* limit port to internal communications
* A few more internal-only ports
* fixup tests
disabled tests that are now failing with a race condition.
* Remove autofill team review requirement
(cherry picked from commit 57b8f18cdd)
(cherry picked from commit 551d80dfa0)
* expose local db file to extension
* fetch from local db as fallback; only fetch new data on changed checksum; fetch from cdn
* check for undefined chrome runtime (for easy Storybook mocking)
* update capital letters lint
* add audit api tests
* add bash script to fetch local db info and split it to meet FF size limits
* add readme
* Rename README.md to readme.md
* remove leftover file
* remove unused methods from audit service
* remove local db logic
* wip
* revert local db build changes
* add tests; sub to updates directly; refactor teardown logic
* fix eslint crashing
* remove temp premium override
* remove unused test
* update timer value
* run prettier
* refetch all domains on app version change
* fix log statement
* harden fetching
* filter empty domains
* fix type issue
* fix typo
* fix type error
* fix cleanup
(cherry picked from commit 7ac6a67835)
* add "All caught up!" state for application review card
- Display success state when all applications have been reviewed and no new applications need review
- Add iconColorClass input to activity-card component to support conditional icon colors (green checkmark for success state)
- Add i18n keys: allCaughtUp and noNewApplicationsToReviewAtThisTime
- Check if all apps have review dates via enrichedReportData$ to determine when to show the caught up state
* fix "Potential Race Condition with State Initialization" from claude issue and replace getter
* feat: shorten socket paths
* fix: No such file or directory error
* feat: remove tmp folder from path
* fix: No such file or directory autofill error
* feat: ban urls not using https
* feat: add exception for dev env
* feat: block fetching of insecure URLs
* feat: add exception for dev env
* feat: block notifications from using insecure URL
* fix: bug where submission was possible regardless of error
* feat: add exception for dev env
* fix: missing constructor param
* max init
* add mp4 and organize code better
* fix lint errors
* move empty state logic into risk insights component
* replace getter logic
* sub for org name
* checkForVaultItems fix
- need to use cipherservice instead of report results from data service
* fix all critical issues mentioned by claude bot
* resolve empty state logic bug and memory leaks
- Handle zero-results case in empty state logic
- Add takeUntil cleanup to _setupUserId subscription
- Guard console.warn with isDevMode() check
* use tuple arrays for benefits to prevent XSS risk
Replace pipe-separated strings with typed tuple arrays [string, string][]
for benefits data in empty state component. This eliminates potential XSS
risk from string splitting, provides compile-time type safety, and improves
performance by removing runtime string parsing on every change detection.
* fix(dirt): hide empty states during report generation and fix memory leak
Add isGeneratingReport$ to combineLatest, update empty state conditions
to check !isGenerating, simplify run report logic, and fix memory leak
in route.queryParams subscription.
Addresses Claude bot feedback on PR #16832
* refactor(dirt): use signals and OnPush in empty state card component
Convert @Input() to readonly input signals and add OnPush change
detection strategy. Update template to call signals as functions.
Fixes ESLint compliance issues.
* refactor(dirt): remove unused shouldShowRunReportState variable
The shouldShowRunReportState variable was calculated but never used.
The template already uses @else for the run report state, making this
variable redundant.
* refactor(dirt): consolidate duplicate if statements in empty state logic
Merge 5 separate if/else blocks checking shouldShowImportDataState into
single consolidated block. Move constant benefits assignment outside
conditional. Improves readability and reduces duplication.
* remove unnecessary getOrganizationName wrapper method
* remove duplicate runReport method
Remove runReport arrow function and use generateReport consistently.
Both methods called dataService.triggerReport(), but generateReport
includes an organizationId check for defensive programming.
* feat(dirt): add newApplications$ observable to orchestrator
Add reactive observable that filters applicationData for unreviewed apps
(reviewedDate === null). Observable automatically updates when report
state changes through the pipeline.
