Claude upgrade shenanigans

.claude/CLAUDE.md

@@ -1,203 +1,706 @@
-# Bitwarden Directory Connector
+# Bitwarden Directory Connector - Claude Code Configuration
 
-## Project Overview
+Sync users and groups from enterprise directory services (LDAP, Entra ID, Google Workspace, Okta, OneLogin) to Bitwarden organizations. Available as both a desktop GUI (Electron + Angular) and a CLI tool (`bwdc`).
 
-Directory Connector is a TypeScript application that synchronizes users and groups from directory services to Bitwarden organizations. It provides both a desktop GUI (built with Angular and Electron) and a CLI tool (bwdc).
+## Overview
 
-**Supported Directory Services:**
+### What This Project Does
 
-- LDAP (Lightweight Directory Access Protocol) - includes Active Directory and general LDAP servers
+- Connects to enterprise identity providers and retrieves user/group membership data
-- Microsoft Entra ID (formerly Azure Active Directory)
+- Syncs that data to Bitwarden organizations via the Directory Connector API
-- Google Workspace
+- Provides both a desktop GUI application (Electron) and a command-line interface (`bwdc`)
-- Okta
-- OneLogin
 
-**Technologies:**
+### Key Concepts
 
-- TypeScript
+- **Directory Service**: An identity provider (LDAP, Entra ID, GSuite, Okta, OneLogin) that stores users and groups
-- Angular (GUI)
+- **Sync**: The process of fetching entries from a directory and importing them to Bitwarden
-- Electron (Desktop wrapper)
+- **Delta Sync**: Incremental synchronization that only fetches changes since the last sync
-- Node
+- **Entry**: Base class for `UserEntry` and `GroupEntry` - the core data models
-- Jest for testing
+- **Force Sync**: Ignores delta tokens and fetches all entries fresh
+- **Test Mode**: Simulates sync without making API calls or updating state
 
-## Code Architecture & Structure
+---
 
-### Directory Organization
+## Architecture & Patterns
+
+### System Architecture
 
 ```
-src/
+                    User Request (GUI/CLI)
-├── abstractions/       # Interface definitions (e.g., IDirectoryService)
+                            ↓
-├── services/          # Business logic implementations for directory services, sync, auth
+            ┌───────────────────────────────────┐
-├── models/            # Data models (UserEntry, GroupEntry, etc.)
+            │          Entry Points             │
-├── commands/          # CLI command implementations
+            │   main.ts (GUI)  │  bwdc.ts (CLI) │
-├── app/               # Angular GUI components
+            └───────────────────────────────────┘
-└── utils/             # Test utilities and fixtures
+                            ↓
-
+            ┌───────────────────────────────────┐
-src-cli/               # CLI-specific code (imports common code from src/)
+            │           SyncService             │
-
+            │   Orchestrates the sync flow      │
-jslib/                 # Legacy folder structure (mix of deprecated/unused and current code - new code should not be added here)
+            └───────────────────────────────────┘
+                            ↓
+            ┌───────────────────────────────────┐
+            │      DirectoryFactoryService      │
+            │   Creates appropriate IDirectory  │
+            └───────────────────────────────────┘
+                            ↓
+    ┌─────────────────────────────────────────────────────┐
+    │              Directory Services                      │
+    │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────────┐ │
+    │ │  LDAP   │ │ EntraID │ │ GSuite  │ │ Okta/1Login │ │
+    │ └─────────┘ └─────────┘ └─────────┘ └─────────────┘ │
+    └─────────────────────────────────────────────────────┘
+                            ↓
+            ┌───────────────────────────────────┐
+            │        [GroupEntry[], UserEntry[]]│
+            └───────────────────────────────────┘
+                            ↓
+            ┌───────────────────────────────────┐
+            │       RequestBuilder (Batched)    │
+            │   SingleRequestBuilder (<2000)    │
+            │   BatchRequestBuilder  (>2000)    │
+            └───────────────────────────────────┘
+                            ↓
+            ┌───────────────────────────────────┐
+            │         Bitwarden API             │
+            │      POST /import endpoint        │
+            └───────────────────────────────────┘
 ```
 
-### Key Architectural Patterns
-
-1. **Abstractions = Interfaces**: All interfaces are defined in `/abstractions`
-2. **Services = Business Logic**: Implementations live in `/services`
-3. **Directory Service Pattern**: Each directory provider implements `IDirectoryService` interface
-4. **Separation of Concerns**: GUI (Angular app) and CLI (commands) share the same service layer
-
-## Development Conventions
-
 ### Code Organization
 
-**File Naming:**
+```
+src/
+├── abstractions/          # Interface definitions (IDirectoryService, etc.)
+├── app/                   # Angular GUI components
+│   ├── tabs/              # Tab-based navigation (Dashboard, Settings, More)
+│   └── services/          # Angular service providers
+├── commands/              # CLI command implementations
+├── enums/                 # TypeScript enums (DirectoryType, etc.)
+├── models/                # Data models (Entry, UserEntry, GroupEntry)
+├── services/              # Business logic implementations
+│   └── directory-services/  # One service per directory provider
+├── bwdc.ts                # CLI entry point
+├── main.ts                # Electron main process entry point
+└── program.ts             # CLI command routing (Commander.js)
 
