* Bump identity-style-guide from 6.4.0 to 6.4.1

Bumps [identity-style-guide](https://github.com/18F/identity-style-guide) from 6.4.0 to 6.4.1.
- [Release notes](https://github.com/18F/identity-style-guide/releases)
- [Changelog](https://github.com/18F/identity-style-guide/blob/main/CHANGELOG.md)
- [Commits](18F/identity-design-system@v6.4.0...v6.4.1)

---
updated-dependencies:
- dependency-name: identity-style-guide
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add changelog

changelog: Internal, Dependencies, Update Login.gov Design System to v6.4.1

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* Bump nokogiri from 1.13.3 to 1.13.4

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.13.3 to 1.13.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/v1.13.4/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.13.3...v1.13.4)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add changelog

changelog: Internal, Dependencies, Update dependencies to address security advisories

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* Adapt StepIndicator script to custom element

**Why**: So it's more easily implemented in the context of a React component

* Ensure component removal clean-up

* Add changelog

[skip changelog]

* email deletion requested

* email language visited

* email language updated

* event disavowal visited

* event disavowal password reset

* Add changelog

changelog: Internal, Documentation, Document additional analytics events

**Why**: Since it may have a negative impact on form usability, revert until we have a chance to think about this more holistically.

[skip changelog]

changelog: Internal, Optimization, Drop unused user columns

Co-authored-by: ManishMShah <manishmshah@fcoh2j-k1b3hv2f.fios-router.home>

* Extract form-steps package from document-capture

**Why**: Because, as part of ongoing IDV API work, we'll want form steps outside the context of document capture.

[skip changelog]

* Remove redundant field property on FormError

* Revert unnecessary revisions to FormError

**Why**:

- Because polyfills are intended to be confined to the polyfill package (#6060)
- So that it's not included in modern browsers (#6068, -0.9kb gzipped)
- To reduce surface area of dependencies shared with USWDS (related to 18F/identity-design-system#312 (comment))

changelog: Internal, Optimization, Reduce size of JavaScript for modern browsers

* Remove visually-disabled effect from FormStepsContinueButton

**Why**: For consistency with other submit buttons, which are always shown as enabled and validate upon submission. Since this button will be used as part of ongoing identity verification work (LG-4159), changing this default behavior ensures we don't exacerbate the inconsistency.

* Add changelog

changelog: Improvements, Identity Proofing, Show document capture submit button as enabled by default for consistency

…ltiple MFA methods. (#6138)

* Add setup router

* delete authenticator service

* LG-5988: work on routing for multiple selections

* LG-5988: remove uneeded helper

* changelog: New Feature, Allow Users to add more than one MFA method on account creation, LG-5988

* LG-5988: spec

* LG-5988: address comments

* rubocop

* Refactor how were doing user updating otp method

* rubocop

* LG-5988: change method name

* redirect fix

* LG-5988: use index

* use dig to reduce errors

* rubocop

* Ensure next url

* LG-5988: rubocop

* LG-5988: use shift for now

* Add "New Feature" badge for in-person proofing

Co-authored-by: Andrew Duthie <aduth@users.noreply.github.com>

changelog: Upcoming Features, In-Person Proofing, Add "new features" badge for links

* Remove unused string interpolation for personal key text

**Why**: Since there is no "accent" interpolation key in the "instructions.personal_key.info_html" string.

changelog: Internal, Localization, Remove unused locale strings

* Remove unnecessary _html suffix

* Remove double-spaces after sentence

Consistency

**Why**: We think this error page is shown when identity
resolution fails, which means IPP is not a viable option
to get verified

[skip changelog]

* Stub out React entry-point for new IdV API routes

* Create new VerifyController for IdV API

* Clean-up IdvController

* Bring back FeatureFlaggedConcern

by popular demand

* Create feature_flagged_concern_spec.rb

* Create verify_controller_spec.rb

* Create basic React root element

* Disable idv_api_enabled for all environments by default

**Why**: Until it's ready to at least be remotely functional in local development

* Route personal_key instead of password

**Why**: Because that's the goal of LG-6066

* Add README for verify-flow package

**Why**: So that someone unfamiliar can have a basic understanding of its purpose

* Always define config value context for specs

**Why**: Avoid issues with environment-specific configuration

* Always draw route in spec

* Replace FeatureFlaggedConcern with RenderConditionConcern

**Why**: Less magical and open with forwarding of config keys, more explicit with callable behavior

* Inline before_action block

* Add changelog

[skip changelog]

* Namespace new IdV flow routes as "v2"

* Remove unnecessary route drawing

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* Rename "render_if" to "check_or_render_not_found'

https: //github.com//pull/6177#discussion_r849771392
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Zach Margolis <zbmargolis@gmail.com>

