[PM-23289] Migrate PIN unlock keys on biometrics/MP unlock

[matt-livefront]

🎟️ Tracking

PM-23289

📔 Objective

#1876 added logic to migrate to a PIN-protected user key envelope when the vault is unlocked with a PIN. However, this wouldn't migrate an existing PIN key if the vault was unlocked with MP or biometrics. This adds a migration that occurs when unlocking with MP or biometrics.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – cabd00be-5da6-4345-a9b9-1a4e7e182449

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.34%. Comparing base (4d1dca1) to head (6a5266c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2026   +/-   ##
=======================================
  Coverage   81.33%   81.34%           
=======================================
  Files         831      831           
  Lines       52439    52456   +17     
=======================================
+ Hits        42651    42668   +17     
  Misses       9788     9788           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[KatherineInCode]

💡 It seems to me we might want to expand the Flight Recorder to work something like OSLog, where you can have several different subsystem logs, and so we could flight record just some subsystems, etc. and it would let us prepend the [Auth] ourselves. Something to consider long-term, I suppose

[matt-livefront]

Ohh that's a good idea, I can drop a ticket into the backlog.

[KatherineInCode]

🤔 Do we also need to delete the pinProtectedUserKey out of state service as part of this?

[matt-livefront]

We do, yeah. This is handled in StateService:

ios/BitwardenShared/Core/Platform/Services/StateService.swift

Lines 2092 to 2093 in 6a5266c

	// Remove any legacy pin protected user keys.
	appSettingsStore.setPinProtectedUserKey(key: nil, userId: userId)