devise_scim 0.1.11

data/app/controllers/devise_scim/groups_controller.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  # Groups controller delegates all model interaction to the host app's ScimAdapter subclass.
+  # The gem handles the SCIM protocol layer; the adapter handles group lifecycle.
+  class GroupsController < ApplicationController
+    def index
+      render_scim(Scim::ListResponse.new(resources: []))
+    end
+
+    def create
+      scim_g  = Scim::Group.from_h(parsed_body)
+      adapter = scim_adapter_for(nil, scim_g)
+      adapter.handle_group_create
+      render_scim(adapter.group_to_scim, status: :created)
+    rescue NotImplementedError => e
+      render_scim(Scim::Error.server_error(e.message), status: :internal_server_error)
+    end
+
+    def show
+      scim_g  = build_scim_group_for_id(params[:id])
+      adapter = scim_adapter_for(nil, scim_g)
+      render_scim(adapter.group_to_scim)
+    rescue NotImplementedError => e
+      render_scim(Scim::Error.server_error(e.message), status: :internal_server_error)
+    end
+
+    def replace
+      scim_g  = Scim::Group.from_h(parsed_body)
+      adapter = scim_adapter_for(nil, scim_g)
+      adapter.handle_group_update
+      render_scim(adapter.group_to_scim)
+    rescue NotImplementedError => e
+      render_scim(Scim::Error.server_error(e.message), status: :internal_server_error)
+    end
+
+    def update
+      scim_g  = Scim::Group.from_h(parsed_body)
+      adapter = scim_adapter_for(nil, scim_g)
+      adapter.handle_group_update
+      render_scim(adapter.group_to_scim)
+    rescue NotImplementedError => e
+      render_scim(Scim::Error.server_error(e.message), status: :internal_server_error)
+    end
+
+    def destroy
+      scim_g  = build_scim_group_for_id(params[:id])
+      adapter = scim_adapter_for(nil, scim_g)
+      adapter.handle_group_destroy
+      head :no_content
+    end
+
+    private
+
+    def parsed_body
+      @parsed_body ||= JSON.parse(request.body.read)
+    rescue JSON::ParserError
+      {}
+    end
+
+    def build_scim_group_for_id(id)
+      g    = Scim::Group.new
+      g.id = id
+      g
+    end
+  end
+end

data/app/controllers/devise_scim/resource_types_controller.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class ResourceTypesController < ApplicationController
+    LIST_SCHEMA          = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
+    RESOURCE_TYPE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
+
+    def index
+      types = [user_resource_type]
+      types << group_resource_type if DeviseScim.configuration.enable_groups
+      payload = {
+        "schemas" => [LIST_SCHEMA],
+        "totalResults" => types.size,
+        "Resources" => types
+      }
+      render_scim(payload)
+    end
+
+    private
+
+    def user_resource_type
+      prefix = DeviseScim.configuration.route_prefix
+      {
+        "schemas" => [RESOURCE_TYPE_SCHEMA],
+        "id" => "User",
+        "name" => "User",
+        "endpoint" => "#{prefix}/Users",
+        "schema" => Scim::USER_SCHEMA
+      }
+    end
+
+    def group_resource_type
+      prefix = DeviseScim.configuration.route_prefix
+      {
+        "schemas" => [RESOURCE_TYPE_SCHEMA],
+        "id" => "Group",
+        "name" => "Group",
+        "endpoint" => "#{prefix}/Groups",
+        "schema" => Scim::GROUP_SCHEMA
+      }
+    end
+  end
+end

data/app/controllers/devise_scim/schemas_controller.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class SchemasController < ApplicationController
+    LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
+    SCHEMA_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Schema"
+
+    def index
+      schemas = [user_schema]
+      schemas << group_schema if DeviseScim.configuration.enable_groups
+      payload = {
+        "schemas" => [LIST_SCHEMA],
+        "totalResults" => schemas.size,
+        "Resources" => schemas
+      }
+      render_scim(payload)
+    end
+
+    private
+
+    def user_schema
+      {
+        "schemas" => [SCHEMA_SCHEMA],
+        "id" => Scim::USER_SCHEMA,
