[PM-30584] Implement key-connector migration in SDK

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30584
bitwarden/server#7136
#809
bitwarden/clients#19360

📔 Objective

We do not want to keep the same master-key that was used during password derivation, but use a separately sampled key - named "key-connector-key". This means that the conversion flow now requires:

• Posting the key to key-connector
• Setting the "key" field on the user to "key-connector-key-wrapped-user-key"

To keep backwards compatibility, we make the request body optional, but if present, the request body contains the key-connector-key-wrapped-user-key. This is subsequently set to the user object.

This will unblock setting the master-key to state during unlock and login, which will improve unlock time, since we can remove double-kdf-derivation.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 87056924-73ec-48d8-95b5-c3a8ba8795e0

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: km/key-connector-management-api (01f6983)
Completed: 2026-03-04 13:00:19 UTC
Total Time: 276s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
7.5% Duplication on New Code

See analysis details on SonarQube Cloud