Arch/qa env seeding tweaks

[MGibson1]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34880
https://bitwarden.atlassian.net/browse/PM-34881
https://bitwarden.atlassian.net/browse/PM-34886

📔 Objective

Various tweaks to smooth qa automation testing.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 1e7dc9cf-3e84-4dc7-a82c-612f72c6924e

---

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 275

[codecov]

Codecov Report

❌ Patch coverage is 21.05263% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.74%. Comparing base (4883d49) to head (67ed61f).
⚠️ Report is 40 commits behind head on main.

Files with missing lines	Patch %	Lines
...lling/Services/Implementations/LicensingService.cs	22.58%	19 Missing and 5 partials ⚠️
...SharedWeb/Utilities/ServiceCollectionExtensions.cs	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7430      +/-   ##
==========================================
+ Coverage   58.53%   58.74%   +0.21%     
==========================================
  Files        2069     2071       +2     
  Lines       91306    91264      -42     
  Branches     8128     8129       +1     
==========================================
+ Hits        53443    53615     +172     
+ Misses      35954    35733     -221     
- Partials     1909     1916       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kdenney]

Logic looks good! Only thing I'd ask is if you could add some unit tests to cover the new changes? We've had issues in the past with changes to the licensing logic causing regressions so I like to make sure we cover that area pretty thoroughly. Thanks!

[justindbaur]

Suggested change

	IssuerSigningKey = issuerKey,
	IssuerSigningKeys =_verificationCertificates.Select((c) => new X509SecurityKey(c)),

This should also mean you don't need to do any merges since only one would be valid anyways. This just says both of those keys are valid.

[kdenney]

Approving after our convo in slack. Tests are complicated without giving the licenses to CI. Ideally we refactor this in the future into two services but not needed for this fix.

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR makes three targeted changes to support QA automation in non-production environments. The licensing service is refactored to separate creation and verification certificates, allowing self-hosted dev instances to accept both production-signed and dev-signed licenses. The data protection configuration removes the development early-return so non-production environments can configure key persistence when settings are available, with a null check added to prevent crashes when certificates are absent. The PlayId service broadens its scope from development-only to all non-production environments.

The previous review finding regarding VerifySignature calls only using _creationCertificate has been addressed -- all three call sites now iterate _verificationCertificates.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud