Merge branch 'main' into vault/pm-20041/mark-task-complete

2025-06-15 15:30:49 -05:00 · 2025-06-13 15:11:04 -05:00 · 2025-06-13 15:11:04 -05:00 · d1b43bd044
commit d1b43bd044
parent bde0aa3352 db77201ca4
320 changed files with 11779 additions and 1400 deletions
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@ -3,7 +3,7 @@
  "isRoot": true,
  "tools": {
    "swashbuckle.aspnetcore.cli": {
-      "version": "7.2.0",
+      "version": "7.3.2",
      "commands": ["swagger"]
    },
    "dotnet-ef": {
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -350,14 +350,6 @@ jobs:
          cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..
      - name: Make Docker stub checksums
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
        run: |
          sha256sum docker-stub-US.zip > docker-stub-US-sha256.txt
          sha256sum docker-stub-EU.zip > docker-stub-EU-sha256.txt
      - name: Upload Docker stub US artifact
        if: |
          github.event_name != 'pull_request'
@ -378,26 +370,6 @@ jobs:
          path: docker-stub-EU.zip
          if-no-files-found: error
      - name: Upload Docker stub US checksum artifact
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: docker-stub-US-sha256.txt
          path: docker-stub-US-sha256.txt
          if-no-files-found: error
      - name: Upload Docker stub EU checksum artifact
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: docker-stub-EU-sha256.txt
          path: docker-stub-EU-sha256.txt
          if-no-files-found: error
      - name: Build Public API Swagger
        run: |
          cd ./src/Api
@ -598,7 +570,7 @@ jobs:
    uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
    with:
      project: server
-      pull_request_number: ${{ github.event.number }}
+      pull_request_number: ${{ github.event.number || 0 }}
    secrets: inherit
    permissions: read-all
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -17,6 +17,9 @@ on:
 env:
  _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 permissions:
  contents: read
 jobs:
  setup:
    name: Setup
@ -65,9 +68,7 @@ jobs:
          workflow_conclusion: success
          branch: ${{ needs.setup.outputs.branch-name }}
          artifacts: "docker-stub-US.zip,
            docker-stub-US-sha256.txt,
            docker-stub-EU.zip,
            docker-stub-EU-sha256.txt,
            swagger.json"
      - name: Dry Run - Download latest release Docker stubs
@ -78,9 +79,7 @@ jobs:
          workflow_conclusion: success
          branch: main
          artifacts: "docker-stub-US.zip,
            docker-stub-US-sha256.txt,
            docker-stub-EU.zip,
            docker-stub-EU-sha256.txt,
            swagger.json"
      - name: Create release
@ -88,9 +87,7 @@ jobs:
        uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
        with:
          artifacts: "docker-stub-US.zip,
            docker-stub-US-sha256.txt,
            docker-stub-EU.zip,
            docker-stub-EU-sha256.txt,
            swagger.json"
          commit: ${{ github.sha }}
          tag: "v${{ needs.setup.outputs.release_version }}"
--- a/Directory.Build.props
+++ b/Directory.Build.props
@ -3,7 +3,7 @@
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
-    <Version>2025.6.0</Version>
+    <Version>2025.6.1</Version>
    <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
@ -550,6 +550,15 @@ public class ProviderBillingService(
            [
                new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
            ];
            if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
            {
                options.TaxIdData.Add(new CustomerTaxIdDataOptions
                {
                    Type = StripeConstants.TaxIdType.EUVAT,
                    Value = $"ES{taxInfo.TaxIdNumber}"
                });
            }
        }
        if (!string.IsNullOrEmpty(provider.DiscountId))
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@ -499,9 +499,9 @@ public class AccountController : Controller
        // Before any user creation - if Org User doesn't exist at this point - make sure there are enough seats to add one
        if (orgUser == null && organization.Seats.HasValue)
        {
-            var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var occupiedSeats = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
            var initialSeatCount = organization.Seats.Value;
-            var availableSeats = initialSeatCount - occupiedSeats;
+            var availableSeats = initialSeatCount - occupiedSeats.Total;
            if (availableSeats < 1)
            {
                try
--- a/dev/setup_azurite.ps1
+++ b/dev/setup_azurite.ps1
@ -11,7 +11,7 @@ $corsRules = (@{
        AllowedMethods  = @("Get", "PUT");
    });
 $containers = "attachments", "sendfiles", "misc";
-$queues = "event", "notifications", "reference-events", "mail";
+$queues = "event", "notifications", "mail";
 $tables = "event", "metadata", "installationdevice";
 # End configuration
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@ -242,10 +242,32 @@ public class OrganizationsController : Controller
            Seats = organization.Seats
        };
        if (model.PlanType.HasValue)
        {
            var freePlan = await _pricingClient.GetPlanOrThrow(model.PlanType.Value);
            var isDowngradingToFree = organization.PlanType != PlanType.Free && model.PlanType.Value == PlanType.Free;
            if (isDowngradingToFree)
            {
                if (model.Seats.HasValue && model.Seats.Value > freePlan.PasswordManager.MaxSeats)
                {
                    TempData["Error"] = $"Organizations with more than {freePlan.PasswordManager.MaxSeats} seats cannot be downgraded to the Free plan";
                    return RedirectToAction("Edit", new { id });
                }
                if (model.MaxCollections > freePlan.PasswordManager.MaxCollections)
                {
                    TempData["Error"] = $"Organizations with more than {freePlan.PasswordManager.MaxCollections} collections cannot be downgraded to the Free plan. Your organization currently has {organization.MaxCollections} collections.";
                    return RedirectToAction("Edit", new { id });
                }
                model.MaxStorageGb = null;
                model.ExpirationDate = null;
                model.Enabled = true;
            }
        }
        UpdateOrganization(organization, model);
        var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
        if (organization.UseSecretsManager && !plan.SupportsSecretsManager)
        {
            TempData["Error"] = "Plan does not support Secrets Manager";
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@ -34,7 +34,7 @@
    <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="8.0.2" />
    <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="8.0.1" />
    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.25.0" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.3.2" />
  </ItemGroup>
 </Project>
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@ -4,6 +4,7 @@ using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
 using Bit.Api.Billing.Queries.Organizations;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Pricing;
@ -280,17 +281,36 @@ public class OrganizationBillingController(
        }
        var organization = await organizationRepository.GetByIdAsync(organizationId);
        if (organization == null)
        {
            return Error.NotFound();
        }
        var existingPlan = organization.PlanType;
        var organizationSignup = model.ToOrganizationSignup(user);
        var sale = OrganizationSale.From(organization, organizationSignup);
        var plan = await pricingClient.GetPlanOrThrow(model.PlanType);
        sale.Organization.PlanType = plan.Type;
        sale.Organization.Plan = plan.Name;
        sale.SubscriptionSetup.SkipTrial = true;
        if (existingPlan == PlanType.Free && organization.GatewaySubscriptionId is not null)
        {
            sale.Organization.UseTotp = plan.HasTotp;
            sale.Organization.UseGroups = plan.HasGroups;
            sale.Organization.UseDirectory = plan.HasDirectory;
            sale.Organization.SelfHost = plan.HasSelfHost;
            sale.Organization.UsersGetPremium = plan.UsersGetPremium;
            sale.Organization.UseEvents = plan.HasEvents;
            sale.Organization.Use2fa = plan.Has2fa;
            sale.Organization.UseApi = plan.HasApi;
            sale.Organization.UsePolicies = plan.HasPolicies;
            sale.Organization.UseSso = plan.HasSso;
            sale.Organization.UseResetPassword = plan.HasResetPassword;
            sale.Organization.UseKeyConnector = plan.HasKeyConnector;
            sale.Organization.UseScim = plan.HasScim;
            sale.Organization.UseCustomPermissions = plan.HasCustomPermissions;
            sale.Organization.UseOrganizationDomains = plan.HasOrganizationDomains;
            sale.Organization.MaxCollections = plan.PasswordManager.MaxCollections;
        }
        if (organizationSignup.PaymentMethodType == null || string.IsNullOrEmpty(organizationSignup.PaymentToken))
        {
--- a/src/Api/Dirt/Controllers/HibpController.cs
+++ b/src/Api/Dirt/Controllers/HibpController.cs
@ -8,7 +8,7 @@ using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-namespace Bit.Api.Tools.Controllers;
+namespace Bit.Api.Dirt.Controllers;
 [Route("hibp")]
 [Authorize("Application")]
--- a/src/Api/Dirt/Controllers/ReportsController.cs
+++ b/src/Api/Dirt/Controllers/ReportsController.cs
@ -1,16 +1,16 @@
-using Bit.Api.Tools.Models;
+using Bit.Api.Dirt.Models;
-using Bit.Api.Tools.Models.Response;
+using Bit.Api.Dirt.Models.Response;
 using Bit.Core.Context;
 using Bit.Core.Dirt.Reports.Entities;
 using Bit.Core.Dirt.Reports.Models.Data;
 using Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
 using Bit.Core.Dirt.Reports.ReportFeatures.OrganizationReportMembers.Interfaces;
 using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 using Bit.Core.Exceptions;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Tools.Models.Data;
 using Bit.Core.Tools.ReportFeatures.Interfaces;
 using Bit.Core.Tools.ReportFeatures.OrganizationReportMembers.Interfaces;
 using Bit.Core.Tools.ReportFeatures.Requests;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-namespace Bit.Api.Tools.Controllers;
+namespace Bit.Api.Dirt.Controllers;
 [Route("reports")]
 [Authorize("Application")]
@ -47,7 +47,7 @@ public class ReportsController : Controller
    [HttpGet("member-cipher-details/{orgId}")]
    public async Task<IEnumerable<MemberCipherDetailsResponseModel>> GetMemberCipherDetails(Guid orgId)
    {
-        // Using the AccessReports permission here until new permissions  
+        // Using the AccessReports permission here until new permissions
        // are needed for more control over reports
        if (!await _currentContext.AccessReports(orgId))
        {
@ -84,7 +84,7 @@ public class ReportsController : Controller
    }
    /// <summary>
-    /// Contains the organization member info, the cipher ids associated with the member, 
+    /// Contains the organization member info, the cipher ids associated with the member,
    /// and details on their collections, groups, and permissions
    /// </summary>
    /// <param name="request">Request to the MemberAccessCipherDetailsQuery</param>
--- a/src/Api/Dirt/Models/PasswordHealthReportApplicationModel.cs
+++ b/src/Api/Dirt/Models/PasswordHealthReportApplicationModel.cs
@ -1,4 +1,4 @@
-namespace Bit.Api.Tools.Models;
+namespace Bit.Api.Dirt.Models;
 public class PasswordHealthReportApplicationModel
 {
--- a/src/Api/Dirt/Models/Response/MemberAccessReportModel.cs
+++ b/src/Api/Dirt/Models/Response/MemberAccessReportModel.cs
@ -1,10 +1,10 @@
-using Bit.Core.Tools.Models.Data;
+using Bit.Core.Dirt.Reports.Models.Data;
-namespace Bit.Api.Tools.Models.Response;
+namespace Bit.Api.Dirt.Models.Response;
 /// <summary>
 /// Contains the collections and group collections a user has access to including
-/// the permission level for the collection and group collection. 
