* Update type guards
* Add metric data types. Update places saving a risk insights report summary to save metrics
* Fix types and test error
* Fix critical report members
* Update test case for null username in type-guard
* Fix report application mapped data check
* max init
* add mp4 and organize code better
* fix lint errors
* move empty state logic into risk insights component
* replace getter logic
* sub for org name
* checkForVaultItems fix
- need to use cipherservice instead of report results from data service
* fix all critical issues mentioned by claude bot
* resolve empty state logic bug and memory leaks
- Handle zero-results case in empty state logic
- Add takeUntil cleanup to _setupUserId subscription
- Guard console.warn with isDevMode() check
* use tuple arrays for benefits to prevent XSS risk
Replace pipe-separated strings with typed tuple arrays [string, string][]
for benefits data in empty state component. This eliminates potential XSS
risk from string splitting, provides compile-time type safety, and improves
performance by removing runtime string parsing on every change detection.
* fix(dirt): hide empty states during report generation and fix memory leak
Add isGeneratingReport$ to combineLatest, update empty state conditions
to check !isGenerating, simplify run report logic, and fix memory leak
in route.queryParams subscription.
Addresses Claude bot feedback on PR #16832
* refactor(dirt): use signals and OnPush in empty state card component
Convert @Input() to readonly input signals and add OnPush change
detection strategy. Update template to call signals as functions.
Fixes ESLint compliance issues.
* refactor(dirt): remove unused shouldShowRunReportState variable
The shouldShowRunReportState variable was calculated but never used.
The template already uses @else for the run report state, making this
variable redundant.
* refactor(dirt): consolidate duplicate if statements in empty state logic
Merge 5 separate if/else blocks checking shouldShowImportDataState into
single consolidated block. Move constant benefits assignment outside
conditional. Improves readability and reduces duplication.
* remove unnecessary getOrganizationName wrapper method
* remove duplicate runReport method
Remove runReport arrow function and use generateReport consistently.
Both methods called dataService.triggerReport(), but generateReport
includes an organizationId check for defensive programming.
* feat(dirt): add newApplications$ observable to orchestrator
Add reactive observable that filters applicationData for unreviewed apps
(reviewedDate === null). Observable automatically updates when report
state changes through the pipeline.
- Add newApplications$ observable with distinctUntilChanged
- Filters rawReportData$.data.applicationData
- Uses shareReplay for multi-subscriber efficiency
Related to PM-27284
* feat(dirt): add saveApplicationReviewStatus$ to orchestrator
Implement method to save application review status and critical flags.
Updates all applications where reviewedDate === null to set current date,
and marks selected applications as critical.
- Add saveApplicationReviewStatus$() method
- Add _updateReviewStatusAndCriticalFlags() helper
- Uses existing encryption and API update patterns
- Single API call for both review status and critical flags
- Follows same pattern as saveCriticalApplications$()
Related to PM-27284
* feat(dirt): expose newApplications$ in data service
Expose orchestrator's newApplications$ observable and save method
through RiskInsightsDataService facade. Maintains clean separation
between orchestrator (business logic) and components (UI).
- Expose newApplications$ observable
- Expose saveApplicationReviewStatus() delegation method
- Maintains facade pattern consistency
Related to PM-27284
* feat(dirt): make AllActivitiesService reactive to new applications
Update AllActivitiesService to subscribe to orchestrator's newApplications$
observable instead of receiving data through summary updates.
- Subscribe to dataService.newApplications$ in constructor
- Add setNewApplications() helper method
- Remove newApplications update from setAllAppsReportSummary()
- New applications now update reactively when review status changes
Related to PM-27284
* feat(dirt): connect dialog to review status save method
Update NewApplicationsDialogComponent to call the data service's
saveApplicationReviewStatus method when marking applications as critical.
- Inject RiskInsightsDataService
- Replace placeholder onMarkAsCritical() with real implementation
- Handle success/error cases with appropriate toast notifications
- Close dialog on successful save
- Show different messages based on whether apps were marked critical
Related to PM-27284
* feat(dirt): add i18n strings for application review
Add internationalization strings for the new applications review dialog
success and error messages.