- Add newApplications$ observable with distinctUntilChanged
- Filters rawReportData$.data.applicationData
- Uses shareReplay for multi-subscriber efficiency
Related to PM-27284
* feat(dirt): add saveApplicationReviewStatus$ to orchestrator
Implement method to save application review status and critical flags.
Updates all applications where reviewedDate === null to set current date,
and marks selected applications as critical.
- Add saveApplicationReviewStatus$() method
- Add _updateReviewStatusAndCriticalFlags() helper
- Uses existing encryption and API update patterns
- Single API call for both review status and critical flags
- Follows same pattern as saveCriticalApplications$()
Related to PM-27284
* feat(dirt): expose newApplications$ in data service
Expose orchestrator's newApplications$ observable and save method
through RiskInsightsDataService facade. Maintains clean separation
between orchestrator (business logic) and components (UI).
- Expose newApplications$ observable
- Expose saveApplicationReviewStatus() delegation method
- Maintains facade pattern consistency
Related to PM-27284
* feat(dirt): make AllActivitiesService reactive to new applications
Update AllActivitiesService to subscribe to orchestrator's newApplications$
observable instead of receiving data through summary updates.
- Subscribe to dataService.newApplications$ in constructor
- Add setNewApplications() helper method
- Remove newApplications update from setAllAppsReportSummary()
- New applications now update reactively when review status changes
Related to PM-27284
* feat(dirt): connect dialog to review status save method
Update NewApplicationsDialogComponent to call the data service's
saveApplicationReviewStatus method when marking applications as critical.
- Inject RiskInsightsDataService
- Replace placeholder onMarkAsCritical() with real implementation
- Handle success/error cases with appropriate toast notifications
- Close dialog on successful save
- Show different messages based on whether apps were marked critical
Related to PM-27284
* feat(dirt): add i18n strings for application review
Add internationalization strings for the new applications review dialog
success and error messages.
- applicationReviewSaved: Success toast title
- applicationsMarkedAsCritical: Success message when apps marked critical
- newApplicationsReviewed: Success message when apps reviewed only
- errorSavingReviewStatus: Error toast title
- pleaseTryAgain: Error toast message
Related to PM-27284
* fix(dirt): add subscription cleanup to AllActivitiesService
Critical fix for production code quality and memory leak prevention.
Adds takeUntil pattern to all subscriptions to comply with ADR-0003
(Observable Data Services) requirements.
**Subscription Cleanup (ADR-0003 Compliance):**
- Add takeUntil pattern to AllActivitiesService subscriptions
- Add _destroy$ Subject and destroy() method
- Prevents memory leaks by properly unsubscribing from observables
- Follows Observable Data Services ADR requirements
Changes:
- Import Subject and takeUntil from rxjs
- Add private _destroy$ Subject for cleanup coordination
- Apply takeUntil(this._destroy$) to all 3 subscriptions:
- enrichedReportData$ subscription
- criticalReportResults$ subscription
- newApplications$ subscription
- Add destroy() method for proper resource cleanup
This ensures proper resource cleanup and follows Bitwarden's
architectural decision records for observable management.
Related to PM-27284
* fix(dirt): replace manual takeUntil with takeUntilDestroyed in AllActivitiesService
Fixes critical memory leak by replacing manual subscription cleanup
with Angular's automatic DestroyRef-based cleanup pattern.
**Changes:**
- Replace `takeUntil(this._destroy$)` with `takeUntilDestroyed()` for all 3 subscriptions
- Remove unused `_destroy$` Subject and manual `destroy()` method
- Update imports to use `@angular/core/rxjs-interop`
**Why:**
- Manual `destroy()` method was never called anywhere in codebase
- Subscriptions accumulated without cleanup, causing memory leaks
- `takeUntilDestroyed()` uses Angular's DestroyRef for automatic cleanup
- Aligns with ADR-0003 and .claude/CLAUDE.md requirements
**Impact:**
- Automatic subscription cleanup when service context is destroyed
- Prevents memory leaks during hot module reloads and route changes
- Reduces code complexity (no manual lifecycle management needed)
Related to PM-27284
* refactor(dirt): remove newApplications from OrganizationReportSummary
Removes redundant newApplications field from summary type and uses
derived newApplications$ observable from orchestrator instead.
