Features
- "Immediate" auto-lock that locks when the last view closes
- carry Bitwarden URI match detection into subdomainMatch
- broadcast on local write so a change pushes immediately
- Phase 3 hardening (A2 doc, B3 DAL SSRF, B4 clock-skew)
- password-authority admission producer (iOS + Android)
- password-authority admission producer (extension)
- cross-language feature flags for the phase-1 -> phase-2 rollout
- password-derived admission signing key (Item A)
- admission gate (verify side) closes rogue-injection (Item A)
- sticky roster tombstones close the B1 re-add resurrection
- mirror sync status to the persistent host/background console
- reset sync state on new-vault creation
- activate roster signing on the extension (Item A #3b)
- sign this device's own roster entry at enrollment (Item A #3b, core)
- verify gossiped rosters before merge (Item A #3b, verify half)
- TOFU roster verification kernel (Item A #3a)
- Ed25519 device-key signer for roster mutations (Item A #2)
- roster-entry signing foundation; defer group-key rotation
- fail loud when an unverified caller supplies a browser clientDataHash (B2)
- verify native-app autofill domains via Digital Asset Links
Bug Fixes
- recovery-code Download saves via the native share sheet
- resolve Keychain access group from the signed entitlement (-34018)
- chunk the vault across Noise frames so large vaults sync
- clear all sync state on new-vault creation
- prune the mesh known-set on peer close so bounced peers reconnect
- mint a fresh device id on join so a revoked device can rejoin
- model multiple runtime.onMessage listeners in the bg harness
- render multi-candidate update-login prompt as markup, not text
- accept extension pages hosted in a tab (popout regression)
- sender-gate crypto/sync host and corner-update origin (A3, A4)
- enforce revocation on inbound frames and reap on gossip
- verify the privileged caller before signing a passkey clientDataHash
- only trust webDomain from a verified browser for autofill
- enforce device revocation on a live roster-sync session
- reject future-dated HLC stamps from remote peers (revocation integrity)
- scope autofill fill and corner prompt to the requesting frame
Refactors
- drop reducible
as unknown ascasts across TS (20 -> 5) - switch dispatch + drop wasm-view double casts
Documentation
- record the built revocation/admission state + this session's decisions
- add admin-authority (server-free) re-admit variant to revocation note
- mark B2 pending Android device testing; flag IronFox/Vanadium
- note the CRYPTO_* router path A3 gate found during implementation
- add sec-audit-7726 recheck+fix plan with execution risks
- design note for roster signing and group-key rotation
- add iOS App Store link
- tighten the cloud-like convenience bullet to match the others
- add cloud-storage-backups design note
- backups section and cloud-manager updates
Other
- chore(i18n): translate the 3 device-authorization strings (de/es/fr/it/pt-BR)
- test(sync): grow screenshot seed to 1100 items for large-vault repro
- chore(ios): bump marketing version to 1.1.0
- chore(scripts): per-platform mobile version bump (bump:ios / bump:android)
- style(sync): move signOwnEntry helper below the import block
- ci: name the job 'CI' so branch protection can require it
Full Changelog: 0.5.0-android...0.6.0-android