- applicationReviewSaved: Success toast title
- applicationsMarkedAsCritical: Success message when apps marked critical
- newApplicationsReviewed: Success message when apps reviewed only
- errorSavingReviewStatus: Error toast title
- pleaseTryAgain: Error toast message
Related to PM-27284
* fix(dirt): add subscription cleanup to AllActivitiesService
Critical fix for production code quality and memory leak prevention.
Adds takeUntil pattern to all subscriptions to comply with ADR-0003
(Observable Data Services) requirements.
**Subscription Cleanup (ADR-0003 Compliance):**
- Add takeUntil pattern to AllActivitiesService subscriptions
- Add _destroy$ Subject and destroy() method
- Prevents memory leaks by properly unsubscribing from observables
- Follows Observable Data Services ADR requirements
Changes:
- Import Subject and takeUntil from rxjs
- Add private _destroy$ Subject for cleanup coordination
- Apply takeUntil(this._destroy$) to all 3 subscriptions:
- enrichedReportData$ subscription
- criticalReportResults$ subscription
- newApplications$ subscription
- Add destroy() method for proper resource cleanup
This ensures proper resource cleanup and follows Bitwarden's
architectural decision records for observable management.
Related to PM-27284
* fix(dirt): replace manual takeUntil with takeUntilDestroyed in AllActivitiesService
Fixes critical memory leak by replacing manual subscription cleanup
with Angular's automatic DestroyRef-based cleanup pattern.
**Changes:**
- Replace `takeUntil(this._destroy$)` with `takeUntilDestroyed()` for all 3 subscriptions
- Remove unused `_destroy$` Subject and manual `destroy()` method
- Update imports to use `@angular/core/rxjs-interop`
**Why:**
- Manual `destroy()` method was never called anywhere in codebase
- Subscriptions accumulated without cleanup, causing memory leaks
- `takeUntilDestroyed()` uses Angular's DestroyRef for automatic cleanup
- Aligns with ADR-0003 and .claude/CLAUDE.md requirements
**Impact:**
- Automatic subscription cleanup when service context is destroyed
- Prevents memory leaks during hot module reloads and route changes
- Reduces code complexity (no manual lifecycle management needed)
Related to PM-27284
* refactor(dirt): remove newApplications from OrganizationReportSummary
Removes redundant newApplications field from summary type and uses
derived newApplications$ observable from orchestrator instead.
**Changes:**
- Remove newApplications from OrganizationReportSummary type definition
- Remove dummy data array from RiskInsightsReportService.getApplicationsSummary()
- Remove newApplications subscription from AllActivitiesService
- Update AllActivityComponent to subscribe directly to dataService.newApplications$
**Why:**
- Eliminates data redundancy (stored vs derived)
- newApplications$ already computes from applicationData.reviewedDate === null
- Single source of truth: applicationData is the source
- Simplifies encrypted payload (less data in summary)
- Better separation: stored data (counts) vs computed data (lists)
**Impact:**
- No functional changes - UI continues to display new applications correctly
- Cleaner architecture with computed observable pattern
* cleanup
* fix(dirt): improve dialog type safety and error logging
Addresses critical PR review issues in NewApplicationsDialogComponent:
**Type Safety:**
- Replace unsafe type casting `(this as any).dialogRef` with proper DialogRef injection
- Inject DialogRef<boolean | undefined> using Angular's inject() function
- Ensures type safety and prevents runtime errors from missing dialogRef
**Error Handling:**
- Add LogService to dialog component
- Log errors with "[NewApplicationsDialog]" for debugging
- Maintain user-facing error toast while adding server-side logging
**Impact:**
- Eliminates TypeScript safety bypasses
- Improves production debugging capabilities
- Follows Angular dependency injection best practices
* fixing mock data and test cases for new apps
* refactor(dirt): remove newApplications validation from OrganizationReportSummary type guard
Removes redundant newApplications field validation from the
OrganizationReportSummary type guard and related test cases.