-- kebab-case for files: `ldap-directory.service.ts`
+jslib/                     # Legacy shared libraries (do not add new code here)
-- Descriptive names that reflect purpose
+utils/                     # Integration test fixtures
+└── openldap/              # Docker configs, test data, certificates
+```
 
-**Class/Function Naming:**
+### Key Principles
 
-- PascalCase for classes and interfaces
+1. **Shared Service Layer**: GUI (Angular) and CLI share identical service implementations
-- camelCase for functions and variables
+2. **Factory Pattern**: `DirectoryFactoryService` instantiates the correct `IDirectoryService` based on `DirectoryType`
-- Descriptive names that indicate purpose
+3. **Secure Storage**: Credentials stored in system keychain via `KeytarSecureStorageService`
+4. **Delta Tracking**: Incremental sync via delta tokens to minimize API calls
 
-**File Structure:**
+### Core Patterns
 
-- Keep files focused on single responsibility
+#### Directory Service Pattern
-- Create new service files for distinct directory integrations
-- Separate models into individual files when complex
 
-### TypeScript Conventions
+**Purpose**: Abstract different identity providers behind a common interface
 
-**Import Patterns:**
+**Interface** (`src/abstractions/directory.service.ts`):
 
-- Use path aliases (`@/`) for project imports
+```typescript
-  - `@/` - project root
+export interface IDirectoryService {
-  - `@/jslib/` - jslib folder
+  getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]>;
-- ESLint enforces alphabetized import ordering with newlines between groups
+}
+```
 
-**Type Safety:**
+**Implementations** in `src/services/directory-services/`:
 
-- Avoid `any` types - use proper typing or `unknown` with type guards
+- `ldap-directory.service.ts` - LDAP/Active Directory
-- Prefer interfaces for contracts, types for unions/intersections
+- `entra-id-directory.service.ts` - Microsoft Entra ID (Azure AD)
-- Use strict null checks - handle `null` and `undefined` explicitly
+- `gsuite-directory.service.ts` - Google Workspace
-- Leverage TypeScript's type inference where appropriate
+- `okta-directory.service.ts` - Okta
+- `onelogin-directory.service.ts` - OneLogin
 
-**Configuration:**
+**Factory** (`src/services/directory-factory.service.ts`):
 
-- Use configuration files or environment variables
+```typescript
-- Never hardcode URLs or configuration values
+createService(type: DirectoryType): IDirectoryService
+```
 
-## Security Best Practices
+#### State Service Pattern
 
-**Credential Handling:**
+**Purpose**: Manage persistent state and credential storage
 
-- Never log directory service credentials, API keys, or tokens
+**Implementation** (`src/services/state.service.ts`):
-- Use secure storage mechanisms for sensitive data
-- Credentials should never be hardcoded
-- Store credentials encrypted, never in plain text
 
-**Sensitive Data:**
+- Configuration and sync settings stored in LowDB (JSON file)
+- Sensitive data (passwords, API keys) stored in system keychain
+- File locking via `proper-lockfile` to prevent concurrent access corruption
+- Platform-specific app data directories:
+  - macOS: `~/Library/Application Support/Bitwarden Directory Connector`
+  - Windows: `%APPDATA%/Bitwarden Directory Connector`
+  - Linux: `~/.config/Bitwarden Directory Connector` or `$XDG_CONFIG_HOME`
 
-- User and group data from directories should be handled securely
+---
-- Avoid exposing sensitive information in error messages
-- Sanitize data before logging
-- Be cautious with data persistence
 
-**Input Validation:**
+## Development Guide
 
-- Validate and sanitize data from external directory services
+### Adding a New Directory Service
-- Check for injection vulnerabilities (LDAP injection, etc.)
-- Validate configuration inputs from users
 
-**API Security:**
+**1. Create the enum value** (`src/enums/directoryType.ts`)
 
-- Ensure authentication flows are implemented correctly
+```typescript
-- Verify SSL/TLS is used for all external connections
+export enum DirectoryType {
-- Check for secure token storage and refresh mechanisms
+  Ldap = 0,
+  EntraID = 1,
+  GSuite = 2,
+  Okta = 3,
+  OneLogin = 4,
+  NewProvider = 5, // Add here
+}
+```
 
-## Error Handling
+**2. Create the configuration model** (`src/models/newProviderConfiguration.ts`)
 
-**Best Practices:**
+```typescript
+export class NewProviderConfiguration {
+  apiUrl: string;
+  apiToken: string;
+  // Provider-specific settings
+}
+```
 
-1. **Try-catch for async operations** - Always wrap external API calls
+**3. Implement the directory service** (`src/services/directory-services/newprovider-directory.service.ts`)
-2. **Meaningful error messages** - Provide context for debugging
-3. **Error propagation** - Don't swallow errors silently
-4. **User-facing errors** - Separate user messages from developer logs
 
-## Performance Best Practices
+```typescript
+import { IDirectoryService } from "@/src/abstractions/directory.service";
+import { GroupEntry } from "@/src/models/groupEntry";
+import { UserEntry } from "@/src/models/userEntry";
+import { BaseDirectoryService } from "./base-directory.service";
 
