Ac/pm 25823/vnext policy upsert pattern

[JimmyVo16]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-25823

📔 Objective

Add a new version of SavePolicyCommand to enable

1. Individual handlers to access metadata properties
2. Support pre and post side effects.
3. Refactor to clean up policy dependencies and validation logic.
4. Enable each policy to implement only the events relevant to it.
5. Add unit tests

This code isn’t consumed yet and therefore isn’t testable.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 026e22f5-784a-456a-92ca-664b44f6b98c

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1511	details Method at line 1511 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... ID: pN371p7oxzg66CFSL1H%2F7897Dng%3D Attack Vector
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1392	details Method at line 1392 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... ID: xow1RlTy2gYME4GMTq55sfh%2BBY0%3D Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 299

[codecov]

Codecov Report

❌ Patch coverage is 98.64865% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.72%. Comparing base (3272586) to head (4408040).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...Policies/Implementations/VNextSavePolicyCommand.cs	98.46%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6426      +/-   ##
==========================================
+ Coverage   50.55%   50.72%   +0.16%     
==========================================
  Files        1854     1866      +12     
  Lines       82184    82696     +512     
  Branches     7262     7307      +45     
==========================================
+ Hits        41547    41944     +397     
- Misses      39047    39154     +107     
- Partials     1590     1598       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JimmyVo16]

I’m not sure if this is needed since it’s from the old pattern. I think it was meant to prevent duplicates, but that was when everything was in one interface. Now we have four interfaces, so I’m not sure it makes sense anymore. I’m happy to remove it.

[r-tome]

Overall this looks great, but since it’s a complex solution, I think it would really benefit from thorough documentation.

• add xmldoc to every new interface clarifying what it represents and when its called
• VNextSavePolicyCommand explain the execution flow

[r-tome]

Why do we always expect the currentPolicy to not be null? What happens when we're setting up a policy the first time?

[JimmyVo16]

Yeah, that should have used the type from the request object.

[r-tome]

currentPolicy is not used

[JimmyVo16]

Hey, I’m addressing your comments here so we can have a thread on it.

Original comment

add xmldoc to every new interface clarifying what it represents and when its called

I added documentation to the method in the interface, would that be sufficient? I’m happy to adjust it if needed, but I’d prefer to avoid duplicating the same text in two places.