[PM-28555] Add idempotent sproc to create My Items collections

[eliykat]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-28555

📔 Objective

Add a sproc to:

• allow for the creation of smaller numbers of My Items collections, without using SqlBulkCopy
• ensure My Items collections are properly arranged, rather than relying on the caller
• ensure that duplicate My Items collections are not created for a combination of user and organization.

After some iteration in #6791 , we are accepting some time-of-check time-of-use risk here. Architecture did not want to enforce uniqueness at the database level so we will keep it simple, filter out existing My Items collections in the sproc, and we can increase the isolation level later if it proves to be a problem.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @eliykat's task in 3m 45s —— View job

---

Overall Assessment: APPROVE

This PR successfully adds an idempotent stored procedure to create My Items collections and refactors the collection creation logic into a centralized utility. The implementation properly handles SQL injection through parameterized queries, includes comprehensive integration tests, and follows established codebase patterns. The TOCTOU race condition mentioned in the PR description is an explicitly accepted architectural risk per the team's decision not to enforce uniqueness constraints at the database level.

Code Review Details

Security: ✅ All queries properly parameterized - no SQL injection risks
Correctness: ✅ Proper TVP tuple ordering (OrganizationUserId, CollectionId)
Idempotency: ✅ Filters existing collections at database level via NOT EXISTS
Test Coverage: ✅ Comprehensive tests for both standard and bulk methods
Error Handling: ✅ Consistent with existing repository patterns

Key Implementation Points Verified:

1. Stored Procedure (Collection_CreateDefaultCollections.sql): Uses table-valued parameters correctly, filters existing collections before insert, handles both Collection and CollectionUser tables atomically.

2. Dapper Implementation (CreateDefaultCollectionsAsync): Generates CollectionIds via CoreHelpers.GenerateComb(), properly maps to TwoGuidIdArray TVP, uses async transaction handling throughout.

3. EF Implementation: Queries existing collections first, filters duplicates in-memory, follows SaveChanges pattern for atomic operations.

4. Refactoring: Successfully consolidates collection creation logic from inline implementations in ConfirmOrganizationUserCommand and AutomaticallyConfirmOrganizationUserCommand into reusable repository methods.

5. Bulk vs Standard Methods: Bulk method uses SqlBulkCopy for >1k users, standard method uses stored procedure for smaller batches - appropriate optimization strategy.

No findings to report - code meets security, correctness, and quality standards.

🚢 Ready to merge after required approvals.

[github-actions]

Checkmarx One – Scan Summary & Details – 38631694-83ed-42b2-889e-af1d14689782

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

❌ Patch coverage is 90.58824% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.96%. Comparing base (35868c2) to head (9170b06).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
...ucture.Dapper/Repositories/CollectionRepository.cs	75.75%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6801      +/-   ##
==========================================
+ Coverage   54.93%   58.96%   +4.02%     
==========================================
  Files        1927     1935       +8     
  Lines       85457    85578     +121     
  Branches     7648     7657       +9     
==========================================
+ Hits        46949    50463    +3514     
+ Misses      36723    33244    -3479     
- Partials     1785     1871      +86     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.