bitwarden · theMickster · Oct 8, 2025 · Oct 6, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -0,0 +1,109 @@
+name: Review code
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+  review:
+    name: Review
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Check for Vault team changes
+        id: check_changes
+        run: |
+          # Ensure we have the base branch
+          git fetch origin ${{ github.base_ref }}
+
+          echo "Comparing changes between origin/${{ github.base_ref }} and HEAD"
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+
+          if [ -z "$CHANGED_FILES" ]; then
+            echo "Zero files changed"
+            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Handle variations in spacing and multiple teams
+          VAULT_PATTERNS=$(grep -E "@bitwarden/team-vault-dev(\s|$)" .github/CODEOWNERS 2>/dev/null | awk '{print $1}')
+
+          if [ -z "$VAULT_PATTERNS" ]; then
+            echo "⚠️ No patterns found for @bitwarden/team-vault-dev in CODEOWNERS"
+            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          vault_team_changes=false
+          for pattern in $VAULT_PATTERNS; do
+            echo "Checking pattern: $pattern"
+
+            # Handle **/directory patterns
+            if [[ "$pattern" == "**/"* ]]; then
+              # Remove the **/ prefix
+              dir_pattern="${pattern#\*\*/}"
+              # Check if any file contains this directory in its path
+              if echo "$CHANGED_FILES" | grep -qE "(^|/)${dir_pattern}(/|$)"; then
+                vault_team_changes=true
+                echo "✅ Found files matching pattern: $pattern"
+                echo "$CHANGED_FILES" | grep -E "(^|/)${dir_pattern}(/|$)" | sed 's/^/  - /'
+                break
+              fi
+            else
+              # Handle other patterns (shouldn't happen based on your CODEOWNERS)
+              if echo "$CHANGED_FILES" | grep -q "$pattern"; then
+                vault_team_changes=true
+                echo "✅ Found files matching pattern: $pattern"
+                echo "$CHANGED_FILES" | grep "$pattern" | sed 's/^/  - /'
+                break
+              fi
+            fi
+          done
+
+          echo "vault_team_changes=$vault_team_changes" >> $GITHUB_OUTPUT
+
+          if [ "$vault_team_changes" = "true" ]; then
+            echo ""
+            echo "✅ Vault team changes detected - proceeding with review"
+          else
+            echo ""
+            echo "❌  No Vault team changes detected - skipping review"
+          fi
+
+      - name: Review with Claude Code
+        if: steps.check_changes.outputs.vault_team_changes == 'true'
+        uses: anthropics/claude-code-action@a5528eec7426a4f0c9c1ac96018daa53ebd05bc4 # v1.0.7
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          track_progress: true
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+            TITLE: ${{ github.event.pull_request.title }}
+            BODY: ${{ github.event.pull_request.body }}
+            AUTHOR: ${{ github.event.pull_request.user.login }}
+
+            Please review this pull request with a focus on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Security implications
+            - Performance considerations
+
+            Note: The PR branch is already checked out in the current working directory.
+
+            Provide detailed feedback using inline comments for specific issues.
+
+          claude_args: |
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
@@ -0,0 +1,58 @@
+# Bitwarden Internal SDK
+
+Rust SDK centralizing business logic. You're reviewing code as a senior Rust engineer mentoring
+teammates.
+
+## Client Pattern
+
+PasswordManagerClient ([bitwarden-pm](crates/bitwarden-pm/src/lib.rs)) wraps
+[bitwarden_core::Client](crates/bitwarden-core/src/client/client.rs) and exposes sub-clients:
+`auth()`, `vault()`, `crypto()`, `sends()`, `generators()`, `exporters()`.
+
+**Lifecycle**
+
+- Init → Lock/Unlock → Logout (drops instance). Memento pattern for state resurrection.
+
+**Storage**
+
+- Consuming apps use `HashMap<UserId, PasswordManagerClient>`.
+
+## Issues necessitating comments
+
+**Auto-generated code changes**
+
+- Changes to `bitwarden-api-api/` or `bitwarden-api-identity/` are generally discouraged. These are
+  auto-generated from swagger specs.
+
+**Secrets in logs/errors**
+
+- Do not log keys, passwords, or vault data in logs or error paths. Redact sensitive data.
+
+**Business logic in WASM**
+
+- `bitwarden-wasm-internal` contains only thin bindings. Move business logic to feature crates.
+
+**Unsafe without justification**
+
+- Any `unsafe` block needs a comment explaining why it's safe and what invariants are being upheld.
+
+**Changes to `bitwarden-crypto/` core functionality**
+
+- Generally speaking, this crate should not be modified. Changes need a comment explaining why.
+
+**New crypto algorithms or key derivation**
+
+- Detailed description, review and audit trail required. Document algorithm choice rationale and
+  test vectors.
+
+**Encryption/decryption modifications**
+
+- Verify backward compatibility. Existing encrypted data must remain decryptable.
+
+**Breaking serialization**
+
+- Backward compatibility required. Users must decrypt vaults from older versions.
+
+**Breaking API changes**
+
+- Document migration path for clients.