+        "name" => "User",
+        "description" => "User Account",
+        "attributes" => user_attributes
+      }
+    end
+
+    def group_schema
+      {
+        "schemas" => [SCHEMA_SCHEMA],
+        "id" => Scim::GROUP_SCHEMA,
+        "name" => "Group",
+        "description" => "Group",
+        "attributes" => [
+          { "name" => "displayName", "type" => "string", "multiValued" => false, "required" => true },
+          { "name" => "members",     "type" => "complex", "multiValued" => true, "required" => false }
+        ]
+      }
+    end
+
+    def user_attributes
+      [
+        { "name" => "userName",    "type" => "string",  "multiValued" => false, "required" => true },
+        { "name" => "name",        "type" => "complex", "multiValued" => false, "required" => false },
+        { "name" => "emails",      "type" => "complex", "multiValued" => true,  "required" => false },
+        { "name" => "phoneNumbers", "type" => "complex", "multiValued" => true, "required" => false },
+        { "name" => "active",      "type" => "boolean", "multiValued" => false, "required" => false },
+        { "name" => "externalId",  "type" => "string",  "multiValued" => false, "required" => false }
+      ]
+    end
+  end
+end

data/app/controllers/devise_scim/service_provider_controller.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class ServiceProviderController < ApplicationController
+    def show
+      render_scim(service_provider_config)
+    end
+
+    private
+
+    def service_provider_config
+      {
+        "schemas" => ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+        "patch" => { "supported" => true },
+        "bulk" => { "supported" => false, "maxOperations" => 0, "maxPayloadSize" => 0 },
+        "filter" => { "supported" => true, "maxResults" => 200 },
+        "changePassword" => { "supported" => false },
+        "sort" => { "supported" => false },
+        "etag" => { "supported" => false },
+        "authenticationSchemes" => auth_schemes
+      }
+    end
+
+    def auth_schemes
+      if DeviseScim.configuration.auth_method == :oauth
+        [{ "type" => "oauthbearertoken", "name" => "OAuth Bearer Token",
+           "description" => "OAuth2 client_credentials grant" }]
+      else
+        [{ "type" => "oauthbearertoken", "name" => "Bearer Token",
+           "description" => "Static bearer token authentication" }]
+      end
+    end
+  end
+end

data/app/controllers/devise_scim/users_controller.rb

@@ -0,0 +1,281 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class UsersController < ApplicationController # rubocop:disable Metrics/ClassLength
+    def index
+      scope = apply_filter(tenant_scope)
+      scim_users = scope.map { |u| scim_adapter_for(u, Scim::User.new).to_scim }
+      render_scim(Scim::ListResponse.new(resources: scim_users))
+    end
+
+    def create
+      scim_u = Scim::User.from_h(parsed_body)
+      user   = multi_tenant? ? multi_tenant_create(scim_u) : single_tenant_create(scim_u)
+      render_scim(scim_adapter_for(user, Scim::User.new).to_scim, status: :created)
+    end
+
+    def show
+      render_scim(scim_adapter_for(find_user!(params[:id]), Scim::User.new).to_scim)
+    end
+
+    def replace
+      user   = find_user!(params[:id])
+      scim_u = Scim::User.from_h(parsed_body)
+      adapter = scim_adapter_for(user, scim_u)
+      user.assign_attributes(adapter.attributes_for_update)
+      user.save!
+      render_scim(scim_adapter_for(user, Scim::User.new).to_scim)
+    end
+
+    def update
+      user = find_user!(params[:id])
+      ops  = Scim::PatchOperation.parse_request(parsed_body)
+      apply_patch(user, ops)
+      user.save!
+      render_scim(scim_adapter_for(user, Scim::User.new).to_scim)
+    end
+
+    def destroy
+      handle_deprovision(find_user!(params[:id]))
+    end
+
+    private
+
+    def parsed_body
+      @parsed_body ||= JSON.parse(request.body.read)
+    rescue JSON::ParserError
+      {}
+    end
+
+    def apply_filter(scope)
+      return scope unless params[:filter].present?
