bitwarden
diff --git a/Diff for: ‎.env.example
+6 b/Diff for: ‎.env.example
+6
diff --git a/Diff for: ‎.github/PULL_REQUEST_TEMPLATE.md
+32-2 b/Diff for: ‎.github/PULL_REQUEST_TEMPLATE.md
+32-2
diff --git a/Diff for: ‎.github/renovate.json
+1-1 b/Diff for: ‎.github/renovate.json
+1-1
diff --git a/Diff for: ‎.github/workflows/build.yml
+3-9 b/Diff for: ‎.github/workflows/build.yml
+3-9
diff --git a/Diff for: ‎.github/workflows/lint.yml
+4-10 b/Diff for: ‎.github/workflows/lint.yml
+4-10
diff --git a/Diff for: ‎.github/workflows/scan.yml
+75 b/Diff for: ‎.github/workflows/scan.yml
+75
diff --git a/Diff for: ‎.gitignore
+4 b/Diff for: ‎.gitignore
+4
diff --git a/Diff for: ‎.nvmrc
+1-1 b/Diff for: ‎.nvmrc
+1-1
diff --git a/Diff for: ‎README.md
+18 b/Diff for: ‎README.md
+18
diff --git a/Diff for: ‎custom-words.txt
+10-1 b/Diff for: ‎custom-words.txt
+10-1
diff --git a/Diff for: ‎docs/architecture/adr/0012-angular-filename-convention.md
-7 b/Diff for: ‎docs/architecture/adr/0012-angular-filename-convention.md
-7
diff --git a/Diff for: ‎docs/architecture/adr/0018-feature-management.md
+5-4 b/Diff for: ‎docs/architecture/adr/0018-feature-management.md
+5-4
@@ -0,0 +1,6 @@
+HTTPS=true
+
+# Generate via ./scripts/generate-certs, or mkcert
+# (see: https://docusaurus.io/docs/cli#enabling-https)
+SSL_CRT_FILE=ssl.crt
+SSL_KEY_FILE=ssl.key
@@ -1,3 +1,33 @@
-## Objective
+## 🎟️ Tracking
 
-<!--Describe what the purpose of this PR is.-->
+<!-- Paste the link to the Jira or GitHub issue or otherwise describe / point to where this change is coming from. -->
+
+## 📔 Objective
+
+<!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
+
+## ⏰ Reminders before review
+
+- Contributor guidelines followed
+- All formatters and local linters executed and passed
+- Written new unit and / or integration tests where applicable
+- Protected functional changes with optionality (feature flags)
+- Used internationalization (i18n) for all UI strings
+- CI builds passed
+- Communicated to DevOps any deployment requirements
+- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
+  team
+
+## 🦮 Reviewer guidelines
+
+<!-- Suggested interactions but feel free to use (or not) as you desire! -->
+
+- 👍 (`:+1:`) or similar for great changes
+- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
+- ❓ (`:question:`) for questions
+- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed
+  issue and could potentially benefit from discussion
+- 🎨 (`:art:`) for suggestions / improvements
+- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
+- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
+- ⛏ (`:pick:`) for minor or nitpick changes
@@ -1,7 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["github>bitwarden/renovate-config"],
-  "enabledManagers": ["github-actions", "npm"],
+  "enabledManagers": ["github-actions", "npm", "nvm"],
   "packageRules": [
     {
       "groupName": "gh minor",
 
@@ -1,31 +1,25 @@
----
 name: Build
 
 on:
   push:
     paths-ignore:
       - ".github/workflows/**"
   workflow_dispatch:
-    inputs: {}
-
-defaults:
-  run:
-    shell: bash
 
 jobs:
   lint:
     name: Build
     runs-on: ubuntu-22.04
+
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
-          node-version: "18"
 
       - name: Build
         run: |
 
@@ -1,33 +1,27 @@
----
 name: Lint
 
 on:
   push:
     paths-ignore:
       - ".github/workflows/**"
   workflow_dispatch:
-    inputs: {}
-
-defaults:
-  run:
-    shell: bash
 
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-22.04
+
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
-          node-version: "18"
 
-      - name: Run linter and spellcheck
+      - name: Lint and spellcheck
         run: |
           npm ci
           npm run lint
 
@@ -0,0 +1,75 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@92b6d52097badece63efe997ffe75207010bb80c # 2.0.29
+        env:
+          INCREMENTAL:
+            "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }} -Dsonar.projectKey=${{
+            github.repository_owner }}_${{ github.event.repository.name }}
@@ -10,6 +10,10 @@
 
 # Misc
 .DS_Store
+*.crt
+*.key
+*.pem
+.env
 .env.local
 .env.development.local
 .env.test.local
 
@@ -1 +1 @@
-v18
+v20
@@ -20,6 +20,24 @@ npm start
 This command starts a local development server and opens up a browser window. Most changes are
 reflected live without having to restart the server.
 
