to-contain-partial-objects.ts
@@ -0,0 +1,31 @@
+import { EOL } from "os";
+
+import { diff } from "jest-diff";
+
+export const toContainPartialObjects: jest.CustomMatcher = function (
+  received: Array<any>,
+  expected: Array<any>,
+) {
+  const matched = this.equals(
+    received,
+    expect.arrayContaining(expected.map((e) => expect.objectContaining(e))),
+  );
+
+  if (matched) {
+    return {
+      message: () =>
+        "Expected the received array NOT to include partial matches for all expected objects." +
+        EOL +
+        diff(expected, received),
+      pass: true,
+    };
+  }
+
+  return {
+    message: () =>
+      "Expected the received array to contain partial matches for all expected objects." +
+      EOL +
+      diff(expected, received),
+    pass: false,
+  };
+};
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index feffe2ca442..dde31acb9e3 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -13,6 +13,7 @@ export enum FeatureFlag {
   InlineMenuPositioningImprovements = "inline-menu-positioning-improvements",
   InlineMenuTotp = "inline-menu-totp",
   NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements",
+  NotificationRefresh = "notification-refresh",
   UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection",
 
   BrowserFilelessImport = "browser-fileless-import",
@@ -70,6 +71,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.InlineMenuPositioningImprovements]: FALSE,
   [FeatureFlag.InlineMenuTotp]: FALSE,
   [FeatureFlag.NotificationBarAddLoginImprovements]: FALSE,
+  [FeatureFlag.NotificationRefresh]: FALSE,
   [FeatureFlag.UseTreeWalkerApiForPageDetailsCollection]: FALSE,
 
   [FeatureFlag.BrowserFilelessImport]: FALSE,
diff --git a/libs/common/src/platform/state/implementations/default-derived-state.provider.ts b/libs/common/src/platform/state/implementations/default-derived-state.provider.ts
index 3c8c39e21e8..61f36fa0b75 100644
--- a/libs/common/src/platform/state/implementations/default-derived-state.provider.ts
+++ b/libs/common/src/platform/state/implementations/default-derived-state.provider.ts
@@ -8,7 +8,14 @@ import { DerivedStateProvider } from "../derived-state.provider";
 import { DefaultDerivedState } from "./default-derived-state";
 
 export class DefaultDerivedStateProvider implements DerivedStateProvider {
-  private cache: Record<string, DerivedState<unknown>> = {};
+  /**
+   * The cache uses a WeakMap to maintain separate derived states per user.
+   * Each user's state Observable acts as a unique key, without needing to
+   * pass around `userId`. Also, when a user's state Observable is cleaned up
+   * (like during an account swap) their cache is automatically garbage
+   * collected.
+   */
+  private cache = new WeakMap<Observable<unknown>, Record<string, DerivedState<unknown>>>();
 
   constructor() {}
 
@@ -17,8 +24,14 @@ export class DefaultDerivedStateProvider implements DerivedStateProvider {
     deriveDefinition: DeriveDefinition<TFrom, TTo, TDeps>,
     dependencies: TDeps,
   ): DerivedState<TTo> {
+    let stateCache = this.cache.get(parentState$);
+    if (!stateCache) {
+      stateCache = {};
+      this.cache.set(parentState$, stateCache);
+    }
+
     const cacheKey = deriveDefinition.buildCacheKey();
-    const existingDerivedState = this.cache[cacheKey];
+    const existingDerivedState = stateCache[cacheKey];
     if (existingDerivedState != null) {
       // I have to cast out of the unknown generic but this should be safe if rules
       // around domain token are made
@@ -26,7 +39,7 @@ export class DefaultDerivedStateProvider implements DerivedStateProvider {
     }
 
     const newDerivedState = this.buildDerivedState(parentState$, deriveDefinition, dependencies);
-    this.cache[cacheKey] = newDerivedState;
+    stateCache[cacheKey] = newDerivedState;
     return newDerivedState;
   }
 
diff --git a/libs/common/src/platform/state/implementations/default-derived-state.spec.ts b/libs/common/src/platform/state/implementations/default-derived-state.spec.ts
index 7e8d76bd203..6fcc1c408cb 100644
--- a/libs/common/src/platform/state/implementations/default-derived-state.spec.ts
+++ b/libs/common/src/platform/state/implementations/default-derived-state.spec.ts
@@ -9,6 +9,7 @@ import { DeriveDefinition } from "../derive-definition";
 import { StateDefinition } from "../state-definition";
 
 import { DefaultDerivedState } from "./default-derived-state";
+import { DefaultDerivedStateProvider } from "./default-derived-state.provider";
 
 let callCount = 0;
 const cleanupDelayMs = 10;
@@ -182,4 +183,29 @@ describe("DefaultDerivedState", () => {
       expect(await firstValueFrom(observable)).toEqual(new Date(newDate));
     });
   });
+
+  describe("account switching", () => {
+    let provider: DefaultDerivedStateProvider;
+
+    beforeEach(() => {
+      provider = new DefaultDerivedStateProvider();
+    });
+
+    it("should provide a dedicated cache for each account", async () => {
+      const user1State$ = new Subject<string>();
+      const user1Derived = provider.get(user1State$, deriveDefinition, deps);
+      const user1Emissions = trackEmissions(user1Derived.state$);
+
+      const user2State$ = new Subject<string>();
+      const user2Derived = provider.get(user2State$, deriveDefinition, deps);
+      const user2Emissions = trackEmissions(user2Derived.state$);
+
+      user1State$.next("2015-12-30");
+      user2State$.next("2020-12-29");
+      await awaitAsync();
+
+      expect(user1Emissions).toEqual([new Date("2015-12-30")]);
+      expect(user2Emissions).toEqual([new Date("2020-12-29")]);
+    });
+  });
 });
diff --git a/libs/common/src/platform/state/state-definitions.ts b/libs/common/src/platform/state/state-definitions.ts
index 1ed5227cb13..483a8c050d3 100644
--- a/libs/common/src/platform/state/state-definitions.ts
+++ b/libs/common/src/platform/state/state-definitions.ts
@@ -179,7 +179,6 @@ export const PREMIUM_BANNER_DISK_LOCAL = new StateDefinition("premiumBannerRepro
   web: "disk-local",
 });
 export const BANNERS_DISMISSED_DISK = new StateDefinition("bannersDismissed", "disk");
-export const VAULT_BROWSER_UI_ONBOARDING = new StateDefinition("vaultBrowserUiOnboarding", "disk");
 export const NEW_DEVICE_VERIFICATION_NOTICE = new StateDefinition(
   "newDeviceVerificationNotice",
   "disk",
diff --git a/libs/common/src/tools/cryptography/key-service-legacy-encryptor-provider.spec.ts b/libs/common/src/tools/cryptography/key-service-legacy-encryptor-provider.spec.ts
index 831cad74155..0b60aef4917 100644
--- a/libs/common/src/tools/cryptography/key-service-legacy-encryptor-provider.spec.ts
+++ b/libs/common/src/tools/cryptography/key-service-legacy-encryptor-provider.spec.ts
@@ -184,7 +184,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
 
       singleUserId$.complete();
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
 
     it("completes when `userKey$` emits a falsy value after emitting a truthy value", () => {
@@ -199,7 +199,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
 
       userKey$.next(null);
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
 
     it("completes once `dependencies.singleUserId$` emits and `userKey$` completes", () => {
@@ -214,7 +214,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
 
       userKey$.complete();
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
   });
 
@@ -445,7 +445,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
 
       singleOrganizationId$.complete();
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
 
     it("completes when `orgKeys$` emits a falsy value after emitting a truthy value", () => {
@@ -466,7 +466,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
       orgKey$.next(OrgRecords);
       orgKey$.next(null);
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
 
     it("completes once `dependencies.singleOrganizationId$` emits and `userKey$` completes", () => {
@@ -486,7 +486,7 @@ describe("KeyServiceLegacyEncryptorProvider", () => {
 
       orgKey$.complete();
 