-**Large Dataset Handling:**
+export class NewProviderDirectoryService extends BaseDirectoryService implements IDirectoryService {
+  constructor(
+    private logService: LogService,
+    private i18nService: I18nService,
+    private stateService: StateService,
+  ) {
+    super();
+  }
 
-- Use pagination for large user/group lists
+  async getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
-- Avoid loading entire datasets into memory at once
+    const config = await this.stateService.getDirectory<NewProviderConfiguration>(
-- Consider streaming or batch processing for large operations
+      DirectoryType.NewProvider,
+    );
+    const syncConfig = await this.stateService.getSync();
 
-**API Rate Limiting:**
+    const groups: GroupEntry[] = [];
+    const users: UserEntry[] = [];
 
-- Respect rate limits for Microsoft Graph API, Google Admin SDK, etc.
+    // Fetch from provider API
-- Consider batching large API calls where necessary
+    // Apply filters using inherited filter methods
 
-**Memory Management:**
+    return [groups, users];
+  }
+}
+```
 
-- Close connections and clean up resources
+**4. Register in the factory** (`src/services/directory-factory.service.ts`)
-- Remove event listeners when components are destroyed
+
-- Be cautious with caching large datasets
+```typescript
+case DirectoryType.NewProvider:
+  return new NewProviderDirectoryService(
+    this.logService,
+    this.i18nService,
+    this.stateService
+  );
+```
+
+**5. Add state service support** (`src/services/state.service.ts`)
+
+```typescript
+// Add to secure storage keys if credentials involved
+// Add configuration getter/setter methods
+```
+
+**6. Write tests** (`src/services/directory-services/newprovider-directory.service.spec.ts`)
+
+### Common Patterns
+
+#### Error Handling with State Rollback
+
+```typescript
+async sync(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
+  // Store initial state for rollback
+  const startingUserDelta = await this.stateService.getUserDelta();
+  const startingGroupDelta = await this.stateService.getGroupDelta();
+
+  try {
+    // Perform sync operations
+    const [groups, users] = await this.directoryService.getEntries(force, test);
+    // ... process and submit
+    return [groups, users];
+  } catch (e) {
+    if (!test) {
+      // Rollback deltas on failure
+      await this.stateService.setUserDelta(startingUserDelta);
+      await this.stateService.setGroupDelta(startingGroupDelta);
+    }
+    this.messagingService.send("dirSyncCompleted", { successfully: false });
+    throw e;
+  }
+}
+```
+
+#### Filter Processing
+
+```typescript
+// In BaseDirectoryService
+protected buildIncludeSet(filter: string): Set<string> {
+  // Parse filter like "include:user1@example.com,user2@example.com"
+}
+
+protected buildExcludeSet(filter: string): Set<string> {
+  // Parse filter like "exclude:user1@example.com"
+}
+
+protected shouldIncludeUser(user: UserEntry, include: Set<string>, exclude: Set<string>): boolean {
+  if (exclude.has(user.email)) return false;
+  if (include.size === 0) return true;
+  return include.has(user.email);
+}
+```
+
+### Running the Desktop GUI (Development)
+
+```bash
+npm install
+npm run rebuild          # Rebuild native modules (keytar)
+npm run electron         # Run GUI with hot reload
+```
+
+### Running the CLI (Development)
+
+```bash
+npm install
+npm run build:cli:watch  # Build CLI with watch mode
+node ./build-cli/bwdc.js --help  # Run CLI commands
+```
+
+---
+
+## Data Models
+
+### Core Types
+
+```typescript
+// Base entry class (src/models/entry.ts)
+abstract class Entry {
+  referenceId: string; // Unique ID within the directory (e.g., DN for LDAP)
+  externalId: string; // ID used for Bitwarden import
+}
+
+// User entry (src/models/userEntry.ts)
+class UserEntry extends Entry {
+  email: string;
+  disabled: boolean;
+  deleted: boolean;
+}
+
+// Group entry (src/models/groupEntry.ts)
+class GroupEntry extends Entry {
+  name: string;
+  userMemberExternalIds: Set<string>; // External IDs of member users
+  groupMemberReferenceIds: Set<string>; // Reference IDs of nested groups
+  users: UserEntry[]; // Populated for display/simulation
+}
+```
+
+### Directory Type Enum
+
+```typescript
+// src/enums/directoryType.ts
+enum DirectoryType {
+  Ldap = 0,
+  EntraID = 1,
+  GSuite = 2,
+  Okta = 3,
+  OneLogin = 4,
+}
+```
+
+### Configuration Models
+
+Each directory provider has a configuration class in `src/models/`:
+
+- `LdapConfiguration` - hostname, port, SSL/TLS, bind credentials, auth mode
+- `EntraIdConfiguration` - tenant, client ID, secret key
+- `GSuiteConfiguration` - domain, admin user, client email, private key
+- `OktaConfiguration` - organization URL, API token
+- `OneLoginConfiguration` - client ID, client secret, region
+
+### Sync Configuration
+
+```typescript
+// src/models/syncConfiguration.ts
+interface SyncConfiguration {
+  users: boolean; // Sync users
+  groups: boolean; // Sync groups
+  interval: number; // Minutes between syncs (minimum 5)
+  userFilter: string; // Include/exclude filter
+  groupFilter: string; // Include/exclude filter
+  removeDisabled: boolean; // Remove disabled users from org
+  overwriteExisting: boolean; // Overwrite existing entries
+  largeImport: boolean; // Enable for >2000 entries
+  // LDAP-specific
+  groupObjectClass: string;
+  userObjectClass: string;
+  groupPath: string;
+  userPath: string;
+  // ... additional LDAP attributes
+}
+```
+
+---
+
+## Security & Configuration
+
+### Security Rules
+
+**MANDATORY - These rules have no exceptions:**
+
+1. **Never log credentials**: API keys, passwords, tokens, and secrets must never appear in logs
+2. **Never hardcode secrets**: All URLs, credentials, and sensitive data must come from configuration
+3. **Use KeytarSecureStorageService**: All credentials must be stored in the system keychain
+4. **Validate external data**: Sanitize all data received from directory services
+5. **LDAP injection prevention**: Be cautious with user-provided LDAP filters
+
+### Secure Storage Keys
+
+The following are stored in the system keychain (not plain JSON):
+
+- `ldapPassword` - LDAP bind password
+- `gsuitePrivateKey` - Google Workspace private key
+- `entraKey` - Microsoft Entra ID client secret
+- `oktaToken` - Okta API token
+- `oneLoginClientSecret` - OneLogin client secret
+- User/group delta tokens
+- Sync hashes
+
+### Environment Variables
+
+| Variable                                   | Required | Description                              | Example              |
+| ------------------------------------------ | -------- | ---------------------------------------- | -------------------- |
+| `BITWARDENCLI_CONNECTOR_APPDATA_DIR`       | No       | CLI app data directory override          | `/custom/path`       |
+| `BITWARDEN_CONNECTOR_APPDATA_DIR`          | No       | GUI app data directory override          | `/custom/path`       |
+| `BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS` | No       | Store secrets in plain text (debug only) | `true`               |
+| `BITWARDENCLI_CONNECTOR_DEBUG`             | No       | Enable debug logging                     | `true`               |
+| `BW_CLIENTID`                              | No       | CLI login client ID                      | `organization.xxxxx` |
+| `BW_CLIENTSECRET`                          | No       | CLI login client secret                  | `xxxxx`              |
+| `BW_NOINTERACTION`                         | No       | Disable interactive prompts              | `true`               |
+| `BW_PRETTY`                                | No       | Pretty-print JSON output                 | `true`               |
+| `BW_RAW`                                   | No       | Raw output (no formatting)               | `true`               |
+| `BW_RESPONSE`                              | No       | JSON response format                     | `true`               |
+| `BW_QUIET`                                 | No       | Suppress stdout                          | `true`               |
+
+### Authentication & Authorization
+
+- **API Token Authentication**: Uses organization `clientId` + `clientSecret`
+- **Token Storage**: Access tokens and refresh tokens stored securely via Keytar
+- **Token Refresh**: Automatic refresh when access token expires
+- **Auth Service**: `src/services/auth.service.ts` handles the authentication flow
+
+---
 