+/// the permission level for the collection and group collection.
 /// </summary>
 public class MemberAccessReportResponseModel
 {
--- a/src/Api/Dirt/Models/Response/MemberCipherDetailsResponseModel.cs
+++ b/src/Api/Dirt/Models/Response/MemberCipherDetailsResponseModel.cs
@ -1,6 +1,6 @@
-using Bit.Core.Tools.Models.Data;
+using Bit.Core.Dirt.Reports.Models.Data;
-namespace Bit.Api.Tools.Models.Response;
+namespace Bit.Api.Dirt.Models.Response;
 public class MemberCipherDetailsResponseModel
 {
--- a/src/Api/Models/Public/Response/CollectionResponseModel.cs
+++ b/src/Api/Models/Public/Response/CollectionResponseModel.cs
@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 namespace Bit.Api.Models.Public.Response;
@ -20,6 +21,7 @@ public class CollectionResponseModel : CollectionBaseModel, IResponseModel
        Id = collection.Id;
        ExternalId = collection.ExternalId;
        Groups = groups?.Select(c => new AssociationWithPermissionsResponseModel(c));
        Type = collection.Type;
    }
    /// <summary>
@ -38,4 +40,8 @@ public class CollectionResponseModel : CollectionBaseModel, IResponseModel
    /// The associated groups that this collection is assigned to.
    /// </summary>
    public IEnumerable<AssociationWithPermissionsResponseModel> Groups { get; set; }
    /// <summary>
    /// The type of this collection
    /// </summary>
    public CollectionType Type { get; set; }
 }
--- a/src/Api/Models/Response/CollectionResponseModel.cs
+++ b/src/Api/Models/Response/CollectionResponseModel.cs
@ -1,4 +1,5 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
@ -18,12 +19,14 @@ public class CollectionResponseModel : ResponseModel
        OrganizationId = collection.OrganizationId;
        Name = collection.Name;
        ExternalId = collection.ExternalId;
        Type = collection.Type;
    }
    public Guid Id { get; set; }
    public Guid OrganizationId { get; set; }
    public string Name { get; set; }
    public string ExternalId { get; set; }
    public CollectionType Type { get; set; }
 }
 /// <summary>
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -31,8 +31,8 @@ using Bit.Api.Billing;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Dirt.Reports.ReportFeatures;
 using Bit.Core.Tools.SendFeatures;
 #if !OSS
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@ -42,7 +42,6 @@ public class CiphersController : Controller
    private readonly ICurrentContext _currentContext;
    private readonly ILogger<CiphersController> _logger;
    private readonly GlobalSettings _globalSettings;
    private readonly IFeatureService _featureService;
    private readonly IOrganizationCiphersQuery _organizationCiphersQuery;
    private readonly IApplicationCacheService _applicationCacheService;
    private readonly ICollectionRepository _collectionRepository;
@ -57,7 +56,6 @@ public class CiphersController : Controller
        ICurrentContext currentContext,
        ILogger<CiphersController> logger,
        GlobalSettings globalSettings,
        IFeatureService featureService,
        IOrganizationCiphersQuery organizationCiphersQuery,
        IApplicationCacheService applicationCacheService,
        ICollectionRepository collectionRepository)
@ -71,7 +69,6 @@ public class CiphersController : Controller
        _currentContext = currentContext;
        _logger = logger;
        _globalSettings = globalSettings;
        _featureService = featureService;
        _organizationCiphersQuery = organizationCiphersQuery;
        _applicationCacheService = applicationCacheService;
        _collectionRepository = collectionRepository;
@ -375,11 +372,6 @@ public class CiphersController : Controller
    private async Task<bool> CanDeleteOrRestoreCipherAsAdminAsync(Guid organizationId, IEnumerable<Guid> cipherIds)
    {
        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
        {
            return await CanEditCipherAsAdminAsync(organizationId, cipherIds);
        }
        var org = _currentContext.GetOrganization(organizationId);
        // If we're not an "admin" or if we're a provider user we don't need to check the ciphers
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@ -1,9 +1,7 @@
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
@ -15,7 +13,6 @@ namespace Bit.Api.Vault.Controllers;
 [Route("tasks")]
 [Authorize("Application")]
 [RequireFeature(FeatureFlagKeys.SecurityTasks)]
 public class SecurityTaskController : Controller
 {
    private readonly IUserService _userService;
--- a/src/Billing/Billing.csproj
+++ b/src/Billing/Billing.csproj
@ -10,7 +10,7 @@
    <ProjectReference Include="..\Core\Core.csproj" />
  </ItemGroup>
  <ItemGroup>
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.3.2" />
  </ItemGroup>
 </Project>
--- a/src/Core/AdminConsole/Entities/OrganizationUser.cs
+++ b/src/Core/AdminConsole/Entities/OrganizationUser.cs
@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Interfaces;
 using Bit.Core.Enums;
 using Bit.Core.Models;
@ -9,23 +10,75 @@ using Bit.Core.Utilities;
 namespace Bit.Core.Entities;
 /// <summary>
 /// An association table between one <see cref="User"/> and one <see cref="Organization"/>, representing that user's
 /// membership in the organization. "Member" refers to the OrganizationUser object.
 /// </summary>
 public class OrganizationUser : ITableObject<Guid>, IExternal, IOrganizationUser
 {
    /// <summary>
    /// A unique random identifier.
    /// </summary>
    public Guid Id { get; set; }
    /// <summary>
    /// The ID of the Organization that the user is a member of.
    /// </summary>
    public Guid OrganizationId { get; set; }
    /// <summary>
    /// The ID of the User that is the member. This is NULL if the Status is Invited (or Invited and then Revoked), because
    /// it is not linked to a specific User yet.
    /// </summary>
    public Guid? UserId { get; set; }
    /// <summary>
    /// The email address of the user invited to the organization. This is NULL if the Status is not Invited (or
    /// Invited and then Revoked), because in that case the OrganizationUser is linked to a User
    /// and the email is stored on the User object.
    /// </summary>
    [MaxLength(256)]
    public string? Email { get; set; }
    /// <summary>
    /// The Organization symmetric key encrypted with the User's public key. NULL if the user is not in a Confirmed
    /// (or Confirmed and then Revoked) status.
    /// </summary>
    public string? Key { get; set; }
    /// <summary>
    /// The User's symmetric key encrypted with the Organization's public key. NULL if the OrganizationUser
    /// is not enrolled in account recovery.
    /// </summary>
    public string? ResetPasswordKey { get; set; }
    /// <inheritdoc cref="OrganizationUserStatusType"/>
    public OrganizationUserStatusType Status { get; set; }
    /// <summary>
    /// The User's role in the Organization.
    /// </summary>
    public OrganizationUserType Type { get; set; }
-
+    /// <summary>
    /// An ID used to identify the OrganizationUser with an external directory service. Used by Directory Connector
    /// and SCIM.
    /// </summary>
    [MaxLength(300)]
    public string? ExternalId { get; set; }
    /// <summary>
    /// The date the OrganizationUser was created, i.e. when the User was first invited to the Organization.
    /// </summary>
    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
    /// <summary>
    /// The last date the OrganizationUser entry was updated.
    /// </summary>
    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
    /// <summary>
    /// A json blob representing the <see cref="Bit.Core.Models.Data.Permissions"/> of the OrganizationUser if they
    /// are a Custom user role (i.e. the <see cref="OrganizationUserType"/> is Custom). MAY be NULL if they are not
    /// a custom user, but this is not guaranteed; do not use this to determine their role.
    /// </summary>
    /// <remarks>
    /// Avoid using this property directly - instead use the <see cref="GetPermissions"/> and <see cref="SetPermissions"/>
    /// helper methods.
    /// </remarks>
    public string? Permissions { get; set; }
    /// <summary>
    /// True if the User has access to Secrets Manager for this Organization, false otherwise.
    /// </summary>
    public bool AccessSecretsManager { get; set; }
    public void SetNewId()
--- a/src/Core/AdminConsole/Enums/OrganizationUserStatusType.cs
+++ b/src/Core/AdminConsole/Enums/OrganizationUserStatusType.cs
@ -1,9 +1,34 @@
-namespace Bit.Core.Enums;
+using Bit.Core.Entities;
 namespace Bit.Core.Enums;
 /// <summary>
 /// Represents the different stages of a member's lifecycle in an organization.
 /// The <see cref="OrganizationUser"/> object is populated differently depending on their Status.
 /// </summary>
 public enum OrganizationUserStatusType : short
 {
    /// <summary>
    /// The OrganizationUser entry only represents an invitation to join the organization. It is not linked to a
    /// specific User yet.
    /// </summary>
    Invited = 0,
    /// <summary>
    /// The User has accepted the invitation and linked their User account to the OrganizationUser entry.
    /// </summary>
    Accepted = 1,
    /// <summary>
    /// An administrator has granted the User access to the organization. This is the final step in the User becoming
    /// a "full" member of the organization, including a key exchange so that they can decrypt organization data.
    /// </summary>
    Confirmed = 2,
    /// <summary>
    /// The OrganizationUser has been revoked from the organization and cannot access organization data while in this state.
    /// </summary>
    /// <remarks>
    /// An OrganizationUser may move into this status from any other status, and will move back to their original status
    /// if restored. This allows an administrator to easily suspend and restore access without going through the
    /// Invite flow again.