-      expect(completed).toBeTrue();
+      expect(completed).toBe(true);
     });
   });
 });
diff --git a/libs/common/src/tools/extension/data.ts b/libs/common/src/tools/extension/data.ts
new file mode 100644
index 00000000000..cab6272a068
--- /dev/null
+++ b/libs/common/src/tools/extension/data.ts
@@ -0,0 +1,26 @@
+/** well-known name for a feature extensible through an extension. */
+export const Site = Object.freeze({
+  forwarder: "forwarder",
+} as const);
+
+/** well-known name for a field surfaced from an extension site to a vendor. */
+export const Field = Object.freeze({
+  token: "token",
+  baseUrl: "baseUrl",
+  domain: "domain",
+  prefix: "prefix",
+} as const);
+
+/** Permission levels for metadata. */
+export const Permission = Object.freeze({
+  /** unless a rule denies access, allow it. If a permission is `null`
+   * or `undefined` it should be treated as `Permission.default`.
+   */
+  default: "default",
+  /** unless a rule allows access, deny it. */
+  none: "none",
+  /** access is explicitly granted to use an extension. */
+  allow: "allow",
+  /** access is explicitly prohibited for this extension. This rule overrides allow rules. */
+  deny: "deny",
+} as const);
diff --git a/libs/common/src/tools/extension/extension-registry.abstraction.ts b/libs/common/src/tools/extension/extension-registry.abstraction.ts
new file mode 100644
index 00000000000..7734c01ea50
--- /dev/null
+++ b/libs/common/src/tools/extension/extension-registry.abstraction.ts
@@ -0,0 +1,104 @@
+import { ExtensionSite } from "./extension-site";
+import {
+  ExtensionMetadata,
+  ExtensionSet,
+  ExtensionPermission,
+  SiteId,
+  SiteMetadata,
+  VendorId,
+  VendorMetadata,
+} from "./type";
+
+/** Tracks extension sites and the vendors that extend them. */
+export abstract class ExtensionRegistry {
+  /** Registers a site supporting extensibility.
+   *  Each site may only be registered once. Calls after the first for
+   *  the same SiteId have no effect.
+   *  @param site identifies the site being extended
+   *  @param meta configures the extension site
+   *  @return self for method chaining.
+   *  @remarks The registry initializes with a set of allowed sites and fields.
+   *  `registerSite` drops a registration and trims its allowed fields to only
+   *  those indicated in the allow list.
+   */
+  abstract registerSite: (meta: SiteMetadata) => this;
+
+  /** List all registered extension sites with their extension permission, if any.
+   *  @returns a list of all extension sites. `permission` is defined when the site
+   *    is associated with an extension permission.
+   */
+  abstract sites: () => { site: SiteMetadata; permission?: ExtensionPermission }[];
+
+  /** Get a site's metadata
+   *  @param site identifies a site registration
+   *  @return the site's metadata or `undefined` if the site isn't registered.
+   */
+  abstract site: (site: SiteId) => SiteMetadata | undefined;
+
+  /** Registers a vendor providing an extension.
+   *  Each vendor may only be registered once. Calls after the first for
+   *  the same VendorId have no effect.
+   *  @param site - identifies the site being extended
+   *  @param meta - configures the extension site
+   *  @return self for method chaining.
+   */
+  abstract registerVendor: (meta: VendorMetadata) => this;
+
+  /** List all registered vendors with their permissions, if any.
+   *  @returns a list of all extension sites. `permission` is defined when the site
+   *    is associated with an extension permission.
+   */
+  abstract vendors: () => { vendor: VendorMetadata; permission?: ExtensionPermission }[];
+
+  /** Get a vendor's metadata
+   *  @param site identifies a vendor registration
+   *  @return the vendor's metadata or `undefined` if the vendor isn't registered.
+   */
+  abstract vendor: (vendor: VendorId) => VendorMetadata | undefined;
+
+  /** Registers an extension provided by a vendor to an extension site.
+   *  The vendor and site MUST be registered before the extension.
+   *  Each extension may only be registered once. Calls after the first for
+   *  the same SiteId and VendorId have no effect.
+   *  @param site - identifies the site being extended
+   *  @param meta - configures the extension site
+   *  @return self for method chaining.
+   */
+  abstract registerExtension: (meta: ExtensionMetadata) => this;
+
+  /** Get an extensions metadata
+   *  @param site identifies the extension's site
+   *  @param vendor identifies the extension's vendor
+   *  @return the extension's metadata or `undefined` if the extension isn't registered.
+   */
+  abstract extension: (site: SiteId, vendor: VendorId) => ExtensionMetadata | undefined;
+
+  /** List all registered extensions and their permissions */
+  abstract extensions: () => ReadonlyArray<{
+    extension: ExtensionMetadata;
+    permissions: ExtensionPermission[];
+  }>;
+
+  /** Registers a permission. Only 1 permission can be registered for each extension set.
+   *  Calls after the first *replace* the registered permission.
+   *  @param set the collection of extensions affected by the permission
+   *  @param permission the permission for the collection
+   *  @return self for method chaining.
+   */
+  abstract setPermission: (set: ExtensionSet, permission: ExtensionPermission) => this;
+
+  /** Retrieves the current permission for the given extension set or `undefined` if
+   *  a permission doesn't exist.
+   */
+  abstract permission: (set: ExtensionSet) => ExtensionPermission | undefined;
+
+  /** Returns all registered extension rules. */
+  abstract permissions: () => { set: ExtensionSet; permission: ExtensionPermission }[];
+
+  /** Creates a point-in-time snapshot of the registry's contents with extension
+   *  permissions applied for the provided SiteId.
+   *  @param id identifies the extension site to create.
+   *  @returns the extension site, or `undefined` if the site is not registered.
+   */
+  abstract build: (id: SiteId) => ExtensionSite | undefined;
+}
diff --git a/libs/common/src/tools/extension/extension-site.ts b/libs/common/src/tools/extension/extension-site.ts
new file mode 100644
index 00000000000..e8aba008493
--- /dev/null
+++ b/libs/common/src/tools/extension/extension-site.ts
@@ -0,0 +1,20 @@
+import { deepFreeze } from "../util";
+
+import { ExtensionMetadata, SiteMetadata, VendorId } from "./type";
+
+/** Describes the capabilities of an extension site.
+ *  This type is immutable.
+ */
+export class ExtensionSite {
+  /** instantiate the extension site
+   *  @param site describes the extension site
+   *  @param vendors describes the available vendors
+   *  @param extensions describes the available extensions
+   */
+  constructor(
+    readonly site: Readonly<SiteMetadata>,
+    readonly extensions: ReadonlyMap<VendorId, Readonly<ExtensionMetadata>>,
+  ) {
+    deepFreeze(this);
+  }
+}
diff --git a/libs/common/src/tools/extension/factory.ts b/libs/common/src/tools/extension/factory.ts
new file mode 100644
index 00000000000..10ebc77804a
--- /dev/null
+++ b/libs/common/src/tools/extension/factory.ts
@@ -0,0 +1,24 @@
+import { DefaultFields, DefaultSites, Extension } from "./metadata";
+import { RuntimeExtensionRegistry } from "./runtime-extension-registry";
+import { VendorExtensions, Vendors } from "./vendor";
+
+// FIXME: find a better way to build the registry than a hard-coded factory function
+
+/** Constructs the extension registry */
+export function buildExtensionRegistry() {
+  const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+  for (const site of Reflect.ownKeys(Extension) as string[]) {
+    registry.registerSite(Extension[site]);
+  }
+
+  for (const vendor of Vendors) {
+    registry.registerVendor(vendor);
+  }
+
+  for (const extension of VendorExtensions) {
+    registry.registerExtension(extension);
+  }
+
+  return registry;
+}
diff --git a/libs/common/src/tools/extension/index.ts b/libs/common/src/tools/extension/index.ts
new file mode 100644
index 00000000000..e786dde4f59
--- /dev/null
+++ b/libs/common/src/tools/extension/index.ts
@@ -0,0 +1,12 @@
+export { Site, Field, Permission } from "./data";
+export {
+  SiteId,
+  FieldId,
+  VendorId,
+  ExtensionId,
+  ExtensionPermission,
+  SiteMetadata,
+  ExtensionMetadata,
+  VendorMetadata,
+} from "./type";
+export { ExtensionSite } from "./extension-site";
diff --git a/libs/common/src/tools/extension/metadata.ts b/libs/common/src/tools/extension/metadata.ts
new file mode 100644
index 00000000000..895b1d1b31f
--- /dev/null
+++ b/libs/common/src/tools/extension/metadata.ts
@@ -0,0 +1,17 @@
+import { Field, Site, Permission } from "./data";
+import { FieldId, SiteId, SiteMetadata } from "./type";
+
+export const DefaultSites: SiteId[] = Object.freeze(Object.keys(Site) as any);
+
+export const DefaultFields: FieldId[] = Object.freeze(Object.keys(Field) as any);
+
+export const Extension: Record<string, SiteMetadata> = {
+  [Site.forwarder]: {
+    id: Site.forwarder,
+    availableFields: [Field.baseUrl, Field.domain, Field.prefix, Field.token],
+  },
+};
+
+export const AllowedPermissions: ReadonlyArray<keyof typeof Permission> = Object.freeze(
+  Object.values(Permission),
+);
diff --git a/libs/common/src/tools/extension/runtime-extension-registry.spec.ts b/libs/common/src/tools/extension/runtime-extension-registry.spec.ts
new file mode 100644
index 00000000000..6aa7382db57
--- /dev/null
+++ b/libs/common/src/tools/extension/runtime-extension-registry.spec.ts
@@ -0,0 +1,923 @@
+import { deepFreeze } from "../util";
+
+import { Field, Site, Permission } from "./data";
+import { ExtensionSite } from "./extension-site";
+import { DefaultFields, DefaultSites } from "./metadata";
+import { RuntimeExtensionRegistry } from "./runtime-extension-registry";
+import { ExtensionMetadata, SiteId, SiteMetadata, VendorMetadata } from "./type";
+import { Bitwarden } from "./vendor/bitwarden";
+
+// arbitrary test entities
+const SomeSiteId: SiteId = Site.forwarder;
+
+const SomeSite: SiteMetadata = Object.freeze({
+  id: SomeSiteId,
+  availableFields: [],
+});
+
+const SomeVendor = Bitwarden;
+const SomeVendorId = SomeVendor.id;
+const SomeExtension: ExtensionMetadata = deepFreeze({
+  site: SomeSite,
+  product: { vendor: SomeVendor, name: "Some Product" },
+  host: { authorization: "bearer", selfHost: "maybe", baseUrl: "https://vault.bitwarden.com" },
+  requestedFields: [],
+});
+
+const JustTrustUs: VendorMetadata = Object.freeze({
+  id: "justrustus" as any,
+  name: "JustTrust.Us",
+});
+const JustTrustUsExtension: ExtensionMetadata = deepFreeze({
+  site: SomeSite,
+  product: { vendor: JustTrustUs },
+  host: { authorization: "bearer", selfHost: "maybe", baseUrl: "https://justrust.us" },
+  requestedFields: [],
+});
+
+// In the following tests, not-null assertions (`!`) indicate that
+// the returned object should never be null or undefined given
+// the conditions defined within the test case
+describe("RuntimeExtensionRegistry", () => {
+  describe("registerSite", () => {
+    it("registers an extension site", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+
+      const result = registry.registerSite(SomeSite).site(SomeSiteId);
+
+      expect(result).toEqual(SomeSite);
+    });
+
+    it("interns the site", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+
+      const result = registry.registerSite(SomeSite).site(SomeSiteId);
+
+      expect(result).not.toBe(SomeSite);
+    });
+
+    it("registers an extension site with fields", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      const site: SiteMetadata = {
+        ...SomeSite,
+        availableFields: [Field.baseUrl],
+      };
+
+      const result = registry.registerSite(site).site(SomeSiteId);
+
+      expect(result).toEqual(site);
+    });
+
+    it("ignores unavailable sites", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const ignored: SiteMetadata = {
+        id: "an-unavailable-site" as any,
+        availableFields: [],
+      };
+
+      const result = registry.registerSite(ignored).sites();
+
+      expect(result).toEqual([]);
+    });
+
+    it("ignores duplicate registrations", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      const ignored: SiteMetadata = {
+        ...SomeSite,
+        availableFields: [Field.token],
+      };
+
+      const result = registry.registerSite(SomeSite).registerSite(ignored).site(SomeSiteId);
+
+      expect(result).toEqual(SomeSite);
+    });
+
+    it("ignores unknown available fields", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      const ignored: SiteMetadata = {
+        ...SomeSite,
+        availableFields: [SomeSite.availableFields, "ignored" as any],
+      };
+
+      const { availableFields } = registry.registerSite(ignored).site(SomeSiteId)!;
+
+      expect(availableFields).toEqual(SomeSite.availableFields);
+    });
+
+    it("freezes the site definition", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      const site = registry.registerSite(SomeSite).site(SomeSiteId)!;
+
+      // reassigning `availableFields` throws b/c the object is frozen
+      expect(() => (site.availableFields = [Field.domain])).toThrow();
+    });
+  });
+
+  describe("site", () => {
+    it("returns `undefined` for an unknown site", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+      const result = registry.site(SomeSiteId);
+
+      expect(result).toBeUndefined();
+    });
+
+    it("returns the same result when called repeatedly", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      registry.registerSite(SomeSite);
+
+      const first = registry.site(SomeSiteId);
+      const second = registry.site(SomeSiteId);
+
+      expect(first).toBe(second);
+    });
+  });
+
+  describe("sites", () => {
+    it("lists registered sites", () => {
+      const registry = new RuntimeExtensionRegistry([SomeSiteId, "bar"] as any[], DefaultFields);
+      const barSite: SiteMetadata = {
+        id: "bar" as any,
+        availableFields: [],
+      };
+
+      const result = registry.registerSite(SomeSite).registerSite(barSite).sites();
+
+      expect(result.some(({ site }) => site.id === SomeSiteId)).toBe(true);
+      expect(result.some(({ site }) => site.id === barSite.id)).toBe(true);
+    });
+
+    it("includes permissions for a site", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+      const result = registry