**Changes:**
- Remove newApplications from OrganizationReportSummary type definition
- Remove dummy data array from RiskInsightsReportService.getApplicationsSummary()
- Remove newApplications subscription from AllActivitiesService
- Update AllActivityComponent to subscribe directly to dataService.newApplications$
**Why:**
- Eliminates data redundancy (stored vs derived)
- newApplications$ already computes from applicationData.reviewedDate === null
- Single source of truth: applicationData is the source
- Simplifies encrypted payload (less data in summary)
- Better separation: stored data (counts) vs computed data (lists)
**Impact:**
- No functional changes - UI continues to display new applications correctly
- Cleaner architecture with computed observable pattern
* cleanup
* fix(dirt): improve dialog type safety and error logging
Addresses critical PR review issues in NewApplicationsDialogComponent:
**Type Safety:**
- Replace unsafe type casting `(this as any).dialogRef` with proper DialogRef injection
- Inject DialogRef<boolean | undefined> using Angular's inject() function
- Ensures type safety and prevents runtime errors from missing dialogRef
**Error Handling:**
- Add LogService to dialog component
- Log errors with "[NewApplicationsDialog]" for debugging
- Maintain user-facing error toast while adding server-side logging
**Impact:**
- Eliminates TypeScript safety bypasses
- Improves production debugging capabilities
- Follows Angular dependency injection best practices
* fixing mock data and test cases for new apps
* refactor(dirt): remove newApplications validation from OrganizationReportSummary type guard
Removes redundant newApplications field validation from the
OrganizationReportSummary type guard and related test cases.
**Changes:**
- Remove "newApplications" from allowed keys in isOrganizationReportSummary()
- Remove newApplications array validation logic
- Remove newApplications validation from validateOrganizationReportSummary()
- Remove 2 test cases for newApplications validation
- Remove newApplications field from 8 test data objects
**Rationale:**
The newApplications field was removed from OrganizationReportSummary type
definition because it's derived data that can be calculated from
applicationData (filtering where reviewedDate === null). The data is now
accessed via the reactive newApplications$ observable instead of being
stored redundantly in the summary object.
**Impact:**
- No functional changes - UI continues to display new applications via observable
- Type guard now correctly validates the actual OrganizationReportSummary structure
- Eliminates data redundancy and maintains single source of truth
- All 43 tests passing
---------
Co-authored-by: Tom <ttalty@bitwarden.com>
When SSO is required:
- Make the SSO button primary
- Add a tooltip to the disabled buttons
When SSO is not required:
- SSO button remains secondary
- No tooltip on the buttons
Feature Flags enabled: pm-22110-disable-alternate-login-methods
* Resolve the dollar amount issue
* Resolve the non addition of storage amount
* Resolve the estimate tax amount
* Fix the improper tax calculation
* resolv ethe duplicate code
* Added changes to apply the discount only for acceptingSponsorship = true
* PM-22663 WIP on auth route constants
* PM-22663 - Convert desktop & extension to use constants - first pass
* PM-22663 - Further clean up
* PM-22663 - catch more missed routes
* PM-22663 - add barrel files
* PM-22663 - Per PR feedback, add missing as const
* PM-22663 - Per PR feedback and TS docs, use same name for const enum like and derived type. Adjusted filenames to be singular.
* PM-22663 - Per PR feedback update desktop app routing module since auto rename didn't update it for whatever reason.
* Session timeout policy
* default "custom" is 8 hours, validation fixes
* ownership update
* default max allowed timeout is not selected
* adjusting defaults, fixing backwards compatibility, skip type confirmation dialog when switching between the never and on system lock
* unit test coverage
* wording update, custom hours, minutes jumping on errors
* wording update
* wrong session timeout action dropdown label
* show dialog as valid when opened first time, use @for loop, use controls instead of get
* dialog static opener
* easier to understand type value listener
* unit tests
* explicit maximum allowed timeout required error
* eslint revert
