
[PM-35105] Add HighEntropySecret to bitwarden-crypto #1201

Open: quexten wants to merge 5 commits into main from km/high-entropy-secret

@quexten quexten commented Jun 22, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-35105

📔 Objective

Stacked PR 1/4 splitting the secret-protected key envelope work.

Adds HighEntropySecret to the bitwarden-crypto safe module: a wrapper around secret bytes guaranteed to be high-entropy, safe to use as input keying material for a cheap KDF. Includes the bitwarden-sensitive-value dependency and the UniFFI custom-type binding.

Base: main.

A high-entropy secret wraps secret bytes guaranteed to be high-entropy,
making them safe as input keying material for a cheap KDF. Adds the
HighEntropySecret type, its safe-module export, the bitwarden-sensitive-value
dependency, and the UniFFI custom-type binding.

github-actions Bot commented Jun 22, 2026

🔍 SDK Breaking Change Detection

SDK Version: km/high-entropy-secret (0eaefd4)

⚠️ If breaking changes are detected, a corresponding pull request addressing them must be ready for merge in the affected client repository.

| Client | Status | Details |
|---|---|---|
| typescript | ✅ No breaking changes detected | Compilation passed with new SDK version |
| android | ✅ No breaking changes detected | Compilation passed with new SDK version |

Breaking change detection uses the build of the SDK from this branch, including any incompatibilities pre-existing on or merged into this branch. Check the workflow logs to confirm.
Results update as workflows complete.

codecov Bot commented Jun 22, 2026

Codecov Report

❌ Patch coverage is 75.30864% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.09%. Comparing base (378df4c) to head (53771bf).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...s/bitwarden-crypto/src/safe/high_entropy_secret.rs | 76.25% | 19 Missing ⚠️ |
| crates/bitwarden-crypto/src/uniffi_support.rs | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1201      +/-   ##
==========================================
- Coverage   85.09%   85.09%   -0.01%     
==========================================
  Files         464      465       +1     
  Lines       63866    63947      +81     
==========================================
+ Hits        54348    54415      +67     
- Misses       9518     9532      +14     

@quexten quexten marked this pull request as ready for review June 22, 2026 12:07
@quexten quexten requested a review from a team as a code owner June 22, 2026 12:07
@quexten quexten requested a review from eligrubb June 22, 2026 12:07
@quexten quexten marked this pull request as draft June 22, 2026 12:08
@quexten quexten marked this pull request as ready for review June 22, 2026 14:33

github-actions Bot commented Jun 22, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the new HighEntropySecret wrapper added to the bitwarden-crypto safe module (stacked PR 1/4). The type stores secret bytes in Zeroizing, redacts its Debug output, generates material via the CSPRNG (rand::rng().fill_bytes) matching the sibling envelope pattern, and enforces a 16-byte minimum on make(). WASM and UniFFI custom-type bindings follow the established SensitiveString/PasswordProtectedKeyEnvelope conventions, and the bitwarden-sensitive-value workspace dependency is an existing internal crate (path, pinned =3.0.0), not a net-new external dependency.

Code Review Details

No blocking findings.

Notes considered and intentionally not flagged:

  • The minimum-length guard is enforced only in make(); from(), from_internal(), and the WASM/UniFFI lift paths trust the caller. This is documented as an explicit trust contract on HighEntropySecretSource and from_internal, with approved sources (PRF outputs, key-connector bytes) that are high-entropy by construction.
  • WASM lowering exposes the secret as a Base64 string while UniFFI uses raw Vec<u8>; both round-trip correctly and the exposure is acknowledged in the UniFFI EXPOSE comment.

Test coverage exercises redaction, length rejection/acceptance, distinct generation, byte preservation, and clone behavior.

@quexten quexten added the ai-review Request a Claude code review label Jun 23, 2026
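
The properties the review comment lists (redacted Debug output, CSPRNG generation, a 16-byte floor enforced only in make(), wiping on drop), shown as a std-only Rust sketch. This is an added example, not code from the PR or from bitwarden-crypto: the method signatures, `SecretError`, `from_trusted` and `expose` are hypothetical, `/dev/urandom` stands in for `rand`, and a volatile wipe stands in for `Zeroizing`.

```rust
use std::{fmt, fs::File, io::Read};

const MIN_LEN: usize = 16; // floor named in the review comment

#[derive(Debug, PartialEq)]
pub enum SecretError { TooShort, Rng }

/// Assumed shape of a high-entropy secret wrapper (std only).
pub struct HighEntropySecret(Vec<u8>);

impl HighEntropySecret {
    /// Generate `len` bytes from the OS CSPRNG; lengths under the floor are rejected.
    pub fn make(len: usize) -> Result<Self, SecretError> {
        if len < MIN_LEN {
            return Err(SecretError::TooShort);
        }
        let mut buf = vec![0u8; len];
        // Assumption: /dev/urandom stands in for rand::rng().fill_bytes.
        File::open("/dev/urandom")
            .and_then(|mut f| f.read_exact(&mut buf))
            .map_err(|_| SecretError::Rng)?;
        Ok(Self(buf))
    }
    /// Trusted path (hypothetical name): no length check, caller vouches for entropy.
    pub fn from_trusted(bytes: Vec<u8>) -> Self { Self(bytes) }
    pub fn expose(&self) -> &[u8] { &self.0 }
}

impl fmt::Debug for HighEntropySecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("HighEntropySecret(<redacted>)") // never print the bytes
    }
}

impl Drop for HighEntropySecret {
    fn drop(&mut self) {
        // Volatile writes keep the wipe from being optimised out (stand-in for Zeroizing).
        for b in self.0.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
    }
}

fn main() {
    let s = HighEntropySecret::make(32).expect("OS RNG");
    println!("{:?} len={}", s, s.expose().len());
    println!("{:?}", HighEntropySecret::make(15).map(|_| ()));
}
```

Because the trusted constructor skips the length check, any caller of that path is part of the entropy guarantee and should be audited as such.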