[PM-34716] Implement legacy CLI generate command within Rust CLI

[harr1424]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34716

📔 Objective

Implement bw generate within the Rust CLI to have full parity with existing CLI.

[github-actions]

Checkmarx One – Scan Summary & Details – 3224daf9-6c4e-4a7a-8903-d38c2b3ec000

---

New Issues (6)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-33671	Npm-picomatch-4.0.3	details Recommended version: 4.0.4 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-39983	Npm-basic-ftp-5.2.0	details Recommended version: 5.2.2 Description: basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters pa... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		Cxd1b70372-eae2	Npm-basic-ftp-5.2.0	details Recommended version: 5.2.2 Description: basic-ftp's CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the `protectWhitespace... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2025-62718	Npm-axios-1.13.6	details Recommended version: 1.15.0 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-33532	Npm-yaml-2.8.2	details Recommended version: 2.8.3 Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-40175	Npm-axios-1.13.6	details Recommended version: 1.15.0 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: tools/PM-34716-SDK-CLI-Generate-Command (3469bc8)
Completed: 2026-04-17 15:01:01 UTC
Total Time: 277s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.73%. Comparing base (7716ab9) to head (3469bc8).
⚠️ Report is 27 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #958      +/-   ##
==========================================
+ Coverage   83.02%   83.73%   +0.70%     
==========================================
  Files         376      379       +3     
  Lines       45317    45910     +593     
==========================================
+ Hits        37626    38443     +817     
+ Misses       7691     7467     -224     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Hinton]

Do you know if these are CLI concerns or if they occur for all clients?

It might be nicer to do cmp::min(self.words, 3) further down when you call client.generator() since you can drop mut on self.

[dani-garcia]

This is also something that the current passphrase generator code returns an error from:

sdk-internal/crates/bitwarden-generators/src/passphrase.rs

Line 68 in b727827

if !(MINIMUM_PASSPHRASE_NUM_WORDS..=MAXIMUM_PASSPHRASE_NUM_WORDS).contains(&self.num_words)

Maybe we can just make the constants used there public just to make sure they're not out of sync? Or if we don't care about erroring for this, increasing the minimum there.

[harr1424]

@Hinton this behavior is present across all clients: requesting a passphrase with fewer than three words, or more than twenty words, will result in the limit being silently enforced with no message to the user.

[harr1424]

Please see 3469bc8

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
5.0% Duplication on New Code

See analysis details on SonarQube Cloud