+
+      ast = Filter::Parser.parse(params[:filter])
+      Filter::ArelVisitor.new(devise_model).apply(ast, scope)
+    rescue Filter::Parser::ParseError => e
+      raise InvalidFilter, e.message
+    end
+
+    def find_user!(id)
+      user = tenant_scope.find_by("#{devise_model.table_name}.id" => id)
+      raise NotFound, "User #{id} not found" unless user
+
+      user
+    end
+
+    # ── single-tenant ──────────────────────────────────────────────────────────
+
+    def single_tenant_create(scim_u)
+      existing = find_by_uid_or_email(scim_u)
+
+      if existing.nil?
+        build_and_save_user(scim_u)
+      elsif deprovisioned?(existing)
+        reprovision_user(existing, scim_u)
+      else
+        raise Conflict, "User already exists"
+      end
+    end
+
+    def build_and_save_user(scim_u)
+      user    = devise_model.new
+      adapter = scim_adapter_for(user, scim_u)
+      user.assign_attributes(adapter.attributes_for_create)
+      set_scim_meta(user, scim_u.external_id)
+      user.save!
+      adapter.after_provision
+      user
+    end
+
+    def reprovision_user(user, scim_u)
+      user.scim_active            = true if col?(:scim_active)
+      user.scim_deprovisioned_at  = nil  if col?(:scim_deprovisioned_at)
+      user.scim_source            = "scim" if col?(:scim_source)
+      adapter = scim_adapter_for(user, scim_u)
+      user.assign_attributes(adapter.attributes_for_update)
+      user.save!
+      adapter.after_provision
+      user
+    end
+
+    def find_by_uid_or_email(scim_u)
+      email = scim_u.user_name || scim_u.primary_email
+      uid   = scim_u.external_id
+
+      if uid && col?(:scim_uid)
+        devise_model.find_by(scim_uid: uid) || devise_model.find_by(email: email)
+      else
+        devise_model.find_by(email: email)
+      end
+    end
+
+    # ── multi-tenant ───────────────────────────────────────────────────────────
+
+    def multi_tenant_create(scim_u)
+      email = scim_u.user_name || scim_u.primary_email
+      existing = devise_model.find_by(email: email)
+
+      if existing.nil?
+        create_and_assign_user(scim_u)
+      else
+        active_join = tenant_join_for(existing)
+        raise Conflict, "User already belongs to this tenant" if active_join
+
+        other_join = other_tenant_join_for(existing)
+        if other_join
+          handle_exclusivity_conflict(existing, scim_u, other_join)
+        else
+          claim_user(existing, scim_u)
+        end
+        existing
+      end
+    end
+
+    def create_and_assign_user(scim_u)
+      user = devise_model.new
+      adapter = scim_adapter_for(user, scim_u)
+      user.assign_attributes(adapter.attributes_for_create)
+      user.scim_source = "scim" if col?(:scim_source)
+      user.save!
+      assign_to_tenant(user, scim_u.external_id)
+      adapter.after_provision
+      user
+    end
+
+    def claim_user(user, scim_u)
+      user.scim_source = "scim" if col?(:scim_source)
+      user.save! if user.changed?