    /// </remarks>
    Revoked = -1,
 }
--- a/src/Core/AdminConsole/Enums/PolicyType.cs
+++ b/src/Core/AdminConsole/Enums/PolicyType.cs
@ -17,6 +17,7 @@ public enum PolicyType : byte
    AutomaticAppLogIn = 12,
    FreeFamiliesSponsorshipPolicy = 13,
    RemoveUnlockWithPin = 14,
    RestrictedItemTypesPolicy = 15,
 }
 public static class PolicyTypeExtensions
@ -43,7 +44,8 @@ public static class PolicyTypeExtensions
            PolicyType.ActivateAutofill => "Active auto-fill",
            PolicyType.AutomaticAppLogIn => "Automatically log in users for allowed applications",
            PolicyType.FreeFamiliesSponsorshipPolicy => "Remove Free Bitwarden Families sponsorship",
-            PolicyType.RemoveUnlockWithPin => "Remove unlock with PIN"
+            PolicyType.RemoveUnlockWithPin => "Remove unlock with PIN",
            PolicyType.RestrictedItemTypesPolicy => "Restricted item types",
        };
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
@ -87,7 +87,7 @@ public class InviteOrganizationUsersCommand(IEventService eventService,
            InviteOrganization = request.InviteOrganization,
            PerformedBy = request.PerformedBy,
            PerformedAt = request.PerformedAt,
-            OccupiedPmSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId),
+            OccupiedPmSeats = (await organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId)).Total,
            OccupiedSmSeats = await organizationUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId)
        });
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Utilities.Validation;
@ -83,14 +84,9 @@ public class InviteUsersPasswordManagerValidator(
            return invalidEnvironment.Map(request);
        }
-        var organizationValidationResult = await inviteUsersOrganizationValidator.ValidateAsync(request.InviteOrganization);
+        // Organizations managed by a provider need to be scaled by the provider. This needs to be checked in the event seats are increasing.
        if (organizationValidationResult is Invalid<InviteOrganization> organizationValidation)
        {
            return organizationValidation.Map(request);
        }
        var provider = await providerRepository.GetByOrganizationIdAsync(request.InviteOrganization.OrganizationId);
        if (provider is not null)
        {
            var providerValidationResult = InvitingUserOrganizationProviderValidator.Validate(new InviteOrganizationProvider(provider));
@ -101,6 +97,13 @@ public class InviteUsersPasswordManagerValidator(
            }
        }
        var organizationValidationResult = await inviteUsersOrganizationValidator.ValidateAsync(request.InviteOrganization);
        if (organizationValidationResult is Invalid<InviteOrganization> organizationValidation)
        {
            return organizationValidation.Map(request);
        }
        var paymentSubscription = await paymentService.GetSubscriptionAsync(
            await organizationRepository.GetByIdAsync(request.InviteOrganization.OrganizationId));
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
@ -1,10 +1,9 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
 using Bit.Core.AdminConsole.Utilities.Validation;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
 public static class InviteUserPaymentValidation
 {
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
@ -70,8 +70,8 @@ public class RestoreOrganizationUserCommand(
        }
        var organization = await organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
-        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var seatCounts = await organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - seatCounts.Total;
        if (availableSeats < 1)
        {
@ -163,8 +163,8 @@ public class RestoreOrganizationUserCommand(
        }
        var organization = await organizationRepository.GetByIdAsync(organizationId);
-        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var seatCounts = await organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - seatCounts.Total;
        var newSeatsRequired = organizationUserIds.Count() - availableSeats;
        await organizationService.AutoAddSeatsAsync(organization, newSeatsRequired);
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidator.cs
@ -104,8 +104,8 @@ public class TwoFactorAuthenticationPolicyValidator : IPolicyValidator
            throw new BadRequestException(string.Join(", ", commandResult.ErrorMessages));
        }
-        await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
+        await Task.WhenAll(nonCompliantUsers.Select(nonCompliantUser =>
-            _mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), x.Email)));
+            _mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), nonCompliantUser.user.Email)));
    }
    private static bool MembersWithNoMasterPasswordWillLoseAccess(
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 #nullable enable
@ -25,4 +26,14 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
    Task<ICollection<Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId);
    Task<ICollection<Organization>> GetAddableToProviderByUserIdAsync(Guid userId, ProviderType providerType);
    Task<ICollection<Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids);
    /// <summary>
    /// Returns the number of occupied seats for an organization.
    /// OrganizationUsers occupy a seat, unless they are revoked.
    /// As of https://bitwarden.atlassian.net/browse/PM-17772, a seat is also occupied by a Families for Enterprise sponsorship sent by an
    /// organization admin, even if the user sent the invitation doesn't have a corresponding OrganizationUser in the Enterprise organization.
    /// </summary>
    /// <param name="organizationId">The ID of the organization to get the occupied seat count for.</param>
    /// <returns>The number of occupied seats for the organization.</returns>
    Task<OrganizationSeatCounts> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId);
 }
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@ -18,16 +18,6 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
    Task<ICollection<OrganizationUser>> GetManyByUserAsync(Guid userId);
    Task<ICollection<OrganizationUser>> GetManyByOrganizationAsync(Guid organizationId, OrganizationUserType? type);
    Task<int> GetCountByOrganizationAsync(Guid organizationId, string email, bool onlyRegisteredUsers);
    /// <summary>
    /// Returns the number of occupied seats for an organization.
    /// Occupied seats are OrganizationUsers that have at least been invited.
    /// As of https://bitwarden.atlassian.net/browse/PM-17772, a seat is also occupied by a Families for Enterprise sponsorship sent by an
    /// organization admin, even if the user sent the invitation doesn't have a corresponding OrganizationUser in the Enterprise organization.
    /// </summary>
    /// <param name="organizationId">The ID of the organization to get the occupied seat count for.</param>
    /// <returns>The number of occupied seats for the organization.</returns>
    Task<int> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId);
    Task<ICollection<string>> SelectKnownEmailsAsync(Guid organizationId, IEnumerable<string> emails, bool onlyRegisteredUsers);
    Task<OrganizationUser?> GetByOrganizationAsync(Guid organizationId, Guid userId);
    Task<Tuple<OrganizationUser?, ICollection<CollectionAccessSelection>>> GetByIdWithCollectionsAsync(Guid id);
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@ -294,11 +294,20 @@ public class OrganizationService : IOrganizationService
        if (!organization.Seats.HasValue || organization.Seats.Value > newSeatTotal)
        {
-            var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var seatCounts = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-            if (occupiedSeats > newSeatTotal)
+
            if (seatCounts.Total > newSeatTotal)
            {
-                throw new BadRequestException($"Your organization currently has {occupiedSeats} seats filled. " +
+                if (organization.UseAdminSponsoredFamilies || seatCounts.Sponsored > 0)
-                    $"Your new plan only has ({newSeatTotal}) seats. Remove some users.");
+                {
                    throw new BadRequestException($"Your organization has {seatCounts.Users} members and {seatCounts.Sponsored} sponsored families. " +
                                                  $"To decrease the seat count below {seatCounts.Total}, you must remove members or sponsorships.");
                }
                else
                {
                    throw new BadRequestException($"Your organization currently has {seatCounts.Total} seats filled. " +
                                                  $"Your new plan only has ({newSeatTotal}) seats. Remove some users.");
                }
            }
        }
@ -726,8 +735,8 @@ public class OrganizationService : IOrganizationService
        var newSeatsRequired = 0;
        if (organization.Seats.HasValue)
        {
-            var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var seatCounts = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-            var availableSeats = organization.Seats.Value - occupiedSeats;
+            var availableSeats = organization.Seats.Value - seatCounts.Total;
            newSeatsRequired = invites.Sum(i => i.invite.Emails.Count()) - existingEmails.Count() - availableSeats;
        }
@ -1177,8 +1186,8 @@ public class OrganizationService : IOrganizationService
            var enoughSeatsAvailable = true;
            if (organization.Seats.HasValue)
            {
-                var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+                var seatCounts = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-                seatsAvailable = organization.Seats.Value - occupiedSeats;
+                seatsAvailable = organization.Seats.Value - seatCounts.Total;
                enoughSeatsAvailable = seatsAvailable >= usersToAdd.Count;
            }
--- a/src/Core/Billing/Constants/StripeConstants.cs
+++ b/src/Core/Billing/Constants/StripeConstants.cs
@ -96,6 +96,12 @@ public static class StripeConstants
        public const string Reverse = "reverse";
    }
    public static class TaxIdType
    {
        public const string EUVAT = "eu_vat";
        public const string SpanishNIF = "es_cif";
    }
    public static class ValidateTaxLocationTiming
    {
        public const string Deferred = "deferred";
--- a/src/Core/Billing/Pricing/PlanAdapter.cs
+++ b/src/Core/Billing/Pricing/PlanAdapter.cs
@ -31,6 +31,7 @@ public record PlanAdapter : Plan
        HasScim = HasFeature("scim");
        HasResetPassword = HasFeature("resetPassword");
        UsersGetPremium = HasFeature("usersGetPremium");
        HasCustomPermissions = HasFeature("customPermissions");
        UpgradeSortOrder = plan.AdditionalData.TryGetValue("upgradeSortOrder", out var upgradeSortOrder)
            ? int.Parse(upgradeSortOrder)
            : 0;
@ -141,6 +142,7 @@ public record PlanAdapter : Plan
        var stripeSeatPlanId = GetStripeSeatPlanId(seats);
        var hasAdditionalSeatsOption = seats.IsScalable;
        var seatPrice = GetSeatPrice(seats);
        var baseSeats = GetBaseSeats(seats);
        var maxSeats = GetMaxSeats(seats);
        var allowSeatAutoscale = seats.IsScalable;
        var maxProjects = plan.AdditionalData.TryGetValue("secretsManager.maxProjects", out var value) ? short.Parse(value) : 0;
@ -156,6 +158,7 @@ public record PlanAdapter : Plan
            StripeSeatPlanId = stripeSeatPlanId,
