diff --git a/.cspell.json b/.cspell.json
new file mode 100644
index 0000000..001732c
--- /dev/null
+++ b/.cspell.json
@@ -0,0 +1,20 @@
+{
+  "$schema": "https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json",
+  "version": "0.2",
+  "dictionaryDefinitions": [
+    {
+      "name": "project-words",
+      "path": "./project-words.txt",
+      "addWords": true
+    }
+  ],
+  "dictionaries": ["project-words"],
+  "ignorePaths": [
+    ".vscode",
+    "**/.cspell.json",
+    "**/.git/**",
+    "**/node_modules/**",
+    "**/package-lock.json",
+    "/project-words.txt"
+  ]
+}
diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 3e6f19f..442b1e2 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -5,10 +5,18 @@ on:
   workflow_call:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
+
+permissions: read-all
+
 jobs:
   enforce-label:
     name: Enforce label
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
+
     steps:
       - name: Enforce label
         uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..2398834
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,75 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions: read-all
+
+env:
+  APPLY_FIXES: all
+  APPLY_FIXES_EVENT: pull_request
+  APPLY_FIXES_MODE: commit
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Lint
+        id: ml
+        uses: oxsecurity/megalinter@fda6ac3a38be0e969820709ac16e442464e5a035 # v7.3.0
+        env:
+          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload report
+        if: ${{ success() }} || ${{ failure() }}
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: Lint Report
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      - name: Create pull request with applied fixes
+        id: cpr
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "Apply lint fixes"
+          title: "Apply lint fixes"
+          labels: bot
+      - name: Output pull request
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+        run: |
+          echo "PR: ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "PR URL: ${{ steps.cpr.outputs.pull-request-url }}"
+
+      - name: Prepare commit
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+        run: sudo chown -Rc $UID .git/
+      - name: Commit and push applied lint fixes
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+        uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
+        with:
+          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+          commit_message: "Apply lint fixes"
+          commit_user_name: bitwarden-bot
+          commit_user_email: bot@bitwarden.com
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index b321da2..494d40f 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -6,6 +6,12 @@ on:
     paths:
       - .github/workflows/**
 
+permissions: read-all
+
 jobs:
   call-workflow:
     uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
diff --git a/.gitignore b/.gitignore
index 4f42dd7..a26b538 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ Thumbs.db
 # Node
 node_modules
 npm-debug.log
+
+# Lint
+megalinter-reports/
diff --git a/.jscpd.json b/.jscpd.json
new file mode 100644
index 0000000..2cee5f5
--- /dev/null
+++ b/.jscpd.json
@@ -0,0 +1,15 @@
+{
+  "threshold": 0,
+  "reporters": ["html", "markdown"],
+  "ignore": [
+    "**/node_modules/**",
+    "**/.git/**",
+    "**/.rbenv/**",
+    "**/.venv/**",
+    "**/*cache*/**",
+    "**/.github/**",
+    "**/.idea/**",
+    "**/report/**",
+    "**/*.svg"
+  ]
+}
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 0000000..b3343d1
--- /dev/null
+++ b/.mega-linter.yml
@@ -0,0 +1,4 @@
+APPLY_FIXES: all
+DEFAULT_BRANCH: main
+SHOW_ELAPSED_TIME: false
+FILEIO_REPORTER: false
diff --git a/project-words.txt b/project-words.txt
new file mode 100644
index 0000000..32a7ec2
--- /dev/null
+++ b/project-words.txt
@@ -0,0 +1,11 @@
+# Custom dictionary for spellchecking. Before adding a word here, consider whether you can put
+# it in a single (`) or multiline (```) code snippet instead, as they are automatically ignored
+# by the spellchecker. Please keep the list sorted alphabetically.
+
+Bitwarden
+classpath
+fullname
+keyserver
+stefanzweifel
+venv
+yogevbd