* Move PageHeading to components package

For reuse in verify-flow

* Add basic FormSteps flow for IdV React implementation

**Why**: So that we can start implementing step screens for the new, React-based identity verification flow.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Initialize React I18nContext with global locale data

* Add basic personal key step content

* Fix imports

* Update test default i18n context

* Set default I18nContext value to shared i18n instance

* Import t directly

Moving toward potential future removal of useI18n

* Remove unnecessary string interpolation

https://github.com/18F/identity-idp/pull/6195/files#r849653819

* Update usage for I18nContext.Provider

Previously receives strings object, now receives I18n instance

* Update personal_key info string key

Changed in #6196

* Reorder props

Bit easier to read with className last

* add flash error for phone step in rails

* Add changelog

changelog: Bug Fixes, Identity Proofing, Fixed missing error message for invalid phone step submission- like non US number

* updated relevant rspec test

* Update spec/controllers/idv/phone_controller_spec.rb

specify exact error message we are expecting (us country code)

Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* added more precise test for invalid phone number

* Fix spec to test U.S. country code

Co-authored-by: Nadya Primak <nadyaprimak@Nadyas-MacBook-Pro.local>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

**Why**: It's been enabled for a few weeks with no major issues

[skip changelog]

* LG-6066: Initialize personal key value and render badge content

**Why**: As an incremental step toward getting actual personal key initialized into the page, for feature parity with existing step.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Remove optional format argument

* Avoid prompt on navigate for VerifyFlow

We probably won't need it, since we'll be persisting values client-side

* Use string keys for nonstandard hash key casing

Should be camelCase for JavaScript app, but avoid camelCase symbols in Ruby

See: #6206 (comment)
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

Co-authored-by: Zach Margolis <zbmargolis@gmail.com>

* Typescript-ify ClipboardButton

* Move ClipboardButton to dedicated file

Make room in index for React implementation

* Restore index

* Rename ClipboardButton to ClipboardButtonElement

* Typescript-ify clipboard_button_component

* Define custom element from implementation

* Add global tag definition for lg-clipboard-button

* Add React ClipboardButton implementation

* LG-6066: Implement functional clipboard button on FSMv2 Personal Key step

**Why**: So that we can retain feature parity with the existing screen.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Create README.md

* Rename links.copy string to components.clipboard_button.label

Associate with the component

* Render default "Copy" text for button

For consistency with server-side implementation

* Change ClipboardButtonElement as default export

Consistency

* Add optional React peer dependency

* Fix default import type

* Fix name for ClipboardButtonElement in spec

* Use personalKey text for ClipboardButton

* Use index for personal key segment

Avoid React warnings for duplicate content

* Appease linter

* Longer timeout for remove old throttles job

* reduce limits rather than increase timeout

changelog: Internal, Maintenance, Reduce limit for background job that cleans up old Throttle database rows

* LG-6066: Implement print button on FSMv2 Personal Key step

**Why**:

- So that we can retain feature parity with the existing screen.
- To reduce size and scope of common application bundle
- To create a more rigid connection between print JavaScript functionality and server-side render logic
- To improve test coverage for existing print button behavior

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Create README.md

* Bump async from 2.6.3 to 2.6.4

Bumps [async](https://github.com/caolan/async) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: async
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add changelog

changelog: Internal, Dependencies, Update dependencies to address security advisories

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* Create manifest to associate asset references per Webpack pack

**Why**: Since our current approach to list assets required per pack is not scalable, and does not account.

changelog: Internal, Build, Generate asset manifest during JavaScript build

* Emit as assets.json

* Retrieve assets from asset.json manifest output

* Use existing manifest to append assets

* Omit nil values from AssetSources.get_assets

Because there's nil-safe navigation, so possible nil values

* Add getAssetPath specs

* Add specs for AssetsWebpackPlugin

* Clean up unused references

* Remove more remnants of asset-checker

* Add specs for AssetSources.get_assets

* Stub CSP method for test

* Render JavaScript tag with script text argument

* Add specs for render_javascript_pack_once_tags assets behavior

* Avoid polluting global namespace with content_security_policy_nonce

https: //github.com//pull/6198#discussion_r850804108
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

* Add inline comment describing publicPath customization

#6198 (comment)

* Emit asset map as JSON

**Why**: Avoid risks and complication of dealing with executable script tag

* bump circleci

* Add type signature for getAssetPath

1. Parameter not typed (any)
2. Inferred return value is "string", when it can be undefined

Co-authored-by: Zach Margolis <zbmargolis@gmail.com>

changelog: Internal, Database, Background job to log psql table bloat stats

Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>, Mitchell Henke <mitchell.henke@gsa.gov>

