Follow-up changes

Author: quexten

.cargo/config.toml

@@ -6,7 +6,7 @@ rustflags = ["--cfg", "aes_armv8"]
 
 [target.wasm32-unknown-unknown]
 rustflags = ['--cfg', 'getrandom_backend="wasm_js"']
-runner = 'wasm-bindgen-test-runner'
+runner = 'cargo run -p wasm-bindgen-cli-runner --bin wasm-bindgen-test-runner'
 
 # Enable support for 16k pages on Android, JNA is using these same flags
 # https://android-developers.googleblog.com/2024/08/adding-16-kb-page-size-to-android.html

.claude/CLAUDE.md

@@ -1,61 +1,125 @@
 # Bitwarden Internal SDK
 
-Rust SDK centralizing business logic. You're reviewing code as a senior Rust engineer mentoring
-teammates.
+Cross-platform Rust SDK implementing Bitwarden's core business logic.
 
-## Client Pattern
+**Rust Edition:** The SDK targets the
+[2024](https://doc.rust-lang.org/nightly/edition-guide/rust-2024/index.html) edition of Rust.
 
-PasswordManagerClient ([bitwarden-pm](crates/bitwarden-pm/src/lib.rs)) wraps
-[bitwarden_core::Client](crates/bitwarden-core/src/client/client.rs) and exposes sub-clients:
-`auth()`, `vault()`, `crypto()`, `sends()`, `generators()`, `exporters()`.
+**Crate documentation**: Before working in any crate, read available documentation: `CLAUDE.md` for
+critical rules, `README.md` for architecture, `examples/` for usage patterns, and `tests/` for
+integration tests. **Before making changes or reviewing code, review relevant examples and tests for
+the specific functionality you're modifying.**
 
-**Lifecycle**
+## Architecture Overview
 
-- Init → Lock/Unlock → Logout (drops instance). Memento pattern for state resurrection.
+Monorepo crates organized in **four architectural layers**:
 
-**Storage**
+### 1. Foundation Layer
 
-- Consuming apps use `HashMap<UserId, PasswordManagerClient>`.
+- **bitwarden-crypto**: Cryptographic primitives and protocols, key store for securely working with
+  keys held in memory.
+- **bitwarden-state**: Type-safe Repository pattern for SDK state (client-managed vs SDK-managed)
+- **bitwarden-threading**: ThreadBoundRunner for !Send types in WASM/GUI contexts (uses PhantomData
+  marker)
+- **bitwarden-ipc**: Type-safe IPC framework with pluggable encryption/transport
+- **bitwarden-error**: Error handling across platforms (basic/flat/full modes via proc macro)
+- **bitwarden-encoding**, **bitwarden-uuid**: Encoding and UUID utilities
 
-## Issues necessitating comments
+### 2. Core Infrastructure
 
-**Auto-generated code changes**
+- **bitwarden-core**: Base Client struct extended by feature crates via extension traits. **DO NOT
+  add functionality here - use feature crates instead.**
+  - **bitwarden-api-api**, **bitwarden-api-identity**: Auto-generated API clients (**DO NOT edit -
+    regenerate from OpenAPI specs**)
 
-- Changes to `bitwarden-api-api/` or `bitwarden-api-identity/` are generally discouraged. These are
-  auto-generated from swagger specs.
+### 3. Feature Implementations
 
-**Secrets in logs/errors**
+- **bitwarden-pm**: PasswordManagerClient wrapping core Client, exposes sub-clients: `auth()`,
+  `vault()`, `crypto()`, `sends()`, `generators()`, `exporters()`
+  - Lifecycle: Init → Lock/Unlock → Logout (drops instance)
+  - Storage: Apps use `HashMap<UserId, PasswordManagerClient>`
+- **bitwarden-vault**: Vault item models, encryption/decryption and management
+- **bitwarden-collections**: Collection models, encryption/decryption and management
+- **bitwarden-auth**: Authentication (send access tokens)
+- **bitwarden-send**: Encrypted temporary secret sharing
+- **bitwarden-generators**: Password/passphrase generators
+- **bitwarden-ssh**: SSH key generation/import
+- **bitwarden-exporters**: Vault export/import with multiple formats
+- **bitwarden-fido**: FIDO2 two-factor authentication
 