            HasAdditionalSeatsOption = hasAdditionalSeatsOption,
            SeatPrice = seatPrice,
            BaseSeats = baseSeats,
            MaxSeats = maxSeats,
            AllowSeatAutoscale = allowSeatAutoscale,
            MaxProjects = maxProjects
@ -168,8 +171,16 @@ public record PlanAdapter : Plan
    private static decimal GetBasePrice(PurchasableDTO purchasable)
        => purchasable.FromPackaged(x => x.Price);
    private static int GetBaseSeats(FreeOrScalableDTO freeOrScalable)
        => freeOrScalable.Match(
            free => free.Quantity,
            scalable => scalable.Provided);
    private static int GetBaseSeats(PurchasableDTO purchasable)
-        => purchasable.FromPackaged(x => x.Quantity);
+        => purchasable.Match(
            free => free.Quantity,
            packaged => packaged.Quantity,
            scalable => scalable.Provided);
    private static short GetBaseServiceAccount(FreeOrScalableDTO freeOrScalable)
        => freeOrScalable.Match(
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@ -31,7 +31,6 @@ public class OrganizationBillingService(
    IGlobalSettings globalSettings,
    ILogger<OrganizationBillingService> logger,
    IOrganizationRepository organizationRepository,
    IOrganizationUserRepository organizationUserRepository,
    IPricingClient pricingClient,
    ISetupIntentCache setupIntentCache,
    IStripeAdapter stripeAdapter,
@ -78,13 +77,14 @@ public class OrganizationBillingService(
        var isEligibleForSelfHost = await IsEligibleForSelfHostAsync(organization);
        var isManaged = organization.Status == OrganizationStatusType.Managed;
-
+        var orgOccupiedSeats = await organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
        if (string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
        {
            return OrganizationMetadata.Default with
            {
                IsEligibleForSelfHost = isEligibleForSelfHost,
-                IsManaged = isManaged
+                IsManaged = isManaged,
                OrganizationOccupiedSeats = orgOccupiedSeats.Total
            };
        }
@ -108,8 +108,6 @@ public class OrganizationBillingService(
            ? await stripeAdapter.InvoiceGetAsync(subscription.LatestInvoiceId, new InvoiceGetOptions())
            : null;
        var orgOccupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
        return new OrganizationMetadata(
            isEligibleForSelfHost,
            isManaged,
@ -121,7 +119,7 @@ public class OrganizationBillingService(
            invoice?.DueDate,
            invoice?.Created,
            subscription.CurrentPeriodEnd,
-            orgOccupiedSeats);
+            orgOccupiedSeats.Total);
    }
    public async Task
@ -248,12 +246,23 @@ public class OrganizationBillingService(
                        organization.Id,
                        customerSetup.TaxInformation.Country,
                        customerSetup.TaxInformation.TaxId);
                    throw new BadRequestException("billingTaxIdTypeInferenceError");
                }
                customerCreateOptions.TaxIdData =
                [
                    new() { Type = taxIdType, Value = customerSetup.TaxInformation.TaxId }
                ];
                if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
                {
                    customerCreateOptions.TaxIdData.Add(new CustomerTaxIdDataOptions
                    {
                        Type = StripeConstants.TaxIdType.EUVAT,
                        Value = $"ES{customerSetup.TaxInformation.TaxId}"
                    });
                }
            }
            var (paymentMethodType, paymentMethodToken) = customerSetup.TokenizedPaymentSource;
@ -420,7 +429,7 @@ public class OrganizationBillingService(
        var setNonUSBusinessUseToReverseCharge =
            featureService.IsEnabled(FeatureFlagKeys.PM21092_SetNonUSBusinessUseToReverseCharge);
-        if (setNonUSBusinessUseToReverseCharge)
+        if (setNonUSBusinessUseToReverseCharge && customer.HasBillingLocation())
        {
            subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
        }
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@ -648,6 +648,12 @@ public class SubscriberService(
            {
                await stripeAdapter.TaxIdCreateAsync(customer.Id,
                    new TaxIdCreateOptions { Type = taxIdType, Value = taxInformation.TaxId });
                if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
                {
                    await stripeAdapter.TaxIdCreateAsync(customer.Id,
                        new TaxIdCreateOptions { Type = StripeConstants.TaxIdType.EUVAT, Value = $"ES{taxInformation.TaxId}" });
                }
            }
            catch (StripeException e)
            {
--- a/src/Core/Billing/Tax/Commands/PreviewTaxAmountCommand.cs
+++ b/src/Core/Billing/Tax/Commands/PreviewTaxAmountCommand.cs
@ -80,6 +80,15 @@ public class PreviewTaxAmountCommand(
                    Value = taxInformation.TaxId
                }
            ];
            if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
            {
                options.CustomerDetails.TaxIds.Add(new InvoiceCustomerDetailsTaxIdOptions
                {
                    Type = StripeConstants.TaxIdType.EUVAT,
                    Value = $"ES{parameters.TaxInformation.TaxId}"
                });
            }
        }
        if (planType.GetProductTier() == ProductTierType.Families)
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -181,6 +181,8 @@ public static class FeatureFlagKeys
    public const string EnablePMFlightRecorder = "enable-pm-flight-recorder";
    public const string MobileErrorReporting = "mobile-error-reporting";
    public const string AndroidChromeAutofill = "android-chrome-autofill";
    public const string EnablePMPreloginSettings = "enable-pm-prelogin-settings";
    public const string AppIntents = "app-intents";
    /* Platform Team */
    public const string PersistPopupView = "persist-popup-view";
--- a/src/Core/Dirt/Reports/Entities/PasswordHealthReportApplication.cs
+++ b/src/Core/Dirt/Reports/Entities/PasswordHealthReportApplication.cs
@ -1,9 +1,9 @@
-using Bit.Core.Entities;
+#nullable enable
 using Bit.Core.Entities;
 using Bit.Core.Utilities;
-#nullable enable
+namespace Bit.Core.Dirt.Reports.Entities;
 namespace Bit.Core.Tools.Entities;
 public class PasswordHealthReportApplication : ITableObject<Guid>, IRevisable
 {
--- a/src/Core/Dirt/Reports/Models/Data/MemberAccessCipherDetails.cs
+++ b/src/Core/Dirt/Reports/Models/Data/MemberAccessCipherDetails.cs
@ -1,4 +1,4 @@
-namespace Bit.Core.Tools.Models.Data;
+namespace Bit.Core.Dirt.Reports.Models.Data;
 public class MemberAccessDetails
 {
@ -30,13 +30,13 @@ public class MemberAccessCipherDetails
    public bool UsesKeyConnector { get; set; }
    /// <summary>
-    /// The details for the member's collection access depending 
+    /// The details for the member's collection access depending
-    /// on the collections and groups they are assigned to 
+    /// on the collections and groups they are assigned to
    /// </summary>
    public IEnumerable<MemberAccessDetails> AccessDetails { get; set; }
    /// <summary>
-    /// A distinct list of the cipher ids associated with 
+    /// A distinct list of the cipher ids associated with
    /// the organization member
    /// </summary>
    public IEnumerable<string> CipherIds { get; set; }
--- a/src/Core/Dirt/Reports/ReportFeatures/AddPasswordHealthReportApplicationCommand.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/AddPasswordHealthReportApplicationCommand.cs
@ -1,11 +1,11 @@
-using Bit.Core.Exceptions;
+using Bit.Core.Dirt.Reports.Entities;
 using Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
 using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 using Bit.Core.Dirt.Reports.Repositories;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Tools.ReportFeatures.Interfaces;
 using Bit.Core.Tools.ReportFeatures.Requests;
 using Bit.Core.Tools.Repositories;
-namespace Bit.Core.Tools.ReportFeatures;
+namespace Bit.Core.Dirt.Reports.ReportFeatures;
 public class AddPasswordHealthReportApplicationCommand : IAddPasswordHealthReportApplicationCommand
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/DropPasswordHealthReportApplicationCommand.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/DropPasswordHealthReportApplicationCommand.cs
@ -1,9 +1,9 @@
-using Bit.Core.Exceptions;
+using Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
-using Bit.Core.Tools.ReportFeatures.Interfaces;
+using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
-using Bit.Core.Tools.ReportFeatures.Requests;
+using Bit.Core.Dirt.Reports.Repositories;
-using Bit.Core.Tools.Repositories;
+using Bit.Core.Exceptions;
-namespace Bit.Core.Tools.ReportFeatures;
+namespace Bit.Core.Dirt.Reports.ReportFeatures;
 public class DropPasswordHealthReportApplicationCommand : IDropPasswordHealthReportApplicationCommand
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/GetPasswordHealthReportApplicationQuery.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/GetPasswordHealthReportApplicationQuery.cs
@ -1,9 +1,9 @@
-using Bit.Core.Exceptions;
+using Bit.Core.Dirt.Reports.Entities;
-using Bit.Core.Tools.Entities;
+using Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
-using Bit.Core.Tools.ReportFeatures.Interfaces;
+using Bit.Core.Dirt.Reports.Repositories;
-using Bit.Core.Tools.Repositories;
+using Bit.Core.Exceptions;
-namespace Bit.Core.Tools.ReportFeatures;
+namespace Bit.Core.Dirt.Reports.ReportFeatures;
 public class GetPasswordHealthReportApplicationQuery : IGetPasswordHealthReportApplicationQuery
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IAddPasswordHealthReportApplicationCommand.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IAddPasswordHealthReportApplicationCommand.cs
@ -1,7 +1,7 @@
-using Bit.Core.Tools.Entities;
+using Bit.Core.Dirt.Reports.Entities;
-using Bit.Core.Tools.ReportFeatures.Requests;
+using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
-namespace Bit.Core.Tools.ReportFeatures.Interfaces;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
 public interface IAddPasswordHealthReportApplicationCommand
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IDropPasswordHealthReportApplicationCommand.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IDropPasswordHealthReportApplicationCommand.cs
@ -1,6 +1,6 @@
-using Bit.Core.Tools.ReportFeatures.Requests;
+using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
-namespace Bit.Core.Tools.ReportFeatures.Interfaces;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
 public interface IDropPasswordHealthReportApplicationCommand
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IGetPasswordHealthReportApplicationQuery.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Interfaces/IGetPasswordHealthReportApplicationQuery.cs
@ -1,6 +1,6 @@
-using Bit.Core.Tools.Entities;
+using Bit.Core.Dirt.Reports.Entities;
-namespace Bit.Core.Tools.ReportFeatures.Interfaces;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
 public interface IGetPasswordHealthReportApplicationQuery
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/MemberAccessCipherDetailsQuery.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/MemberAccessCipherDetailsQuery.cs
@ -2,21 +2,21 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Dirt.Reports.Models.Data;
 using Bit.Core.Dirt.Reports.ReportFeatures.OrganizationReportMembers.Interfaces;
 using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Tools.Models.Data;
