[PM-24618] Integrate CLI sends with server branch

[harr1424]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-24618
https://bitwarden.atlassian.net/browse/PM-23109
bitwarden/server#5895

📔 Objective

PM-24618: reveal the functionality related to email based OTP in the CLI's send help output bw send --help
PM-23109: update models to add an AuthType enum and ensure the process of creating and receiving a send supports storing emails associated with the send to be used for email based OTP authentication and the AuthType enum value

Usage of --emails option in create and edit commands is gated behind a feature flag.

💻 Command Output

john@Johns-MacBook-Pro clients % bw send --help
Usage: bw send [options] [command] <data>

Work with Bitwarden sends. A Send can be quickly created using this command or subcommands can be used to fine-tune the Send

Arguments:
  data                            The data to Send. Specify as a filepath with the --file option

Options:
  -f, --file                      Specifies that <data> is a filepath
  -d, --deleteInDays <days>       The number of days in the future to set deletion date, defaults to 7 (default: "7")
  --password <password>           optional password to access this Send. Can also be specified in JSON.
  --email <email>                 optional emails to access this Send. Can also be specified in JSON.
  -a, --maxAccessCount <amount>   The amount of max possible accesses.
  --hidden                        Hide <data> in web by default. Valid only if --file is not set.
  -n, --name <name>               The name of the Send. Defaults to a guid for text Sends and the filename for files.
  --notes <notes>                 Notes to add to the Send.
  --fullObject                    Specifies that the full Send object should be returned rather than just the access url.
  -h, --help                      display help for command

Commands:
  list                            List all the Sends owned by you
  template <object>               Get json templates for send objects
  get [options] <id>              Get Sends owned by you.
  receive [options] <url>         Access a Bitwarden Send from a url
  create [options] [encodedJson]  create a Send
  edit [options] [encodedJson]    edit a Send
  remove-password <id>            removes the saved password from a Send.
  delete <id>                     delete a Send

john@Johns-MacBook-Pro clients % bw send list
[{"object":"send","id":"b30db19a-b7dd-4868-b240-b3c000241108","accessId":"mrENs923aEiyQLPAACQRCA","accessUrl":"https://vault.bitwarden.com/#/send/mrENs923aEiyQLPAACQRCA/SGPAqktzOnHM_H9eSba67g","name":"096b5c3f-a629-4a9f-b6bb-4c913c0df35c","notes":null,"key":"SGPAqktzOnHM/H9eSba67g==","type":0,"maxAccessCount":null,"accessCount":0,"revisionDate":"2025-12-27T02:11:17.647Z","deletionDate":"2026-01-03T02:11:01.097Z","expirationDate":null,"passwordSet":false,"emails":["[email protected]"],"disabled":false,"hideEmail":false,"authType":"Email","text":{"text":"hello world","hidden":false}},

{"object":"send","id":"fc9990eb-ad93-4f2b-a427-b3c00025a65f","accessId":"65CZ_JOtK0-kJ7PAACWmXw","accessUrl":"https://vault.bitwarden.com/#/send/65CZ_JOtK0-kJ7PAACWmXw/MXzuEPT0zX3vc7RRDdvZfw","name":"e91ec017-1915-4b1f-b80e-7d8e57657fbc","notes":null,"key":"MXzuEPT0zX3vc7RRDdvZfw==","type":0,"maxAccessCount":null,"accessCount":0,"revisionDate":"2025-12-27T02:17:04.634Z","deletionDate":"2026-01-03T02:17:04.322Z","expirationDate":null,"passwordSet":false,"emails":["[email protected]"],"disabled":false,"hideEmail":false,"authType":"Email","text":{"text":"hello world","hidden":false}}]

john@Johns-MacBook-Pro clients % bw send get fc9990eb-ad93-4f2b-a427-b3c00025a65f
{"object":"send","id":"fc9990eb-ad93-4f2b-a427-b3c00025a65f","accessId":"65CZ_JOtK0-kJ7PAACWmXw","accessUrl":"https://vault.bitwarden.com/#/send/65CZ_JOtK0-kJ7PAACWmXw/MXzuEPT0zX3vc7RRDdvZfw","name":"e91ec017-1915-4b1f-b80e-7d8e57657fbc","notes":null,"key":"MXzuEPT0zX3vc7RRDdvZfw==","type":0,"maxAccessCount":null,"accessCount":0,"revisionDate":"2025-12-27T02:17:04.634Z","deletionDate":"2026-01-03T02:17:04.322Z","expirationDate":null,"passwordSet":false,"emails":["[email protected]"],"disabled":false,"hideEmail":false,"authType":"Email","text":{"text":"hello world","hidden":false}}

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 6e7e1515-d1eb-49b2-ac30-d0f1da34dc40

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-22036	Npm-undici-7.16.0	details Recommended version: 7.18.2 Description: Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default m... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package

[codecov]

Codecov Report

❌ Patch coverage is 56.00000% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 42.61%. Comparing base (7150283) to head (86f1c6f).
⚠️ Report is 9 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
apps/cli/src/tools/send/send.program.ts	0.00%	17 Missing ⚠️
apps/cli/src/register-oss-programs.ts	0.00%	1 Missing ⚠️
apps/cli/src/tools/send/commands/edit.command.ts	91.66%	0 Missing and 1 partial ⚠️
...on/src/tools/send/models/response/send.response.ts	0.00%	1 Missing ⚠️
...ibs/common/src/tools/send/models/view/send.view.ts	66.66%	0 Missing and 1 partial ⚠️
...ibs/common/src/tools/send/services/send.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #18106      +/-   ##
==========================================
+ Coverage   42.46%   42.61%   +0.15%     
==========================================
  Files        3637     3637              
  Lines      105768   105848      +80     
  Branches    15994    16017      +23     
==========================================
+ Hits        44915    45112     +197     
+ Misses      58954    58812     -142     
- Partials     1899     1924      +25     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mcamirault]

LGTM

[claude]

Claude finished @harr1424's task in 3m 16s —— View job

---

Code Review: PM-24618 Integrate CLI sends with server branch

Reviewed commit: aa241bf

Summary

This PR adds email-based OTP authentication support to CLI Sends, properly gated behind the SendEmailOTP feature flag. The implementation is well-structured with comprehensive test coverage.

Review Status: Approve with Minor Suggestion

What was reviewed:

• CLI commands for create/edit with new --email option
• AuthType inference logic based on email/password presence
• Feature flag integration for email authentication
• Model updates across the send domain (Send, SendView, SendData, SendResponse)
• New test files for create and edit commands

Key observations:

• The AuthType correctly uses a const object pattern per ADR-0025
• Feature flag properly gates the email functionality at runtime
• Mutual exclusivity between --password and --email is enforced
• Tests cover CLI flags, JSON input, mixed scenarios, and edge cases

Findings:

• 1 minor suggestion for consistent password validation between create and edit commands

The changes are feature-flagged, well-tested, and follow established patterns. Previous reviewers have approved.

---

[mcamirault]

You addressed all my concerns, looks great!

[mcamirault]

No changes since last review, still looks good