Remove masterkey state

[quexten]

🎟️ Tracking

📔 Objective

Removes master-key state, double KDF derivation, and the old login method implementations. This speeds up unlock.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 3a4fb315-3d57-4c82-8bde-0e364df5685b

---

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-2359	Npm-multer-2.0.2	details Recommended version: 2.1.1 Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-27959	Npm-koa-3.1.1	details Recommended version: 3.1.2 Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-3304	Npm-multer-2.0.2	details Recommended version: 2.1.1 Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 and 3.0.0-alpha1 allows an att... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-3520	Npm-multer-2.0.2	details Recommended version: 2.1.1 Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR removes legacy master key state, double KDF derivation, and old login method implementations (~1000 lines deleted). It eliminates three feature flags (UseUnlockServiceForPasswordLogin, UnlockKeyConnectorWithSdk, SdkKeyConnectorMigration) that gated the SDK-based unlock transition, making the new unlock paths the sole implementation. The removal is thorough — no dangling references to removed APIs remain in non-test production code.

Code Review Details

• 🎨 : Unused MASTER_PASSWORD_MEMORY import remains after MASTER_KEY state definition was removed — likely contributing to lint CI failure
  • libs/common/src/key-management/master-password/services/master-password.service.ts:20

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[bw-ghapp]

Changes in this PR impact the Autofill experience of the browser client

BIT has tested the core experience with these changes and all feature flags disabled.

✅ Fortunately, these BIT tests have passed! 🎉

[bw-ghapp]

Changes in this PR impact the Autofill experience of the browser client

BIT has tested the core experience with these changes and the feature flag configuration used by vault.bitwarden.com.

✅ Fortunately, these BIT tests have passed! 🎉