 using Bit.Core.Tools.ReportFeatures.OrganizationReportMembers.Interfaces;
 using Bit.Core.Tools.ReportFeatures.Requests;
 using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Queries;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
-namespace Bit.Core.Tools.ReportFeatures;
+namespace Bit.Core.Dirt.Reports.ReportFeatures;
 public class MemberAccessCipherDetailsQuery : IMemberAccessCipherDetailsQuery
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/OrganizationReportMembers/Interfaces/IMemberAccessCipherDetailsQuery.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/OrganizationReportMembers/Interfaces/IMemberAccessCipherDetailsQuery.cs
@ -1,7 +1,7 @@
-using Bit.Core.Tools.Models.Data;
+using Bit.Core.Dirt.Reports.Models.Data;
-using Bit.Core.Tools.ReportFeatures.Requests;
+using Bit.Core.Dirt.Reports.ReportFeatures.Requests;
-namespace Bit.Core.Tools.ReportFeatures.OrganizationReportMembers.Interfaces;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.OrganizationReportMembers.Interfaces;
 public interface IMemberAccessCipherDetailsQuery
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/ReportingServiceCollectionExtensions.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/ReportingServiceCollectionExtensions.cs
@ -1,8 +1,8 @@
-using Bit.Core.Tools.ReportFeatures.Interfaces;
+using Bit.Core.Dirt.Reports.ReportFeatures.Interfaces;
-using Bit.Core.Tools.ReportFeatures.OrganizationReportMembers.Interfaces;
+using Bit.Core.Dirt.Reports.ReportFeatures.OrganizationReportMembers.Interfaces;
 using Microsoft.Extensions.DependencyInjection;
-namespace Bit.Core.Tools.ReportFeatures;
+namespace Bit.Core.Dirt.Reports.ReportFeatures;
 public static class ReportingServiceCollectionExtensions
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Requests/AddPasswordHealthReportApplicationRequest.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Requests/AddPasswordHealthReportApplicationRequest.cs
@ -1,4 +1,4 @@
-namespace Bit.Core.Tools.ReportFeatures.Requests;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 public class AddPasswordHealthReportApplicationRequest
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Requests/DropPasswordHealthReportApplicationRequest.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Requests/DropPasswordHealthReportApplicationRequest.cs
@ -1,4 +1,4 @@
-namespace Bit.Core.Tools.ReportFeatures.Requests;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 public class DropPasswordHealthReportApplicationRequest
 {
--- a/src/Core/Dirt/Reports/ReportFeatures/Requests/MemberAccessCipherDetailsRequest.cs
+++ b/src/Core/Dirt/Reports/ReportFeatures/Requests/MemberAccessCipherDetailsRequest.cs
@ -1,4 +1,4 @@
-namespace Bit.Core.Tools.ReportFeatures.Requests;
+namespace Bit.Core.Dirt.Reports.ReportFeatures.Requests;
 public class MemberAccessCipherDetailsRequest
 {
--- a/src/Core/Dirt/Reports/Repositories/IPasswordHealthReportApplicationRepository.cs
+++ b/src/Core/Dirt/Reports/Repositories/IPasswordHealthReportApplicationRepository.cs
@ -1,7 +1,7 @@
-using Bit.Core.Repositories;
+using Bit.Core.Dirt.Reports.Entities;
-using Bit.Core.Tools.Entities;
+using Bit.Core.Repositories;
-namespace Bit.Core.Tools.Repositories;
+namespace Bit.Core.Dirt.Reports.Repositories;
 public interface IPasswordHealthReportApplicationRepository : IRepository<PasswordHealthReportApplication, Guid>
 {
--- a/src/Core/Entities/Collection.cs
+++ b/src/Core/Entities/Collection.cs
@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Enums;
 using Bit.Core.Utilities;
 #nullable enable
@ -14,6 +15,8 @@ public class Collection : ITableObject<Guid>
    public string? ExternalId { get; set; }
    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
    public CollectionType Type { get; set; } = CollectionType.SharedCollection;
    public string? DefaultUserCollectionEmail { get; set; }
    public void SetNewId()
    {
--- a/src/Core/Enums/CollectionType.cs
+++ b/src/Core/Enums/CollectionType.cs
@ -0,0 +1,7 @@
 namespace Bit.Core.Enums;
 public enum CollectionType
 {
    SharedCollection = 0,
    DefaultUserCollection = 1,
 }
--- a/src/Core/Exceptions/BadRequestException.cs
+++ b/src/Core/Exceptions/BadRequestException.cs
@ -3,6 +3,8 @@ using Microsoft.AspNetCore.Mvc.ModelBinding;
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class BadRequestException : Exception
 {
    public BadRequestException() : base()
@ -41,5 +43,5 @@ public class BadRequestException : Exception
        }
    }
-    public ModelStateDictionary ModelState { get; set; }
+    public ModelStateDictionary? ModelState { get; set; }
 }
--- a/src/Core/Exceptions/ConflictException.cs
+++ b/src/Core/Exceptions/ConflictException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class ConflictException : Exception
 {
    public ConflictException() : base("Conflict.") { }
--- a/src/Core/Exceptions/DnsQueryException.cs
+++ b/src/Core/Exceptions/DnsQueryException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class DnsQueryException : Exception
 {
    public DnsQueryException(string message)
--- a/src/Core/Exceptions/DomainClaimedException.cs
+++ b/src/Core/Exceptions/DomainClaimedException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class DomainClaimedException : Exception
 {
    public DomainClaimedException()
--- a/src/Core/Exceptions/DomainVerifiedException.cs
+++ b/src/Core/Exceptions/DomainVerifiedException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class DomainVerifiedException : Exception
 {
    public DomainVerifiedException()
--- a/src/Core/Exceptions/DuplicateDomainException.cs
+++ b/src/Core/Exceptions/DuplicateDomainException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class DuplicateDomainException : Exception
 {
    public DuplicateDomainException()
--- a/src/Core/Exceptions/FeatureUnavailableException.cs
+++ b/src/Core/Exceptions/FeatureUnavailableException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 /// <summary>
 /// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
 /// </summary>
--- a/src/Core/Exceptions/GatewayException.cs
+++ b/src/Core/Exceptions/GatewayException.cs
@ -1,8 +1,10 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class GatewayException : Exception
 {
-    public GatewayException(string message, Exception innerException = null)
+    public GatewayException(string message, Exception? innerException = null)
        : base(message, innerException)
    { }
 }
--- a/src/Core/Exceptions/InvalidEmailException.cs
+++ b/src/Core/Exceptions/InvalidEmailException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class InvalidEmailException : Exception
 {
    public InvalidEmailException()
--- a/src/Core/Exceptions/InvalidGatewayCustomerIdException.cs
+++ b/src/Core/Exceptions/InvalidGatewayCustomerIdException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class InvalidGatewayCustomerIdException : Exception
 {
    public InvalidGatewayCustomerIdException()
--- a/src/Core/Exceptions/NotFoundException.cs
+++ b/src/Core/Exceptions/NotFoundException.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.Exceptions;
 #nullable enable
 public class NotFoundException : Exception
 {
    public NotFoundException() : base()
--- a/src/Core/HostedServices/ApplicationCacheHostedService.cs
+++ b/src/Core/HostedServices/ApplicationCacheHostedService.cs
@ -10,9 +10,11 @@ using Microsoft.Extensions.Logging;
 namespace Bit.Core.HostedServices;
 #nullable enable
 public class ApplicationCacheHostedService : IHostedService, IDisposable
 {
-    private readonly InMemoryServiceBusApplicationCacheService _applicationCacheService;
+    private readonly InMemoryServiceBusApplicationCacheService? _applicationCacheService;
    private readonly IOrganizationRepository _organizationRepository;
    protected readonly ILogger<ApplicationCacheHostedService> _logger;
    private readonly ServiceBusClient _serviceBusClient;
@ -20,8 +22,8 @@ public class ApplicationCacheHostedService : IHostedService, IDisposable
    private readonly ServiceBusAdministrationClient _serviceBusAdministrationClient;
    private readonly string _subName;
    private readonly string _topicName;
-    private CancellationTokenSource _cts;
+    private CancellationTokenSource? _cts;
-    private Task _executingTask;
+    private Task? _executingTask;
    public ApplicationCacheHostedService(
@ -67,13 +69,17 @@ public class ApplicationCacheHostedService : IHostedService, IDisposable
    {
        await _subscriptionReceiver.CloseAsync(cancellationToken);
        await _serviceBusClient.DisposeAsync();
-        _cts.Cancel();
+        _cts?.Cancel();
        try
        {
            await _serviceBusAdministrationClient.DeleteSubscriptionAsync(_topicName, _subName, cancellationToken);
        }
        catch { }
-        await _executingTask;
+
        if (_executingTask != null)
        {
            await _executingTask;
        }
    }
    public virtual void Dispose()
--- a/src/Core/HostedServices/IpRateLimitSeedStartupService.cs
+++ b/src/Core/HostedServices/IpRateLimitSeedStartupService.cs
@ -3,6 +3,8 @@ using Microsoft.Extensions.Hosting;
 namespace Bit.Core.HostedServices;
 #nullable enable
 /// <summary>
 /// A startup service that will seed the IP rate limiting stores with any values in the
 /// GlobalSettings configuration.
--- a/src/Core/Jobs/BaseJob.cs
+++ b/src/Core/Jobs/BaseJob.cs
@ -3,6 +3,8 @@ using Quartz;
 namespace Bit.Core.Jobs;
 #nullable enable
 public abstract class BaseJob : IJob
 {
    protected readonly ILogger _logger;
--- a/src/Core/Jobs/BaseJobsHostedService.cs
+++ b/src/Core/Jobs/BaseJobsHostedService.cs
@ -8,6 +8,8 @@ using Quartz.Impl.Matchers;
 namespace Bit.Core.Jobs;
 #nullable enable
 public abstract class BaseJobsHostedService : IHostedService, IDisposable
 {
    private const int MaximumJobRetries = 10;
@ -16,7 +18,7 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
    private readonly ILogger<JobListener> _listenerLogger;
    protected readonly ILogger _logger;
-    private IScheduler _scheduler;
+    private IScheduler? _scheduler;
    protected GlobalSettings _globalSettings;
    public BaseJobsHostedService(
@ -31,7 +33,7 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
        _globalSettings = globalSettings;
    }
-    public IEnumerable<Tuple<Type, ITrigger>> Jobs { get; protected set; }
+    public IEnumerable<Tuple<Type, ITrigger>>? Jobs { get; protected set; }
    public virtual async Task StartAsync(CancellationToken cancellationToken)
    {
@ -61,10 +63,19 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
        _scheduler.ListenerManager.AddJobListener(new JobListener(_listenerLogger),
            GroupMatcher<JobKey>.AnyGroup());
        await _scheduler.Start(cancellationToken);
        var jobKeys = new List<JobKey>();
        var triggerKeys = new List<TriggerKey>();
        if (Jobs != null)
        {
            foreach (var (job, trigger) in Jobs)
            {
                jobKeys.Add(JobBuilder.Create(job)
                    .WithIdentity(job.FullName!)
                    .Build().Key);
                triggerKeys.Add(trigger.Key);
                for (var retry = 0; retry < MaximumJobRetries; retry++)
                {
                    // There's a race condition when starting multiple containers simultaneously, retry until it succeeds..
@ -77,7 +88,7 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
                        }
                        var jobDetail = JobBuilder.Create(job)
-                            .WithIdentity(job.FullName)
+                            .WithIdentity(job.FullName!)
