bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-06 00:03:34 +00:00
Code Issues Releases Wiki Activity
Files
auth/pm-24211/2fa-email-endpoint
server/.claude/CLAUDE.md
Mick Letofsky bd52cf56e7 Implement reusable Claude code review workflow (#6476)
2025-10-24 18:18:27 +02:00

3.0 KiB
Raw Permalink Blame History

Bitwarden Server - Claude Code Configuration

Project Context Files

Read these files before reviewing to ensure that you fully understand the project and contributing guidelines

  1. @README.md
  2. @CONTRIBUTING.md
  3. @.github/PULL_REQUEST_TEMPLATE.md

Critical Rules

  • NEVER use code regions: If complexity suggests regions, refactor for better readability

  • NEVER compromise zero-knowledge principles: User vault data must remain encrypted and inaccessible to Bitwarden

  • NEVER log or expose sensitive data: No PII, passwords, keys, or vault data in logs or error messages

  • ALWAYS use secure communication channels: Enforce confidentiality, integrity, and authenticity

  • ALWAYS encrypt sensitive data: All vault data must be encrypted at rest, in transit, and in use

  • ALWAYS prioritize cryptographic integrity and data protection

  • ALWAYS add unit tests (with mocking) for any new feature development

Project Structure

  • Source Code: /src/ - Services and core infrastructure
  • Tests: /test/ - Test logic aligning with the source structure, albeit with a .Test suffix
  • Utilities: /util/ - Migration tools, seeders, and setup scripts
  • Dev Tools: /dev/ - Local development helpers
  • Configuration: appsettings.{Environment}.json, /dev/secrets.json for local development

Security Requirements

  • Compliance: SOC 2 Type II, SOC 3, HIPAA, ISO 27001, GDPR, CCPA
  • Principles: Zero-knowledge, end-to-end encryption, secure defaults
  • Validation: Input sanitization, parameterized queries, rate limiting
  • Logging: Structured logs, no PII/sensitive data in logs

Common Commands

  • Build: dotnet build
  • Test: dotnet test
  • Run locally: dotnet run --project src/Api
  • Database update: pwsh dev/migrate.ps1
  • Generate OpenAPI: pwsh dev/generate_openapi_files.ps1

Development Workflow

  • Security impact assessed
  • xUnit tests added / updated
  • Performance impact considered
  • Error handling implemented
  • Breaking changes documented
  • CI passes: build, test, lint
  • Feature flags considered for new features
  • CODEOWNERS file respected

Key Architectural Decisions

  • Use .NET nullable reference types (ADR 0024)
  • TryAdd dependency injection pattern (ADR 0026)
  • Authorization patterns (ADR 0022)
  • OpenTelemetry for observability (ADR 0020)
  • Log to standard output (ADR 0021)

References