@withinfocus
Contributor

🎟️ Tracking

Internal discussions with documentation maintainers.

📔 Objective

Adds additional language around our usage of AI tools and how human and security-conscious review is still in place.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
    team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
    issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Dec 3, 2025

Deploying contributing-docs with Cloudflare Pages

Latest commit: 2b01897
Status: ✅  Deploy successful!
Preview URL: https://6490d396.contributing-docs.pages.dev
Branch Preview URL: https://humans.contributing-docs.pages.dev

@github-actions
Contributor

github-actions bot commented Dec 3, 2025

Checkmarx One – Scan Summary & Details – 612a6afd-5b13-4447-ac28-280bf063f2ff

New Issues (1)

Checkmarx found the following issues in this Pull Request

Severity: MEDIUM
Issue: CVE-2025-13466
Source File / Package: Npm-body-parser-1.20.3
Checkmarx Insight:
  Recommended version: 2.2.1
  Description: body-parser versions through 2.2.0 is vulnerable to Denial-of-Service (DoS) due to inefficient handling of URL-encoded bodies with very large numbe...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 0s4MT0saLs1vCfVmZb8bNiwnDXFZtdnRUeU1pWtvyPg%3D
Vulnerable Package

@withinfocus withinfocus marked this pull request as ready for review December 3, 2025 14:16
@withinfocus withinfocus requested a review from a team as a code owner December 3, 2025 14:16
@claude

claude bot commented Dec 3, 2025

Claude finished @withinfocus's task —— View job


Code review complete

  • Read the modified file
  • Analyze the specific changes via git diff
  • Review against repository guidelines
  • Provide comprehensive feedback

Review Summary

👍 Overall Assessment: This is a valuable addition that appropriately clarifies the role of AI tools in the Bitwarden development process. The changes strengthen the messaging around human oversight and security standards.

Detailed Feedback

Content Quality (docs/contributing/ai.md:28-43)

Strengths:

  • ✅ The addition clearly articulates that AI is a complement, not a replacement, for human review
  • ✅ Provides reassurance to both internal and external contributors about quality standards
  • ✅ Addresses a key concern about AI-generated code by emphasizing the human review process
  • ✅ Maintains appropriate tone and clarity for both audiences (Bitwarden employees and community contributors)

Style Guide Compliance

Formatting:

  • ✅ Paragraphs are concise and to-the-point as required by the style guide
  • ✅ Proper use of emphasis (bold for the introductory clause in line 28)
  • ✅ Consistent paragraph structure

Documentation Standards:

  • ✅ Content is appropriate for the access: bitwarden audience restriction
  • ✅ Follows the established pattern of the Background section
  • ✅ No spelling errors detected

Suggestions for Improvement

📝 Minor stylistic observation (lines 34-39): The three consecutive paragraphs starting with "While", "Every", and "This" could potentially be combined for better flow. Consider consolidating into two paragraphs:

While AI tools enhance developer productivity and help identify potential issues, all code
contributions to Bitwarden undergo thorough human review and approval by the Bitwarden engineering
team. Every contribution, whether created with or without AI assistance, must meet strict security and
quality standards, align with Bitwarden's core architecture, and be thoroughly tested before being
merged.

This ensures that the final decision-making and quality assurance remain firmly in the hands of our
security-conscious development team. Contributors can be confident that all merged code has been
carefully vetted by the Bitwarden team, regardless of the tools used to create it.

However, the current structure is also clear and acceptable—this is purely a matter of style preference.

Testing Recommendations

Verified: The changes deployed successfully to Cloudflare Pages preview

Recommended manual checks:

  1. Verify the content renders correctly in both Community and Bitwarden modes
  2. Confirm the page navigation and sidebar display correctly
  3. Review the content flow in context with surrounding sections

Security Considerations

✅ No security concerns with this documentation change. The content appropriately reinforces security standards rather than weakening them.

Conclusion

Recommendation: ✅ Approve with optional minor refinement

The changes successfully address the objective of reiterating security standards maintenance in the context of AI tool usage. The addition is well-written, appropriate for the audience, and complies with the repository's style guidelines. The optional suggestion above is a minor stylistic preference and not a blocking issue.


Contributor

@theMickster theMickster left a comment

Content is solid and I agree with it all; just an idea about flow and stressing human oversight / governance.

**Security-First Approach**: We carefully select and configure AI tools that align with our security
requirements, ensuring that sensitive code and data remain protected while still benefiting from AI
assistance.
assistance. However, AI tools complement—rather than replace—human oversight and decision-making.
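Review bot: the added last sentence of this hunk ("However, AI tools complement ...") puts a statement about oversight inside the Security-First Approach paragraph, and its "However" has nothing to contrast with, because the sentence before it is about selecting and configuring tools. Suggest dropping "However" and stating in that sentence who performs the oversight, or moving the sentence into a paragraph of its own on human review.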
Contributor

@theMickster theMickster Dec 3, 2025

💭💡 I like that we have added human oversight to our document. I'm not so sure it flows best here in the security first approach because it feels like we go back-and-forth between security and oversight/governance.

Maybe a group along these lines:

  • Human Oversight
  • Our Commitment to Human Review

Contributor Author

I am a bit leery of more language on the human elements at the moment.

@withinfocus withinfocus merged commit 374f7a4 into main Dec 3, 2025
25 checks passed
@withinfocus withinfocus deleted the humans branch December 3, 2025 16:13