-- Do not log keys, passwords, or vault data in logs or error paths. Redact sensitive data.
+### 4. Cross-Platform Bindings
 
-**Business logic in WASM**
+- **bitwarden-uniffi**: Mobile bindings (Swift/Kotlin) via UniFFI
+  - Structs: `#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]`
+  - Enums: `#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]`
+  - Include `uniffi::setup_scaffolding!()` in lib.rs
+- **bitwarden-wasm-internal**: WebAssembly bindings (**thin bindings only - no business logic**)
+  - Structs: `#[derive(Serialize, Deserialize)]` with
+    `#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]`
 
-- `bitwarden-wasm-internal` contains only thin bindings. Move business logic to feature crates.
+## Critical Patterns & Rules
 
-**Unsafe without justification**
+### Cryptography (bitwarden-crypto)
 
-- Any `unsafe` block needs a comment explaining why it's safe and what invariants are being upheld.
+- **DO NOT modify** without careful consideration - backward compatibility is critical
+- **KeyStoreContext**: Never hold across await points
+- Naming: `derive_` for deterministic key derivation, `make_` for non-deterministic generation
+- Use `bitwarden_crypto::safe` module first (password-protected key envelope, data envelope) instead
+  of more low-level primitives
+- IMPORTANT: Use constant time equality checks
+- Do not expose low-level / hazmat functions from the crypto crate.
+- Do not expose key material from the crypto crate, use key references in the key store instead
 
-**Changes to `bitwarden-crypto/` core functionality**
+### State Management (bitwarden-state)
 
-- Generally speaking, this crate should not be modified. Changes need a comment explaining why.
+- **Client-managed**: App and SDK share data pool (requires manual setup)
+- **SDK-managed**: SDK exclusively handles storage (migration-based, ordering is critical)
+- Register types with `register_repository_item!` macro
+- Type safety via TypeId-based type erasure with runtime downcast checks
 
-**New crypto algorithms or key derivation**
+### Threading (bitwarden-threading)
 
-- Detailed description, review and audit trail required. Document algorithm choice rationale and
-  test vectors.
+- Use ThreadBoundRunner for !Send types (WASM contexts, GUI handles, Rc<T>)
+- Pins state to thread via spawn_local, tasks via mpsc channel
+- PhantomData<\*const ()> for !Send marker (zero-cost)
 
-**Encryption/decryption modifications**
+### Error Handling (bitwarden-error-macro)
 
-- Verify backward compatibility. Existing encrypted data must remain decryptable.
+- Three modes: **basic** (string), **flat** (variant), **full** (structure)
+- Generates FlatError trait, WASM bindings, TypeScript interfaces, UniFFI errors
+- Conditional code generation via cfg! for WASM
 
-**Breaking serialization**
+### Security Requirements
 
-- Backward compatibility required. Users must decrypt vaults from older versions.
+- **Never log** keys, passwords, or vault data in logs or error paths
+- **Redact sensitive data** in all error messages
+- **Unsafe blocks** require comments explaining safety and invariants
+- **Encryption/decryption changes** must maintain backward compatibility (existing encrypted data
+  must remain decryptable)
+- **Breaking serialization** strongly discouraged - users must decrypt vaults from older versions
 