 ## Testing
 
-**Framework:**
+### Test Structure
 
-- Jest with jest-preset-angular
+```
-- jest-mock-extended for type-safe mocks with `mock<Type>()`
+src/
+├── services/
+│   ├── sync.service.spec.ts              # Unit tests (colocated)
+│   ├── sync.service.integration.spec.ts  # Integration tests
+│   └── directory-services/
+│       ├── ldap-directory.service.spec.ts
+│       └── ldap-directory.service.integration.spec.ts
+utils/
+└── openldap/
+    ├── config-fixtures.ts    # Test configuration helpers
+    ├── user-fixtures.ts      # Expected user data
+    ├── group-fixtures.ts     # Expected group data
+    ├── certs/                # TLS certificates
+    └── docker-compose.yml    # LDAP container config
+```
 
-**Test Organization:**
+### Writing Tests
 
-- Tests colocated with source files
+**Unit Test Template**:
-- `*.spec.ts` - Unit tests for individual components/services
-- `*.integration.spec.ts` - Integration tests against live directory services
-- Test helpers located in `utils/` directory
 
-**Test Naming:**
+```typescript
+import { mock, MockProxy } from "jest-mock-extended";
 
-- Descriptive, human-readable test names
+describe("ServiceName", () => {
-- Example: `'should return empty array when no users exist in directory'`
+  let logService: MockProxy<LogService>;
+  let stateService: MockProxy<StateService>;
+  let service: ServiceUnderTest;
 
-**Test Coverage:**
+  beforeEach(() => {
+    logService = mock();
+    stateService = mock();
+    service = new ServiceUnderTest(logService, stateService);
+  });
 
-- New features must include tests
+  it("should do something", async () => {
-- Bug fixes should include regression tests
+    // Arrange
-- Changes to core sync logic or directory specific logic require integration tests
+    stateService.getSomeValue.mockResolvedValue(expectedValue);
 
-**Testing Approach:**
+    // Act
+    const result = await service.doSomething();
 
-- **Unit tests**: Mock external API calls using jest-mock-extended
+    // Assert
-- **Integration tests**: Use live directory services (Docker containers or configured cloud services)
+    expect(result).toEqual(expectedResult);
-- Focus on critical paths (authentication, sync, data transformation)
+  });
-- Test error scenarios and edge cases (empty results, malformed data, connection failures), not just happy paths
+});
+```
 