                            .Build();
                        var dupeJ = await _scheduler.GetJobDetail(jobDetail.Key);
@ -106,13 +117,6 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
        // Delete old Jobs and Triggers
        var existingJobKeys = await _scheduler.GetJobKeys(GroupMatcher<JobKey>.AnyGroup());
        var jobKeys = Jobs.Select(j =>
        {
            var job = j.Item1;
            return JobBuilder.Create(job)
                .WithIdentity(job.FullName)
                .Build().Key;
        });
        foreach (var key in existingJobKeys)
        {
@ -126,7 +130,6 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
        }
        var existingTriggerKeys = await _scheduler.GetTriggerKeys(GroupMatcher<TriggerKey>.AnyGroup());
        var triggerKeys = Jobs.Select(j => j.Item2.Key);
        foreach (var key in existingTriggerKeys)
        {
@ -142,7 +145,10 @@ public abstract class BaseJobsHostedService : IHostedService, IDisposable
    public virtual async Task StopAsync(CancellationToken cancellationToken)
    {
-        await _scheduler?.Shutdown(cancellationToken);
+        if (_scheduler is not null)
        {
            await _scheduler.Shutdown(cancellationToken);
        }
    }
    public virtual void Dispose()
--- a/src/Core/Jobs/JobFactory.cs
+++ b/src/Core/Jobs/JobFactory.cs
@ -4,6 +4,8 @@ using Quartz.Spi;
 namespace Bit.Core.Jobs;
 #nullable enable
 public class JobFactory : IJobFactory
 {
    private readonly IServiceProvider _container;
@ -16,7 +18,7 @@ public class JobFactory : IJobFactory
    public IJob NewJob(TriggerFiredBundle bundle, IScheduler scheduler)
    {
        var scope = _container.CreateScope();
-        return scope.ServiceProvider.GetService(bundle.JobDetail.JobType) as IJob;
+        return (scope.ServiceProvider.GetService(bundle.JobDetail.JobType) as IJob)!;
    }
    public void ReturnJob(IJob job)
--- a/src/Core/Jobs/JobListener.cs
+++ b/src/Core/Jobs/JobListener.cs
@ -3,6 +3,8 @@ using Quartz;
 namespace Bit.Core.Jobs;
 #nullable enable
 public class JobListener : IJobListener
 {
    private readonly ILogger<JobListener> _logger;
@ -28,7 +30,7 @@ public class JobListener : IJobListener
        return Task.FromResult(0);
    }
-    public Task JobWasExecuted(IJobExecutionContext context, JobExecutionException jobException,
+    public Task JobWasExecuted(IJobExecutionContext context, JobExecutionException? jobException,
        CancellationToken cancellationToken = default(CancellationToken))
    {
        _logger.LogInformation(Constants.BypassFiltersEventId, null, "Finished job {0} at {1}.",
--- a/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationSeatCounts.cs
+++ b/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationSeatCounts.cs
@ -0,0 +1,8 @@
 namespace Bit.Core.Models.Data.Organizations.OrganizationUsers;
 public class OrganizationSeatCounts
 {
    public int Users { get; set; }
    public int Sponsored { get; set; }
    public int Total => Users + Sponsored;
 }
--- a/src/Core/NotificationHub/INotificationHubClientProxy.cs
+++ b/src/Core/NotificationHub/INotificationHubClientProxy.cs
@ -2,6 +2,8 @@
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public interface INotificationHubProxy
 {
    Task<(INotificationHubClient Client, NotificationOutcome Outcome)[]> SendTemplateNotificationAsync(IDictionary<string, string> properties, string tagExpression);
--- a/src/Core/NotificationHub/INotificationHubPool.cs
+++ b/src/Core/NotificationHub/INotificationHubPool.cs
@ -2,6 +2,8 @@
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public interface INotificationHubPool
 {
    NotificationHubConnection ConnectionFor(Guid comb);
--- a/src/Core/NotificationHub/NotificationHubClientProxy.cs
+++ b/src/Core/NotificationHub/NotificationHubClientProxy.cs
@ -2,6 +2,8 @@
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public class NotificationHubClientProxy : INotificationHubProxy
 {
    private readonly IEnumerable<INotificationHubClient> _clients;
--- a/src/Core/NotificationHub/NotificationHubConnection.cs
+++ b/src/Core/NotificationHub/NotificationHubConnection.cs
@ -1,4 +1,5 @@
-using System.Security.Cryptography;
+using System.Diagnostics.CodeAnalysis;
 using System.Security.Cryptography;
 using System.Text;
 using System.Web;
 using Bit.Core.Settings;
@ -7,21 +8,23 @@ using Microsoft.Azure.NotificationHubs;
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public class NotificationHubConnection
 {
-    public string HubName { get; init; }
+    public string? HubName { get; init; }
-    public string ConnectionString { get; init; }
+    public string? ConnectionString { get; init; }
    private Lazy<NotificationHubConnectionStringBuilder> _parsedConnectionString;
    public Uri Endpoint => _parsedConnectionString.Value.Endpoint;
    private string SasKey => _parsedConnectionString.Value.SharedAccessKey;
    private string SasKeyName => _parsedConnectionString.Value.SharedAccessKeyName;
    public bool EnableSendTracing { get; init; }
-    private NotificationHubClient _hubClient;
+    private NotificationHubClient? _hubClient;
    /// <summary>
    /// Gets the NotificationHubClient for this connection.
-    /// 
+    ///
    /// If the client is null, it will be initialized.
-    /// 
+    ///
    /// <throws>Exception</throws> if the connection is invalid.
    /// </summary>
    public NotificationHubClient HubClient
@ -45,13 +48,13 @@ public class NotificationHubConnection
    }
    /// <summary>
    /// Gets the start date for registration.
-    /// 
+    ///
    /// If null, registration is always disabled.
    /// </summary>
    public DateTime? RegistrationStartDate { get; init; }
    /// <summary>
    /// Gets the end date for registration.
-    /// 
+    ///
    /// If null, registration has no end date.
    /// </summary>
    public DateTime? RegistrationEndDate { get; init; }
@ -155,9 +158,10 @@ public class NotificationHubConnection
        };
    }
    [MemberNotNull(nameof(_hubClient))]
    private NotificationHubConnection Init()
    {
-        HubClient = NotificationHubClient.CreateClientFromConnectionString(ConnectionString, HubName, EnableSendTracing);
+        _hubClient = NotificationHubClient.CreateClientFromConnectionString(ConnectionString, HubName, EnableSendTracing);
        return this;
    }
--- a/src/Core/NotificationHub/NotificationHubPool.cs
+++ b/src/Core/NotificationHub/NotificationHubPool.cs
@ -5,6 +5,8 @@ using Microsoft.Extensions.Logging;
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public class NotificationHubPool : INotificationHubPool
 {
    private List<NotificationHubConnection> _connections { get; }
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@ -19,6 +19,8 @@ using Notification = Bit.Core.NotificationCenter.Entities.Notification;
 namespace Bit.Core.NotificationHub;
 #nullable enable
 /// <summary>
 /// Sends mobile push notifications to the Azure Notification Hub.
 /// Used by Cloud-Hosted environments.
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@ -13,6 +13,8 @@ using Microsoft.Extensions.Logging;
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public class NotificationHubPushRegistrationService : IPushRegistrationService
 {
    private static readonly JsonSerializerOptions webPushSerializationOptions = new()
@ -37,7 +39,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
    }
    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
+        string? identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
    {
        var orgIds = organizationIds.ToList();
        var clientType = DeviceTypes.ToClientType(type);
@ -79,7 +81,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
    }
    private async Task CreateOrUpdateMobileRegistrationAsync(Installation installation, string userId,
-        string identifier, ClientType clientType, List<string> organizationIds, DeviceType type, Guid installationId)
+        string? identifier, ClientType clientType, List<string> organizationIds, DeviceType type, Guid installationId)
    {
        if (string.IsNullOrWhiteSpace(installation.PushChannel))
        {
@ -137,7 +139,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
    }
    private async Task CreateOrUpdateWebRegistrationAsync(string endpoint, string p256dh, string auth, Installation installation, string userId,
-        string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+        string? identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
    {
        // The Azure SDK is currently lacking support for web push registrations.
        // We need to use the REST API directly.