+      assign_to_tenant(user, scim_u.external_id, claimed_now: true)
+      scim_adapter_for(user, scim_u).after_provision
+    end
+
+    def handle_exclusivity_conflict(user, scim_u, other_join)
+      config = DeviseScim.configuration
+      if config.user_exclusivity == :multiple
+        assign_to_tenant(user, scim_u.external_id)
+        scim_adapter_for(user, scim_u).after_provision
+      elsif config.exclusivity_conflict == :reassign
+        other_join.update!(active: false)
+        assign_to_tenant(user, scim_u.external_id)
+        scim_adapter_for(user, scim_u).after_provision
+      else
+        raise Conflict, "User already belongs to another tenant"
+      end
+    end
+
+    def tenant_join_for(user)
+      ScimTenantUser.find_by("user_id" => user.id,
+                             tenant_fk_column => current_scim_tenant.id,
+                             "active" => true)
+    end
+
+    def other_tenant_join_for(user)
+      ScimTenantUser.where("user_id" => user.id, "active" => true)
+                    .where.not(tenant_fk_column => current_scim_tenant.id)
+                    .first
+    end
+
+    def assign_to_tenant(user, external_id, claimed_now: false)
+      attrs = {
+        "user_id" => user.id,
+        tenant_fk_column => current_scim_tenant.id,
+        "scim_uid" => external_id,
+        "provisioned_at" => Time.current,
+        "active" => true
+      }
+      attrs["scim_claimed_at"] = Time.current if claimed_now
+      ScimTenantUser.create!(attrs)
+    end
+
+    # ── deprovision ────────────────────────────────────────────────────────────
+
+    def handle_deprovision(user)
+      config = DeviseScim.configuration
+      source = col?(:scim_source) ? user.scim_source : "scim"
+
+      if source != "scim"
+        case config.deprovision_manual_users
+        when false
+          Rails.logger.warn "[DeviseScim] Skipping deprovision of manual user #{user.id}"
+          return render_scim(scim_adapter_for(user, Scim::User.new).to_scim)
+        when :error
+          raise Conflict, "Cannot deprovision a manually-created user"
+        end
+      end
+
+      perform_deprovision(user, config)
+      head :no_content
+    end
+
+    def perform_deprovision(user, config)
+      if multi_tenant?
+        ScimTenantUser.find_by("user_id" => user.id,
+                               tenant_fk_column => current_scim_tenant.id)
+                      &.update!(active: false)
+      end
+      if config.soft_delete
+        user.scim_deprovisioned_at = Time.current if col?(:scim_deprovisioned_at)
+        user.scim_active           = false if col?(:scim_active)
+        user.save! if user.changed?
+      end
+      scim_adapter_for(user, Scim::User.new).after_deprovision
+    end
+
+    # ── patch ──────────────────────────────────────────────────────────────────
+
+    def apply_patch(user, ops)
+      ops.each { |op| apply_op(user, op) }
+    end
+
+    # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def apply_op(user, patch_op)
+      return apply_valuemap(user, patch_op.value) unless patch_op.raw_path
+
+      case [patch_op.attribute&.downcase, patch_op.sub_attribute&.downcase]
+      when ["active", nil]
+        user.scim_active = patch_op.value if col?(:scim_active)
+      when ["username", nil]
+        user.email = patch_op.value
+      when ["emails", nil]
+        primary = Array(patch_op.value).find { |e| e["primary"] } || Array(patch_op.value).first
+        user.email = primary["value"] if primary
+      when %w[name givenname]
+        user.first_name = patch_op.value if col?(:first_name)
+      when %w[name familyname]
+        user.last_name = patch_op.value if col?(:last_name)
+      end
+    end
+    # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def apply_valuemap(user, value)
+      return unless value.is_a?(Hash)
+
+      value.each do |key, val|
+        case key.downcase
+        when "active"   then user.scim_active = val if col?(:scim_active)
+        when "username" then user.email = val
+        when "name"
+          user.first_name = val["givenName"]  if val["givenName"] && col?(:first_name)
+          user.last_name  = val["familyName"] if val["familyName"] && col?(:last_name)
+        end
+      end
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+    # ── helpers ────────────────────────────────────────────────────────────────
+
+    def set_scim_meta(user, external_id)
+      user.scim_uid    = external_id if col?(:scim_uid)
+      user.scim_source = "scim"      if col?(:scim_source)
+    end
+
+    def col?(name)
+      devise_model.column_names.include?(name.to_s)
+    end
+
+    def deprovisioned?(user)
+      col?(:scim_active) && user.scim_active == false
+    end
+  end
+end

data/docs/contributing.md

@@ -0,0 +1,163 @@
+# Contributing Guide
+
+## Dev Setup
+
+```bash
+git clone https://github.com/vertigo-prime/devise_scim.git
+cd devise_scim
+bundle install
+bundle exec rspec   # should report ~285 examples, 0 failures
+```
+
+The gem uses [Combustion](https://github.com/pat/combustion) — there is no separate test Rails app to create or maintain. `Combustion.initialize! :all` in `spec/rails_helper.rb` boots a full Rails environment from `spec/internal/` in-process. SQLite is used for the test database; no setup is needed beyond `bundle install`.