+        .registerSite(SomeSite)
+        .setPermission({ site: SomeSite.id }, Permission.allow)
+        .sites();
+
+      expect(result).toEqual([{ site: SomeSite, permission: Permission.allow }]);
+    });
+
+    it("ignores duplicate registrations", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      const ignored: SiteMetadata = {
+        ...SomeSite,
+        availableFields: [Field.token],
+      };
+
+      const result = registry.registerSite(SomeSite).registerSite(ignored).sites();
+
+      expect(result).toEqual([{ site: SomeSite }]);
+    });
+
+    it("ignores permissions for other sites", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+      const result = registry
+        .registerSite(SomeSite)
+        .setPermission({ site: SomeSite.id }, Permission.allow)
+        .setPermission({ site: "bar" as any }, Permission.deny)
+        .sites();
+
+      expect(result).toEqual([{ site: SomeSite, permission: Permission.allow }]);
+    });
+  });
+
+  describe("registerVendor", () => {
+    it("registers a vendor", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const result = registry.registerVendor(SomeVendor).vendors();
+
+      expect(result).toEqual([{ vendor: SomeVendor }]);
+    });
+
+    it("freezes the vendor definition", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      // copy `SomeVendor` because it is already frozen
+      const original: VendorMetadata = { ...SomeVendor };
+
+      const [{ vendor }] = registry.registerVendor(original).vendors();
+
+      // reassigning `name` throws b/c the object is frozen
+      expect(() => (vendor.name = "Bytewarden")).toThrow();
+    });
+  });
+
+  describe("vendor", () => {
+    it("returns `undefined` for an unknown site", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+
+      const result = registry.vendor(SomeVendorId);
+
+      expect(result).toBeUndefined();
+    });
+
+    it("returns the same result when called repeatedly", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      registry.registerVendor(SomeVendor);
+
+      const first = registry.vendor(SomeVendorId);
+      const second = registry.vendor(SomeVendorId);
+
+      expect(first).toBe(second);
+    });
+  });
+
+  describe("vendors", () => {
+    it("lists registered vendors", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      registry.registerVendor(SomeVendor).registerVendor(JustTrustUs);
+
+      const result = registry.vendors();
+
+      expect(result.some(({ vendor }) => vendor.id === SomeVendorId)).toBe(true);
+      expect(result.some(({ vendor }) => vendor.id === JustTrustUs.id)).toBe(true);
+    });
+
+    it("includes permissions for a vendor", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+
+      const result = registry
+        .registerVendor(SomeVendor)
+        .setPermission({ vendor: SomeVendorId }, Permission.allow)
+        .vendors();
+
+      expect(result).toEqual([{ vendor: SomeVendor, permission: Permission.allow }]);
+    });
+
+    it("ignores duplicate registrations", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const vendor: VendorMetadata = SomeVendor;
+      const ignored: VendorMetadata = {
+        ...SomeVendor,
+        name: "Duplicate",
+      };
+
+      const result = registry.registerVendor(vendor).registerVendor(ignored).vendors();
+
+      expect(result).toEqual([{ vendor }]);
+    });
+
+    it("ignores permissions for other sites", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+      registry.registerVendor(SomeVendor).setPermission({ vendor: SomeVendorId }, Permission.allow);
+
+      const result = registry.setPermission({ vendor: JustTrustUs.id }, Permission.deny).vendors();
+
+      expect(result).toEqual([{ vendor: SomeVendor, permission: Permission.allow }]);
+    });
+  });
+
+  describe("setPermission", () => {
+    it("sets the all permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { all: true } as const;
+
+      const permission = registry.setPermission(target, Permission.allow).permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("sets a vendor permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { vendor: SomeVendorId };
+
+      const permission = registry.setPermission(target, Permission.allow).permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("sets a site permission", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      const target = { site: SomeSiteId };
+
+      const permission = registry.setPermission(target, Permission.allow).permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("ignores a site permission unless it is in the allowed sites list", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { site: SomeSiteId };
+
+      const permission = registry.setPermission(target, Permission.allow).permission(target);
+
+      expect(permission).toBeUndefined();
+    });
+
+    it("throws when a permission is invalid", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+
+      expect(() => registry.setPermission({ all: true }, "invalid" as any)).toThrow();
+    });
+
+    it("throws when the extension set is the wrong type", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { invalid: "invalid" } as any;
+
+      expect(() => registry.setPermission(target, Permission.allow)).toThrow();
+    });
+  });
+
+  describe("permission", () => {
+    it("gets the default all permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { all: true } as const;
+
+      const permission = registry.permission(target);
+
+      expect(permission).toEqual(Permission.default);
+    });
+
+    it("gets an all permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { all: true } as const;
+      registry.setPermission(target, Permission.none);
+
+      const permission = registry.permission(target);
+
+      expect(permission).toEqual(Permission.none);
+    });
+
+    it("gets a vendor permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { vendor: SomeVendorId };
+      registry.setPermission(target, Permission.allow);
+
+      const permission = registry.permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("gets a site permission", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      const target = { site: SomeSiteId };
+      registry.setPermission(target, Permission.allow);
+
+      const permission = registry.permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("gets a vendor permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { vendor: SomeVendorId };
+      registry.setPermission(target, Permission.allow);
+
+      const permission = registry.permission(target);
+
+      expect(permission).toEqual(Permission.allow);
+    });
+
+    it("returns undefined when the extension set is the wrong type", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      const target = { invalid: "invalid" } as any;
+
+      const permission = registry.permission(target);
+
+      expect(permission).toBeUndefined();
+    });
+  });
+
+  describe("permissions", () => {
+    it("returns a default all permission by default", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+
+      const permission = registry.permissions();
+
+      expect(permission).toEqual([{ set: { all: true }, permission: Permission.default }]);
+    });
+
+    it("returns the all permission", () => {
+      const registry = new RuntimeExtensionRegistry([], []);
+      registry.setPermission({ all: true }, Permission.none);
+
+      const permission = registry.permissions();
+
+      expect(permission).toEqual([{ set: { all: true }, permission: Permission.none }]);
+    });
+
+    it("includes site permissions", () => {
+      const registry = new RuntimeExtensionRegistry([SomeSiteId, "bar"] as any[], DefaultFields);
+      registry.registerSite(SomeSite).setPermission({ site: SomeSiteId }, Permission.allow);
+      registry
+        .registerSite({
+          id: "bar" as any,
+          availableFields: [],
+        })
+        .setPermission({ site: "bar" as any }, Permission.deny);
+
+      const result = registry.permissions();
+
+      expect(
+        result.some((p: any) => p.set.site === SomeSiteId && p.permission === Permission.allow),
+      ).toBe(true);
+      expect(
+        result.some((p: any) => p.set.site === "bar" && p.permission === Permission.deny),
+      ).toBe(true);
+    });
+
+    it("includes vendor permissions", () => {
+      const registry = new RuntimeExtensionRegistry([], DefaultFields);
+      registry.registerVendor(SomeVendor).setPermission({ vendor: SomeVendorId }, Permission.allow);
+      registry
+        .registerVendor(JustTrustUs)
+        .setPermission({ vendor: JustTrustUs.id }, Permission.deny);
+
+      const result = registry.permissions();
+
+      expect(
+        result.some((p: any) => p.set.vendor === SomeVendorId && p.permission === Permission.allow),
+      ).toBe(true);
+      expect(
+        result.some(
+          (p: any) => p.set.vendor === JustTrustUs.id && p.permission === Permission.deny,
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("registerExtension", () => {
+    it("registers an extension", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite).registerVendor(SomeVendor);
+
+      const result = registry.registerExtension(SomeExtension).extension(SomeSiteId, SomeVendorId);
+
+      expect(result).toEqual(SomeExtension);
+    });
+
+    it("ignores extensions with nonregistered sites", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerVendor(SomeVendor);
+
+      // precondition: the site is not registered
+      expect(registry.site(SomeSiteId)).toBeUndefined();
+
+      const result = registry.registerExtension(SomeExtension).extension(SomeSiteId, SomeVendorId);
+
+      expect(result).toBeUndefined();
+    });
+
+    it("ignores extensions with nonregistered vendors", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite);
+
+      // precondition: the vendor is not registered
+      expect(registry.vendor(SomeVendorId)).toBeUndefined();
+
+      const result = registry.registerExtension(SomeExtension).extension(SomeSiteId, SomeVendorId);
+
+      expect(result).toBeUndefined();
+    });
+
+    it("ignores repeated extensions with nonregistered vendors", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite).registerVendor(SomeVendor).registerExtension(SomeExtension);
+
+      // precondition: the vendor is already registered
+      expect(registry.extension(SomeSiteId, SomeVendorId)).toBeDefined();
+
+      const result = registry
+        .registerExtension({
+          ...SomeExtension,
+          requestedFields: [Field.domain],
+        })
+        .extension(SomeSiteId, SomeVendorId);
+
+      expect(result).toEqual(SomeExtension);
+    });
+
+    it("interns site metadata", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite).registerVendor(SomeVendor);
+
+      const internedSite = registry.site(SomeSiteId);
+      const result = registry.registerExtension(SomeExtension).extension(SomeSiteId, SomeVendorId)!;
+
+      expect(result.site).toBe(internedSite);
+    });
+
+    it("interns vendor metadata", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite).registerVendor(SomeVendor);
+
+      const internedVendor = registry.vendor(SomeVendorId);
+      const result = registry.registerExtension(SomeExtension).extension(SomeSiteId, SomeVendorId)!;
+
+      expect(result.product.vendor).toBe(internedVendor);
+    });
+
+    it("freezes the extension metadata", () => {
+      const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+      registry.registerSite(SomeSite).registerVendor(SomeVendor).registerExtension(SomeExtension);
+      const extension = registry.extension(SomeSiteId, SomeVendorId)!;
+
+      // field assignments & mutation functions throw b/c the object is frozen
+      expect(() => ((extension.site as any) = SomeSite)).toThrow();
+      expect(() => ((extension.product.vendor as any) = SomeVendor)).toThrow();
+      expect(() => ((extension.product.name as any) = "SomeVendor")).toThrow();
+      expect(() => ((extension.host as any) = {})).toThrow();
+      expect(() => ((extension.host.selfHost as any) = {})).toThrow();
+      expect(() => ((extension.host as any).authorization = "basic")).toThrow();
+      expect(() => ((extension.host as any).baseUrl = "https://www.example.com")).toThrow();
+      expect(() => ((extension.requestedFields as any) = [Field.baseUrl])).toThrow();
+      expect(() => (extension.requestedFields as any).push(Field.baseUrl)).toThrow();
+    });
+  });
+
+  describe("extension", () => {
+    describe("extension", () => {
+      it("returns `undefined` for an unknown extension", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+        const result = registry.extension(SomeSiteId, SomeVendorId);
+
+        expect(result).toBeUndefined();
+      });
+
+      it("interns the extension", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+        registry.registerSite(SomeSite).registerVendor(SomeVendor).registerExtension(SomeExtension);
+
+        const first = registry.extension(SomeSiteId, SomeVendorId);
+        const second = registry.extension(SomeSiteId, SomeVendorId);
+
+        expect(first).toBe(second);
+      });
+    });
+
+    describe("extensions", () => {
+      it("lists registered extensions", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+        registry.registerSite(SomeSite);
+        registry.registerVendor(SomeVendor).registerExtension(SomeExtension);
+        registry.registerVendor(JustTrustUs).registerExtension(JustTrustUsExtension);
+
+        const result = registry.extensions();
+
+        expect(
+          result.some(
+            ({ extension }) =>
+              extension.site.id === SomeSiteId && extension.product.vendor.id === SomeVendorId,
+          ),
+        ).toBe(true);
+        expect(
+          result.some(
+            ({ extension }) =>
+              extension.site.id === SomeSiteId && extension.product.vendor.id === JustTrustUs.id,
+          ),
+        ).toBe(true);
+      });
+
+      it("includes permissions for extensions", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+        registry
+          .registerSite(SomeSite)
+          .registerVendor(SomeVendor)
+          .registerExtension(SomeExtension)
+          .setPermission({ vendor: SomeVendorId }, Permission.allow);
+
+        const result = registry.extensions();
+
+        expect(