**Changes:**
- Remove "newApplications" from allowed keys in isOrganizationReportSummary()
- Remove newApplications array validation logic
- Remove newApplications validation from validateOrganizationReportSummary()
- Remove 2 test cases for newApplications validation
- Remove newApplications field from 8 test data objects
**Rationale:**
The newApplications field was removed from OrganizationReportSummary type
definition because it's derived data that can be calculated from
applicationData (filtering where reviewedDate === null). The data is now
accessed via the reactive newApplications$ observable instead of being
stored redundantly in the summary object.
**Impact:**
- No functional changes - UI continues to display new applications via observable
- Type guard now correctly validates the actual OrganizationReportSummary structure
- Eliminates data redundancy and maintains single source of truth
- All 43 tests passing
---------
Co-authored-by: Tom <ttalty@bitwarden.com>
* Session timeout policy
* default "custom" is 8 hours, validation fixes
* ownership update
* default max allowed timeout is not selected
* adjusting defaults, fixing backwards compatibility, skip type confirmation dialog when switching between the never and on system lock
* unit test coverage
* wording update, custom hours, minutes jumping on errors
* wording update
* wrong session timeout action dropdown label
* show dialog as valid when opened first time, use @for loop, use controls instead of get
* dialog static opener
* easier to understand type value listener
* unit tests
* explicit maximum allowed timeout required error
* eslint revert
* new drawer functions for crit apps
* logic for triggering the drawer functions in components
* cleanup unused logic and rename "navigation" to "action"
- ... since the click is now triggering the drawer instead of navigating to another tab/page
* null check for reportData in drawer methods
* use criticalReportResults$ to avoid duplicating logic
* use criticalReportResults$ to avoid dupe logic
* remove unused code
* filter at risk passwords count to only critical apps
* PM-26929 assign tasks to those apps that are marked as critical
---------
Co-authored-by: voommen-livefront <voommen@livefront.com>
* created shared card directive
* WIP
* use base card in anon layout
* use bit-card for pricing card component
* add base card to integration cards
* add base card to reports cards
* add base card to integration card
* use card content on report card
* use base card directive on base component
* update dirt card to use bit-card
* run prettier. fix whitespace
* add missing imports to report list stories
* add base card story and docs
* feat: add commercial sdk as optional dependency
* feat: add alias to CLI
* feat: add alias to browser
* feat: add alias to web
* fix: revert optional - we cant omit optional dependencies or the builds break
* feat: remove commercial package from browser build
* feat: remove commercial package from cli build
* feat: remove commercial package from web build
* chore: add commercial sdk to renovate
* fix: windows cli workflow
* fix: accidental change
* feat: add lint for version string
* undo weird merge changes
* WIP: added new services, refactor members to use billing service and member action service
* replace dialog logic and user logic with service implementations
* WIP
* wip add tests
* add tests, continue refactoring
* clean up
* move BillingConstraintService to billing ownership
* fix import
* fix seat count not updating if feature flag is disabled
* refactor billingMetadata, clean up
* Move files to folders. Delete unused component. Move model to file
* Move risk insights services to folder structure capturing domains, api, and view organization. Move mock data
* Remove legacy risk insight report code
* Move api model to file
* Separate data service and orchestration of data to make the data service a facade
* Add orchestration updates for fetching applications as well as migrating data.
* Updated migration of critical applications and merged old saved data to new critical applications on report object
* Update test cases
* Fixed test case after merge. Cleaned up per comments on review
* Fixed decryption and encryption issue when not using existing content key
* Fix type errors
* Fix test update
* Fixe remove critical applications
* Fix report generating flag not being reset
* Removed extra logs
* Remove legacy provider files
* Removing index files to make file re-org easier
* Move manage-clients.component and associated API invocation to AC
* Move add-existing-organization-dialog.component to AC
* Move manage-client-name-dialog.component and associated API call to AC
* Move misc clients files to AC
* Move create-client-dialog.component and associated API call to AC
* Move manage-client-subscription-dialog.component to AC
* Update provider-layout.component
* Cleanup
* Fix linting
* [PM-27024] Fix password change progress card to track only critical apps and detect new at-risk passwords
- Filter at-risk password count to critical applications only
- Update state logic to transition back to assign tasks when new at-risk passwords detected
- Only create security tasks for critical applications with at-risk passwords
- Show 'X new passwords at-risk' message when tasks exist and new at-risk passwords appear
* spec
The Key Connector URL was getting overwritten back to the default URL on `submit()` because `valueChanges` gets triggered during `submit()`. This fix adds a check to make sure we only set the default URL when changing TO Key Connector from a different decryption option. In other words, don't overwrite back to the default URL during `submit()`.