@ -187,7 +189,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
    }
    private static KeyValuePair<string, InstallationTemplate> BuildInstallationTemplate(string templateId, [StringSyntax(StringSyntaxAttribute.Json)] string templateBody,
-        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+        string userId, string? identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
    {
        var fullTemplateId = $"template:{templateId}";
--- a/src/Core/NotificationHub/PushRegistrationData.cs
+++ b/src/Core/NotificationHub/PushRegistrationData.cs
@ -1,5 +1,7 @@
 namespace Bit.Core.NotificationHub;
 #nullable enable
 public record struct WebPushRegistrationData
 {
    public string Endpoint { get; init; }
@ -9,9 +11,9 @@ public record struct WebPushRegistrationData
 public record class PushRegistrationData
 {
-    public string Token { get; set; }
+    public string? Token { get; set; }
    public WebPushRegistrationData? WebPush { get; set; }
-    public PushRegistrationData(string token)
+    public PushRegistrationData(string? token)
    {
        Token = token;
    }
--- a/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs
@ -16,7 +16,7 @@ public class CreateSponsorshipCommand(
    IOrganizationSponsorshipRepository organizationSponsorshipRepository,
    IUserService userService,
    IOrganizationService organizationService,
-    IOrganizationUserRepository organizationUserRepository) : ICreateSponsorshipCommand
+    IOrganizationRepository organizationRepository) : ICreateSponsorshipCommand
 {
    public async Task<OrganizationSponsorship> CreateSponsorshipAsync(
        Organization sponsoringOrganization,
@ -89,8 +89,8 @@ public class CreateSponsorshipCommand(
        if (isAdminInitiated && sponsoringOrganization.Seats.HasValue)
        {
-            var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(sponsoringOrganization.Id);
+            var seatCounts = await organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(sponsoringOrganization.Id);
-            var availableSeats = sponsoringOrganization.Seats.Value - occupiedSeats;
+            var availableSeats = sponsoringOrganization.Seats.Value - seatCounts.Total;
            if (availableSeats <= 0)
            {
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpgradeOrganizationPlanCommand.cs
@ -107,12 +107,20 @@ public class UpgradeOrganizationPlanCommand : IUpgradeOrganizationPlanCommand
                                                  (newPlan.PasswordManager.HasAdditionalSeatsOption ? upgrade.AdditionalSeats : 0));
        if (!organization.Seats.HasValue || organization.Seats.Value > updatedPasswordManagerSeats)
        {
-            var occupiedSeats =
+            var seatCounts =
-                await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+                await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-            if (occupiedSeats > updatedPasswordManagerSeats)
+            if (seatCounts.Total > updatedPasswordManagerSeats)
            {
-                throw new BadRequestException($"Your organization currently has {occupiedSeats} seats filled. " +
+                if (organization.UseAdminSponsoredFamilies || seatCounts.Sponsored > 0)
                {
                    throw new BadRequestException($"Your organization has {seatCounts.Users} members and {seatCounts.Sponsored} sponsored families. " +
                                                  $"To decrease the seat count below {seatCounts.Total}, you must remove members or sponsorships.");
                }
                else
                {
                    throw new BadRequestException($"Your organization currently has {seatCounts.Total} seats filled. " +
                                              $"Your new plan only has ({updatedPasswordManagerSeats}) seats. Remove some users.");
                }
            }
        }
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@ -842,7 +842,13 @@ public class StripePaymentService : IPaymentService
        try
        {
            await _stripeAdapter.TaxIdCreateAsync(customer.Id,
-                new TaxIdCreateOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber, });
+                new TaxIdCreateOptions { Type = taxInfo.TaxIdType, Value = taxInfo.TaxIdNumber });
            if (taxInfo.TaxIdType == StripeConstants.TaxIdType.SpanishNIF)
            {
                await _stripeAdapter.TaxIdCreateAsync(customer.Id,
                    new TaxIdCreateOptions { Type = StripeConstants.TaxIdType.EUVAT, Value = $"ES{taxInfo.TaxIdNumber}" });
            }
        }
        catch (StripeException e)
        {
@ -1000,6 +1006,15 @@ public class StripePaymentService : IPaymentService
                    Value = parameters.TaxInformation.TaxId
                }
            ];
            if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
            {
                options.CustomerDetails.TaxIds.Add(new InvoiceCustomerDetailsTaxIdOptions
                {
                    Type = StripeConstants.TaxIdType.EUVAT,
                    Value = $"ES{parameters.TaxInformation.TaxId}"
                });
            }
        }
        if (!string.IsNullOrWhiteSpace(gatewayCustomerId))
@ -1154,6 +1169,15 @@ public class StripePaymentService : IPaymentService
                    Value = parameters.TaxInformation.TaxId
                }
            ];
            if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
            {
                options.CustomerDetails.TaxIds.Add(new InvoiceCustomerDetailsTaxIdOptions
                {
                    Type = StripeConstants.TaxIdType.EUVAT,
                    Value = $"ES{parameters.TaxInformation.TaxId}"
                });
            }
        }
        Customer gatewayCustomer = null;
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -12,7 +12,6 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
@ -29,12 +28,9 @@ using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Repositories;
 using Fido2NetLib;
 using Fido2NetLib.Objects;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
@ -44,12 +40,11 @@ using JsonSerializer = System.Text.Json.JsonSerializer;
 namespace Bit.Core.Services;
-public class UserService : UserManager<User>, IUserService, IDisposable
+public class UserService : UserManager<User>, IUserService
 {
    private const string PremiumPlanId = "premium-annually";
    private readonly IUserRepository _userRepository;
    private readonly ICipherRepository _cipherRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationDomainRepository _organizationDomainRepository;
@ -65,17 +60,14 @@ public class UserService : UserManager<User>, IUserService, IDisposable
    private readonly IPaymentService _paymentService;
    private readonly IPolicyRepository _policyRepository;
    private readonly IPolicyService _policyService;
    private readonly IDataProtector _organizationServiceDataProtector;
    private readonly IFido2 _fido2;
    private readonly ICurrentContext _currentContext;
    private readonly IGlobalSettings _globalSettings;
    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
    private readonly IProviderUserRepository _providerUserRepository;
    private readonly IStripeSyncService _stripeSyncService;
    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
    private readonly IFeatureService _featureService;
    private readonly IPremiumUserBillingService _premiumUserBillingService;
    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
    private readonly IDistributedCache _distributedCache;
@ -83,7 +75,6 @@ public class UserService : UserManager<User>, IUserService, IDisposable
    public UserService(
        IUserRepository userRepository,
        ICipherRepository cipherRepository,
        IOrganizationUserRepository organizationUserRepository,
        IOrganizationRepository organizationRepository,
        IOrganizationDomainRepository organizationDomainRepository,
@ -101,7 +92,6 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        ILicensingService licenseService,
        IEventService eventService,
        IApplicationCacheService applicationCacheService,
        IDataProtectionProvider dataProtectionProvider,
        IPaymentService paymentService,
        IPolicyRepository policyRepository,
        IPolicyService policyService,
@ -111,10 +101,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        IAcceptOrgUserCommand acceptOrgUserCommand,
        IProviderUserRepository providerUserRepository,
        IStripeSyncService stripeSyncService,
        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
        IFeatureService featureService,
        IPremiumUserBillingService premiumUserBillingService,
        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
        IDistributedCache distributedCache,
@ -131,7 +119,6 @@ public class UserService : UserManager<User>, IUserService, IDisposable
              logger)
    {
        _userRepository = userRepository;
        _cipherRepository = cipherRepository;
        _organizationUserRepository = organizationUserRepository;
        _organizationRepository = organizationRepository;
        _organizationDomainRepository = organizationDomainRepository;
@ -147,18 +134,14 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        _paymentService = paymentService;
        _policyRepository = policyRepository;
        _policyService = policyService;
        _organizationServiceDataProtector = dataProtectionProvider.CreateProtector(
            "OrganizationServiceDataProtector");
        _fido2 = fido2;
        _currentContext = currentContext;
        _globalSettings = globalSettings;
        _acceptOrgUserCommand = acceptOrgUserCommand;
        _providerUserRepository = providerUserRepository;
        _stripeSyncService = stripeSyncService;
        _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
        _featureService = featureService;
        _premiumUserBillingService = premiumUserBillingService;
        _removeOrganizationUserCommand = removeOrganizationUserCommand;
        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
        _distributedCache = distributedCache;
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@ -821,11 +821,6 @@ public class CipherService : ICipherService
    private async Task<bool> UserCanDeleteAsync(CipherDetails cipher, Guid userId)
    {
        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
        {
            return await UserCanEditAsync(cipher, userId);
        }
        var user = await _userService.GetUserByIdAsync(userId);
        var organizationAbility = cipher.OrganizationId.HasValue ?
            await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value) : null;
@ -835,11 +830,6 @@ public class CipherService : ICipherService
    private async Task<bool> UserCanRestoreAsync(CipherDetails cipher, Guid userId)
    {
        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
        {
            return await UserCanEditAsync(cipher, userId);
        }
        var user = await _userService.GetUserByIdAsync(userId);
        var organizationAbility = cipher.OrganizationId.HasValue ?
            await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value) : null;
@ -1059,17 +1049,11 @@ public class CipherService : ICipherService
    }
    // This method is used to filter ciphers based on the user's permissions to delete them.
    // It supports both the old and new logic depending on the feature flag.
    private async Task<List<T>> FilterCiphersByDeletePermission<T>(
        IEnumerable<T> ciphers,
        HashSet<Guid> cipherIdsSet,
        Guid userId) where T : CipherDetails
    {
        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
        {
            return ciphers.Where(c => cipherIdsSet.Contains(c.Id) && c.Edit).ToList();
        }
        var user = await _userService.GetUserByIdAsync(userId);
        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Dapper;
@ -200,11 +201,23 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
    public async Task<ICollection<Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids)
    {
        await using var connection = new SqlConnection(ConnectionString);
        return (await connection.QueryAsync<Organization>(
            $"[{Schema}].[{Table}_ReadManyByIds]",
            new { OrganizationIds = ids.ToGuidIdArrayTVP() },
            commandType: CommandType.StoredProcedure))
            .ToList();
    }
    public async Task<OrganizationSeatCounts> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var result = await connection.QueryAsync<OrganizationSeatCounts>(
                "[dbo].[Organization_ReadOccupiedSeatCountByOrganizationId]",
                new { OrganizationId = organizationId },
                commandType: CommandType.StoredProcedure);
            return result.SingleOrDefault() ?? new OrganizationSeatCounts();
        }
    }
 }
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@ -88,19 +88,6 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
        }
    }
    public async Task<int> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var result = await connection.ExecuteScalarAsync<int>(
                "[dbo].[OrganizationUser_ReadOccupiedSeatCountByOrganizationId]",
                new { OrganizationId = organizationId },
                commandType: CommandType.StoredProcedure);
            return result;
        }
    }
    public async Task<int> GetOccupiedSmSeatCountByOrganizationIdAsync(Guid organizationId)
    {
        using (var connection = new SqlConnection(ConnectionString))