+
+---
+
+## Test Configurations
+
+The gem must work correctly under three distinct configurations. The spec suite exercises all three via `before`/`after` blocks that temporarily reconfigure the gem and reset after each example or context.
+
+**Single-tenant token auth:**
+
+```ruby
+DeviseScim.configure do |c|
+  c.tenancy    = :single
+  c.auth_method = :token
+  c.token      = "test-token"
+end
+```
+
+**Single-tenant OAuth:**
+
+```ruby
+DeviseScim.configure do |c|
+  c.tenancy    = :single
+  c.auth_method = :oauth
+end
+```
+
+Requires Doorkeeper in the Gemfile. OAuth specs stub or use Doorkeeper's test helpers to issue access tokens.
+
+**Multi-tenant:**
+
+```ruby
+DeviseScim.configure do |c|
+  c.tenancy = :multi
+end
+```
+
+Multi-tenant specs create `DeviseScim::ScimTenant` records and pass their tokens via the `Authorization` header.
+
+Always call `DeviseScim.reset_configuration!` in an `after` block (or use the provided RSpec helpers) to avoid leaking configuration between examples.
+
+---
+
+## Running Checks
+
+All three checks must pass before submitting a PR:
+
+```bash
+# Run the full test suite
+bundle exec rspec
+
+# Lint — fix safe autocorrections first, then review the rest
+bundle exec rubocop --autocorrect
+bundle exec rubocop
+
+# Static security analysis
+bundle exec brakeman --force --no-pager
+```
+
+The CI workflow (`.github/workflows/main.yml`) runs all three. A PR with failing Brakeman output will not be merged regardless of test results.
+
+---
+
+## Test App Structure
+
+`spec/internal/` is the Combustion test application. It is a minimal Rails app that exists solely to host the engine during tests.
+
+**Key files:**
+
+- `spec/internal/db/schema.rb` — defines all tables: `users`, `scim_tenants`, `scim_tenant_users`, `scim_groups`. This schema is loaded via `config.before(:suite)` in `spec/rails_helper.rb`, ensuring AR specs see the correct tables even when the generator spec has overwritten the in-memory connection.
+- `spec/internal/config/routes.rb` — mounts three `scim_for` variants: the default at `/scim/v2`, a groups-enabled variant at `/scim_groups`, and an OAuth-enabled variant at `/scim_oauth`. The routing spec verifies all three.
+- `spec/internal/app/models/user.rb` — the Devise user model used throughout request specs.
+- `spec/internal/app/models/scim_group.rb` — the group model used by groups endpoint specs.
+- `spec/internal/config/initializers/warden.rb` — patches Devise's `configure_warden!` to be a no-op (Warden middleware is not fully instantiated in the test environment).
+
+> [!WARNING]
+> Do not modify `spec/internal/db/schema.rb` without updating all request specs that depend on the table structure. Adding a column that does not exist in production schemas will cause false-positive test passes. Removing a column used by a spec will cause failures that are hard to attribute.
+
+---
+
+## PR Conventions
+
+**Commit messages:**
+
+- Imperative mood, present tense: "Add OAuth token rotation" not "Added OAuth token rotation".
+- First line under 72 characters.
+- Body explains **why**, not what — the diff shows what changed.
+- One logical change per commit; one logical change per PR.
+
+**For SCIM protocol changes:** link to the relevant RFC section in the PR description. RFC 7643 covers the data model; RFC 7644 covers the protocol (endpoints, filter syntax, PATCH operations). Example: "Per RFC 7644 §3.4.2.2, the `pr` operator should match non-null values."
+
+**Test requirements:**
+
+- New features must include request specs in `spec/requests/`.
+- Bug fixes must include a regression test that fails before the fix and passes after.
+- Filter system changes (new operators, new attribute mappings) need both a `spec/filter/parser_spec.rb` example and a `spec/filter/arel_visitor_spec.rb` example.