+          result.some(
+            ({ extension, permissions }) =>
+              extension.site.id === SomeSiteId &&
+              extension.product.vendor.id === SomeVendorId &&
+              permissions.includes(Permission.allow),
+          ),
+        ).toBe(true);
+      });
+    });
+
+    describe("build", () => {
+      it("builds an empty extension site when no extensions are registered", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+        registry.registerSite(SomeSite).registerVendor(SomeVendor);
+
+        const result = registry.build(SomeSiteId)!;
+
+        expect(result.extensions.size).toBe(0);
+      });
+
+      it("builds an extension site with all registered extensions", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+        registry.registerSite(SomeSite).registerVendor(SomeVendor).registerExtension(SomeExtension);
+        const expected = registry.extension(SomeSiteId, SomeVendorId);
+
+        const result = registry.build(SomeSiteId)!;
+
+        expect(result).toBeInstanceOf(ExtensionSite);
+        expect(result.extensions.get(SomeVendorId)).toBe(expected);
+      });
+
+      it("returns `undefined` for an unknown site", () => {
+        const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+
+        const result = registry.build(SomeSiteId);
+
+        expect(result).toBeUndefined();
+      });
+
+      describe("when the all permission is `default`", () => {
+        const allPermission = Permission.default;
+
+        it("builds an extension site with all registered extensions", () => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension)
+            .setPermission({ all: true }, Permission.default);
+          const expected = registry.extension(SomeSiteId, SomeVendorId);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result.extensions.get(SomeVendorId)).toBe(expected);
+        });
+
+        it.each([[Permission.default], [Permission.allow]])(
+          "includes sites with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ site: SomeSiteId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+          },
+        );
+
+        it.each([[Permission.none], [Permission.deny]])(
+          "ignores sites with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ site: SomeSiteId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+
+        it.each([[Permission.default], [Permission.allow]])(
+          "includes vendors with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ vendor: SomeVendorId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+          },
+        );
+
+        it.each([[Permission.none], [Permission.deny]])(
+          "ignores vendors with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ vendor: SomeVendorId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+      });
+
+      describe("when the all permission is `none`", () => {
+        const allPermission = Permission.none;
+
+        it("builds an empty extension site", () => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension)
+            .setPermission({ all: true }, Permission.none);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result).toBeInstanceOf(ExtensionSite);
+          expect(result.extensions.size).toBe(0);
+        });
+
+        it.each([[Permission.allow]])("includes sites with `%p` permission", (permission) => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension);
+          registry.setPermission({ all: true }, allPermission);
+          registry.setPermission({ site: SomeSiteId }, permission);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+        });
+
+        it.each([[Permission.default], [Permission.none], [Permission.deny]])(
+          "ignores sites with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ site: SomeSiteId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+
+        it.each([[Permission.allow]])("includes vendors with `%p` permission", (permission) => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension);
+          registry.setPermission({ all: true }, allPermission);
+          registry.setPermission({ vendor: SomeVendorId }, permission);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+        });
+
+        it.each([[Permission.default], [Permission.none], [Permission.deny]])(
+          "ignores vendors with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ vendor: SomeVendorId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+      });
+
+      describe("when the all permission is `allow`", () => {
+        const allPermission = Permission.allow;
+
+        it("builds an extension site with all registered extensions", () => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension)
+            .setPermission({ all: true }, Permission.default);
+          const expected = registry.extension(SomeSiteId, SomeVendorId);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result).toBeInstanceOf(ExtensionSite);
+          expect(result.extensions.get(SomeVendorId)).toBe(expected);
+        });
+
+        it.each([[Permission.default], [Permission.none], [Permission.allow]])(
+          "includes sites with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ site: SomeSiteId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+          },
+        );
+
+        it.each([[Permission.deny]])("ignores sites with `%p` permission", (permission) => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension);
+          registry.setPermission({ all: true }, allPermission);
+          registry.setPermission({ site: SomeSiteId }, permission);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result.extensions.size).toBe(0);
+        });
+
+        it.each([[Permission.default], [Permission.none], [Permission.allow]])(
+          "includes vendors with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ vendor: SomeVendorId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.get(SomeVendorId)).toEqual(SomeExtension);
+          },
+        );
+
+        it.each([[Permission.deny]])("ignores vendors with `%p` permission", (permission) => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension);
+          registry.setPermission({ all: true }, allPermission);
+          registry.setPermission({ vendor: SomeVendorId }, permission);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result.extensions.size).toBe(0);
+        });
+      });
+
+      describe("when the all permission is `deny`", () => {
+        const allPermission = Permission.deny;
+
+        it("builds an empty extension site", () => {
+          const registry = new RuntimeExtensionRegistry(DefaultSites, DefaultFields);
+          registry
+            .registerSite(SomeSite)
+            .registerVendor(SomeVendor)
+            .registerExtension(SomeExtension)
+            .setPermission({ all: true }, Permission.deny);
+
+          const result = registry.build(SomeSiteId)!;
+
+          expect(result).toBeInstanceOf(ExtensionSite);
+          expect(result.extensions.size).toBe(0);
+        });
+
+        it.each([[Permission.default], [Permission.none], [Permission.allow], [Permission.deny]])(
+          "ignores sites with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ site: SomeSiteId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+
+        it.each([[Permission.default], [Permission.none], [Permission.allow], [Permission.deny]])(
+          "ignores vendors with `%p` permission",
+          (permission) => {
+            const registry = new RuntimeExtensionRegistry(DefaultSites, []);
+            registry
+              .registerSite(SomeSite)
+              .registerVendor(SomeVendor)
+              .registerExtension(SomeExtension);
+            registry.setPermission({ all: true }, allPermission);
+            registry.setPermission({ vendor: SomeVendorId }, permission);
+
+            const result = registry.build(SomeSiteId)!;
+
+            expect(result.extensions.size).toBe(0);
+          },
+        );
+      });
+    });
+  });
+});
diff --git a/libs/common/src/tools/extension/runtime-extension-registry.ts b/libs/common/src/tools/extension/runtime-extension-registry.ts
new file mode 100644
index 00000000000..1c630dcc915
--- /dev/null
+++ b/libs/common/src/tools/extension/runtime-extension-registry.ts
@@ -0,0 +1,286 @@
+import { deepFreeze } from "../util";
+
+import { ExtensionRegistry } from "./extension-registry.abstraction";
+import { ExtensionSite } from "./extension-site";
+import { AllowedPermissions } from "./metadata";
+import {
+  ExtensionMetadata,
+  ExtensionPermission,
+  ExtensionSet,
+  FieldId,
+  ProductMetadata,
+  SiteMetadata,
+  SiteId,
+  VendorId,
+  VendorMetadata,
+} from "./type";
+
+/** Tracks extension sites and the vendors that extend them in application memory. */
+export class RuntimeExtensionRegistry implements ExtensionRegistry {
+  /** Instantiates the extension registry
+   *  @param allowedSites sites that are valid for use by any extension;
+   *    this is most useful to disable an extension site that is only
+   *    available on a specific client.
+   *  @param allowedFields fields that are valid for use by any extension;
+   *    this is most useful to prohibit access to a field via policy.
+   */
+  constructor(
+    private readonly allowedSites: SiteId[],
+    private readonly allowedFields: FieldId[],
+  ) {
+    Object.freeze(this.allowedFields);
+    Object.freeze(this.allowedSites);
+  }
+
+  private allPermission: ExtensionPermission = "default";
+
+  private siteRegistrations = new Map<SiteId, SiteMetadata>();
+  private sitePermissions = new Map<SiteId, ExtensionPermission>();
+
+  private vendorRegistrations = new Map<VendorId, VendorMetadata>();
+  private vendorPermissions = new Map<VendorId, ExtensionPermission>();
+
+  private extensionRegistrations = new Array<ExtensionMetadata>();
+  private extensionsBySiteByVendor = new Map<SiteId, Map<VendorId, number>>();
+
+  registerSite(site: SiteMetadata): this {
+    if (!this.allowedSites.includes(site.id)) {
+      return this;
+    }
+
+    // verify requested fields are on the list of valid fields to expose to
+    // an extension
+    const availableFields = site.availableFields.filter((field) =>
+      this.allowedFields.includes(field),
+    );
+    const validated: SiteMetadata = deepFreeze({ id: site.id, availableFields });
+
+    if (!this.siteRegistrations.has(site.id)) {
+      this.siteRegistrations.set(site.id, validated);
+    }
+
+    return this;
+  }
+
+  site(site: SiteId): SiteMetadata | undefined {
+    const result = this.siteRegistrations.get(site);
+    return result;
+  }
+
+  sites() {
+    const sites: { site: SiteMetadata; permission?: ExtensionPermission }[] = [];
+
+    for (const [k, site] of this.siteRegistrations.entries()) {
+      const s: (typeof sites)[number] = { site };
+      const permission = this.sitePermissions.get(k);
+      if (permission) {
+        s.permission = permission;
+      }
+
+      sites.push(s);
+    }
+
+    return sites;
+  }
+
+  registerVendor(vendor: VendorMetadata): this {
+    if (!this.vendorRegistrations.has(vendor.id)) {
+      const frozen = deepFreeze(vendor);
+      this.vendorRegistrations.set(vendor.id, frozen);
+    }
+
+    return this;
+  }
+
+  vendor(vendor: VendorId): VendorMetadata | undefined {
+    const result = this.vendorRegistrations.get(vendor);
+    return result;
+  }
+
+  vendors() {
+    const vendors: { vendor: VendorMetadata; permission?: ExtensionPermission }[] = [];
+
+    for (const [k, vendor] of this.vendorRegistrations.entries()) {
+      const s: (typeof vendors)[number] = { vendor };
+      const permission = this.vendorPermissions.get(k);
+      if (permission) {
+        s.permission = permission;
+      }
+
+      vendors.push(s);
+    }
+
+    return vendors;
+  }
+
+  setPermission(set: ExtensionSet, permission: ExtensionPermission): this {
+    if (!AllowedPermissions.includes(permission)) {
+      throw new Error(`invalid extension permission: ${permission}`);
+    }
+
+    if ("all" in set && set.all) {
+      this.allPermission = permission;
+    } else if ("vendor" in set) {
+      this.vendorPermissions.set(set.vendor, permission);
+    } else if ("site" in set) {
+      if (this.allowedSites.includes(set.site)) {
+        this.sitePermissions.set(set.site, permission);
+      }
+    } else {
+      throw new Error(`Unrecognized extension set received: ${JSON.stringify(set)}.`);
+    }
+
+    return this;
+  }
+
+  permission(set: ExtensionSet) {
+    if ("all" in set && set.all) {
+      return this.allPermission;
+    } else if ("vendor" in set) {
+      return this.vendorPermissions.get(set.vendor);
+    } else if ("site" in set) {
+      return this.sitePermissions.get(set.site);
+    } else {
+      return undefined;
+    }
+  }
+
+  permissions() {
+    const rules: { set: ExtensionSet; permission: ExtensionPermission }[] = [];
+    rules.push({ set: { all: true }, permission: this.allPermission });
+
+    for (const [site, permission] of this.sitePermissions.entries()) {
+      rules.push({ set: { site }, permission });
+    }
+
+    for (const [vendor, permission] of this.vendorPermissions.entries()) {
+      rules.push({ set: { vendor }, permission });
+    }
+
+    return rules;
+  }
+
+  registerExtension(meta: ExtensionMetadata): this {
+    const site = this.siteRegistrations.get(meta.site.id);
+    const vendor = this.vendorRegistrations.get(meta.product.vendor.id);
+    if (!site || !vendor) {
+      return this;
+    }
+
+    // exit early if the extension is already registered
+    const extensionsByVendor =
+      this.extensionsBySiteByVendor.get(meta.site.id) ?? new Map<VendorId, number>();
+    if (extensionsByVendor.has(meta.product.vendor.id)) {
+      return this;
+    }
+
+    // create immutable copy; this updates the vendor and site with
+    // their internalized representation to provide reference equality
+    // across registrations
+    const product: ProductMetadata = { vendor };
+    if (meta.product.name) {
+      product.name = meta.product.name;
+    }
+    const extension: ExtensionMetadata = Object.freeze({
+      site,
+      product: Object.freeze(product),
+      host: Object.freeze({ ...meta.host }),
+      requestedFields: Object.freeze([...meta.requestedFields]),
+    });
+
+    // register it
