[PM-31159] State service rewrite

[BTreston]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31159?search_id=6e3045c2-dde7-4d70-bc1b-5e47e132604d

📔 Objective

⚠️ WIP WIP WIP WIP WIP ⚠️
This is the post-account switching, pre-StateProvider StateService, which is a large monolith containing every getter and setter for every piece of data used by all clients. This in turn means that we cannot delete the data models used by StateService, which has a cascading effect of preventing code deletion.

StateService was never very stable, so we should avoid changing this class at all as it is likely to cause regressions. Additionally, Directory Connector never needed account switching, so it is more complex than we need. It should be replaced and existing data migrated if necessary.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[BTreston]

gsuite is the guinea pig right now.

[github-actions]

Checkmarx One – Scan Summary & Details – 2414c5d8-9110-4f26-8f26-c34e82254a62

New Issues (6)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-22036	Npm-undici-7.16.0	details Recommended version: 7.18.2 Description: Undici is an HTTP/1.1 client for Node.js. In Undici versions prior to 6.23.0 and 7.x prior to 7.18.2, the number of links in the decompression chai... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-13465	Npm-lodash-4.17.21	details Recommended version: 4.17.23 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		Use_Of_Hardcoded_Password	/src/services/state-service/state-vNext.service.spec.ts: 470	details The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac... Attack Vector
4		Use_Of_Hardcoded_Password	/src/services/state-service/state-vNext.service.spec.ts: 124	details The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac... Attack Vector
5		Use_Of_Hardcoded_Password	/src/services/state-service/state-vNext.service.spec.ts: 470	details The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac... Attack Vector
6		Use_Of_Hardcoded_Password	/src/services/state-service/state-vNext.service.spec.ts: 124	details The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac... Attack Vector

[codecov]

Codecov Report

❌ Patch coverage is 57.55102% with 104 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.38%. Comparing base (7381857) to head (a0e7494).
⚠️ Report is 24 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...c/services/state-service/stateMigration.service.ts	0.00%	63 Missing ⚠️
src/services/state-service/state-vNext.service.ts	87.67%	14 Missing and 4 partials ⚠️
...vices/gsuite-directory.service.integration.spec.ts	0.00%	7 Missing ⚠️
src/app/services/services.module.ts	0.00%	5 Missing ⚠️
src/bwdc.ts	0.00%	4 Missing ⚠️
src/main.ts	0.00%	3 Missing ⚠️
src/services/directory-factory.service.ts	0.00%	2 Missing ⚠️
src/abstractions/state-vNext.service.ts	0.00%	1 Missing ⚠️
src/services/state-service/state.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #990      +/-   ##
==========================================
+ Coverage   14.90%   18.38%   +3.47%     
==========================================
  Files          67       70       +3     
  Lines        2791     3014     +223     
  Branches      481      524      +43     
==========================================
+ Hits          416      554     +138     
- Misses       2271     2352      +81     
- Partials      104      108       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.