The newApplications field was redundant in the summary type because it can be
calculated from applicationData (where reviewedDate === null). This commit:
1. **Removes newApplications from OrganizationReportSummary type**
   - No longer stored in encrypted summary
   - Reduces encryption overhead
2. **Removes all validation logic for newApplications**
   - Removed from type guards (isOrganizationReportSummary)
   - Removed from validation function (validateOrganizationReportSummary)
   - Removed from allowedKeys list
3. **Removes newApplications from summary calculation**
   - risk-insights-report.service.ts: Removed dummy data generation
   - all-activities.service.ts: Removed from initial state and setter
   - helpers/risk-insights-data-mappers.ts: Removed from createNewSummaryData()
4. **Creates newApplications$ observable in orchestrator**
   - Derives new applications from applicationData
   - Filters where reviewedDate === null
   - Uses distinctUntilChanged and shareReplay for efficiency
5. **Exposes newApplications$ through data service**
   - Added to RiskInsightsDataService
   - Wired up in constructor
6. **Updates component to use the observable**
   - all-activity.component.ts: Subscribe to dataService.newApplications$
   - Removes dependency on summary.newApplications
7. **Removes all newApplications tests**
   - Removed backward compatibility tests (no longer needed)
   - Removed validation tests for newApplications
   - Updated mock data to exclude newApplications
   - Removed from risk-insights-report.service.spec.ts
Benefits:
- Single source of truth (derived from applicationData)
- Eliminates redundant data storage
- Reduces encrypted payload size
- Cleaner architecture (computed vs stored data)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add explicit type annotations to newApplications: undefined in test cases
to resolve TS7018 errors. TypeScript cannot infer the type from undefined
alone, so we explicitly annotate it as 'string[] | undefined'.
Fixes:
- Line 279: Added 'as string[] | undefined' to newApplications property
- Line 716: Added 'as string[] | undefined' to newApplications property
This resolves the test suite compilation errors while maintaining the
backward compatibility test coverage for optional newApplications field.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update the comment for the newApplications field validation to accurately
reflect that the field IS in the type definition (as optional), but is
optional due to legacy encrypted data.
Changed from: "not in type definition"
Changed to: "legacy encrypted data predates this field"
This aligns with the explanation used elsewhere in the codebase and
accurately describes why the field must remain optional.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Handle the possibility of newApplications being undefined by using
nullish coalescing operators to provide safe defaults:
- Use empty array [] as fallback for newApplications
- Use 0 as fallback for newApplicationsCount
This fixes the type errors:
- TS2322: Type 'string[] | undefined' is not assignable to type 'string[]'
- TS18048: 'summary.newApplications' is possibly 'undefined'
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add test cases for the primary use case addressed by this PR: validating
OrganizationReportSummary objects without the newApplications field.
Tests added:
- isOrganizationReportSummary accepts objects without newApplications
- isOrganizationReportSummary accepts objects with undefined newApplications
- validateOrganizationReportSummary accepts objects without newApplications
- validateOrganizationReportSummary accepts objects with undefined newApplications
- Validation enforces empty string rejection when newApplications is present
- Validation enforces array length limits when newApplications is present
- Validation enforces string length limits when newApplications is present
This prevents regression where legacy encrypted data (which predates the
newApplications field) would fail to decrypt.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhance validateOrganizationReportSummary() to enforce the same strict
validation constraints as isOrganizationReportSummary():
- Non-empty string validation (prevent empty strings)
- Maximum string length checks (prevent excessively long strings)
- Array length limits (prevent DoS via large arrays)
This prevents potential denial-of-service vulnerabilities where malicious
data could pass validation with empty strings or unbounded array/string
lengths.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Make newApplications optional in OrganizationReportSummary type definition
to match the validation logic. This resolves the type safety violation where
compile-time type checking required the field but runtime validation treated
it as optional.
The field is optional because legacy encrypted data predates this field's
introduction, and making it required would break decryption of existing data.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The validation functions required the newApplications field to be present,
but this field is not in the type definition and old encrypted data doesn't
have it. This was causing decryption failures with the error:
"Invalid OrganizationReportSummary: missing or invalid fields: newApplications (string[])"
Changes:
- Updated isOrganizationReportSummary() to allow newApplications to be undefined
- Updated validateOrganizationReportSummary() to only validate newApplications if present
- Added comments explaining backward compatibility requirement
This provides backward compatibility with existing encrypted data while still
validating the field when it is present.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* PM-22663 WIP on auth route constants
* PM-22663 - Convert desktop & extension to use constants - first pass
* PM-22663 - Further clean up
* PM-22663 - catch more missed routes
* PM-22663 - add barrel files
* PM-22663 - Per PR feedback, add missing as const
* PM-22663 - Per PR feedback and TS docs, use same name for const enum like and derived type. Adjusted filenames to be singular.
* PM-22663 - Per PR feedback update desktop app routing module since auto rename didn't update it for whatever reason.
* Fix feature flag check for "pm-25855-chromium-importer-abe"
The old logic actually removed all chromium support when the flag was disabled. It should only remove those browsers if the flag is disabled and when on Windows.
* Extend tests
* Update comment
* Remove duplicate test
* Add test for when device cannot be detected and throws an error
* Add descriptive comment to feature flag test case assertions
* Better test assertion
---------
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
* Add tooltip to icon button to display label
* remove legacy cdr variable
* create overlay on focus or hover
* attach describedby ids
* fix type errors
* remove aria-describedby when not necessary
* fix failing tests
* implement Claude feedback
* fixing broken specs
* remove host attr binding
* Simplify directive aria logic
* Move id to static number
* do not render empty tooltip
* pass id to tooltip component
* remove pointer-events none to allow tooltip on normal buttons
* exclude some tooltip stories
* change describedby input name
* add story with tooltip on regular button
* enhanced tooltip docs
* set model directly
* change model to input
* Session timeout policy
* default "custom" is 8 hours, validation fixes
* ownership update
* default max allowed timeout is not selected
* adjusting defaults, fixing backwards compatibility, skip type confirmation dialog when switching between the never and on system lock
* unit test coverage
* wording update, custom hours, minutes jumping on errors
* wording update
* wrong session timeout action dropdown label
* show dialog as valid when opened first time, use @for loop, use controls instead of get
* dialog static opener
* easier to understand type value listener
* unit tests
* explicit maximum allowed timeout required error
* eslint revert
* ensure extension method can accept both `blob` type and `arrayBuffer` type
* replace usage of Swift's `url.absoluteString` with `url.path`
* explicitly discard promise returned by `downloadSafari()`
* confine `data` type to `string` since all code paths assign a `string` value
* new drawer functions for crit apps
* logic for triggering the drawer functions in components
* cleanup unused logic and rename "navigation" to "action"
- ... since the click is now triggering the drawer instead of navigating to another tab/page
* null check for reportData in drawer methods
* use criticalReportResults$ to avoid duplicating logic
* use criticalReportResults$ to avoid dupe logic
* remove unused code
* Add runtime type guards for decrypted JSON data
- Create risk-insights-type-guards.ts with validation functions
- Replace unsafe type assertions with runtime validation in encryption service
- Validate ApplicationHealthReportDetail, OrganizationReportSummary, and OrganizationReportApplication
- Add detailed error messages for validation failures
- Remove TODO comments for type guard implementation
Improves security by preventing malformed data from bypassing type safety and ensures data integrity for decrypted report structures.
* test file fix
* date validation
* add runtime type guards and validation failure tests
Issue 1: Missing Test Coverage for Type Guard Validation Failures
- Create comprehensive test suite with 17 tests covering all validation scenarios
- Test invalid structures, missing fields, wrong types, and edge cases
- Verify proper error messages and validation logic for all data types
Issue 2: Silent Failure on Validation Errors (Security Concern)
- Re-throw validation errors instead of silently returning empty/default data
- Add descriptive error messages indicating potential data corruption or tampering
- Ensure all validation failures are surfaced as security issues, not swallowed
Additional Fix: Date Validation Vulnerability
- Validate date strings before creating Date objects to prevent Invalid Date (NaN)
- Throw explicit errors for unparseable date strings
- Update error handling to catch and properly surface date validation failures
* add empty string validation and sanitize error messages
- Validate array elements are non-empty strings (atRiskCipherIds, cipherIds, newApplications)
- Sanitize validation error messages to prevent information disclosure
- Log detailed errors for debugging, re-throw generic messages
- Add tests for empty string validation and error message sanitization
* add comprehensive validation for scalar strings and numeric ranges
- Validate all scalar string fields are non-empty (applicationName, userName, email, cipherId, userGuid)
- Add numeric range validation (finite, non-negative) for all count fields
- Export type guard functions for testability and reusability
- Add 19 new tests covering edge cases (empty strings, NaN, Infinity, negative numbers)
* prevent prototype pollution and unexpected property injection in type guards
- Validate object prototype is Object.prototype (prevents __proto__ attacks)
- Check for dangerous own properties (constructor, prototype)
- Strict property enumeration - reject objects with unexpected properties
- Add comprehensive security tests (prototype pollution, unexpected props)
- Protects against data tampering and information leakage
* security: always sanitize error messages to prevent information disclosure
- Remove fragile pattern matching in error handlers
- Always throw generic error messages by default
- Log detailed errors for debugging, never expose to callers
- Future-proof against validation error message changes
- Prevents disclosure of internal data structure details
Applies to all decryption/validation methods in encryption service
* security: comprehensive hardening of type validation system
CRITICAL FIXES:
- Add __proto__ to prototype pollution checks (loop-based)
- Remove conditional error sanitization (always sanitize)
SECURITY ENHANCEMENTS:
- Add integer overflow protection (Number.isSafeInteger)
- Add DoS prevention (array/string length limits: 50K/1K)
- Strengthen all 4 type guards with 10-layer validation
LIMITS:
- Max string length: 1,000 characters
- Max array length: 50,000 elements
- Max safe integer: 2^53 - 1
DOCUMENTATION:
- Update code-review-methodology.md with patterns
- Update .cursorrules with security best practices
- Create comprehensive security audit document
All 57 tests passing. No linting errors.
Defense-in-depth complete - production ready.
* fix: consolidate security constants and add upper bound validation
CRITICAL FIXES:
- Consolidate MAX_STRING_LENGTH and MAX_ARRAY_LENGTH to file level (DRY)
- Add MAX_COUNT constant (10M) for upper bound validation
- Apply upper bound checks to all 12 count fields
BENEFITS:
- Single source of truth for security limits
- Prevents business logic issues from extreme values
- Easier maintenance and updates
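As an added illustration of the validation pattern the type-guard commits above describe (example code, not Bitwarden's own implementation): a plain-object check plus rejection of own `__proto__`/`constructor`/`prototype` keys, strict key allow-listing, bounded strings, arrays and counts using the page's stated limits, `newApplications` validated only when present, and a decode wrapper that logs details but throws only a generic message. The field names other than `newApplications`, the allow-list and the error text are assumptions.

```typescript
// Added example, not Bitwarden's own code. Limits are the page's stated values;
// the field list other than newApplications and the error text are assumptions.
const MAX_STRING_LENGTH = 1_000;
const MAX_ARRAY_LENGTH = 50_000;
const MAX_COUNT = 10_000_000; // upper bound for count fields
const DANGEROUS_KEYS = ["__proto__", "constructor", "prototype"];
const ALLOWED_KEYS = new Set(["totalMemberCount", "totalAtRiskMemberCount", "newApplications"]); // hypothetical
interface OrganizationReportSummary {
  totalMemberCount: number;
  totalAtRiskMemberCount: number;
  newApplications?: string[]; // optional: legacy encrypted data predates this field
}

// Counts must be safe, non-negative integers with an upper bound (rejects NaN, Infinity, 1e300).
function isSafeCount(v: unknown): v is number {
  return typeof v === "number" && Number.isSafeInteger(v) && v >= 0 && v <= MAX_COUNT;
}

// Strings must be non-empty and bounded so a single field cannot carry arbitrary bulk.
function isBoundedString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0 && v.length <= MAX_STRING_LENGTH;
}

function isOrganizationReportSummary(data: unknown): data is OrganizationReportSummary {
  if (typeof data !== "object" || data === null) return false;
  // Prototype-pollution checks: plain object only, no own __proto__/constructor/prototype
  // (JSON.parse stores "__proto__" as an ordinary own property, which hasOwnProperty catches).
  if (Object.getPrototypeOf(data) !== Object.prototype) return false;
  if (DANGEROUS_KEYS.some((k) => Object.prototype.hasOwnProperty.call(data, k))) return false;
  // Strict property enumeration: any key outside the allow-list fails validation.
  if (!Object.keys(data).every((k) => ALLOWED_KEYS.has(k))) return false;
  const o = data as Record<string, unknown>;
  if (!isSafeCount(o.totalMemberCount) || !isSafeCount(o.totalAtRiskMemberCount)) return false;
  // newApplications is validated only when present (backward compatibility with old payloads).
  const apps = o.newApplications;
  if (apps === undefined) return true;
  return Array.isArray(apps) && apps.length <= MAX_ARRAY_LENGTH && apps.every(isBoundedString);
}

// Decrypt-side wrapper: details go to the log, callers only ever see a generic message.
function decodeSummary(json: string, log: (msg: string) => void = () => {}): OrganizationReportSummary {
  let parsed: unknown = undefined;
  try { parsed = JSON.parse(json); } catch (e) { log(`summary JSON parse failed: ${String(e)}`); }
  if (!isOrganizationReportSummary(parsed)) {
    log(`summary validation failed (received ${typeof parsed})`);
    throw new Error("Invalid OrganizationReportSummary");
  }
  return parsed;
}
```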
* fix(billing): update and refactor observable logic
* tests(billing): add additional expects for dialog
* fix(billing): update for claude feedback
* tests(billing): update test conditions and comments
* add state definition for auto confirm
* typo
* refactor organization user service
* WIP create auto confirm service
* add POST method, finish implementation
* add missing userId param, jsdoc
* fix DI
* refactor organization user service
* WIP create auto confirm service
* add POST method, finish implementation
* add missing userId param, jsdoc
* clean up, more DI fixes
* remove @Injectable from service, fix tests
* remove from libs/common, fix dir structure, add tests
* filter at risk passwords count to only critical apps
* PM-26929 assign tasks to those apps that are marked as critical
---------
Co-authored-by: voommen-livefront <voommen@livefront.com>