+    const index = this.extensionRegistrations.push(extension) - 1;
+    extensionsByVendor.set(vendor.id, index);
+    this.extensionsBySiteByVendor.set(site.id, extensionsByVendor);
+
+    return this;
+  }
+
+  extension(site: SiteId, vendor: VendorId): ExtensionMetadata | undefined {
+    const index = this.extensionsBySiteByVendor.get(site)?.get(vendor) ?? -1;
+    if (index < 0) {
+      return undefined;
+    } else {
+      return this.extensionRegistrations[index];
+    }
+  }
+
+  private getPermissions(site: SiteId, vendor: VendorId): ExtensionPermission[] {
+    const permissions = [
+      this.sitePermissions.get(site),
+      this.vendorPermissions.get(vendor),
+      this.allPermission,
+      // Need to cast away `undefined` because typescript isn't
+      // aware that the filter eliminates undefined elements
+    ].filter((p) => !!p) as ExtensionPermission[];
+
+    return permissions;
+  }
+
+  extensions(): ReadonlyArray<{
+    extension: ExtensionMetadata;
+    permissions: ExtensionPermission[];
+  }> {
+    const extensions = [];
+    for (const extension of this.extensionRegistrations) {
+      const permissions = this.getPermissions(extension.site.id, extension.product.vendor.id);
+
+      extensions.push({ extension, permissions });
+    }
+
+    return extensions;
+  }
+
+  build(id: SiteId): ExtensionSite | undefined {
+    const site = this.siteRegistrations.get(id);
+    if (!site) {
+      return undefined;
+    }
+
+    if (this.allPermission === "deny") {
+      return new ExtensionSite(site, new Map());
+    }
+
+    const extensions = new Map<VendorId, ExtensionMetadata>();
+    const entries = this.extensionsBySiteByVendor.get(id)?.entries() ?? ([] as const);
+    for (const [vendor, index] of entries) {
+      const permissions = this.getPermissions(id, vendor);
+
+      const extension = evaluate(permissions, this.extensionRegistrations[index]);
+      if (extension) {
+        extensions.set(vendor, extension);
+      }
+    }
+
+    const extensionSite = new ExtensionSite(site, extensions);
+    return extensionSite;
+  }
+}
+
+function evaluate(
+  permissions: ExtensionPermission[],
+  value: ExtensionMetadata,
+): ExtensionMetadata | undefined {
+  // deny always wins
+  if (permissions.includes("deny")) {
+    return undefined;
+  }
+
+  // allow overrides implicit permissions
+  if (permissions.includes("allow")) {
+    return value;
+  }
+
+  // none permission becomes a deny
+  if (permissions.includes("none")) {
+    return undefined;
+  }
+
+  // default permission becomes an allow
+  if (permissions.includes("default")) {
+    return value;
+  }
+
+  // if no permission is recognized, throw. This code is unreachable.
+  throw new Error("failed to recognize any permissions");
+}
diff --git a/libs/common/src/tools/extension/type.ts b/libs/common/src/tools/extension/type.ts
new file mode 100644
index 00000000000..f37d4ff8e53
--- /dev/null
+++ b/libs/common/src/tools/extension/type.ts
@@ -0,0 +1,109 @@
+import { Opaque } from "type-fest";
+
+import { Site, Field, Permission } from "./data";
+
+/** well-known name for a feature extensible through an extension. */
+export type SiteId = keyof typeof Site;
+
+/** well-known name for a field surfaced from an extension site to a vendor. */
+export type FieldId = keyof typeof Field;
+
+/** Identifies a vendor extending bitwarden */
+export type VendorId = Opaque<"vendor", string>;
+
+/** uniquely identifies an extension. */
+export type ExtensionId = { site: SiteId; vendor: VendorId };
+
+/** Permission levels for metadata. */
+export type ExtensionPermission = keyof typeof Permission;
+
+/** The capabilities and descriptive content for an extension */
+export type SiteMetadata = {
+  /** Uniquely identifies the extension site. */
+  id: SiteId;
+
+  /** Lists the fields disclosed by the extension to the vendor */
+  availableFields: FieldId[];
+};
+
+/** The capabilities and descriptive content for an extension */
+export type VendorMetadata = {
+  /** Uniquely identifies the vendor. */
+  id: VendorId;
+
+  /** Brand name of the service providing the extension. */
+  name: string;
+};
+
+type TokenHeader =
+  | {
+      /** Transmit the token as the value of an `Authentication` header */
+      authentication: true;
+    }
+  | {
+      /** Transmit the token as an `Authorization` header and a formatted value
+       *  * `bearer` uses OAUTH-2.0 bearer token format
+       *  * `token` prefixes the token with "Token"
+       *  * `basic-username` uses HTTP Basic authentication format, encoding the
+       *     token as the username.
+       */
+      authorization: "bearer" | "token" | "basic-username";
+    };
+
+/** Catalogues an extension's hosting status.
+ *  selfHost: "never" always uses the service's base URL
+ *  selfHost: "maybe" allows the user to override the service's
+ *    base URL with their own.
+ *  selfHost: "always" requires a base URL.
+ */
+export type ApiHost = TokenHeader &
+  (
+    | { selfHost: "never"; baseUrl: string }
+    | { selfHost: "maybe"; baseUrl: string }
+    | { selfHost: "always" }
+  );
+
+/** Describes a branded product */
+export type ProductMetadata = {
+  /** The vendor providing the extension */
+  vendor: VendorMetadata;
+
+  /** The branded name of the product, if it varies from the Vendor name */
+  name?: string;
+};
+
+/** Describes an extension provided by a vendor */
+export type ExtensionMetadata = {
+  /** The part of Bitwarden extended by the vendor's services */
+  readonly site: Readonly<SiteMetadata>;
+
+  /** Product description */
+  readonly product: Readonly<ProductMetadata>;
+
+  /** Hosting provider capabilities required by the extension  */
+  readonly host: Readonly<ApiHost>;
+
+  /** Lists the fields disclosed by the extension to the vendor.
+   *  This should be a subset of the `availableFields` listed in
+   *  the extension.
+   */
+  readonly requestedFields: ReadonlyArray<Readonly<FieldId>>;
+};
+
+/** Identifies a collection of extensions.
+ */
+export type ExtensionSet =
+  | {
+      /** A set of extensions sharing an extension point */
+      site: SiteId;
+    }
+  | {
+      /** A set of extensions sharing a vendor */
+      vendor: VendorId;
+    }
+  | {
+      /** The total set of extensions. This is used to set a categorical
+       *  rule affecting all extensions.
+       */
+      all: true;
+    };
diff --git a/libs/common/src/tools/extension/vendor/addyio.ts b/libs/common/src/tools/extension/vendor/addyio.ts
new file mode 100644
index 00000000000..c33abd570ad
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/addyio.ts
@@ -0,0 +1,25 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const AddyIo: VendorMetadata = {
+  id: Vendor.addyio,
+  name: "Addy.io",
+};
+
+export const AddyIoExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: AddyIo,
+    },
+    host: {
+      authorization: "bearer",
+      selfHost: "maybe",
+      baseUrl: "https://app.addy.io",
+    },
+    requestedFields: [Field.token, Field.baseUrl, Field.domain],
+  },
+];
diff --git a/libs/common/src/tools/extension/vendor/bitwarden.ts b/libs/common/src/tools/extension/vendor/bitwarden.ts
new file mode 100644
index 00000000000..7f659c2d07f
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/bitwarden.ts
@@ -0,0 +1,8 @@
+import { VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const Bitwarden: VendorMetadata = Object.freeze({
+  id: Vendor.bitwarden,
+  name: "Bitwarden",
+});
diff --git a/libs/common/src/tools/extension/vendor/data.ts b/libs/common/src/tools/extension/vendor/data.ts
new file mode 100644
index 00000000000..7f0802ef82f
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/data.ts
@@ -0,0 +1,11 @@
+import { VendorId } from "../type";
+
+export const Vendor = Object.freeze({
+  addyio: "addyio" as VendorId,
+  bitwarden: "bitwarden" as VendorId, // RESERVED
+  duckduckgo: "duckduckgo" as VendorId,
+  fastmail: "fastmail" as VendorId,
+  forwardemail: "forwardemail" as VendorId,
+  mozilla: "mozilla" as VendorId,
+  simplelogin: "simplelogin" as VendorId,
+} as const);
diff --git a/libs/common/src/tools/extension/vendor/duckduckgo.ts b/libs/common/src/tools/extension/vendor/duckduckgo.ts
new file mode 100644
index 00000000000..ca4634192f5
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/duckduckgo.ts
@@ -0,0 +1,25 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const DuckDuckGo: VendorMetadata = {
+  id: Vendor.duckduckgo,
+  name: "DuckDuckGo",
+};
+
+export const DuckDuckGoExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: DuckDuckGo,
+    },
+    host: {
+      authorization: "bearer",
+      selfHost: "never",
+      baseUrl: "https://quack.duckduckgo.com/api",
+    },
+    requestedFields: [Field.token],
+  },
+];
diff --git a/libs/common/src/tools/extension/vendor/fastmail.ts b/libs/common/src/tools/extension/vendor/fastmail.ts
new file mode 100644
index 00000000000..e6fb9ec16be
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/fastmail.ts
@@ -0,0 +1,25 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const Fastmail: VendorMetadata = {
+  id: Vendor.fastmail,
+  name: "Fastmail",
+};
+
+export const FastmailExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: Fastmail,
+    },
+    host: {
+      authorization: "bearer",
+      selfHost: "maybe",
+      baseUrl: "https://api.fastmail.com",
+    },
+    requestedFields: [Field.token],
+  },
+];
diff --git a/libs/common/src/tools/extension/vendor/forwardemail.ts b/libs/common/src/tools/extension/vendor/forwardemail.ts
new file mode 100644
index 00000000000..4fbc8c139b1
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/forwardemail.ts
@@ -0,0 +1,25 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const ForwardEmail: VendorMetadata = {
+  id: Vendor.forwardemail,
+  name: "Forward Email",
+};
+
+export const ForwardEmailExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: ForwardEmail,
+    },
+    host: {
+      authorization: "basic-username",
+      selfHost: "never",
+      baseUrl: "https://api.forwardemail.net",
+    },
+    requestedFields: [Field.domain, Field.token],
+  },
+];
diff --git a/libs/common/src/tools/extension/vendor/index.ts b/libs/common/src/tools/extension/vendor/index.ts
new file mode 100644
index 00000000000..3bac78c80db
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/index.ts
@@ -0,0 +1,30 @@
+import { deepFreeze } from "../../util";
+
+import { AddyIo, AddyIoExtensions } from "./addyio";
+import { Bitwarden } from "./bitwarden";
+import { DuckDuckGo, DuckDuckGoExtensions } from "./duckduckgo";
+import { Fastmail, FastmailExtensions } from "./fastmail";
+import { ForwardEmail, ForwardEmailExtensions } from "./forwardemail";
+import { Mozilla, MozillaExtensions } from "./mozilla";
+import { SimpleLogin, SimpleLoginExtensions } from "./simplelogin";
+
+export const Vendors = deepFreeze([
+  AddyIo,
+  Bitwarden,
+  DuckDuckGo,
+  Fastmail,
+  ForwardEmail,
+  Mozilla,
+  SimpleLogin,
+]);
+
+export const VendorExtensions = deepFreeze(
+  [
+    AddyIoExtensions,
+    DuckDuckGoExtensions,
+    FastmailExtensions,
+    ForwardEmailExtensions,
+    MozillaExtensions,
+    SimpleLoginExtensions,
+  ].flat(),
+);
diff --git a/libs/common/src/tools/extension/vendor/mozilla.ts b/libs/common/src/tools/extension/vendor/mozilla.ts
new file mode 100644
index 00000000000..b02b97d8777
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/mozilla.ts
@@ -0,0 +1,26 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const Mozilla: VendorMetadata = {
+  id: Vendor.mozilla,
+  name: "Mozilla",
+};
+
+export const MozillaExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: Mozilla,
+      name: "Firefox Relay",
+    },
+    host: {
+      authorization: "token",
+      selfHost: "never",
+      baseUrl: "https://relay.firefox.com/api",
+    },
+    requestedFields: [Field.token],
+  },
+];
diff --git a/libs/common/src/tools/extension/vendor/readme.md b/libs/common/src/tools/extension/vendor/readme.md
new file mode 100644
index 00000000000..507769edd4e
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/readme.md
@@ -0,0 +1,33 @@
+# Vendors
+
+This folder contains vendor-specific logic that extends the
+Bitwarden password manager.
+
+## Vendor IDs
+
+A vendor's ID is used to identify and trace the code provided by
+a vendor across Bitwarden. There are a few rules that vendor ids
+must follow:
+
+1. They should be human-readable. (No UUIDs.)
+2. They may only contain lowercase ASCII characters and numbers.
+3. They must retain backwards compatibility with prior versions.
+
+As such, any given ID may not not match the vendor's present
+brand identity. Said branding may be stored in `VendorMetadata.name`.
+
+## Core files
+
+There are 4 vendor-independent files in this directory.
+
+- `data.ts` - core metadata used for system initialization
+- `index.ts` - exports vendor metadata
+- `README.md` - this file
+
+## Vendor definitions
+
+Each vendor should have one and only one definition, whose name
+MUST match their `VendorId`. The vendor is free to use either a
+single file (e.g. `bitwarden.ts`) or a folder containing multiple
+files (e.g. `bitwarden/extension.ts`, `bitwarden/forwarder.ts`) to
+host their files.
diff --git a/libs/common/src/tools/extension/vendor/simplelogin.ts b/libs/common/src/tools/extension/vendor/simplelogin.ts
new file mode 100644
index 00000000000..21ee969cebb
--- /dev/null
+++ b/libs/common/src/tools/extension/vendor/simplelogin.ts
@@ -0,0 +1,25 @@
+import { Field } from "../data";
+import { Extension } from "../metadata";
+import { ExtensionMetadata, VendorMetadata } from "../type";
+
+import { Vendor } from "./data";
+
+export const SimpleLogin: VendorMetadata = {
+  id: Vendor.simplelogin,
+  name: "SimpleLogin",
+};
+
+export const SimpleLoginExtensions: ExtensionMetadata[] = [
+  {
+    site: Extension.forwarder,
+    product: {
+      vendor: SimpleLogin,
+    },
+    host: {
+      authentication: true,
+      selfHost: "maybe",
+      baseUrl: "https://app.simplelogin.io",
+    },
+    requestedFields: [Field.baseUrl, Field.token, Field.domain],
+  },
+];
diff --git a/libs/common/src/tools/rx.spec.ts b/libs/common/src/tools/rx.spec.ts
index 9ce147a3ff4..2c433fef93b 100644
--- a/libs/common/src/tools/rx.spec.ts
+++ b/libs/common/src/tools/rx.spec.ts
@@ -56,7 +56,7 @@ describe("errorOnChange", () => {
 