Also removes the trailing slash `/` from the default URL.
* removing unused properties from org metadata
* removing further properties from the response and replacing them with data already available
* [PM-25379] new org metadata service for new endpoint
* don't need strict ignore
* forgot unit tests
* added cache busting to metadata service
not used yet - waiting for a decision on moving a portion of this to AC
On the SSO Config page, when Key Connector is a valid option, setup a listener to changes to the Member Decryption Options form radio selection:
- If radio selection is Key Connector: set a default URL
- If radio selection is NOT Key Connector: clear the URL
This commit restructures the webpack configs for each project (i.e. web, browser, desktop, cli) such that each project has a base config that is shared in a way that requires less hard-coding of info, and more like simply calling a function with a few properties.
* new messages.json keys
* button changes for dirt activity card
* dummy data
* newApplicationsCount and temp toast
* Added third dirt-activity-card component after the existing two cards
* added newApplications to setAllAppsReportSummary
* make button smaller
* cleanup/nice-to-haves
* remove comment
* simplify activity card icon logic to use nullable iconClass
* use buttonText presence to determine button display in activity card
* apps needing review card
- I think accidentally deleted when resolving merge conflicts
* buttonClick.observed && buttonText
* Add password trigger logic to report service. Also updated api to use classes that properly handle encstring with placeholders for upcoming usage
* Fix merged test case conflict
* Fix type errors and test cases. Make create data functions for report and summary
* Update Risk Insights Report Data Type
* Update encryption usage and test cases. Moved mock data
* Remove unused variable
* Move all-application constructor
* Update all applications and risk insights to look at fetched logic
* Fix name of variable. Fetch last report run
* Cleanup all and critical application tabs drawer dependencies
* Rename components from tool to dirt. Hook up all applications to use reportResult summary
* Critical application cleanup. Trigger refetch of report for enriching when critical applications change
* Fix type errors
* Rename loader from tools to dirt. Cleanup
* Add activity tab updates using data service
* Use safeProviders in access intelligence
* Fix refresh button not appearing. Change "refresh" to "run report"
* Remove multiple async calls for isRunningReport
* Fix report button not showing
* Add no report ran message
* Fix password change on critical applications
Upgrade to the latest supported typescript version in Angular.
Resolved TS errors by:
- adding `: any` which is what the compiler previously implied and now warns about.
- adding `toJSON` to satisfy requirement.
* Adding enums for additional event logs for secrets
* updating messages
* Updating messages to be consistent for logs
* Displaying project logs, and fixing search query param searching in projects list, having deleted log for secrets and projects not show as a link
* Viewing secret and project event logs in event modal, adding to the context menu for secrets and projects the ability to view the logs if user has permission. Restricting logs to SM projs and Secs if the logged in user has event log access but not SM access.
* lint
* Lint Fixes
* fix to messages file
* fixing lint
* Adding machine account event logs
* lint fix
* Update event.service.ts
* removing duplicate function issue from merge
* Update service-accounts-list.component.ts
* fixing message
* Fixes to QA bugs
* lint fix
* linter for messages is annoying
* lint
Makes some tweaks to the SSO config page:
- SSO Identifier: update hint text
- Single Sign-On Service URL: make required, remove hint text
- Client Secret: make hidden by default (add view/hide toggle)
* Use payment domain
* Fixing lint and test issue
* Fix organization plans tax issue
* PM-26297: Use existing billing address for tax calculation if it exists
* PM-26344: Check existing payment method on submit
* Add password trigger logic to report service. Also updated api to use classes that properly handle encstring with placeholders for upcoming usage
* Fix merged test case conflict
* Fix type errors and test cases. Make create data functions for report and summary