-**Breaking API changes**
+### API Changes
 
-- Document migration path for clients.
+- **Breaking changes**: Automated detection via cross-repo workflow (see commit 9574dcc1)
+- TypeScript compilation tested against `clients` repo on PR
+- Document migration path for clients
+
+## Development Workflow
+
+**Build & Test:**
+
+- `cargo check --all-features --all-targets` - Quick validation
+- `cargo test --workspace --all-features` - Full test suite
+
+**Format & Lint:**
+
+- `cargo +nightly fmt --workspace` - Code formatting
+- Use `cargo clippy` to lint code and catch common mistakes
+
+**WASM Testing:**
+
+- `cargo test --target wasm32-unknown-unknown --features wasm -p bitwarden-error -p bitwarden-threading -p bitwarden-uuid` -
+  WASM-specific tests
 
 ## References
 
@@ -66,3 +130,4 @@ PasswordManagerClient ([bitwarden-pm](crates/bitwarden-pm/src/lib.rs)) wraps
 - [Code Style](https://contributing.bitwarden.com/contributing/code-style/)
 - [Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/)
 - [Security Definitions](https://contributing.bitwarden.com/architecture/security/definitions)
+- [Rust 2024 Edition Guide](https://doc.rust-lang.org/edition-guide/rust-2024/)

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,6 +6,20 @@
 
 <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
 
+## 🚨 Breaking Changes
+
+<!-- Does this PR introduce any breaking changes? If so, please describe the impact and migration path for clients.
+
+If you're unsure, the automated TypeScript compatibility check will run when you open/update this PR and provide feedback.
+
+For breaking changes:
+1. Describe what changed in the client interface
+2. Explain why the change was necessary
+3. Provide migration steps for client developers
+4. Link to any paired client PRs if needed
+
+Otherwise, you can remove this section. -->
+
 ## ⏰ Reminders before review
 
 - Contributor guidelines followed

.github/renovate.json

@@ -15,12 +15,22 @@
     "go": "1.21"
   },
   "packageRules": [
+    {
+      "groupName": "rust",
+      "matchManagers": ["custom.regex", "dockerfile"],
+      "matchDepNames": ["rust"]
+    },
     {
       "matchManagers": ["cargo"],
       "matchUpdateTypes": ["minor", "patch"],
       "groupName": "pyo3 non-major",
       "matchPackageNames": ["/pyo3*/"]
     },
+    {
+      "matchManagers": ["cargo"],
+      "groupName": "wasm-bindgen group",
+      "matchPackageNames": ["/wasm-bindgen*/"]
+    },
     {
       "groupName": "dockerfile minor",
       "matchManagers": ["dockerfile"],

.github/workflows/build-android.yml

@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -54,7 +56,7 @@ jobs:
         run: cross build -p bitwarden-uniffi --release --target=${{ matrix.settings.target }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: android-${{ matrix.settings.target }}
           path: ./target/${{ matrix.settings.target }}/release/libbitwarden_uniffi.so
@@ -78,12 +80,14 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
+          persist-credentials: false
 
       - name: Checkout repo (Push or manual run)
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -102,7 +106,7 @@ jobs:
           java-version: 17
 
       - name: Download Artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 
       - name: Move artifacts
         working-directory: crates/bitwarden-uniffi/kotlin/sdk/src/main/jniLibs

.github/workflows/build-rust-crates.yml

@@ -38,6 +38,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -60,6 +62,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable

.github/workflows/build-swift.yml

@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get Package Version
         id: retrieve-version
@@ -38,6 +40,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -81,14 +85,14 @@ jobs:
           cp -rf crates/bitwarden-uniffi/swift/BitwardenFFI.xcframework artifacts
 
       - name: Upload BitwardenFFI.xcframework artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: BitwardenFFI-${{ env._VERSION }}-${{ steps.build.outputs.short-sha }}.xcframework
           path: artifacts
           if-no-files-found: error
 
       - name: Upload BitwardenSdk sources
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: BitwardenSdk-${{ env._VERSION }}-${{ steps.build.outputs.short-sha }}-sources
           path: crates/bitwarden-uniffi/swift/Sources/BitwardenSdk