-## Directory Service Patterns
+**Integration Test Template** (see `ldap-directory.service.integration.spec.ts`):
 
-### IDirectoryService Interface
+```typescript
+// Requires Docker containers running
+// npm run test:integration:setup
 
-All directory services implement this core interface with methods:
+describe("ldapDirectoryService", () => {
+  let stateService: MockProxy<StateService>;
+  let directoryService: LdapDirectoryService;
 
-- `getUsers()` - Retrieve users from directory and transform them into standard objects
+  beforeEach(() => {
-- `getGroups()` - Retrieve groups from directory and transform them into standard objects
+    stateService = mock();
-- Connection and authentication handling
+    stateService.getDirectoryType.mockResolvedValue(DirectoryType.Ldap);
+    stateService.getDirectory
+      .calledWith(DirectoryType.Ldap)
+      .mockResolvedValue(getLdapConfiguration());
+  });
 
-### Service-Specific Implementations
+  it("syncs users and groups", async () => {
+    const result = await directoryService.getEntries(true, true);
+    expect(result).toEqual([groupFixtures, userFixtures]);
+  });
+});
+```
 
-Each directory service has unique authentication and query patterns:
+### Running Tests
 
-- **LDAP**: Direct LDAP queries, bind authentication
+```bash
-- **Microsoft Entra ID**: Microsoft Graph API, OAuth tokens
+npm test                           # All unit tests (excludes integration)
-- **Google Workspace**: Google Admin SDK, service account credentials
+npm test -- path/to/file.spec.ts   # Single test file
-- **Okta/OneLogin**: REST APIs with API tokens
+npm run test:watch                 # Watch mode
+
+# Integration tests
+npm run test:integration:setup     # Start Docker containers
+npm run test:integration           # Run integration tests
+npm run test:integration:watch     # Watch mode for integration
+```
+
+### Test Environment
+
+- **Mocking**: `jest-mock-extended` with `mock<Type>()` for type-safe mocks
+- **Alternative**: `@fluffy-spoon/substitute` available for some tests
+- **Integration**: Docker containers for LDAP (OpenLDAP)
+- **Fixtures**: Located in `utils/openldap/`
+
+---
+
+## Code Style & Standards
+
+### Formatting
+
+- **Prettier**: Auto-formatting enforced via pre-commit hooks
+- **Config**: `.prettierrc` in project root
+
+### Naming Conventions
+
+- `camelCase` for: variables, functions, method names
+- `PascalCase` for: classes, interfaces, types, enums
+- `SCREAMING_SNAKE_CASE` for: constants (rare in this codebase)
+
+### Imports
+
+**Path Aliases:**
+
+- `@/` maps to project root
+- Example: `import { SyncService } from "@/src/services/sync.service"`
+
+**Import Order (ESLint enforced):**
+
+1. External packages (node_modules)
+2. jslib imports (`@/jslib/...`)
+3. Project imports (`@/src/...`)
+4. Alphabetized within each group with newlines between groups
+
+```typescript
+// External
+import { mock, MockProxy } from "jest-mock-extended";
+
+// jslib
+import { LogService } from "@/jslib/common/src/abstractions/log.service";
+
+// Project
+import { DirectoryType } from "@/src/enums/directoryType";
+import { SyncService } from "@/src/services/sync.service";
+```
+
+### Comments
+
+- Avoid unnecessary comments; code should be self-documenting
+- Use JSDoc only for public APIs that need documentation
+- Inline comments for complex logic only
+
+### Pre-commit Hooks
+
+- **Husky**: Runs `lint-staged` on commit
+- **lint-staged**: Runs Prettier on all files, ESLint on TypeScript files
+
+```bash
+npm run lint             # Check ESLint + Prettier
+npm run lint:fix         # Auto-fix ESLint issues
+npm run prettier         # Auto-format with Prettier
+npm run test:types       # TypeScript type checking
+```
+
+---
+
+## Anti-Patterns
+
+### DO
+
+- ✅ Use `KeytarSecureStorageService` for all credential storage
+- ✅ Implement `IDirectoryService` interface for new directory providers
+- ✅ Use the factory pattern via `DirectoryFactoryService`
+- ✅ Write unit tests with `jest-mock-extended` mocks
+- ✅ Handle errors with state rollback (delta tokens)
+- ✅ Use path aliases (`@/src/...`) for imports
+- ✅ Validate data from external directory services
+- ✅ Use `force` and `test` parameters consistently in sync methods
+
+### DON'T
+
+- ❌ Log credentials, API keys, or tokens
+- ❌ Hardcode URLs, secrets, or configuration values
+- ❌ Store sensitive data in LowDB (JSON) - use Keytar
+- ❌ Skip input validation for LDAP filters (injection risk)
+- ❌ Use `any` types without explicit justification
+- ❌ Add new code to `jslib/` (legacy, read-only)
+- ❌ Ignore delta token rollback on sync failure
+- ❌ Bypass `overwriteExisting` validation for batch imports (>2000 entries)
+
+---
+
+## Deployment
+
+### Building
+
+**Desktop GUI (Electron):**
+
+```bash
+npm run build              # Build main + renderer
+npm run build:dist         # Full distribution build
+npm run dist:win           # Windows installer
+npm run dist:mac           # macOS installer
+npm run dist:lin           # Linux packages (AppImage, RPM)
+```
+
+**CLI Tool:**
+
+```bash
+npm run build:cli:prod     # Production build
+npm run dist:cli:win       # Windows executable
+npm run dist:cli:mac       # macOS executable
+npm run dist:cli:lin       # Linux executable
+```
+
+### Versioning
+
+Follow semantic versioning: `MAJOR.MINOR.PATCH`
+
+- Version format: `YYYY.MM.PATCH` (e.g., `2025.12.0`)
+- Managed in `package.json`
+
+### Publishing
+
+- **CI/CD**: GitHub Actions workflows in `.github/workflows/`
+- **build.yml**: Multi-platform builds with code signing
+- **release.yml**: Version bumping and publishing
+- **Code Signing**: Azure Key Vault (Windows), App Store Connect (macOS)
+- **Auto-update**: Electron Updater for GUI application
+
+---
+
+## Troubleshooting
+
+### Common Issues
+
+#### LDAP Connection Failures
+
+**Problem**: Cannot connect to LDAP server, timeout or connection refused
+
+**Solution**:
+
+1. Verify hostname and port are correct
+2. Check SSL/TLS settings match server configuration
+3. For StartTLS, ensure SSL is enabled and use the non-secure port (389)
+4. For LDAPS, use port 636 and provide CA certificate path
+
+#### Keytar/Native Module Issues
+
+**Problem**: `Error: Module did not self-register` or keytar-related crashes
+
+**Solution**:
+
+```bash
+npm run rebuild    # Rebuild native modules for current Electron version
+npm run reset      # Full reset of keytar module
+```
+
+#### Sync Hash Mismatch
+
+**Problem**: Sync runs but no changes appear in Bitwarden
+
+**Solution**: The sync service skips if the hash matches the previous sync. Use force sync:
+
+```bash
+bwdc sync --force   # CLI
+# Or clear cache
+bwdc clear-cache
+```
+
+#### Large Import Failures
+
+**Problem**: Sync fails for organizations with >2000 users/groups
+
+**Solution**: Enable `largeImport` in sync settings. Note: `overwriteExisting` is incompatible with batch mode.
+
+### Debug Tips
+
+- Enable debug logging: `BITWARDENCLI_CONNECTOR_DEBUG=true`
+- View data file location: `bwdc data-file`
+- Test sync without making changes: `bwdc test`
+- Check last sync times: `bwdc last-sync users` / `bwdc last-sync groups`
+
+---
 