+### SSL
+
+By default, `npm start` will attempt to start your local instance with SSL enabled using
+certificates referenced in your local dotfile (`.env`).
+
+- copy the provided `.env.example` to `.env` and update the values as needed
+- (requires [OpenSSL](https://www.openssl.org/)) Generate your self-signed certs with
+  `npm run setup:ssl` and follow the instructions.
+  - Alternatively use [mkcert](https://github.com/FiloSottile/mkcert) to
+    [generate and add certs to your trust store](https://docusaurus.io/docs/cli#enabling-https)
+- run `npm start`!
+
+If the script fails to find your `.env` or the required values within, docusaurus will start
+normally without SSL.
+
+If you need to explicitly develop without SSL, simply delete your `.env` file or use the command
+`npm start:insecure` instead.
+
 ## Build
 
 ```bash
 
@@ -2,13 +2,18 @@
 # it in a single (`) or multiline (```) code snippet instead, as they are automatically ignored
 # by the spellchecker. Please keep the list sorted alphabetically.
 
+AndroidX
 Bitwarden
+bitwardensecret
 bytemark
 clickjacking
 CODEOWNERS
 CQRS
+CTAP2
 dockerized
+F-Droid
 Gitter
+HKDF
 hotfix
 hotfixed
 hotfixes
@@ -21,6 +26,7 @@ jumpcloud
 keychain
 keypair
 keyserver
+Kubebuilder
 LDIF
 LLDB
 Mailcatcher
@@ -38,6 +44,7 @@ passcode
 passwordless
 pinentry
 PNSs
+precompiler
 proxied
 refactorings
 roadmap
@@ -54,6 +61,7 @@ signtool
 signup
 sprocs
 sqlcmd
+struct
 subprocessor
 toolset
 TOTP
@@ -62,4 +70,5 @@ Xcodes.app
 xmldoc
 Yellowpages
 Yubico
-YubiKey
+YubiKey
+YubiKeys
@@ -45,17 +45,10 @@ At Bitwarden we also use a couple of more types:
 - `.request` - Api Request
 - `.response` - Api Response
 - `.type` - Enum
-- `.service.abstraction` - Abstract class for a service, used for DI, not all services needs an
-  abstract class
 
 The class names are expected to use the suffix as part of their class name as well. I.e. a service
 implementation will be named `FolderService`, a request model will be named `FolderRequest`.
 
-In the event a service can't be fully implemented, an abstract class is created with the
-`Abstraction` suffix. This typically happens if the Angular and Node implementations have to differ
-for one reason or another. Traditionally interfaces would be used, but a TypeScript interface cannot
-be used to wire up dependency injection in JavaScript.
-
 ### Positive Consequences
 
 - Since most of our code is written in Angular, we should use the Angular coding style guide.
 
@@ -62,10 +62,11 @@ upon startup, login, when their local configuration is updated, and when sync ev
 
 Contexts will be established that communicate to the API using supported clients. Said contexts will
 be available within the service provider for specific targeting as desired. Contexts will be
-established for the user, organization, and service account, with unique IDs for the entity as a key
-and other details as needed. Context attributes when needed can be marked as private to avoid
-spillover to the service provider, and the provider will be added if needed to the [subprocessor
-list][subprocessors] with respective communication should PII be used.
+established for the user, organization, and machine account (previously known as service account),
+with unique IDs for the entity as a key and other details as needed. Context attributes when needed
+can be marked as private to avoid spillover to the service provider, and the provider will be added
+if needed to the [subprocessor list][subprocessors] with respective communication should PII be
+used.
 
 Compile-time configuration will be converted wherever possible to use the feature management service
 provider. SDK access to the service provider will be segmented by environment; some features may
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`	`3`	`"extends": ["github>bitwarden/renovate-config"],`
`4`		`- "enabledManagers": ["github-actions", "npm"],`
	`4`	`+ "enabledManagers": ["github-actions", "npm", "nvm"],`
`5`	`5`	`"packageRules": [`
`6`	`6`	`{`
`7`	`7`	`"groupName": "gh minor",`