     source$.complete();
 
-    expect(complete).toBeTrue();
+    expect(complete).toBe(true);
   });
 
   it("errors when the input changes", async () => {
diff --git a/libs/common/src/tools/util.ts b/libs/common/src/tools/util.ts
new file mode 100644
index 00000000000..9a3a14c1c83
--- /dev/null
+++ b/libs/common/src/tools/util.ts
@@ -0,0 +1,19 @@
+/** Recursively freeze an object's own keys
+ *  @param value the value to freeze
+ *  @returns `value`
+ *  @remarks this function is derived from MDN's `deepFreeze`, which
+ *   has been committed to the public domain.
+ */
+export function deepFreeze<T extends object>(value: T): Readonly<T> {
+  const keys = Reflect.ownKeys(value) as (keyof T)[];
+
+  for (const key of keys) {
+    const own = value[key];
+
+    if ((own && typeof own === "object") || typeof own === "function") {
+      deepFreeze(own);
+    }
+  }
+
+  return Object.freeze(value);
+}
diff --git a/libs/common/src/vault/services/folder/folder.service.spec.ts b/libs/common/src/vault/services/folder/folder.service.spec.ts
index 9fdb4327b98..cc3aa1946ca 100644
--- a/libs/common/src/vault/services/folder/folder.service.spec.ts
+++ b/libs/common/src/vault/services/folder/folder.service.spec.ts
@@ -77,7 +77,7 @@ describe("Folder Service", () => {
       const result = await firstValueFrom(folderService.folders$(mockUserId));
 