+
+---
+
+## Extending the Filter System
+
+The filter pipeline is two files:
+
+**`lib/devise_scim/filter/parser.rb`** — tokenizer + recursive descent AST builder.
+
+- The tokenizer uses explicit `m = regex.match(s)` calls rather than `String#gsub`, because `gsub` clobbers `$&` even with a String pattern argument, which interferes with the match data.
+- The AST node types are `Comparison`, `Conjunction`, `Disjunction`, and `AttrPath` (all `Struct`s defined at the top of the file).
+- `Parser.parse(str)` is the public entry point. It raises `Filter::Parser::ParseError` (a subclass of `DeviseScim::InvalidFilter`) on syntax errors.
+
+**`lib/devise_scim/filter/arel_visitor.rb`** — maps AST nodes to Arel conditions.
+
+- `SCIM_TO_AR` is the attribute mapping hash. To support a new SCIM attribute, add an entry: `"newScimAttr" => "ar_column_name"`.
+- All conditions are built with Arel node methods (`col.eq`, `col.matches`, etc.) — never with string interpolation or `where("column = ?", val)`. This is a hard requirement enforced by Brakeman and code review.
+- `ArelVisitor#apply(ast, scope)` returns a new scope with the Arel condition appended via `where`.
+
+**Adding a new operator** (e.g., a hypothetical `contains-all`):
+
+1. Add the operator string to `COMP_OPS` in `parser.rb`.
+2. Add a tokenizer branch in the `elsif` chain that emits a `:op` token.
+3. Add a `when` branch in `visit_comparison` in `arel_visitor.rb` that returns an Arel condition.
+4. Add examples to both spec files.
+
+---
+
+## Adding a New Endpoint
+
+1. **Add route** in `lib/devise_scim/routing.rb` inside the appropriate `draw_*` method, or add a new private method and call it from `scim_for`.
+
+2. **Add controller action** in `app/controllers/devise_scim/`. Inherit from `DeviseScim::ApplicationController` to get `tenant_scope`, `current_scim_tenant`, `render_scim`, and the error rescue chain.
+
+3. **Add request spec** in `spec/requests/`. Test at minimum: unauthenticated request (401), valid request (2xx), and any error paths (404, 409, 400).
+
+4. **Update discovery endpoints** if the new endpoint represents a new resource type or capability:
+   - `ServiceProviderConfig` (`app/controllers/devise_scim/service_provider_controller.rb`) — update `supported` flags for filter, sort, etag, etc.
+   - `Schemas` (`app/controllers/devise_scim/schemas_controller.rb`) — add a schema entry if introducing a new SCIM resource type.
+   - `ResourceTypes` (`app/controllers/devise_scim/resource_types_controller.rb`) — add an entry for the new endpoint.
+
+Discovery endpoint responses are static; update them when the protocol surface changes, not just when implementation details change.
+
+---
+
+## Security
+
+**SQL injection prevention:** all database queries use Arel node methods or parameterized AR queries. The `ArelVisitor` never interpolates user input into strings. The `tenant_scope` helper builds conditions entirely from Arel table/column references. Never introduce `where("#{col} = ?", val)` or equivalent — use `@table[col_name].eq(val)` instead.
+
+**Timing-safe token comparison:** single-tenant Bearer token authentication uses `ActiveSupport::SecurityUtils.secure_compare(raw, config.token)`, which prevents timing-oracle attacks. Do not replace this with `==`.
+
+**BCrypt for token storage:** multi-tenant token digests are stored with `BCrypt::Password.create(raw)`. Do not store raw tokens. Do not use a weaker digest (SHA, MD5) as a "performance optimization".
+
+**Brakeman must stay clean:** run `bundle exec brakeman --force --no-pager` before every PR. A new warning blocks the PR. If you believe a warning is a false positive, add a Brakeman ignore entry with a comment explaining why, and include it in the PR.
+
+**Reporting security issues:** do not open a public GitHub issue for security vulnerabilities. Email the maintainer directly at `devise_scim@vinson.pro`. Include a description of the vulnerability, steps to reproduce, and your assessment of impact. You will receive a response within 72 hours.