Arch/qa env seeding tweaks

[MGibson1]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34880
https://bitwarden.atlassian.net/browse/PM-34881
https://bitwarden.atlassian.net/browse/PM-34886

📔 Objective

Various tweaks to smooth qa automation testing.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – afb68beb-f45f-40a1-871b-0af9ef4c0adf

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
2		CSRF	src/Api/Vault/Controllers/CiphersController.cs: 287	details Method at line 287 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	src/Api/AdminConsole/Controllers/GroupsController.cs: 275

[codecov]

Codecov Report

❌ Patch coverage is 45.83333% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.98%. Comparing base (4883d49) to head (f0fa000).
⚠️ Report is 63 commits behind head on main.

Files with missing lines	Patch %	Lines
...lling/Services/Implementations/LicensingService.cs	47.36%	16 Missing and 4 partials ⚠️
...SharedWeb/Utilities/ServiceCollectionExtensions.cs	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7430      +/-   ##
==========================================
+ Coverage   58.53%   58.98%   +0.45%     
==========================================
  Files        2069     2076       +7     
  Lines       91306    91466     +160     
  Branches     8128     8130       +2     
==========================================
+ Hits        53443    53952     +509     
+ Misses      35954    35590     -364     
- Partials     1909     1924      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kdenney]

Logic looks good! Only thing I'd ask is if you could add some unit tests to cover the new changes? We've had issues in the past with changes to the licensing logic causing regressions so I like to make sure we cover that area pretty thoroughly. Thanks!

[kdenney]

Approving after our convo in slack. Tests are complicated without giving the licenses to CI. Ideally we refactor this in the future into two services but not needed for this fix.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR adjusts licensing, PlayId tracking, and data protection services to support QA automation testing in non-production environments. The licensing service now separates creation and verification certificates, allowing self-hosted non-production instances to verify both production- and dev-signed licenses. PlayId services consistently gate on !IsProduction() instead of IsDevelopment(). Data protection configuration was refined to allow file system key persistence in dev while skipping Azure blob storage.

All findings from the previous review round have been addressed in fixup commits, including the build failure from mismatched constant names, the inconsistent PlayIdService/PlayIdSingletonService environment checks, and the old-style signature verification paths.

Code Review Details

No new findings. All previously identified issues have been resolved.

[kdenney]

After looking at this again, I have a couple questions.

[kdenney]

This is clean, nice! 😄

[claude]

❌ CRITICAL: Build failure -- constant references do not match renamed declarations

Details and fix

Commit 4028107 renamed the constants to _productionCertThumbprint and _developmentCertThumbprint (with underscore prefix), but the references on lines 71, 118, and 119 still use the old names without the prefix. This will fail to compile.

Suggested change

	var creationCertThumbprint = environment.IsDevelopment() ? developmentCertThumbprint : productionCertThumbprint;
	var creationCertThumbprint = environment.IsDevelopment() ? _developmentCertThumbprint : _productionCertThumbprint;

The same fix is needed on lines 118-119:

CoreHelpers.CleanCertificateThumbprint(_productionCertThumbprint),
CoreHelpers.CleanCertificateThumbprint(_developmentCertThumbprint)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mzieniukbw]

@MGibson1 this introduced a regression in development self-hosted environment. It is not impossible to run Api Self-Hosted, which now tries to load data protection from /etc/bitwarden, which does not exist in most dev environments