 ## References
 
-- [Architectural Decision Records (ADRs)](https://contributing.bitwarden.com/architecture/adr/)
+### Official Documentation
-- [Contributing Guidelines](https://contributing.bitwarden.com/contributing/)
+
-- [Code Style](https://contributing.bitwarden.com/contributing/code-style/)
+- [Directory Sync CLI Documentation](https://bitwarden.com/help/directory-sync-cli/)
-- [Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/)
+- [Directory Connector Help](https://bitwarden.com/help/directory-sync/)
-- [Security Definitions](https://contributing.bitwarden.com/architecture/security/definitions)
+
+### Internal Documentation
+
+- [Bitwarden Contributing Guidelines](https://contributing.bitwarden.com/contributing/)
+- [Code Style Guide](https://contributing.bitwarden.com/contributing/code-style/)
+
+### Tools & Libraries
+
+- [ldapts](https://github.com/ldapts/ldapts) - LDAP client for Node.js
+- [Keytar](https://github.com/atom/node-keytar) - Native keychain access
+- [Commander.js](https://github.com/tj/commander.js) - CLI framework
+- [LowDB](https://github.com/typicode/lowdb) - JSON database
+- [Microsoft Graph Client](https://github.com/microsoftgraph/msgraph-sdk-javascript) - Entra ID API
+- [Google APIs](https://github.com/googleapis/google-api-nodejs-client) - GSuite API

.claude/commands/code-explainer.md

@@ -0,0 +1,30 @@
+---
+description: "Provides a brief explanation of the code attached, including key components, notable patterns, and a code walkthrough."
+---
+
+# Code Explainer
+
+Provide a brief explanation of the code attached. I'm trying to better understand it.
+
+## Key Components
+
+- Main classes/functions and their roles
+- Important dependencies
+- Critical flows
+
+## Notable Patterns
+
+- Design patterns used
+- Architecture decisions
+- Important abstractions
+
+## Code Walkthrough
+
+- How it works
+- Key decision points
+- Important considerations
+
+## Gotchas & Tips
+
+- Edge cases to watch for
+- Performance considerations