--- a/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
+++ b/src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs
@ -2,6 +2,7 @@
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Providers.Repositories;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Dirt.Reports.Repositories;
 using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
 using Bit.Core.Platform.Installations;
@ -12,6 +13,7 @@ using Bit.Core.Vault.Repositories;
 using Bit.Infrastructure.Dapper.AdminConsole.Repositories;
 using Bit.Infrastructure.Dapper.Auth.Repositories;
 using Bit.Infrastructure.Dapper.Billing.Repositories;
 using Bit.Infrastructure.Dapper.Dirt;
 using Bit.Infrastructure.Dapper.KeyManagement.Repositories;
 using Bit.Infrastructure.Dapper.NotificationCenter.Repositories;
 using Bit.Infrastructure.Dapper.Platform;
--- a/src/Infrastructure.Dapper/Dirt/PasswordHealthReportApplicationRepository.cs
+++ b/src/Infrastructure.Dapper/Dirt/PasswordHealthReportApplicationRepository.cs
@ -1,14 +1,14 @@
 using System.Data;
 using Bit.Core.Dirt.Reports.Entities;
 using Bit.Core.Dirt.Reports.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Repositories;
 using Bit.Infrastructure.Dapper.Repositories;
 using Dapper;
 using Microsoft.Data.SqlClient;
 using ToolsEntities = Bit.Core.Tools.Entities;
-namespace Bit.Infrastructure.Dapper.Tools.Repositories;
+namespace Bit.Infrastructure.Dapper.Dirt;
-public class PasswordHealthReportApplicationRepository : Repository<ToolsEntities.PasswordHealthReportApplication, Guid>, IPasswordHealthReportApplicationRepository
+public class PasswordHealthReportApplicationRepository : Repository<PasswordHealthReportApplication, Guid>, IPasswordHealthReportApplicationRepository
 {
    public PasswordHealthReportApplicationRepository(GlobalSettings globalSettings)
        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
@ -18,11 +18,11 @@ public class PasswordHealthReportApplicationRepository : Repository<ToolsEntitie
        : base(connectionString, readOnlyConnectionString)
    { }
-    public async Task<ICollection<ToolsEntities.PasswordHealthReportApplication>> GetByOrganizationIdAsync(Guid organizationId)
+    public async Task<ICollection<PasswordHealthReportApplication>> GetByOrganizationIdAsync(Guid organizationId)
    {
        using (var connection = new SqlConnection(ReadOnlyConnectionString))
        {
-            var results = await connection.QueryAsync<ToolsEntities.PasswordHealthReportApplication>(
+            var results = await connection.QueryAsync<PasswordHealthReportApplication>(
                $"[{Schema}].[PasswordHealthReportApplication_ReadByOrganizationId]",
                new { OrganizationId = organizationId },
                commandType: CommandType.StoredProcedure);
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@ -5,6 +5,7 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using LinqToDB.Tools;
 using Microsoft.EntityFrameworkCore;
@ -375,4 +376,28 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
    {
        throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");
    }
    public async Task<OrganizationSeatCounts> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
            var dbContext = GetDatabaseContext(scope);
            var users = await dbContext.OrganizationUsers
                .Where(ou => ou.OrganizationId == organizationId && ou.Status >= 0)
                .CountAsync();
            var sponsored = await dbContext.OrganizationSponsorships
                .Where(os => os.SponsoringOrganizationId == organizationId &&
                    os.IsAdminInitiated &&
                    (os.ToDelete == false || (os.ToDelete == true && os.ValidUntil != null && os.ValidUntil > DateTime.UtcNow)) &&
                    (os.SponsoredOrganizationId == null || (os.SponsoredOrganizationId != null && (os.ValidUntil == null || os.ValidUntil > DateTime.UtcNow))))
                .CountAsync();
            return new OrganizationSeatCounts
            {
                Users = users,
                Sponsored = sponsored
            };
        }
    }
 }
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@ -228,12 +228,6 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
        return await GetCountFromQuery(query);
    }
    public async Task<int> GetOccupiedSeatCountByOrganizationIdAsync(Guid organizationId)
    {
        var query = new OrganizationUserReadOccupiedSeatCountByOrganizationIdQuery(organizationId);
        return await GetCountFromQuery(query);
    }
    public async Task<int> GetCountByOrganizationIdAsync(Guid organizationId)
    {
        var query = new OrganizationUserReadCountByOrganizationIdQuery(organizationId);
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadOccupiedSeatCountByOrganizationIdQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadOccupiedSeatCountByOrganizationIdQuery.cs
@ -1,48 +0,0 @@
 using Bit.Core.Enums;
 using Bit.Infrastructure.EntityFramework.Models;
 namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
 public class OrganizationUserReadOccupiedSeatCountByOrganizationIdQuery : IQuery<OrganizationUser>
 {
    private readonly Guid _organizationId;
    public OrganizationUserReadOccupiedSeatCountByOrganizationIdQuery(Guid organizationId)
    {
        _organizationId = organizationId;
    }
    public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
    {
        var orgUsersQuery = from ou in dbContext.OrganizationUsers
                            where ou.OrganizationId == _organizationId && ou.Status >= OrganizationUserStatusType.Invited
                            select new OrganizationUser { Id = ou.Id, OrganizationId = ou.OrganizationId, Status = ou.Status };
        // As of https://bitwarden.atlassian.net/browse/PM-17772, a seat is also occupied by a Families for Enterprise sponsorship sent by an
        // organization admin, even if the user sent the invitation doesn't have a corresponding OrganizationUser in the Enterprise organization.
        var sponsorshipsQuery = from os in dbContext.OrganizationSponsorships
                                where os.SponsoringOrganizationId == _organizationId &&
                                      os.IsAdminInitiated &&
                                      (
                                          // Not marked for deletion - always count
                                          (!os.ToDelete) ||
                                          // Marked for deletion but has a valid until date in the future (RevokeWhenExpired status)
                                          (os.ToDelete && os.ValidUntil.HasValue && os.ValidUntil.Value > DateTime.UtcNow)
                                      ) &&
                                      (
                                          // SENT status: When SponsoredOrganizationId is null
                                          os.SponsoredOrganizationId == null ||
                                          // ACCEPTED status: When SponsoredOrganizationId is not null and ValidUntil is null or in the future
                                          (os.SponsoredOrganizationId != null &&
                                           (!os.ValidUntil.HasValue || os.ValidUntil.Value > DateTime.UtcNow))
                                      )
                                select new OrganizationUser
                                {
                                    Id = os.Id,
                                    OrganizationId = _organizationId,
                                    Status = OrganizationUserStatusType.Invited
                                };
        return orgUsersQuery.Concat(sponsorshipsQuery);
    }
 }
--- a/src/Infrastructure.EntityFramework/Tools/Configurations/PasswordHealthReportApplicationEntityTypeConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/Tools/Configurations/PasswordHealthReportApplicationEntityTypeConfiguration.cs
@ -1,8 +1,8 @@
-using Bit.Infrastructure.EntityFramework.Tools.Models;
+using Bit.Infrastructure.EntityFramework.Dirt.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Metadata.Builders;
-namespace Bit.Infrastructure.EntityFramework.Tools.Configurations;
+namespace Bit.Infrastructure.EntityFramework.Dirt.Configurations;
 public class PasswordHealthReportApplicationEntityTypeConfiguration : IEntityTypeConfiguration<PasswordHealthReportApplication>
 {
--- a/src/Infrastructure.EntityFramework/Tools/Models/PasswordHealthReportApplication.cs
+++ b/src/Infrastructure.EntityFramework/Tools/Models/PasswordHealthReportApplication.cs
@ -1,9 +1,9 @@
 using AutoMapper;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
-namespace Bit.Infrastructure.EntityFramework.Tools.Models;
+namespace Bit.Infrastructure.EntityFramework.Dirt.Models;
-public class PasswordHealthReportApplication : Core.Tools.Entities.PasswordHealthReportApplication
+public class PasswordHealthReportApplication : Core.Dirt.Reports.Entities.PasswordHealthReportApplication
 {
    public virtual Organization Organization { get; set; }
 }
@ -12,7 +12,7 @@ public class PasswordHealthReportApplicationProfile : Profile
 {
    public PasswordHealthReportApplicationProfile()
    {
-        CreateMap<Core.Tools.Entities.PasswordHealthReportApplication, PasswordHealthReportApplication>()
+        CreateMap<Core.Dirt.Reports.Entities.PasswordHealthReportApplication, PasswordHealthReportApplication>()
            .ReverseMap();
    }
 }
--- a/src/Infrastructure.EntityFramework/Tools/Repositories/PasswordHealthReportApplicationRepository.cs
+++ b/src/Infrastructure.EntityFramework/Tools/Repositories/PasswordHealthReportApplicationRepository.cs
@ -1,22 +1,21 @@
 using AutoMapper;
-using Bit.Core.Tools.Repositories;
+using Bit.Core.Dirt.Reports.Repositories;
 using Bit.Infrastructure.EntityFramework.Dirt.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.Tools.Models;
 using LinqToDB;
 using Microsoft.Extensions.DependencyInjection;
 using AdminConsoleEntities = Bit.Core.Tools.Entities;
-namespace Bit.Infrastructure.EntityFramework.Tools.Repositories;
+namespace Bit.Infrastructure.EntityFramework.Dirt.Repositories;
 public class PasswordHealthReportApplicationRepository :
-    Repository<AdminConsoleEntities.PasswordHealthReportApplication, PasswordHealthReportApplication, Guid>,
+    Repository<Core.Dirt.Reports.Entities.PasswordHealthReportApplication, PasswordHealthReportApplication, Guid>,
    IPasswordHealthReportApplicationRepository
 {
    public PasswordHealthReportApplicationRepository(IServiceScopeFactory serviceScopeFactory,
        IMapper mapper) : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.PasswordHealthReportApplications)
    { }
-    public async Task<ICollection<AdminConsoleEntities.PasswordHealthReportApplication>> GetByOrganizationIdAsync(Guid organizationId)
+    public async Task<ICollection<Core.Dirt.Reports.Entities.PasswordHealthReportApplication>> GetByOrganizationIdAsync(Guid organizationId)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
@ -24,7 +23,7 @@ public class PasswordHealthReportApplicationRepository :
            var results = await dbContext.PasswordHealthReportApplications
                .Where(p => p.OrganizationId == organizationId)
                .ToListAsync();
-            return Mapper.Map<ICollection<AdminConsoleEntities.PasswordHealthReportApplication>>(results);
+            return Mapper.Map<ICollection<Core.Dirt.Reports.Entities.PasswordHealthReportApplication>>(results);
        }
    }
 }
--- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
+++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
@ -2,6 +2,7 @@
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Providers.Repositories;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Dirt.Reports.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
@ -13,6 +14,7 @@ using Bit.Core.Vault.Repositories;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Repositories;
 using Bit.Infrastructure.EntityFramework.Billing.Repositories;
 using Bit.Infrastructure.EntityFramework.Dirt.Repositories;
 using Bit.Infrastructure.EntityFramework.KeyManagement.Repositories;
 using Bit.Infrastructure.EntityFramework.NotificationCenter.Repositories;
 using Bit.Infrastructure.EntityFramework.Platform;
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@ -4,11 +4,11 @@ using Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Billing.Models;
 using Bit.Infrastructure.EntityFramework.Converters;
 using Bit.Infrastructure.EntityFramework.Dirt.Models;
 using Bit.Infrastructure.EntityFramework.Models;
 using Bit.Infrastructure.EntityFramework.NotificationCenter.Models;
 using Bit.Infrastructure.EntityFramework.Platform;
 using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
 using Bit.Infrastructure.EntityFramework.Tools.Models;
 using Bit.Infrastructure.EntityFramework.Vault.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
--- a/src/SharedWeb/SharedWeb.csproj
+++ b/src/SharedWeb/SharedWeb.csproj
@ -7,7 +7,7 @@
  </ItemGroup>
  <ItemGroup>
-    <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="7.2.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="7.3.2" />
  </ItemGroup>
 </Project>
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -23,6 +23,7 @@ using Bit.Core.Auth.UserFeatures;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
 using Bit.Core.Billing.TrialInitiation;
 using Bit.Core.Dirt.Reports.ReportFeatures;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.HostedServices;
@ -43,7 +44,6 @@ using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 using Bit.Core.Tools.SendFeatures;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
--- a/Show More
+++ b/Show More