This skill should be used when the user asks to "bump the Rust SDK", "update sdk-internal", "bump bitwarden-crypto", "update RustSdk dependencies", "align server SDK with clients", or needs to update the bitwarden/sdk-internal git rev pins in util/RustSdk/rust/Cargo.toml. Provides the methodology for mapping client NPM versions to git commit SHAs, analyzing breaking changes, auditing the API surface, and verifying the bump end-to-end.
The server's util/RustSdk/rust/Cargo.toml pins bitwarden-crypto from the
bitwarden/sdk-internal repository by git rev. This must be periodically bumped to stay
aligned with the Bitwarden client applications.
The RustSdk is used by the Seeder to produce cryptographically correct Protected Data for
integration testing. It is NOT part of the production server runtime. The Rust layer provides
generic field-level encryption (encrypt_string, decrypt_string, encrypt_fields) and
key generation — the C# Seeder drives which fields to encrypt via EncryptPropertyAttribute.
The clients consume sdk-internal via NPM packages (@bitwarden/sdk-internal), while the
server consumes it via Rust git rev pins. The NPM version (e.g., 0.2.0-main.522) does not
directly correspond to a git tag — it encodes a GitHub Actions .
0.2.0-main.522
│ │ │
│ │ └── GitHub Actions run number for publish-wasm-internal workflow
│ └── Branch name (/ replaced with -)
└── Base version from sdk-internal
Publish @bitwarden/sdk-internal workflow ID in the sdk-internal repohead_sha — that is the git rev to pin in Cargo.tomlThe specific API queries are documented in references/methodology.md.
Determine which sdk-internal version to target. Check the latest production release tag from
bitwarden/clients (e.g., web-v2026.2.0):
cd /path/to/clients
git show web-v2026.2.0:package.json | grep sdk-internal
This gives the NPM version (e.g., 0.2.0-main.522). Extract the run number (522).
Query the GitHub Actions API to find the commit that produced that NPM build. See
references/methodology.md for the exact commands.
Compare the current pinned rev against the target rev, focusing on bitwarden-crypto:
cd /path/to/sdk-internal
git log --oneline <old-rev>..<new-rev> -- crates/bitwarden-crypto
Cross-reference each commit against the API surface documented in references/api-surface.md.
Cargo.toml — bump the bitwarden-crypto rev pin to the new SHA#[allow(deprecated)] for any newly-deprecated APIs (with a comment explaining why)cd util/RustSdk/rust
cargo build # Must compile cleanly
cargo test # All tests must pass (roundtrip test is critical)
cargo fmt --check # Formatting must be clean
git diff ../NativeMethods.g.cs # FFI signatures should be unchanged
Also run the C# integration tests:
dotnet test test/SeederApi.IntegrationTest/
Claude does NOT perform this step. Present these commands to the human engineer and wait for confirmation before proceeding.
The human runs SeederUtility and SeederApi to verify Protected Data is correctly produced and
decryptable by the web client. See references/methodology.md for the specific test commands
and validation criteria.
util/ (test infrastructure), not src/ (production)Cargo.lock diff for unexpected transitive crypto crate changes (rsa, aes, sha2, etc.)The API surface reference (references/api-surface.md) must always reflect the actual code.
Two mechanisms enforce this:
/bump-rust-sdk command includes a mandatory final step to
regenerate api-surface.md by reading the actual *.rs source files..claude/hooks/rust-sdk-surface-check.sh blocks if Cargo.toml was
modified but api-surface.md was not updated in the same session.To regenerate: read all .rs files in util/RustSdk/rust/src/, extract every use statement
from bitwarden_crypto, and rewrite references/api-surface.md to match.
references/methodology.md — Detailed step-by-step commands including GitHub Actions API
queries, breaking change analysis checklist, human verification commands, and a worked example
from the Feb 2026 bumpreferences/api-surface.md — Complete inventory of types, traits, and functions the RustSdk
imports from bitwarden-crypto, used to assess breaking change impact| File | Change |
|---|---|
util/RustSdk/rust/Cargo.toml | bitwarden-crypto rev pin update |
util/RustSdk/rust/src/*.rs | Type renames, new parameters, deprecation fixes |
util/RustSdk/rust/Cargo.lock | Auto-regenerated (commit alongside) |
util/RustSdk/NativeMethods.g.cs | Should NOT change (verify) |