ESM_MIGRATION_PLAN.md

@@ -0,0 +1,156 @@
+# ESM Migration Plan
+
+## Migration Status: Partial Success
+
+The ESM migration has been **partially completed**. The source code is now ESM-compatible with `"type": "module"` in package.json, and webpack outputs CommonJS bundles (`.cjs`) for Node.js compatibility.
+
+### What Works
+
+- ✅ CLI build (`bwdc.cjs`) - builds and runs successfully
+- ✅ Electron main process (`main.cjs`) - builds successfully
+- ✅ All 130 tests pass
+- ✅ Source code uses ESM syntax (import/export)
+
+### What Doesn't Work
+
+- ❌ Electron renderer build - **pre-existing type errors in jslib** (not caused by this migration)
+
+The renderer build was failing with 37 TypeScript errors in `jslib/` **before** the ESM migration began. These are ArrayBuffer/SharedArrayBuffer type compatibility issues in the jslib submodule that need to be addressed separately.
+
+---
+
+## Changes Made
+
+### 1. package.json
+
+```json
+{
+  "type": "module",
+  "main": "main.cjs"
+}
+```
+
+### 2. tsconfig.json
+
+```json
+{
+  "compilerOptions": {
+    "moduleResolution": "node",
+    "module": "ES2020",
+    "skipLibCheck": true,
+    "noEmitOnError": false
+  }
+}
+```
+
+### 3. Webpack Configurations
+
+**CLI (webpack.cli.cjs)**
+
+- Output changed to `.cjs` extension
+- Added `transpileOnly: true` to ts-loader for faster builds
+
+**Main (webpack.main.cjs)**
+
+- Output changed to `.cjs` extension
+- Added `transpileOnly: true` to ts-loader
+
+**Renderer (webpack.renderer.cjs)**
+
+- Created separate `tsconfig.renderer.json` to isolate Angular compilation
+- Removed ESM output experiments (not compatible with Angular's webpack plugin)
+
+### 4. src-cli/package.json
+
+```json
+{
+  "type": "module",
+  "bin": {
+    "bwdc": "../build-cli/bwdc.cjs"
+  }
+}
+```
+
+### 5. New File: tsconfig.renderer.json
+
+Dedicated TypeScript config for Angular renderer to isolate from jslib type issues.
+
+---
+
+## Architecture Decision
+
+### Why CJS Output Instead of ESM Output?
+
+The migration uses a **hybrid approach**:
+
+- **Source code**: ESM syntax (`import`/`export`)
+- **Build output**: CommonJS (`.cjs` files)
+
+This approach was chosen because:
+
+1. **lowdb v1 incompatibility**: The legacy lowdb v1 used in jslib doesn't work properly with ESM output due to lodash interop issues
+
+2. **Native module compatibility**: keytar and other native modules work better with CJS
+
+3. **Electron compatibility**: Electron's main process ESM support is still maturing
+
+4. **jslib constraints**: The jslib submodule is read-only and contains CJS-only patterns
+
+The webpack bundler transpiles ESM source to CJS output, giving us modern syntax in the codebase while maintaining runtime compatibility.
+
+---
+
+## Blocking Issues for Full ESM
+
+### 1. jslib Submodule (Read-Only)
+
+The jslib folder contains:
+
+- `lowdb` v1.0.0 usage (CJS-only, v7 is ESM but has breaking API changes)
+- `node-fetch` v2.7.0 usage (CJS-only, v3 is ESM-only)
+- Pre-existing TypeScript errors (ArrayBuffer type mismatches)
+
+### 2. Angular Webpack Plugin
+
+The `@ngtools/webpack` plugin does its own TypeScript compilation and doesn't support `transpileOnly` mode, so it surfaces type errors from jslib.
+
+---
+
+## Future Work
+
+To complete full ESM migration:
+
+1. **Update jslib submodule** - Fix type errors, upgrade to ESM-compatible dependencies
+2. **Upgrade lowdb** - From v1 to v7 (requires rewriting storage layer)
+3. **Remove node-fetch** - Use native `fetch` (Node 18+) or upgrade to v3
+4. **Enable ESM output** - Once dependencies are updated, change webpack output to ESM
+
+---
+
+## Testing the Migration
+
+```bash
+# Build CLI
+npm run build:cli
+node ./build-cli/bwdc.cjs --help
+
+# Build Electron main
+npm run build:main
+
+# Run tests
+npm test
+```
+
+---
+
+## Files Changed
+
+| File                     | Change                                               |
+| ------------------------ | ---------------------------------------------------- |
+| `package.json`           | Added `"type": "module"`, changed main to `main.cjs` |
+| `tsconfig.json`          | Added `skipLibCheck`, `noEmitOnError`                |
+| `tsconfig.renderer.json` | New file for Angular compilation                     |
+| `webpack.cli.cjs`        | Output to `.cjs`, added `transpileOnly`              |
+| `webpack.main.cjs`       | Output to `.cjs`, added `transpileOnly`              |
+| `webpack.renderer.cjs`   | Use separate tsconfig                                |
+| `src-cli/package.json`   | Added `"type": "module"`, updated bin path           |

jest.config.cjs

@@ -24,13 +24,20 @@ module.exports = {
 
   roots: ["<rootDir>"],
   modulePaths: [compilerOptions.baseUrl],
-  moduleNameMapper: pathsToModuleNameMapper(compilerOptions.paths, { prefix: "<rootDir>/" }),
+  moduleNameMapper: {
+    ...pathsToModuleNameMapper(compilerOptions.paths, { prefix: "<rootDir>/" }),
+    // ESM compatibility: mock import.meta.url for tests
+    "^(\\.{1,2}/.*)\\.js$": "$1",
+  },
   setupFilesAfterEnv: ["<rootDir>/test.setup.ts"],
   // Workaround for a memory leak that crashes tests in CI:
   // https://github.com/facebook/jest/issues/9430#issuecomment-1149882002
   // Also anecdotally improves performance when run locally
   maxWorkers: 3,
 
+  // ESM support
+  extensionsToTreatAsEsm: [".ts"],
+
   transform: {
     "^.+\\.tsx?$": [
       "jest-preset-angular",
@@ -43,6 +50,8 @@ module.exports = {
         // Makes tests run faster and reduces size/rate of leak, but loses typechecking on test code
         // See https://bitwarden.atlassian.net/browse/EC-497 for more info
         isolatedModules: true,
+        // ESM support
+        useESM: true,
       },
     ],
   },

package.json

@@ -3,6 +3,7 @@
   "productName": "Bitwarden Directory Connector",
   "description": "Sync your user directory to your Bitwarden organization.",
   "version": "2025.12.0",
+  "type": "module",
   "keywords": [
     "bitwarden",
     "password",
@@ -16,7 +17,7 @@
     "url": "https://github.com/bitwarden/directory-connector"
   },
   "license": "GPL-3.0",
-  "main": "main.js",
+  "main": "main.cjs",
   "scripts": {
     "sub:init": "git submodule update --init --recursive",
     "sub:update": "git submodule update --remote",

src-cli/package.json

@@ -3,16 +3,17 @@
   "productName": "Bitwarden Directory Connector",
   "description": "Sync your user directory to your Bitwarden organization.",
   "version": "2.9.5",
+  "type": "module",
   "author": "Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)",
   "homepage": "https://bitwarden.com",
   "license": "GPL-3.0",
-  "main": "main.js",
+  "main": "main.mjs",
   "repository": {
     "type": "git",
     "url": "https://github.com/bitwarden/directory-connector"
   },
   "bin": {
-    "bwdc": "../build-cli/bwdc.js"
+    "bwdc": "../build-cli/bwdc.cjs"
   },
   "pkg": {
     "assets": "../build-cli/**/*"

tsconfig.json

@@ -7,7 +7,7 @@
     "pretty": true,
     "moduleResolution": "node",
     "noImplicitAny": true,
-    "target": "ES2016",
+    "target": "ES2020",
     "module": "ES2020",
     "lib": ["es5", "es6", "es7", "dom"],
     "sourceMap": true,
@@ -18,6 +18,8 @@
     "outDir": "dist",
     "baseUrl": ".",
     "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "noEmitOnError": false,
     "paths": {
       "tldjs": ["./jslib/common/src/misc/tldjs.noop"],
       "@/*": ["./*"]

tsconfig.renderer.json

@@ -0,0 +1,13 @@
+{
+  "extends": "./tsconfig.json",
+  "angularCompilerOptions": {
+    "strictTemplates": true,
+    "preserveWhitespaces": true
+  },
+  "compilerOptions": {
+    "skipLibCheck": true,
+    "noEmitOnError": false
+  },
+  "include": ["src/app"],
+  "exclude": ["jslib", "**/*.spec.ts"]
+}

webpack.cli.cjs

@@ -14,7 +14,12 @@ const ENV = (process.env.ENV = process.env.NODE_ENV);
 const moduleRules = [
   {
     test: /\.ts$/,
-    use: "ts-loader",
+    use: {
+      loader: "ts-loader",
+      options: {
+        transpileOnly: true,
+      },
+    },
     exclude: path.resolve(__dirname, "node_modules"),
   },
   {
@@ -62,7 +67,7 @@ const config = {
     modules: [path.resolve("node_modules")],
   },
   output: {
-    filename: "[name].js",
+    filename: "[name].cjs",
     path: path.resolve(__dirname, "build-cli"),
   },
   module: { rules: moduleRules },

webpack.main.cjs

@@ -10,7 +10,12 @@ const common = {
     rules: [
       {
         test: /\.tsx?$/,
-        use: "ts-loader",
+        use: {
+          loader: "ts-loader",
+          options: {
+            transpileOnly: true,
+          },
+        },
         exclude: /node_modules\/(?!(@bitwarden)\/).*/,
       },
     ],
@@ -57,6 +62,9 @@ const main = {
       ],
     }),
   ],
+  output: {
+    filename: "[name].cjs",
+  },
   externals: {
     "electron-reload": "commonjs2 electron-reload",
     keytar: "commonjs2 keytar",

webpack.renderer.cjs

@@ -38,7 +38,7 @@ const common = {
   plugins: [],
   resolve: {
     extensions: [".tsx", ".ts", ".js", ".json"],
-    plugins: [new TsconfigPathsPlugin({ configFile: "./tsconfig.json" })],
+    plugins: [new TsconfigPathsPlugin({ configFile: "./tsconfig.renderer.json" })],
     symlinks: false,
     modules: [path.resolve("node_modules")],
   },
@@ -113,7 +113,7 @@ const renderer = {
   },
   plugins: [
     new AngularWebpackPlugin({
-      tsConfigPath: "tsconfig.json",
+      tsConfigPath: "tsconfig.renderer.json",
       entryModule: "src/app/app.module#AppModule",
       sourceMap: true,
     }),