// the find
bitwarden/server
Bitwarden infrastructure/backend (API, database, Docker, etc).
This is the full backend for Bitwarden, the open-source password manager — covering API services, identity/SSO, SCIM provisioning, secrets manager, billing, and database migrations. It's a production-grade, actively maintained ASP.NET Core microservices codebase. Useful for anyone self-hosting Bitwarden or wanting to study how a serious security-focused SaaS backend is structured.
- Clean separation between open-source core and commercial/licensed features via the bitwarden_license directory — you can clearly see what's gated and why, rather than it being a tangled mess
- Both Dapper (raw SQL/stored procs) and EF Core repositories coexist with clear patterns documented in .claude/skills — the dual-ORM approach is pragmatic for a SQL Server-first app that also needs multi-DB support
- Strong CI pipeline: separate workflows for database tests, security scanning (Checkmarx), load tests, and build — not just a single test step bolted on
- Devcontainer setup with separate community vs internal dev configurations means external contributors can actually get a working environment without needing internal secrets
- Hard dependency on SQL Server for the primary data tier makes self-hosting more expensive and complicated; PostgreSQL/MySQL support via EF Core exists but feels like a second-class citizen in several stored-procedure-heavy areas
- The .claude directory with AI skill files (implementing-dapper-queries.md, etc.) is novel but signals that institutional knowledge is being offloaded to LLM prompts rather than living in proper developer docs or ADRs — fragile long-term
- The install script downloads from func.bitwarden.com, meaning self-hosters have a runtime dependency on Bitwarden's infrastructure just to bootstrap — not great for air-gapped or offline environments
- Feature parity between self-hosted and cloud is genuinely unclear without reading the license-gated code carefully; several enterprise features (SSO, SCIM, advanced policies) require a license that costs real money even for self-hosters