[PM-37474] Include UseRiskInsights in self-host license VerifyData

[AlexRubik]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-37474

📔 Objective

OrganizationLicense.VerifyData() signed the UseRiskInsights claim into the self-host license but never validated it against the organization, leaving the last gap in the org-ability wiring for Access Intelligence on self-host. This adds the comparison using the conditional HasClaim pattern introduced in PM-33980 (!claimsPrincipal.HasClaim(...) || claimValue == orgValue), so that:

• new licenses correctly enforce the UseRiskInsights ability on self-host, and
• pre-existing self-host licenses generated before this claim existed continue to validate (the claim is absent, so the comparison is skipped) rather than being treated as invalid and disabling the organization.

This mirrors the existing UseMyItems and UseInviteLinks clauses in the same method. The claim is already emitted by OrganizationLicenseClaimsFactory and synced onto the organization by Organization.UpdateFromLicense(); VerifyData() was the only consumer missing it.

📸 Screenshots

Not applicable — server-side license validation, no UI changes.

⏰ Reminders before review

Unit tests cover the three branches of the new clause: claim absent (pre-existing license still validates), claim present and matching, and claim present and mismatching (validation fails).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the addition of the UseRiskInsights validation clause in OrganizationLicense.VerifyData() and its accompanying tests. The change correctly mirrors the conditional HasClaim pattern established in PM-33980 for UseMyItems and UseInviteLinks, ensuring pre-existing self-host licenses (which lack the claim) continue to validate while new licenses enforce the ability. Verified the supporting wiring: the claim is emitted by OrganizationLicenseClaimsFactory, excluded from the legacy signature-hash method, and synced via the organization factory/update command. Tests cover all three branches (claim absent, present-and-matching, present-and-mismatching).

Code Review Details

No findings. The change is well-scoped, consistent with the documented PM-33980 pattern, and does not affect license signature hashing (UseRiskInsights remains excluded at OrganizationLicense.cs:235). Test coverage is complete and aligned with the code change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.26%. Comparing base (2f56f5d) to head (ce44fa7).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7818   +/-   ##
=======================================
  Coverage   61.26%   61.26%           
=======================================
  Files        2194     2194           
  Lines       97313    97318    +5     
  Branches     8768     8768           
=======================================
+ Hits        59615    59620    +5     
  Misses      35584    35584           
  Partials     2114     2114           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AlexRubik]

Closing this draft. The self-host license VerifyData change is being consolidated with the rest of the PM-37469 subtasks into a single PR, #7782, so the whole org-ability change ships in one deploy. Work continues there.