       expect(result.length).toBe(2);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         { id: "1", name: makeEncString("ENC_STRING_1") },
         { id: "2", name: makeEncString("ENC_STRING_2") },
       ]);
@@ -98,7 +98,7 @@ describe("Folder Service", () => {
       const result = await firstValueFrom(folderService.folderViews$(mockUserId));
 
       expect(result.length).toBe(3);
-      expect(result).toIncludeAllPartialMembers([
+      expect(result).toContainPartialObjects([
         { id: "1", name: "DEC" },
         { id: "2", name: "DEC" },
         { name: "No Folder" },
diff --git a/libs/key-management/src/angular/lock/components/lock.component.ts b/libs/key-management/src/angular/lock/components/lock.component.ts
index 6c912b0eaae..c4e32078134 100644
--- a/libs/key-management/src/angular/lock/components/lock.component.ts
+++ b/libs/key-management/src/angular/lock/components/lock.component.ts
@@ -30,7 +30,7 @@ import {
   MasterPasswordVerification,
   MasterPasswordVerificationResponse,
 } from "@bitwarden/common/auth/types/verification";
-import { ClientType } from "@bitwarden/common/enums";
+import { ClientType, DeviceType } from "@bitwarden/common/enums";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -244,6 +244,10 @@ export class LockComponent implements OnInit, OnDestroy {
     if (activeAccount == null) {
       return;
     }
+    // this account may be unlocked, prevent any prompts so we can redirect to vault
+    if (await this.keyService.hasUserKeyInMemory(activeAccount.id)) {
+      return;
+    }
 
     this.setEmailAsPageSubtitle(activeAccount.email);
 
@@ -301,6 +305,11 @@ export class LockComponent implements OnInit, OnDestroy {
     }
 