* Add a background job encryptor

**Why**: Currently we use the session encryptor to encrypt args for async proofing activities and sessions. This adds a complication to modifying the way sessions are encrypted because it is coupled to the way background job arguments are encrypted. Adding this new encryptor (which is a clone of the session encryptor) decouples them and enables us to make changes to the session encryptor.

changelog: Internal, Encryption, A new encryptor was added for handling encrypted background job arguments

**Why**: adheres to OIDC spec better

Fixes #5991

changelog: Internal, Encoding, Use URL-safe encoding of SHA256 digests to better match OIDC spec

* Add support for className for FormStepsContinueButton

Sometimes we don't render content after it, we don't need bottom margin

* Remove bottom margin from PersonalKeyStep continue button

* Implement basic React modal component

* Move useInstanceId to react-hooks package

For reuse

* LG-6066: Add personal key confirmation modal to IDV v2 app

**Why**: So that a user can proceed from the personal key step to confirm their personal key and complete the proofing process.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Accept code with dashes for PersonalKeyInput

See: #6209 (review)

* Rename StepIndicator as StepIndicatorElement named export

Make room for React implementation

* Add global typings for lg-step-indicator

**Why**: For compatibility with React usage

* Define StepIndicator as side effect of import

**Why**: While impure, this is the easiest way to ensure it's defined in time for the React component, is pretty common practice, and avoids inconsistency with augmented global, where registered name name is assumed.

* Implement React StepIndicator, StepIndicatorStep components

* Render VerifyFlow step indicator

* Add documentation

* Add specs for StepIndicator

* Add specs for StepIndicatorStep

* Take advantage of global typing for tag name definition

* Add changelog

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Import StepIndicatorElement as type

Ensure import statement is side-effecty for step-indicator-element

…6215)

* Button: Add support for link styled as button

* Add DownloadButton component

* LG-6066: Implement download button for personal key step (IdV app)

**Why**: So that a user can download their personal key to their computer.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Remove unused import

* Use fileName from props

See: https://github.com/18F/identity-idp/pull/6215/files#r852255628
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

* Use type narrowing to avoid any-cast

See: https://github.com/18F/identity-idp/pull/6215/files#r852258951
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

* Use URI encoding for download data URI

consistency with server implementation

see: https://github.com/18F/identity-idp/pull/6215/files#r852251328
Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>

* Add specs for hasProprietarySaveBlob

Co-authored-by: Zach Margolis <zbmargolis@gmail.com>

* Fix Webpack asset manifest generation for production exports

**Why**: So that the asset manifest plugin correctly identifies all assets.

* Handle multiple letters

see: https://github.com/webpack/webpack/blob/a72548f97037c941db3320397392a329f52db66a/lib/Template.js#L149

changelog: Internal, Build, Generate asset manifest during JavaScript build

* Fix typo "mangled"

* Remove query parameter style history navigation for hash fragment

* Remove initialValue support from useHistoryParam

YAGNI!

* FormSteps: Add support for path-based history

* Add basePath for VerifyFlow FormSteps

* Add routes for base and personal_key_confirm

* DRY common step path for IdV app routing

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* Update type handling for possibly-undefined step

* Fix specs

* Remove step clearing logic from form completion

Should be responsibility of consumer to deal with lingering path fragment upon completion if necessary

changelog: Upcoming Features, Identity Verification, Add client-side application path routing

* Pass basePath as data property to VerifyFlow app

**Why**: Because it will be necessary to reliably create step URLs

#6213 (comment)

* Rename getCurrentQueryParam to getCurrentValue

We're not using a query parameter format

* Improve trailing slash handling for useHistoryParam

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* TypeScript-ify Icon component

* Add support for design system icons to Icon component

* Add support for icon prop to Button component

For consistency with ButtonComponent ViewComponent

* Add icons for personal key buttons

* Serve icon sprite asset from same origin

* Add changelog

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Skip Rails env stubbing

Not necessary, since the condition considers the config value, not env

* Freeze, use set for same origin assets

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* Add spec for DownloadButton icon

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* LG-6114: Use Cleave.js to format personal key (IdV app)

**Why**: So that the value is more readable as the user types, and to ensure feature parity with the existing experience.

changelog: Upcoming Features, Identity Verification, Add personal key step screen

* Remove explicit maxLength

As confirmed via integration specs, Cleave handles this

* Rename formatted-fields to ts

Fix type errors

* Fix formatted-fields TypeScript errors

changelog: Feature, Account Management, Rate limit phone confirmation attempts

changelog: Feature, Account Management, Rate limit phone confirmation attempts

**Why**: Good security practice to avoid timing attacks

[skip changelog]