     if (this.clientType === "browser") {
+      // Firefox closes the popup when unfocused, so this would block all unlock methods
+      if (this.platformUtilsService.getDevice() === DeviceType.FirefoxExtension) {
+        return;
+      }
+
       if (
         this.unlockOptions.biometrics.enabled &&
         autoPromptBiometrics &&
diff --git a/libs/tools/generator/components/src/catchall-settings.component.html b/libs/tools/generator/components/src/catchall-settings.component.html
index 61037c91a73..4afa145c055 100644
--- a/libs/tools/generator/components/src/catchall-settings.component.html
+++ b/libs/tools/generator/components/src/catchall-settings.component.html
@@ -1,4 +1,4 @@
-<form class="box" [formGroup]="settings" class="tw-container">
+<form [formGroup]="settings" class="tw-container">
   <bit-form-field>
     <bit-label>{{ "domainName" | i18n }}</bit-label>
     <input
diff --git a/libs/tools/generator/components/src/credential-generator.component.html b/libs/tools/generator/components/src/credential-generator.component.html
index ce86abe80ae..6f27c7020db 100644
--- a/libs/tools/generator/components/src/credential-generator.component.html
+++ b/libs/tools/generator/components/src/credential-generator.component.html
@@ -56,7 +56,7 @@ <h2 bitTypography="h6">{{ "options" | i18n }}</h2>
   </bit-section-header>
   <div class="tw-mb-4">
     <bit-card>
-      <form [formGroup]="username" class="box tw-container">
+      <form [formGroup]="username" class="tw-container">
         <bit-form-field>
           <bit-label>{{ "type" | i18n }}</bit-label>
           <bit-select
@@ -70,7 +70,7 @@ <h2 bitTypography="h6">{{ "options" | i18n }}</h2>
           }}</bit-hint>
         </bit-form-field>
       </form>
-      <form *ngIf="showForwarder$ | async" [formGroup]="forwarder" class="box tw-container">
+      <form *ngIf="showForwarder$ | async" [formGroup]="forwarder" class="tw-container">
         <bit-form-field>
           <bit-label>{{ "service" | i18n }}</bit-label>
           <bit-select
diff --git a/libs/tools/generator/components/src/forwarder-settings.component.html b/libs/tools/generator/components/src/forwarder-settings.component.html
index d610f53d59f..8ad6eab1acf 100644
--- a/libs/tools/generator/components/src/forwarder-settings.component.html
+++ b/libs/tools/generator/components/src/forwarder-settings.component.html
@@ -1,4 +1,4 @@
-<form class="box" [formGroup]="settings" class="tw-container">
+<form [formGroup]="settings" class="tw-container">
   <bit-form-field *ngIf="displayDomain">
     <bit-label>{{ "forwarderDomainName" | i18n }}</bit-label>
     <input
diff --git a/libs/tools/generator/components/src/passphrase-settings.component.html b/libs/tools/generator/components/src/passphrase-settings.component.html
index 4e073f34243..0af27f7fdcb 100644
--- a/libs/tools/generator/components/src/passphrase-settings.component.html
+++ b/libs/tools/generator/components/src/passphrase-settings.component.html
@@ -2,7 +2,7 @@
   <bit-section-header *ngIf="showHeader">
     <h6 bitTypography="h6">{{ "options" | i18n }}</h6>
   </bit-section-header>
-  <form class="box" [formGroup]="settings" class="tw-container">
+  <form [formGroup]="settings" class="tw-container">
     <div class="tw-mb-4">
       <bit-card>
         <bit-form-field disableMargin>
diff --git a/libs/tools/generator/components/src/password-settings.component.html b/libs/tools/generator/components/src/password-settings.component.html
index 9f8e00921fb..5e4d1079725 100644
--- a/libs/tools/generator/components/src/password-settings.component.html
+++ b/libs/tools/generator/components/src/password-settings.component.html
@@ -2,7 +2,7 @@
   <bit-section-header *ngIf="showHeader">
     <h2 bitTypography="h6">{{ "options" | i18n }}</h2>
   </bit-section-header>
-  <form class="box" [formGroup]="settings" class="tw-container">
+  <form [formGroup]="settings" class="tw-container">
     <div class="tw-mb-4">
       <bit-card>
         <bit-form-field disableMargin>
diff --git a/libs/tools/generator/components/src/subaddress-settings.component.html b/libs/tools/generator/components/src/subaddress-settings.component.html
index 1dfb5e3460d..b7f71b12b2a 100644
--- a/libs/tools/generator/components/src/subaddress-settings.component.html
+++ b/libs/tools/generator/components/src/subaddress-settings.component.html
@@ -1,4 +1,4 @@
-<form class="box" [formGroup]="settings" class="tw-container">
+<form [formGroup]="settings" class="tw-container">
   <bit-form-field>
     <bit-label>{{ "email" | i18n }}</bit-label>
     <input
diff --git a/libs/tools/generator/components/src/username-generator.component.html b/libs/tools/generator/components/src/username-generator.component.html
index 31e224713ed..a5effcc0f99 100644
--- a/libs/tools/generator/components/src/username-generator.component.html
+++ b/libs/tools/generator/components/src/username-generator.component.html
@@ -33,7 +33,7 @@ <h2 bitTypography="h6">{{ "options" | i18n }}</h2>
   </bit-section-header>
   <div [ngClass]="{ 'tw-mb-4': !disableMargin }">
     <bit-card>
-      <form class="box" [formGroup]="username" class="tw-container">
+      <form [formGroup]="username" class="tw-container">
         <bit-form-field>
           <bit-label>{{ "type" | i18n }}</bit-label>
           <bit-select
@@ -47,7 +47,7 @@ <h2 bitTypography="h6">{{ "options" | i18n }}</h2>
           }}</bit-hint>
         </bit-form-field>
       </form>
-      <form *ngIf="showForwarder$ | async" [formGroup]="forwarder" class="box tw-container">
+      <form *ngIf="showForwarder$ | async" [formGroup]="forwarder" class="tw-container">
         <bit-form-field>
           <bit-label>{{ "service" | i18n }}</bit-label>
           <bit-select
diff --git a/libs/tools/generator/components/src/username-settings.component.html b/libs/tools/generator/components/src/username-settings.component.html
index 649cd052e7b..fd8b32e2b3e 100644
--- a/libs/tools/generator/components/src/username-settings.component.html
+++ b/libs/tools/generator/components/src/username-settings.component.html
@@ -1,4 +1,4 @@
-<form class="box" [formGroup]="settings" class="tw-container">
+<form [formGroup]="settings" class="tw-container">
   <bit-form-control>
     <input
       bitCheckbox
diff --git a/libs/tools/generator/core/tsconfig.json b/libs/tools/generator/core/tsconfig.json
index 7c703686b20..a95b588686f 100644
--- a/libs/tools/generator/core/tsconfig.json
+++ b/libs/tools/generator/core/tsconfig.json
@@ -5,7 +5,6 @@
       "@bitwarden/admin-console/common": ["../../../admin-console/src/common"],
       "@bitwarden/auth/common": ["../../../auth/src/common"],
       "@bitwarden/common/*": ["../../../common/src/*"],
-      "@bitwarden/generator-core": ["../../../tools/generator/core/src"],
       "@bitwarden/key-management": ["../../../key-management/src"]
     }
   },
diff --git a/libs/tools/send/send-ui/src/send-list-items-container/send-list-items-container.component.html b/libs/tools/send/send-ui/src/send-list-items-container/send-list-items-container.component.html
index d7755546365..d244be15087 100644
--- a/libs/tools/send/send-ui/src/send-list-items-container/send-list-items-container.component.html
+++ b/libs/tools/send/send-ui/src/send-list-items-container/send-list-items-container.component.html
@@ -18,12 +18,12 @@ <h2 class="tw-font-bold" bitTypography="h6">
         <i
           slot="start"
           *ngIf="send.type === sendType.Text"
-          class="bwi bwi-file-text tw-text-2xl text-muted"
+          class="bwi bwi-file-text tw-text-2xl tw-text-muted"
         ></i>
         <i
           slot="start"
           *ngIf="send.type === sendType.File"
-          class="bwi bwi-file tw-text-2xl text-muted"
+          class="bwi bwi-file tw-text-2xl tw-text-muted"
         ></i>
         {{ send.name }}
         <span slot="secondary">
diff --git a/package-lock.json b/package-lock.json
index 1e82f857b7b..9544eb398a5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -42,7 +42,7 @@
         "chalk": "4.1.2",
         "commander": "11.1.0",
         "core-js": "3.39.0",
-        "form-data": "4.0.0",
+        "form-data": "4.0.1",
         "https-proxy-agent": "7.0.5",
         "inquirer": "8.2.6",
         "jquery": "3.7.1",
@@ -152,7 +152,7 @@
         "html-webpack-injector": "1.1.4",
         "html-webpack-plugin": "5.6.3",
         "husky": "9.1.4",
-        "jest-extended": "4.0.2",
+        "jest-diff": "29.7.0",
         "jest-junit": "16.0.0",
         "jest-mock-extended": "3.0.7",
         "jest-preset-angular": "14.1.1",
@@ -206,7 +206,7 @@
         "browser-hrtime": "1.1.8",
         "chalk": "4.1.2",
         "commander": "11.1.0",
-        "form-data": "4.0.0",
+        "form-data": "4.0.1",
         "https-proxy-agent": "7.0.5",
         "inquirer": "8.2.6",
         "jsdom": "25.0.1",
@@ -17815,9 +17815,9 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-      "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.1.tgz",
+      "integrity": "sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
@@ -20780,28 +20780,6 @@
         "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
       }
     },
-    "node_modules/jest-extended": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/jest-extended/-/jest-extended-4.0.2.tgz",
-      "integrity": "sha512-FH7aaPgtGYHc9mRjriS0ZEHYM5/W69tLrFTIdzm+yJgeoCmmrSB/luSfMSqWP9O29QWHPEmJ4qmU6EwsZideog==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "jest-diff": "^29.0.0",
-        "jest-get-type": "^29.0.0"
-      },
-      "engines": {
-        "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
-      },
-      "peerDependencies": {
-        "jest": ">=27.2.5"
-      },
-      "peerDependenciesMeta": {
-        "jest": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/jest-get-type": {
       "version": "29.6.3",
       "resolved": "https://registry.npmjs.org/jest-get-type/-/jest-get-type-29.6.3.tgz",
diff --git a/package.json b/package.json
index 9cee3ef44ea..03d1f3d3c75 100644
--- a/package.json
+++ b/package.json
@@ -112,7 +112,7 @@
     "html-webpack-injector": "1.1.4",
     "html-webpack-plugin": "5.6.3",
     "husky": "9.1.4",
-    "jest-extended": "4.0.2",
+    "jest-diff": "29.7.0",
     "jest-junit": "16.0.0",
     "jest-mock-extended": "3.0.7",
     "jest-preset-angular": "14.1.1",
@@ -173,7 +173,7 @@
     "chalk": "4.1.2",
     "commander": "11.1.0",
     "core-js": "3.39.0",
-    "form-data": "4.0.0",
+    "form-data": "4.0.1",
     "https-proxy-agent": "7.0.5",
     "inquirer": "8.2.6",
     "jquery": "3.7.1",
diff --git a/tsconfig.eslint.json b/tsconfig.eslint.json
index 941a612a30c..a69452389f5 100644
--- a/tsconfig.eslint.json
+++ b/tsconfig.eslint.json
@@ -36,6 +36,8 @@
       "@bitwarden/platform": ["./libs/platform/src"],
       "@bitwarden/node/*": ["./libs/node/src/*"],
       "@bitwarden/vault": ["./libs/vault/src"],
+      "@bitwarden/key-management": ["./libs/key-management/src"],
+      "@bitwarden/key-management/angular": ["./libs/key-management/src/angular"],
       "@bitwarden/bit-common/*": ["./bitwarden_license/bit-common/src/*"]
     },
     "plugins": [